最新您知道哪些法規適用於貴公司嗎?3 分鐘內即可確認。我們誠摯的禮物:歐盟法規工具韓國法規工具
我們能為您做什麼?

透過以下方式傳訊

KakaoTalkLINE

48 小時內回覆

傳送電郵給我們 →
部落格
Are you alone on the Train WiFi? How to find out
網路安全

Are you alone on the Train WiFi? How to find out

2026年7月8日·Alex Holmquist, Panke IT Solutions LLC

On the Seoul subway my phone joined the WiFi before I had it out of my pocket — and so had the carful of strangers pressed in around me. The person in the next seat is on the same network I am. Can they read what my phone is sending? The answer was decided the instant I connected, by one detail in the WiFi list I had never once looked at — and most people never do.

The moment my phone connected for me

The convenience is real, and so is the unease that follows it.

I went down the location rabbit hole in an earlier piece — how the carrier can tell which train you are on from that same auto-connect (the train's WiFi knows where you are). This time the worry is closer to home. Forget the carrier for a moment. Can the passenger across the aisle read what my phone is sending?

Two networks wearing almost the same name

Here is the thing I only noticed when I actually looked at the WiFi list. The train broadcasts two networks, and they sit one line apart. On SKT you get T wifi zone and T wifi zone_secure; Seoul's public WiFi does the same with SEOUL and SEOUL_Secure. One is open, one is encrypted, and both are broadcasting right now.

나무위키 (T 와이파이): the open T wifi zone needs no password and accepts any device, while T wifi zone_secure authenticates through your USIM before it lets you on.

They look almost the same in the list. The suffix is the whole story. Which one your phone landed on decides whether the stranger next to you can passively read your traffic.

Two networks the train co-broadcasts, side by side. Left,

Can someone on the same WiFi see my traffic?

It comes down to encryption, and specifically to how the network hands out keys. There are three ways this goes, and only the third one shuts the door.

  1. The open network gives out no key at all. T wifi zone, SEOUL, any open café SSID — the traffic travels over the air with no link-layer encryption, so a neighbour running free, off-the-shelf software can pull your packets out of the air — though anything behind the browser padlock stays scrambled even here. This is the only place the real danger lives.
  2. Your café's password network gives everyone the same key. WPA2-Personal derives one key from the shared password. Anyone who also knows that password — every other customer — can derive the per-session keys and decrypt the others. That is a separate story for another day, but it is why "it has a password" is not the reassurance people think.
  3. The _secure network gives every phone its own key. This is WPA2/WPA3-Enterprise. When your USIM authenticates, a RADIUS server issues a unique, random key for your session alone.

That third case is the one that matters, and the math itself is what makes it hold.

UC Berkeley CS161: in the enterprise setup each client negotiates its own pairwise master key with the authentication server, so no other user on the network holds the material to decrypt your session.

On _secure, then, the passenger next to you holds a key to their own session and nothing else. Passively reading your phone is not something they can choose to do — the network never gave them the means. That is the reveal I was looking for.

A phone at a café showing its Wi-Fi settings:

The one that still worries me: the evil twin

If the encrypted network is that strong, where is the residual risk? The fake one. Anyone can stand up an access point that broadcasts T wifi zone — the open network has no authentication to defeat, so cloning it is trivial, and your phone may join the strongest copy in the car without asking. Cloning _secure is much harder, because a real enterprise network proves its identity with a certificate. The protection only works if your phone actually checks that certificate, and many phones skip that check by default.

eaphammer (s0lst1c3): a public tool built specifically to stand up rogue enterprise access points and harvest credentials when clients fail to validate the server certificate.

That is the honest weak point, and it is exactly why the reader instinct that brought you here is the correct one.

What I actually changed

The small unease turned out to be pointing at something real, just aimed at the wrong target. So I changed three habits, and none of them cost me anything.

  1. I prefer the _secure network and let the open one sit there unused. Same coverage on the train, and a key that is mine alone.
  2. I treat any open carrier SSID, and any auto-join I did not expect, as hostile until proven otherwise. An unexpected T wifi zone in an odd place is a reason to stop and look before connecting.
  3. I turned off auto-join for open networks. That one setting is the whole ballgame — it stops my phone from silently walking onto an open, or cloned, network on my behalf.

Curiosity about who is on the network with you is the right question, and on a train it has a clean answer.

Next time your phone connects to something before you have touched it — do you know whether it chose the encrypted network or the open one right beside it?

References

  1. UC Berkeley CS161 — WPA2 and enterprise per-client keys
  2. 나무위키 — T 와이파이
  3. 서울특별시 — 공공와이파이 안내
  4. eaphammer — rogue enterprise access-point toolkit
擔心您的攻擊面暴露風險?

若想了解您的基礎設施在攻擊者掃描模型中的評分,請聯絡 contact@pankeit.com,進行攻擊面評估。

訂閱我們的部落格

掌握最新資安趨勢

絕無垃圾郵件,隨時可取消訂閱。

©2026 Panke IT Solutions LLC

Austin, TX