[tetraodonpuffer]

why aren't 'know networks' gps-geofenced on smartphones? You have GPS, if your previous 'known network' (say, home) was in location X, it should not automatically connect (or even try to connect) to it at X + 20 miles.

This way you should be able to keep your phone from connecting automatically to (or even looking for) a network that shouldn't be there in that location in the first place, and if you always tether to it it would work for your laptop too...

[janinge]

For that to work the networks themselves would have to securely distribute a list of locations, or it would have to be configurable on the devices. Many business and educational networks (like eduroam) span multiple locations. Even my "home" network is available multiple places (home, cottage, boat...).

Smartphones mostly use wireless networks and cell towers to determine their approximate location, which can be easily spoofed, except for the current active cell (which could be miles away). If devices had to acquire GPS fix every time they reconnected to a network, batteries would drain much faster. And satellite navigation doesn't work properly indoors. Civilian GPS can also be spoofed.

Manufacturers would probably prioritize usability over rectifying such a "problem" which never had bothered anyone before, except maybe if there was PR involved. I think there's still no way to list all configured wireless networks on iOS devices? Fixing this would probably improve privacy more (if people cared) than this randomized MAC feature.

[tetraodonpuffer]

I am not really sure why networks would have to distribute a list of locations: the default for connecting is simply 'do not autoconnect or look for any network I have not already connected previously in this location'.

If the user does not want to incur the GPS battery impact triangulating with cell towers already should give you enough location information not to look for your home network at work, or the network you saw in Spain last month when you are in the Netherlands.

And finally obviously everything can be spoofed, however I don't think it's reason enough not to have a minimal set of protections: the user can decide how much battery to dedicate to the task (i.e. no checking, cell tower checking, gps checking in increasing order of impact)

[tripzilch]

Because the "WiFi in de trein" network could be anywhere. It's the name of the free wifi of one of the large public transport / train corporations in the Netherlands.

The only solution is to not autoconnect, ever, or some sort of clever certificate pinning type of solution. Like, I could download the certificate from the (https) site of the train company, and be sure that the network I see claiming to be "WiFi in de trein" is in fact theirs. Ziggo (a Dutch ISP) does something like that when they turn all their customers' wifi-routers into semi-public access-points (for Ziggo customers). Unfortunately their solution has a few snags, as well (but it's really cool, I basically don't need a data plan).