What protects a wireless network against fake ones with the same name?
Nothing. Its a popular trick with iPhones since they are hard wired to camp with APs named attwifi (more correctly an SSID of attwifi). See, for example, On iPhone, beware of that AT&T Wi-Fi hot spot (2010), attwifi Impersonation Experiment (2011), attwifi SSID and the iPhone’s Secret Relationship (2012), iPhones can auto-connect to rogue Wi-Fi networks, researchers warn (2013), and others. Its kind of funny to watch it make its rounds with journalists ;)
In the case of the iDevices, you can't disable or remove the behavior. All you can do is have the phone prompt you for every wifi connection. And then you manually reject the ones like attwifi. How's that for Apple Data Security!
You have the wifi password attempts of all users who were connecting to that network...
WEP and WPA don't put the shared password on the wire like is done with HTTP/HTTPS and basic_auth
schemes. In WEP and WPA, the attacker never sees the plain text password. (The password is obviously used during key exchange, its just not transported in plain text. Instead, nonces are sent in the plain text. And WEP has its own set of problems).
Luckily, there's no wifi key exchange protocols that does the dumb basic_auth
thing, so the bad guy can't force a downgrade to make a user reveal his/her passwords. See, for example, Four-way Handshake in WPA-Personal (WPA-PSK) on the Security Stack Exchange.
You have a similar problem with the 3G/4G (et al) radios. What stops your phone from camping to the wrong base station or an attackers base station? Nothing - the phone camps where the signal strength is strongest, even if its controlled by the attacker and he/she forces your encryption algorithm to A0 (meaning no encryption).
Chris Paget did a lot of neat stuff in this area with Gnu Radio. See, for example, Chris Paget GNURadio Blackhat. Specifically, look at his/her IMSI Catcher.
Wifi and the 3G/4G networks are insecure infrastructure. Treat them as such - don't allow anything to leave the phone without privacy and integrity protections.