Re: re: Lee d
You don't.
An unencrypted (passphrase-less) or well-known-passphrase network is inherently susceptible to SSID duplication attacks. You just set up an SSID with the same name and same passphrase and people will join it unless they happen to know the original BSSID (which nobody publishes or takes any note of).
This is why PSK is pretty insecure for such things and why ALL public wifi with well-known passphrases is just basically an open connection that should be firewalled off, VPN'd through or limited to SSL-based usage only (even there, there's the possibility of DNS-spoofing until we get DNSSEC and SSL is heavily tied into DNS being authoritative).
But that's not the point. Not only are you joining a wifi network, you are then accepting a pushed profile onto your machine. This is akin to installing a piece of software - it's like going on Starbucks' wifi and then your browser is replacing your page with a downloaded executable that you then blindly run.
1) Stop using public wifi as any type of trusted network. If you have the passphrase, so does everyone else, and they can spoof the network and/or decrypt your communication anyway. Public wifi is untrusted, hostile, Internet. That's all. No matter what else they tell you. Until they start issuing proper signed certificates etc. to prove they are the original network (which is a nightmare for client installation), they aren't secure. And the closest "security" they can have is to tell the owners (if they bother to look) that there's an identically named network with the same passphrase nearby. In very expensive Cisco Meraki networks that are deployed in such places, you get an email alert as an administrator and you can try to "contain" the network (which means blast it off the airwaves with client disassociation messages, as far as I can tell).
2) Don't install things that just pop up unexpected. Profile installation is a system-level action on Apple devices, and profiles are capable of installing any amount and severity of settings. You cannot install one "accidentally" without clicking through a lot of scary dialogues.
This isn't a "stupid-Apple" attack (and I am quite happy to jump on those normally, as I hate all Apple products with a vengeance and have NEVER owned a single one). This is a "stupid-user" attack. If you perform similar actions on any other OS, the same problem will occur, vulnerability or not. You're taking incredibly stupid and high-end actions on your system based on something random and untrusted popping up on your screen despite lots of large scary warnings.
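The administrator-side alert mentioned in the post (an identically named network appearing nearby) comes down to comparing observed beacons against an inventory of the operator's own BSSIDs. The sketch below is an added example, not part of the original post and not any vendor's implementation; the SSID, BSSIDs, inventory layout and the assumption that access points use fixed channels are all constructed for illustration.

```python
# Added example: rogue-AP check over scan results (all data below is constructed).
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str  # e.g. "WPA2-PSK", "OPEN"

# Hypothetical inventory of the operator's own access points:
# SSID -> {BSSID: (expected channel, expected security mode)}
INVENTORY = {
    "CoffeeShop-Guest": {
        "02:00:00:aa:bb:01": (1, "WPA2-PSK"),
        "02:00:00:aa:bb:02": (11, "WPA2-PSK"),
    }
}

def find_suspect_beacons(beacons, inventory):
    """Return (beacon, reason) pairs for beacons that advertise a protected
    SSID but do not match the operator's inventory."""
    findings = []
    for b in beacons:
        aps = inventory.get(b.ssid)
        if aps is None:
            continue  # not one of our SSIDs, nothing to compare against
        expected = aps.get(b.bssid.lower())  # BSSIDs compare case-insensitively
        if expected is None:
            findings.append((b, "unknown BSSID advertising protected SSID"))
            continue
        channel, security = expected
        # A BSSID is not proof of identity either: it can be copied, so a
        # known BSSID with the wrong attributes is also worth an alert.
        if b.security != security:
            findings.append((b, "known BSSID with unexpected security mode"))
        elif b.channel != channel:
            findings.append((b, "known BSSID on unexpected channel"))
    return findings

# Constructed scan results.
SCAN = [
    Beacon("CoffeeShop-Guest", "02:00:00:AA:BB:01", 1, "WPA2-PSK"),  # legitimate AP
    Beacon("CoffeeShop-Guest", "02:00:00:cc:dd:99", 6, "WPA2-PSK"),  # same name, unknown radio
    Beacon("CoffeeShop-Guest", "02:00:00:aa:bb:02", 6, "WPA2-PSK"),  # known BSSID, wrong channel
    Beacon("Neighbour-Home", "02:00:00:ee:ff:10", 6, "WPA2-PSK"),    # unrelated network
]

if __name__ == "__main__":
    for beacon, reason in find_suspect_beacons(SCAN, INVENTORY):
        print(f"{beacon.ssid} {beacon.bssid} ch{beacon.channel}: {reason}")
```

This only tells the operator that a duplicate exists; clients joining by SSID and passphrase still have no way to tell the two networks apart.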