While Wi-Fi offers the convenience of a seamless, untethered data connection, it comes with security disadvantages that hackers love to exploit. Without knowing the tricks hackers use to target Wi-Fi devices, it’s hard for users to know which habits may be putting them most at risk.
Wi-Fi hacking frequently takes advantage of small mistakes users make while connecting devices to a network or setting up a router. To avoid the worst of these mistakes, there are a few simple precautions you can take to reduce your attack surface and prevent you from falling victim to some of the most common Wi-Fi attacks.
The risks of Wi-Fi
When the average person thinks about Wi-Fi hacking, they probably imagine a hacker breaking into their local Wi-Fi network. While this does happen, Wi-Fi can also be abused to track users by their devices, compromise passwords with phishing attacks, and reveal information about where a person works or travels.
Hackers targeting Wi-Fi can decide whether to attack the network itself or to go after any connected devices. This gives hackers the flexibility to pick the weakest link, relying on a target to make critical mistakes and targeting any vulnerability that’s easy to exploit.
Wi-Fi is an attack surface that can also follow you around. Mobile Wi-Fi devices can easily be tracked between locations, leaking network names that can reveal information about the owner. For anyone not wanting their device to broadcast where they work or have been recently, this can be both a privacy and security issue.
To reduce these risks, we can lock down behaviors that leak private information and or make our devices more vulnerable. By taking the following steps, you can reduce your attack surface and keep yourself safer when using Wi-Fi at home or on the go.
1) Purge networks you don’t need from your preferred network list
The Preferred Network List, or PNL, is a list of Wi-Fi network names your device automatically trusts. This list is created from the networks you connect to over time, but it can’t distinguish between networks which share both the same name and type of security. That means that after connecting to a Starbucks Wi-Fi network a single time, your device will remember and connect automatically to any open network with the same name.
For a hacker, creating rogue access points which mimic the names of common open Wi-Fi access points is the easiest way to track nearby devices and conduct MITM attacks. If you leave your smartphone Wi-Fi on in public, your device won’t warn you when automatically joining an open network with a name matching any that you’ve joined before. Without other precautions, this could allow a hacker to load phishing pages, track which sites you visit, and learn which apps you’re using.
In Windows, you can delete your preferred networks by going to “Manage known networks” and clicking “Forget” on any networks you don’t want your computer connecting to automatically. At a minimum, you should remove all open Wi-Fi networks from this list. The risk of your device connecting automatically to a rogue AP pretending to be open Wi-Fi is much higher than encountering a malicious network with the exact same name and password as one stored in your PNL.
In the attack above, I used a $3 ESP8266 microcontroller to create up to a thousand fake networks. Many nearby smartphones attempted to join networks with names they had connected to before, revealing which they trust. By finding which network names show up in the PNL of multiple nearby devices, a hacker can hijack the data connection of many devices at the same time with a single rogue network with a name like “attwifi.” If you have networks similar to those on the list above saved in your device’s PNL, you should delete them immediately!
2) Use a VPN to keep your local traffic encrypted
One of the fundamental flaws of WPA2 that’s being fixed in WPA3 is the lack of forward secrecy. This means that in the new WPA3 standard, recorded Wi-Fi traffic can’t be spied on even if the attacker gains knowledge of the Wi-Fi password later. With the current WPA2 standard, this is not the case. Traffic on a local network can be spied on both by other users and by an attacker who records the traffic and decrypts it after learning the password later.
While HTTPS has made the internet much safer and more private for Wi-Fi users on untrusted connections, VPNs pick up the slack to discourage snooping on traffic. By encrypting DNS requests and other revealing information that can open the door to a phishing attack, VPNs make it harder for an attacker to see what the target is doing online, or to redirect users to a malicious website.
For the purpose of encrypting your local traffic, most popular VPNs will offer a layer of protection to avoid being easy prey. PIA, Mullvad, or NordVPN will all render your local traffic indecipherable to a hacker, and provide forward secrecy by making recordings of your Wi-Fi traffic useless even if the attacker learns the Wi-Fi password later.
In the example above, I turned off PIA while monitoring my Wi-Fi connection from another computer with Wireshark. Immediately after disconnecting, I was able to see that my phone was running Signal messenger, was on the AT&T network, and was currently watching a YouTube video just from DNS requests. I can even identify the VPN checking in with its update server. All of this information was leaked in a few seconds of sniffing traffic without using a VPN.
If you want to learn more about using Wireshark for sniffing information over Wi-Fi, you can check out this useful reference: https://www.varonis.com/blog/how-to-use-wireshark/
3) Disable auto-connect when joining networks
One disadvantage of purging your preferred network list is that any networks you connect to will require you to enter the password manually every time you want to connect. This can get annoying for networks you connect to often, and also requires you to clean your PNL after every time you join a new network.
For password-protected Wi-Fi networks you join frequently, there’s a solution to save the password while reducing the risk of your device automatically connecting to malicious networks using the same name. To do this, make sure to check the “disable auto-connect” checkbox when first connecting to a network. This will prevent your device from attempting to connect to a network that matches the name and security type of the one you’re joining.
While you’ll still have to click the name of the network each time you want to join it, you won’t have to type in your password. At the cost of a single click, you can avoid your device leaking the name of networks you’ve connected to before.
On MacOS devices, you can specify which networks auto-connect in the “advanced” button of the Network menu. You can simply uncheck any networks you don’t want to auto-connect.
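The steps above cover Windows and macOS. As an added example that is not from the original article, the script below does the same cleanup on a Linux machine running NetworkManager: it forgets every saved open network (step 1) and switches the remaining password-protected profiles to manual connection (step 3). It assumes `nmcli` is installed; the `plan_cleanup` function is pure, so the planned commands can be reviewed before anything is changed.

```python
import subprocess

WIFI_TYPE = "802-11-wireless"

def run_nmcli(*args):
    """Run nmcli in terse (-t) mode and return its stdout. Requires NetworkManager."""
    return subprocess.run(["nmcli", "-t", *args], capture_output=True,
                          text=True, check=True).stdout

def parse_terse(output):
    """Turn the 'field:value' lines printed by 'nmcli -t -f ...' into a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value.replace("\\:", ":")   # nmcli escapes colons in values
    return fields

def plan_cleanup(profiles):
    """Decide what to do with each saved Wi-Fi profile.

    profiles: iterable of (name, key_mgmt, autoconnect), where key_mgmt is the value
    of 802-11-wireless-security.key-mgmt ('' for an open network) and autoconnect is
    'yes' or 'no'. Returns nmcli argument lists; nothing is executed here.
    """
    actions = []
    for name, key_mgmt, autoconnect in profiles:
        if key_mgmt == "":
            # Open network: a rogue AP only has to copy the name, so forget it entirely.
            actions.append(["connection", "delete", "id", name])
        elif autoconnect == "yes":
            # Protected network: keep the password, but require a manual click to join.
            actions.append(["connection", "modify", "id", name,
                            "connection.autoconnect", "no"])
    return actions

def saved_wifi_profiles():
    """Collect (name, key_mgmt, autoconnect) for every saved Wi-Fi connection."""
    profiles = []
    for line in run_nmcli("-f", "NAME,TYPE", "connection", "show").splitlines():
        name, _, ctype = line.rpartition(":")
        if ctype != WIFI_TYPE:
            continue
        name = name.replace("\\:", ":")
        detail = parse_terse(run_nmcli(
            "-f", "802-11-wireless-security.key-mgmt,connection.autoconnect",
            "connection", "show", "id", name))
        profiles.append((name, detail.get("802-11-wireless-security.key-mgmt", ""),
                         detail.get("connection.autoconnect", "yes")))
    return profiles

if __name__ == "__main__":
    # Dry run: print the commands so they can be reviewed before being run by hand.
    for action in plan_cleanup(saved_wifi_profiles()):
        print("nmcli", " ".join(action))
```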
4) Never use hidden networks
A normal Wi-Fi access point will send beacons containing all the information needed for nearby devices to discover and connect to it, such as the network SSID and supported encryption. Hidden networks, by contrast, never send beacons and don’t announce themselves in any way, requiring a client device to be in range and already know about the network to connect. That means you’ll never see a hidden network included in the list of nearby access points, making it harder in theory for an attacker to know a network is there.
Some users think that security by obscurity is a good way to hide their network from Wi-Fi hackers, but the ironic truth is that by hiding your Wi-Fi network, you make all of your smart devices easier to track. Because a hidden Wi-Fi network will never broadcast before a device tries to connect to it, a Wi-Fi device configured to connect to a hidden network will have to assume that the network could be nearby at any moment.
In practice, that means that your device will be constantly calling out the name of the network you’ve hidden, making it easy to track your Wi-Fi device even if the MAC address is randomized or you’re taking other precautions to stay anonymous. Not only does this make it easier to trick your device into connecting to a rogue AP, it also allows anyone to track your presence by the radio signals your smart device is constantly sending.
In the image above, I’ve added a hidden network to a smartphone’s preferred network list. In Wireshark, we can easily track the device that’s calling out for a hidden network. Far from being hidden, we can not only identify the device, but also the name of the hidden network itself. If our goal was to make our Wi-Fi network more stealthy, we’ve instead made our client device perpetually call out the name of our “hidden” network for the entire world to see.
In some cases, the “hidden” network a device is calling out for can even be located on Wigle.net, if the SSID is sufficiently unique. This means you may even be giving away your home or work address to anyone listening in on Wi-Fi transmissions. If your goal is to keep the existence of a network stealthy, you should consider just using Ethernet rather than setting up a hidden Wi-Fi network.
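What Wireshark shows in the screenshot above is the SSID element inside 802.11 probe request frames. The following added example (not code from the article) parses that element from raw management frames and groups the named networks by the MAC that asked for them, which is exactly how a device configured for a hidden network (step 4) or holding a bloated PNL (step 1) gets tracked. The frames are constructed inline without FCS or radiotap header; the MACs and SSIDs are made up.

```python
# Constructed frames only; real captures would come from a monitor-mode interface.
MGMT, PROBE_REQ = 0, 4
BROADCAST = bytes.fromhex("ffffffffffff")

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_probe_request(source_mac, ssid):
    """Build a minimal 802.11 probe request (24-byte header + tagged params, no FCS)."""
    frame_control = bytes([PROBE_REQ << 4 | MGMT << 2, 0x00])
    header = (frame_control + b"\x00\x00"          # frame control, duration
              + BROADCAST + source_mac + BROADCAST  # addr1 (DA), addr2 (SA), addr3 (BSSID)
              + b"\x00\x00")                       # sequence control
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode("utf-8")   # tag 0 = SSID
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])         # tag 1 = supported rates
    return header + ssid_ie + rates_ie

def probed_ssid(frame):
    """Return (source MAC, SSID) for a probe request, or None for any other frame.

    An empty SSID is a wildcard probe and names nothing; a non-empty SSID is the
    device announcing a network from its PNL, which is what a sniffer can track.
    """
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != MGMT or (fc0 >> 4) & 0xF != PROBE_REQ:
        return None
    source = mac_str(frame[10:16])
    body, i, ssid = frame[24:], 0, ""
    while i + 2 <= len(body):                   # walk the tagged parameters
        tag, length = body[i], body[i + 1]
        if tag == 0:
            ssid = body[i + 2:i + 2 + length].decode("utf-8", "replace")
        i += 2 + length
    return source, ssid

def leaked_networks(frames):
    """Map each SSID named in a directed probe to the set of MACs that asked for it."""
    seen = {}
    for frame in frames:
        parsed = probed_ssid(frame)
        if parsed and parsed[1]:
            seen.setdefault(parsed[1], set()).add(parsed[0])
    return seen

if __name__ == "__main__":
    phone, laptop = bytes.fromhex("02aabbccddee"), bytes.fromhex("021122334455")
    capture = [build_probe_request(phone, "MyHiddenHome"),   # client probing for a hidden net
               build_probe_request(phone, ""),               # wildcard probe: leaks no name
               build_probe_request(laptop, "attwifi")]       # stale open network in the PNL
    for ssid, macs in leaked_networks(capture).items():
        print(f"{ssid!r} requested by {sorted(macs)}")
```

Even with MAC randomization, the SSID string itself is the stable identifier; a probe for a unique hidden SSID identifies the owner just as well as a fixed hardware address would.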
5) Disable WPS functionality on routers
From an attacker’s perspective, networks with WPS enabled stick out like a sore thumb. With a single command, a hacker can scan the local area for networks that support WPS and would represent a good target for an attack like WPS-Pixie.
Above, we can see local networks that have various versions of WPS enabled, meaning they’re worth auditing with a tool like Airgeddon to see if we can get a quick victory. Many versions of WPS are vulnerable to both PIN brute-forcing attacks and WPS-Pixie based attacks, which can allow an attacker to gain access to a vulnerable network in as few as 15 seconds.
What’s scary about WPS setup pin attacks is that the impact of a successful attack goes beyond simply changing the password. If the attacker is able to get your WPS setup pin in either a Reaver or WPS-Pixie style attack, they’ll be able to get your password no matter how long, unique, or secure it is. This is because the WPS setup PIN was designed in the first place to recover lost passwords, so by abusing it, the hacker has the same access the owner of the device has.
In order to kick a hacker who has your WPS setup pin out, you can’t simply change the password. You also need to disable the WPS setup pin, and possibly buy a new router if you ever want to use it again. Many routers don’t let you change the WPS setup pin, so to ensure your long, secure password stays secret, make sure to disable this option in your router’s menu settings.
The procedure for disabling your WPS setup pin may vary, but in general, you should log into your Wi-Fi router and uncheck the box related to “WPS PIN” or “WPS Setup” to make sure this option is off. In some older routers, disabling this may not actually turn it off, so if you want to check for yourself, you can use the “wash” tool in Kali Linux to identify any nearby networks advertising WPS. If your device still advertises WPS after disabling it, you should replace the device.
6) Never re-use passwords for Wi-Fi
One of the biggest flaws of WPA2, the current Wi-Fi standard, is that a weak password can make it easy for an attacker to break into the network. If the password to your Wi-Fi network is among the top million or so worst passwords out there, it’s likely a hacker could breach your network in a matter of minutes. That’s because all they need to do is capture a handshake from a device connecting to the Wi-Fi, load it into a tool like Hashcat, and sit back while it tries every guess in a massive file of breached passwords.
One thing that’s critical here is to think of passwords as “strong” in two ways. For one, they must be difficult to guess, and for another, they must be unique. That means that using the same or very similar passwords in other accounts can lead to your password ending up on a breached password list, making it one of the default “bad” passwords a hacker will try in a brute-forcing attack.
So how can even a long and complicated password used in multiple places become public? Companies lose passwords from user accounts in breaches all the time, and one of the most common tactics is to try to use these passwords in other places once they become available. Wi-Fi hackers know that people love to copy their favorite “strong” password from one account to another, and this makes it easier to brute force passwords that may be long but aren’t actually unique.
To see which of your favorite passwords might already be common knowledge, you can run your accounts through haveibeenpwned.com and see which companies may have leaked your account passwords. Never use a password for your Wi-Fi you use elsewhere online, and definitely never use a password that’s been exposed by another service.
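Alongside checking your accounts, you can check a candidate Wi-Fi password itself against the Have I Been Pwned “Pwned Passwords” range API without ever sending the password. The added example below (not from the article) implements that k-anonymity check: only the first five characters of the SHA-1 hash are sent, and the full hash is matched locally against the returned list. The `SAMPLE_RANGE` response is constructed so the example runs offline; `fetch_range_online` performs the real lookup.

```python
import hashlib
import urllib.request

# Constructed sample of a /range/ response so the example runs offline. A real
# response lists every breached-password hash suffix under that 5-char prefix.
SAMPLE_RANGE = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"      # sha1("password")
             "000000000000000000000000000000000AA:2\n",         # constructed filler
}

def hash_parts(password):
    """SHA-1 the password and split it into the 5-char prefix sent to the API
    and the 35-char suffix that never leaves the machine (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix, range_body):
    """Find our suffix among the 'SUFFIX:COUNT' lines returned for the prefix."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def fetch_range_online(prefix):
    """Query the real Pwned Passwords range API (needs network access)."""
    req = urllib.request.Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                                 headers={"User-Agent": "wifi-psk-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def fetch_range_sample(prefix):
    """Offline stand-in for fetch_range_online using the constructed data above."""
    return SAMPLE_RANGE.get(prefix, "")

def breach_count(password, fetch=fetch_range_sample):
    """How many times this exact password appears in known breaches (0 = not seen)."""
    prefix, suffix = hash_parts(password)
    return count_in_range(suffix, fetch(prefix))

if __name__ == "__main__":
    for candidate in ["password", "a-long-passphrase-used-only-for-this-wifi"]:
        print(f"{candidate!r}: seen {breach_count(candidate)} times")
```

A password with a non-zero count is already in the wordlists a cracker loads into Hashcat, however long it is; pick another one.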
7) Isolate clients to their own subnet
A potentially devastating mistake made by many small businesses offering Wi-Fi to customers is failing to restrict guest users to their own subnet. When done properly, subnet isolation means that each client can only communicate with the router, and isn’t free to scan other devices on the network or try to connect to open ports.
On a network with proper client isolation, an Nmap or ARP-scan should reveal nothing, or simply the router as the only device on the network. In addition, the router shouldn’t have any ports accessible which are hosting administration or configuration pages from the guest network, as these pages often will leak information a hacker can use to exploit the router.
In the picture above, we see the situation for most small business Wi-Fi networks that are offered to customers and don’t properly isolate clients to their own subnet. Without client isolation, anyone on the network can see and interact with every other connected device. This means security cameras, DVR systems, the router itself, and NAS or file servers on the network can be directly accessible to a hacker from the moment they join the network, greatly simplifying the task of finding the network’s weakest link.
In the image above, a business providing Wi-Fi to clients has also exposed their security camera’s NAS server using default credentials to anyone on the network, allowing hackers to see through the cameras of the business and even go through old footage stored on the server. More often than not, businesses set up these networks and connect many Wi-Fi devices, forgetting to change the default password on everything from routers to printers.
If a business forgets to change the default password to a router and fails to isolate clients to their own subnet, it’s only a matter of time before a hacker steps in to administer the router for them. When a guest scans the network, they should only see two devices, the gateway and themselves.
With default admin passwords like “admin” or “password” left sitting on a router, hackers can upload malicious firmware updates to spy on users or run stolen credit cards through the connection by using the router as their own personal VPN. The first step to preventing this is to prevent unnecessary access to devices on the network in the first place.
Wi-Fi is safer with a few basic precautions
In general, you should store only the trusted Wi-Fi networks you actually need in your devices, and disable auto-connect. If you work in a sensitive position and have unique Wi-Fi network names at your office, you could be leaking the details of your employment to interested parties without knowing it. When in doubt, simply disable your Wi-Fi radio when you’re not using it, as this will prevent most Wi-Fi-based attacks.
By taking the steps above, it’s easy to reduce the risk of your Wi-Fi device joining a malicious network automatically, being tracked between locations, or leaking personal information. While these tips aren’t a complete guide to staying safe on Wi-Fi, they will keep you safe from several of the easiest and cheapest attacks hackers employ.
If you want to learn more about what can happen when an attacker does breach your network, you can see more in our Office 360 Attack Lab.