While Wi-Fi offers the convenience of a seamless, untethered data connection, it comes with security weaknesses that hackers love to exploit. Without knowing the tricks hackers use to target Wi-Fi devices, it's hard for users to know which habits put them most at risk.
Wi-Fi hacking frequently takes advantage of small mistakes users make while connecting devices to a network or setting up a router. To avoid the worst of these mistakes, there are a few simple precautions you can take to reduce your attack surface and keep yourself from falling victim to the most common Wi-Fi attacks.
The risks of Wi-Fi
When the average person thinks about Wi-Fi hacking, they probably imagine a hacker breaking into their local Wi-Fi network. While this does happen, Wi-Fi can also be abused to track users by their devices, compromise passwords with phishing attacks, and reveal information about where a person works or travels.
Hackers targeting Wi-Fi can decide whether to attack the network itself or to go after any connected devices. This gives hackers the flexibility to pick the weakest link, relying on a target to make critical mistakes and targeting any vulnerability that’s easy to exploit.
Wi-Fi is an attack surface that can also follow you around. Mobile Wi-Fi devices can easily be tracked between locations, leaking network names that can reveal information about the owner. For anyone not wanting their device to broadcast where they work or have been recently, this can be both a privacy and security issue.
To reduce these risks, we can lock down the behaviors that leak private information or make our devices more vulnerable. By taking the following steps, you can reduce your attack surface and stay safer when using Wi-Fi at home or on the go.
1) Purge networks you don’t need from your preferred network list
The Preferred Network List, or PNL, is the list of Wi-Fi network names your device automatically trusts. It is built up from the networks you connect to over time, but the device can't tell apart two networks that share the same name and the same security type. That means that after connecting to a Starbucks Wi-Fi network a single time, your device will remember it and automatically connect to any open network broadcasting the same name.
For a hacker, creating rogue access points that mimic the names of common open Wi-Fi networks is the easiest way to track nearby devices and carry out man-in-the-middle (MITM) attacks. If you leave your smartphone's Wi-Fi on in public, your device won't warn you when it automatically joins an open network whose name matches one you've joined before. Without other precautions, this lets a hacker serve phishing pages, track which sites you visit, and learn which apps you're using.
In Windows, you can delete preferred networks by going to "Manage known networks" and clicking "Forget" on any network you don't want your computer to join automatically. At a minimum, remove every open (unencrypted) Wi-Fi network from this list. The risk of your device automatically connecting to a rogue AP pretending to be open Wi-Fi is much higher than the risk of meeting a malicious network with exactly the same name and password as one stored in your PNL.
2) Use a VPN to keep your local traffic encrypted
One of the fundamental flaws of WPA2-Personal that WPA3 fixes is its lack of forward secrecy. With WPA3's SAE handshake, recorded Wi-Fi traffic can't be decrypted even if the attacker learns the Wi-Fi password later. With WPA2, it can: each client's session key is derived from the shared password plus values sent in the clear during the four-way handshake, so another user who knows the password and captures your handshake can decrypt your traffic on the spot, and an attacker who records the traffic can decrypt it whenever they learn the password afterwards.
While HTTPS has made the internet much safer and more private for Wi-Fi users on untrusted connections, a VPN picks up the slack by covering what HTTPS leaves exposed. By encrypting DNS requests and other revealing metadata that can open the door to a phishing attack, a VPN makes it harder for an attacker on the local network to see what the target is doing online or to redirect them to a malicious website.
For the purpose of encrypting your local traffic, most popular VPNs will do the job. PIA, Mullvad, or NordVPN will all render your local traffic indecipherable to a hacker on the same network, and because their tunnels negotiate their own ephemeral session keys, recordings of your Wi-Fi traffic stay useless even if the attacker learns the Wi-Fi password later. Keep in mind that the VPN provider can see the traffic instead, so this shifts trust from the local network to the provider rather than removing it.
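To see why a captured WPA2 handshake stays dangerous, here is an added example (not code from the original article) that derives the WPA2-Personal session key from the passphrase plus the fields an eavesdropper reads out of a recorded four-way handshake. The handshake values, the HomeNet SSID and the MAC addresses are constructed; the derivation steps are the standard ones (PBKDF2 for the PMK, the 802.11 PRF for the PTK).

```python
import hashlib
import hmac

# Added example (not from the original article): derive a WPA2-Personal session
# key from the passphrase plus the values an eavesdropper can read from a
# recorded four-way handshake. Everything except the passphrase travels in the
# clear, so a capture stays decryptable once the passphrase is learned.


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (the 'PSK') = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1 in counter mode, truncated to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce))."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def session_keys(passphrase, ssid, ap_mac, client_mac, anonce, snonce) -> dict:
    """Split the PTK into the keys a CCMP client actually uses; TK encrypts the data frames."""
    ptk = wpa2_ptk(wpa2_pmk(passphrase, ssid), ap_mac, client_mac, anonce, snonce)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# Constructed handshake fields standing in for what a sniffer pulls out of a real
# capture: the AP and client MAC addresses and the two nonces (all sent unencrypted).
CAPTURE = {
    "ssid": "HomeNet",
    "ap_mac": bytes.fromhex("0013d3aabbcc"),
    "client_mac": bytes.fromhex("001e52112233"),
    "anonce": bytes.fromhex("11" * 32),
    "snonce": bytes.fromhex("22" * 32),
}


def attacker_recovers_tk(passphrase_learned_later: str) -> bytes:
    """What an eavesdropper holding CAPTURE can compute the day the passphrase leaks."""
    return session_keys(passphrase_learned_later, **CAPTURE)["tk"]


if __name__ == "__main__":
    # The client derived its TK at connect time; the attacker derives the same one later.
    client_tk = session_keys("correct horse battery", **CAPTURE)["tk"]
    print("client TK  :", client_tk.hex())
    print("attacker TK:", attacker_recovers_tk("correct horse battery").hex())
```

Run it and the two TK lines print identical: whoever recorded the handshake and later learns the passphrase holds the same traffic key the client used. WPA3's SAE handshake instead derives the PMK from an ephemeral exchange that the password only authenticates, which is what gives it the forward secrecy described above. The PBKDF2 step reproduces the 802.11 test vector (passphrase "password", SSID "IEEE"), a useful sanity check if you adapt the code.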
3) Disable auto-connect when joining networks
One disadvantage of purging your preferred network list is that every network you connect to afterwards will require you to enter the password manually each time, unless you save it again. This gets annoying for networks you connect to often, and it also means cleaning out your PNL every time you join a new network.
For password-protected Wi-Fi networks you join frequently, there's a way to save the password while reducing the risk of your device automatically connecting to a malicious network using the same name: turn off automatic connection for that network. In Windows, uncheck "Connect automatically" when you first join (or later in that network's settings); other operating systems have an equivalent per-network auto-join switch. Your device will then keep the password but never try on its own to connect to a network matching the name and security type of the one you joined.
While you'll still have to click the name of the network each time you want to join it, you won't have to type in your password. At the cost of a single click, you keep your device from probing for, and leaking the names of, networks you've connected to before.
4) Never use hidden networks
A normal Wi-Fi access point sends beacons containing everything nearby devices need to discover and connect to it, such as the network name (SSID) and the supported security. A hidden network still sends beacons, but with the SSID field blanked out, so it never announces its name; a client has to be in range and already know the name in order to connect. That means you'll never see a hidden network's name in the list of nearby access points, which in theory makes it harder for an attacker to know the network is there.
Some users think this kind of security by obscurity is a good way to hide their network from Wi-Fi hackers, but the ironic truth is that by hiding your Wi-Fi network, you make all of your own devices easier to track. Because a hidden network never advertises its name, a device configured to connect to it can't wait to hear that name; it has to assume the network could be nearby at any moment and ask for it.
In practice, that means your device will be constantly sending probe requests carrying the name of the network you've hidden, wherever you go, making it easy to track your Wi-Fi device even if its MAC address is randomized or you're taking other precautions to stay anonymous. Not only does this make it easier to trick your device into connecting to a rogue AP that answers to that name, it also lets anyone track your presence by the radio signals your device is constantly sending.
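Sections 1, 3 and 4 all come down to what is stored in your saved network profiles, so here is one added example (not code from the original article or from ACCi) that audits them on Windows. It parses the output of netsh wlan show profiles and netsh wlan show profile, and returns the netsh command that forgets each open network, sets the remaining profiles to manual connection, and flags any profile configured to connect to a hidden network. The sample output embedded below is constructed to match the layout of those commands, and the profile names are invented; the netsh commands themselves are real.

```python
import re
import subprocess

# Added example (not from the original article): audit the Wi-Fi profiles Windows
# has saved and apply sections 1, 3 and 4: delete open networks, switch the rest
# to manual connection, and flag profiles that probe for a hidden SSID. The
# netsh commands are real; the sample output below is constructed to match the
# layout of `netsh wlan show profiles` / `netsh wlan show profile name=...`.

SAMPLE_PROFILE_LIST = """\
Profiles on interface Wi-Fi:

User profiles
-------------
    All User Profile     : Starbucks WiFi
    All User Profile     : HomeNet
"""

SAMPLE_PROFILE_DETAILS = {
    "Starbucks WiFi": """\
    Name                   : Starbucks WiFi
    Control options        :
        Connection mode    : Connect automatically
        Network broadcast  : Connect only if this network is broadcasting
    Authentication         : Open
    Cipher                 : None
""",
    "HomeNet": """\
    Name                   : HomeNet
    Control options        :
        Connection mode    : Connect automatically
        Network broadcast  : Connect even if this network is not broadcasting
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
""",
}


def list_profiles(show_profiles_output: str) -> list:
    """Profile names from `netsh wlan show profiles`."""
    return re.findall(r"^\s*(?:All|Current) User Profile\s*:\s*(.+?)\s*$",
                      show_profiles_output, re.M)


def parse_profile(detail_output: str) -> dict:
    """Pull the three fields the audit needs out of `netsh wlan show profile name=...`."""
    def field(label):
        m = re.search(rf"^\s*{re.escape(label)}\s*:\s*(.*?)\s*$", detail_output, re.M)
        return m.group(1) if m else ""
    return {
        "name": field("Name"),
        "open": field("Authentication").lower() == "open",
        "auto_connect": field("Connection mode").lower().startswith("connect automatically"),
        "hidden": "not broadcasting" in field("Network broadcast").lower(),
    }


def audit(profile: dict) -> list:
    """Return the netsh commands (or notes) that fix what the profile gets wrong."""
    name = profile["name"]
    fixes = []
    if profile["open"]:
        # Section 1: any rogue AP using this SSID would be joined silently.
        fixes.append(f'netsh wlan delete profile name="{name}"')
        return fixes
    if profile["auto_connect"]:
        # Section 3: keep the password, but only connect when the user clicks.
        fixes.append(f'netsh wlan set profileparameter name="{name}" connectionmode=manual')
    if profile["hidden"]:
        # Section 4: the client probes for this SSID everywhere it goes.
        fixes.append(f'# "{name}" is a hidden network: un-hide it on the router and recreate the profile')
    return fixes


def audit_all(profile_list: str, details: dict) -> dict:
    return {name: audit(parse_profile(details[name])) for name in list_profiles(profile_list)}


def audit_live() -> dict:
    """Same audit against the real machine (Windows only)."""
    out = subprocess.run(["netsh", "wlan", "show", "profiles"], capture_output=True, text=True).stdout
    details = {n: subprocess.run(["netsh", "wlan", "show", "profile", f"name={n}"],
                                 capture_output=True, text=True).stdout for n in list_profiles(out)}
    return audit_all(out, details)


if __name__ == "__main__":
    for name, fixes in audit_all(SAMPLE_PROFILE_LIST, SAMPLE_PROFILE_DETAILS).items():
        print(name, "->", fixes or ["ok"])
```

On the sample data the open Starbucks profile gets a delete command and the HomeNet profile gets switched to manual plus a note that it is configured for a hidden SSID. Review the commands before running them; audit_live only reads the profiles and prints suggestions, it does not change anything.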
5) Disable WPS functionality on routers
From an attacker's perspective, networks with WPS enabled stick out like a sore thumb. With a single command, a hacker can scan the local area for networks that advertise WPS and would make a good target for an attack like WPS Pixie Dust.
What's scary about WPS PIN attacks is that the impact of a successful attack goes beyond simply learning the current password. If the attacker recovers your WPS PIN, whether through a Reaver-style online brute force or a Pixie Dust attack, they get your password no matter how long, unique, or secure it is. This is because the WPS PIN was designed to let a device retrieve the network password from the router, so by abusing it, the hacker gets the same access the owner of the device has.
To lock out a hacker who has your WPS PIN, changing the Wi-Fi password isn't enough, since the PIN hands over the new password just as easily. You also need to disable WPS, or change the PIN, which many routers don't allow, and replace the router if WPS can't actually be turned off. To make sure your long, secure password stays secret, disable this option in your router's settings.
The procedure for disabling WPS varies, but in general you log into your router's admin page and untick the option labelled "WPS PIN", "WPS Setup" or similar. On some older routers, disabling WPS in the menu doesn't actually turn it off, so to check for yourself you can use the wash tool (part of the Reaver package on Kali Linux, run from a monitor-mode interface) to list nearby networks still advertising WPS. If your router still advertises WPS after you've disabled it, replace the device.
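To make the size of the WPS PIN problem concrete, here is an added example (not code from the original article) of the arithmetic behind a Reaver-style attack: the PIN checksum rule from the WPS specification, and a toy registrar that answers the way a WPS 1.0 access point does, rejecting after message M4 when the first half of the PIN is wrong and after M6 when the second half is wrong. The ToyRegistrar class and recover_pin function are models for illustration and talk to no real device; 12345670 is used only because it is a well-known PIN with a valid checksum.

```python
# Added example (not from the original article): a model of why WPS PINs fall to
# online brute force. The checksum rule is the one in the WPS specification; the
# registrar below is a toy that only reproduces the response behaviour Reaver
# relies on (the AP rejects after M4 when the first half is wrong and after M6
# when the second half is wrong). It is not code that talks to a real router.


def wps_checksum(first_seven: int) -> int:
    """Checksum digit the WPS spec appends to the 7-digit PIN body."""
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class ToyRegistrar:
    """Stand-in for the AP. Responds like a WPS 1.0 registrar with no lockout."""

    def __init__(self, pin: str):
        assert is_valid_pin(pin)
        self._pin = pin
        self.attempts = 0

    def try_pin(self, pin: str) -> str:
        self.attempts += 1
        if pin[:4] != self._pin[:4]:
            return "NACK after M4"   # first half wrong
        if pin[4:] != self._pin[4:]:
            return "NACK after M6"   # first half right, second half wrong
        return "M7: credentials"     # PIN correct; AP hands over the WPA passphrase


def recover_pin(registrar: ToyRegistrar) -> str:
    """Reaver-style split search: up to 10,000 tries for the first half, then 1,000 for the rest."""
    for head in range(10_000):
        probe = f"{head:04d}0000"
        reply = registrar.try_pin(probe)
        if reply.startswith("M7"):
            return probe
        if reply == "NACK after M6":
            break
    else:
        return ""
    for body in range(1_000):
        seven = head * 1000 + body
        pin = f"{seven:07d}{wps_checksum(seven)}"   # only checksum-valid PINs need trying
        if registrar.try_pin(pin).startswith("M7"):
            return pin
    return ""


if __name__ == "__main__":
    ap = ToyRegistrar("12345670")   # well-known default PIN with a valid checksum
    print(recover_pin(ap), "after", ap.attempts, "attempts (worst case 11,000)")
```

Because each half is confirmed separately, the search is at most 10,000 + 1,000 guesses instead of 10^8 (or 10^7 once the checksum is accounted for), which is why an unlocked WPS PIN falls in hours and why a router that only rate-limits WPS, rather than disabling it, is still a target. Pixie Dust shortcuts even that on routers whose WPS nonces are weak, recovering the PIN offline from a single exchange.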
6) Never reuse passwords for Wifi
One of the biggest weaknesses of WPA2-Personal, the current Wi-Fi standard, is that a weak password makes it easy for an attacker to break into the network. If your Wi-Fi password is among the top million or so most common passwords, a hacker can likely breach your network in a matter of minutes. All they need to do is capture a four-way handshake from a device connecting to the Wi-Fi, load it into a tool like Hashcat, and sit back while it tries every guess in a massive list of breached passwords; each guess is checked offline against the capture, so your router never sees the attempts.
One thing that's critical here is to think of password strength in two ways. A password must be hard to guess, and it must be unique. Using the same or a very similar password for other accounts can land your password on a breached-password list, making it one of the default "bad" passwords a hacker will try in a brute-force attack.
So how can even a long and complicated password used in multiple places become public? Companies lose user passwords in breaches all the time, and one of the most common follow-up tactics is to try those passwords everywhere else once they're available. Wi-Fi hackers know that people love to copy their favorite "strong" password from one account to another, which makes it easy to crack passwords that are long but not actually unique.
To see which of your favorite passwords might already be common knowledge, run your accounts through haveibeenpwned.com to see which companies have leaked your credentials; the same site's Pwned Passwords service lets you check whether a specific password appears in known breaches without sending the password itself. Never use a password for your Wi-Fi that you use elsewhere online, and never use a password that's been exposed by another service.
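As an added example (not code from the original article), this checks a candidate Wi-Fi passphrase against haveibeenpwned.com's Pwned Passwords range API. The API's k-anonymity design means only the first five hex characters of the password's SHA-1 hash are sent; matching against the returned list of suffixes happens locally. The range response embedded below is constructed so the logic runs offline (the breach counts and the extra suffixes are invented), while fetch_range does the real lookup.

```python
import hashlib
import secrets
import string
import urllib.request

# Added example (not from the original article): check a candidate Wi-Fi
# passphrase against the haveibeenpwned.com Pwned Passwords range API using its
# k-anonymity scheme. Only the first five hex characters of the SHA-1 hash leave
# your machine; the API returns every known suffix in that range with a count.
# SAMPLE_RANGE_RESPONSE below is constructed (the counts are made up) so the
# logic runs offline; fetch_range() does the real HTTPS call.

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_prefix_suffix(password: str) -> tuple:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_response: str) -> int:
    """Breach occurrences for `suffix` in a range response ('SUFFIX:COUNT' per line)."""
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup: the server only ever learns the 5-character prefix."""
    with urllib.request.urlopen(HIBP_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_pwned(password: str, range_lookup=fetch_range) -> int:
    """Return how many times the password has appeared in breaches (0 = not found)."""
    prefix, suffix = hash_prefix_suffix(password)
    return count_in_range(suffix, range_lookup(prefix))


def random_passphrase(length: int = 20) -> str:
    """A unique passphrase that will not be on any breach list."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed stand-in for GET /range/5BAA6. The first suffix is the real tail of
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; the counts and
# the other two suffixes are invented.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAC5BFB2E8A7A1D7B23D2FDB3F6B2C99:2
1F9ED3E6AB7F0CDBF3B0C4C8A9E2F5E1D77:15
"""


def demo_offline(password: str) -> int:
    """Same check, answered from the constructed response instead of the network."""
    return is_pwned(password, range_lookup=lambda prefix: SAMPLE_RANGE_RESPONSE)


if __name__ == "__main__":
    print("password ->", demo_offline("password"), "hits")
    fresh = random_passphrase()
    print(fresh, "->", demo_offline(fresh), "hits")
```

Any non-zero count means the passphrase is already in the lists Hashcat will be fed, and it should not be used for Wi-Fi or anywhere else. Replace demo_offline with is_pwned to query the live API.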
7) Isolate clients to their own subnet
A potentially devastating mistake made by many small businesses offering Wi-Fi to customers is failing to isolate guest users from each other and from the business's own devices. Done properly, this means guests sit on their own subnet (or VLAN) with client isolation enabled on the access point, so each client can talk only to the router and isn't free to scan other devices on the network or connect to their open ports.
On a network with proper client isolation, an Nmap or arp-scan sweep should reveal nothing, or the router as the only other device on the network. In addition, the router shouldn't expose any administration or configuration pages to the guest network, as these pages often leak information a hacker can use to exploit the router.
Please let ACCi answer any questions you may have about public Wi-Fi.
We are here to help: 205-987-8711