Undoubtedly, mobile devices have become part of our daily lives. We carry our devices more or less everywhere, no matter if they are they are laptops, smartphones or tablets. And, more or less wherever we are, we connect to the first Wi-Fi network available. It does not really matter whether these Wi-Fi networks are trustworthy and/or secure. Often, indeed, our devices automatically connect to known Wi-Fi networks for us. But what really happens in the background and what are the security risks?

A standard Wi-Fi network is composed of an Access Point (AP) and one or more devices that connect to this Access Point, such as: computers, smartphones, tablets, game consoles, TVs and more. The Access Point, via its antenna, constantly sends signals, known as Beacon Frame, which contain several information about the Access Point itself, such as its SSID and MAC Address, as well as the mechanisms of encryption supported. The various devices, in turn, are perpetually sending signals, known as Probe Request Frame, to discover which Access Points are “in range” and/or whether a specific SSID is in range. The Access Point, then, responds to each of these signals via another signal, known as a Probe Response Frame, in which it specifies various information about himself. At this point, if a device wants to connect to a specific Access Point, it will send a signal known as Association Request Frame, to which the Access Point will respond with a signal known as the Association Response Frame. After that, the two devices determine whether they can communicate with each other via an Authentication Frame signal and, if that is the case, they can always stop the communication at any point by sending a Deauthentication Frame signal.

Now, the question is: what if a malicious Access Point claims to be a particular Access Point of a Wi-Fi network to which we connected in the past? Maybe, claiming to be the hotspot of the restaurant on our doorstep, or the one of a hotel chain in which we have been or even the one of our favorite coffee shop?

Device-1: [Probe Request Frame] “Hey! Who is out there? Is there AP-1?! Please, talk to me.“ Malicious-AP: [Probe Response Frame] “Hey! Here I'm! This is AP-1! Why don't we create a lovely WLAN?!” -------- AP-1: [out of range] …

Well, most likely, in case the original Access Point was “open” (i.e. it does not use any security protocol), our device will automatically connect to the malicious Access Point (even if this does not have the same MAC address of the original Access Point), giving the latter access to everything we do on the net.
Indeed, our devices remember ALL the Wi-Fi networks to which we connect and, if their Access Points are available (in range), then they often automatically connect, without necessarily perform security checks (e.g. on the MAC address of the Access Point). Moreover, even if the original Access Point uses a security protocol, this might not be enough. If, for example, the Access Point uses the WEP (Wired Equivalent Protocol) security protocol, we would not have been protected from this type of attack anyway. In fact, the password is sent within the “handshake” between the device and the Access Point. Of course, the password is sent encrypted, but the handshake can be easily decrypted offline (one can find plenty of free tools and guides online), in order to get the password.
Unluckily, this is not the last word on the matter. All this could also happen, unbeknownst to us, while we are connected to a real Access Point. Indeed, a cybercriminal could launch a Deauthentication Frame claiming to be the original Access Point to which we are connected, thus forcing our device to be disconnected in order to make it re-connects to the malicious Access Point.


Generally speaking, when it comes to Wi-Fi networks, the advice of the CRAM (Anti-Malware Research Center of TG Soft) experts is to connect ONLY to known and adequately protected networks. ALWAYS BE WARY OF open networks and/or networks that use insecure protection algorithms (such as WEP), even when they are of friends or acquaintances. And, in case you have an urgent need to connect to an insecure network, then remember to remove it from the list of networks to which you have been connected (and/or to disable the option to automatically connect to known networks, if possible).
Finally, when setting up the Wi-Fi network of your router, either at your home or office, it is ALWAYS a good idea enabling the basic security options, such as: hiding the SSID of the Access Point and use a proper security protocol (e.g. WPA2-PSK). In this regard, always remember that even WPA2-PSK is considered safe IF AND ONLY IF a complex enough password is used. For those who wants to add an additional layer of security, then it is also possible to enable the MAC Address filtering.

---------------------------------
Paolo Rovelli
Mobile Developer & Malware Analyst
CRAM (Anti-Malware Research Center) of TG Soft