Version: 1.1.x

Common Attacks

Evil Twin / Rogue AP

The most dangerous attack, and unfortunately also an easy one to execute, is the evil twin or rogue access point attack.

Because the frames advertising a WiFi network are unencrypted management frames, an attacker can create a network that has the same name and properties as a target network and then trick clients into connecting to it. When a client connects to this rogue access point, the attacker can read, redirect and alter all of its traffic as a man in the middle (MITM). Think about it this way: what would stop you from giving your home WiFi the name of a popular open WiFi network and waiting for people to connect to it?

KARMA attack

The KARMA attack is a form of evil twin attack. WiFi devices broadcast a list of networks they have connected to in the past using probe request frames. For example, your iPhone is likely transmitting the names of networks you connected to before, like Starbucks WiFi, Free_HotSpot or Airport WiFi. An attacker can capture these frames and act like an access point of such a network, which is likely to make your device connect automatically.

Detection in nzyme

There are several ways in which nzyme will detect a rogue access point, some based on traditional and easy to spoof signatures (they will still catch less sophisticated attackers or opportunists) and some based on very hard to spoof attributes of the frames advertising access points:

  • The UNEXPECTED_FINGERPRINT alert detects a different hardware platform being used to send frames. For example, if your legitimate access point runs on hardware, firmware and configuration combination X, its fingerprint will differ from that of the attack platform your attacker uses. This is not easy to spoof and also comes with a very low chance of false positive alerts.
  • The MULTIPLE_SIGNAL_TRACKS alert detects a change in the signal strength of frames received by nzyme that is significant enough to indicate an evil twin access point. It is extremely hard for an attacker to match the signal strength of your legitimate access point, and nzyme will detect the difference.
  • The BANDIT_CONTACT alert will detect known attack platforms used to execute evil twin attacks (for example the WiFi Pineapple). Note that some bandit definitions will even catch attack platforms before they start executing attacks, during the reconnaissance phase.
  • The BEACON_RATE_ANOMALY alert will detect an increase in beacon frames, caused by the additional frames (on top of the legitimate ones) sent by an evil twin access point.
  • The UNEXPECTED_BSSID, UNEXPECTED_SSID, UNEXPECTED_CHANNEL and CRYPTO_CHANGE alerts detect a deviation in the high-level configuration of an access point advertising your networks. These are easy to spoof for a determined attacker but still a good set of alerts to have in your pocket.
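As an added example (not nzyme's code), the configuration checks and a simplified signal-track count behind the alerts above, run over constructed beacon records; the network values, the fingerprint strings and the gap-based track split are assumptions for illustration, not nzyme's actual algorithm.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:          # one decoded beacon frame (constructed records, not captures)
    ssid: str
    bssid: str
    channel: int
    crypto: str        # e.g. "WPA2-PSK" or "OPEN"
    fingerprint: str   # placeholder for a hardware/firmware-derived fingerprint
    signal: int        # dBm as received by the sensor

# Expected state of the legitimate network (placeholder values for this example).
EXPECTED = {
    "CorpWiFi": {"bssids": {"aa:bb:cc:00:00:01"}, "channels": {6},
                 "crypto": "WPA2-PSK", "fingerprints": {"fp-legit"}},
}

def check_beacon(b, expected=EXPECTED):
    """Configuration- and fingerprint-based alerts raised by a single beacon."""
    alerts = []
    cfg = expected.get(b.ssid)
    if cfg is None:
        # One of our own BSSIDs advertising an SSID it was never configured for.
        if any(b.bssid in c["bssids"] for c in expected.values()):
            alerts.append("UNEXPECTED_SSID")
        return alerts
    if b.bssid not in cfg["bssids"]:
        alerts.append("UNEXPECTED_BSSID")
    if b.channel not in cfg["channels"]:
        alerts.append("UNEXPECTED_CHANNEL")
    if b.crypto != cfg["crypto"]:
        alerts.append("CRYPTO_CHANGE")
    if b.fingerprint not in cfg["fingerprints"]:
        alerts.append("UNEXPECTED_FINGERPRINT")
    return alerts

def signal_tracks(beacons, gap_db=15):
    """Count signal-strength tracks per BSSID: sorted readings are split wherever
    two neighbours differ by more than gap_db. Two tracks for one BSSID means two
    transmitters (legitimate AP and evil twin) are sharing that address."""
    by_bssid = {}
    for b in beacons:
        by_bssid.setdefault(b.bssid, []).append(b.signal)
    tracks = {}
    for bssid, sigs in by_bssid.items():
        sigs.sort()
        tracks[bssid] = 1 + sum(1 for lo, hi in zip(sigs, sigs[1:]) if hi - lo > gap_db)
    return tracks
```

A BSSID with two or more tracks is the condition MULTIPLE_SIGNAL_TRACKS describes; the other alert names are returned per beacon by check_beacon.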

Jamming / Deauthentication

The deauthentication frame is a part of the WiFi standard that instructs a device to disconnect from an access point. There are many legitimate reasons to send one, like a graceful shutdown of an access point, but unfortunately there is also a big issue with it: it is an unencrypted management frame. Anyone can spoof it and instruct any device to disconnect from any access point. Because there is no way for a device to reliably decide whether a deauthentication frame is legitimate, it will usually accept the order and disconnect from the access point.

A deauthentication phase is part of forcing a device to connect to a rogue access point (see above), but here we focus on the possibility of jamming a whole WiFi environment.

A WiFi deauth jammer

Deauthentication frames are often referred to as deauth frames. The extremely low effort required to spoof deauth frames allows an attacker to send them from a tiny, easily concealed device.

[Image: deauthentication device]

These devices can be built using freely available software, and specialized ready-to-use devices can be purchased online in many shapes and forms.

Effects of deauth jamming

The effect of an active deauth jammer depends on its configuration. It could be configured to simply deauthenticate every device from every access point and cause massive connectivity issues across the whole WiFi environment. A more targeted attack would scan for the devices connected to access points serving a target network and then constantly deauthenticate all of them. Of course, it could also target a single device.

Detection by nzyme

Nzyme can automatically detect deauth attacks if a known deauth platform is used. It will raise a BANDIT_CONTACT alert:

[Image: screenshot of alert]

A human operator of nzyme can detect deauthentication attacks by spotting an increase in frame throughput. Note that currently there is no view of deauthentication frame volume available, but this might change in future versions. Another future possibility is an alert that attempts to detect deauthentication frame anomalies, but this needs to be proven in practice to avoid too many false positive alerts in noisy or unpredictable environments.
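As an added example, not part of nzyme, the kind of deauthentication-volume anomaly check the paragraph above describes as a future possibility, run over a constructed frame log; the window size, the baseline and the sustained-run thresholds are assumptions chosen for illustration, and the sustained-run requirement is one way to keep a single noisy second from alerting.

```python
from collections import Counter

DEAUTH = 12  # 802.11 management frame subtype for Deauthentication

def sample_frames():
    """Constructed frame log, not a capture: (timestamp_s, subtype, destination).
    10 s of background traffic with 2 deauths/s (normal disconnects), then 5 s of
    broadcast deauth flooding at 60 frames/s. One beacon per second is mixed in."""
    frames = []
    for sec in range(15):
        rate = 60 if sec >= 10 else 2
        dst = "ff:ff:ff:ff:ff:ff" if sec >= 10 else "02:00:00:00:00:%02x" % sec
        frames += [(sec + k / rate, DEAUTH, dst) for k in range(rate)]
        frames.append((sec + 0.5, 8, "ff:ff:ff:ff:ff:ff"))  # subtype 8 = beacon
    return frames

def deauth_per_window(frames, window_s=1.0):
    """Deauth frames per fixed time window, as a list indexed by window number."""
    if not frames:
        return []
    last = int(max(ts for ts, _, _ in frames) // window_s)
    series = [0] * (last + 1)
    for ts, subtype, _ in frames:
        if subtype == DEAUTH:
            series[int(ts // window_s)] += 1
    return series

def deauth_anomalies(frames, window_s=1.0, baseline_windows=10, factor=4.0,
                     floor=10, sustain=3):
    """Indices of windows that open a run of `sustain` consecutive windows whose
    deauth count exceeds max(floor, factor * baseline mean). The baseline is the
    mean of the first `baseline_windows` windows, assumed attack-free. Requiring
    a sustained run is what keeps one noisy second from raising an alert."""
    series = deauth_per_window(frames, window_s)
    head = series[:baseline_windows]
    baseline = sum(head) / len(head) if head else 0.0
    limit = max(floor, factor * baseline)
    alerts, run = [], 0
    for i, count in enumerate(series):
        run = run + 1 if count > limit else 0
        if run == sustain:
            alerts.append(i - sustain + 1)
    return alerts

def deauth_targets(frames):
    """Deauth frames per destination: a broadcast-heavy count points at whole-
    environment jamming, a single station address at a targeted attack."""
    return Counter(dst for _, subtype, dst in frames if subtype == DEAUTH)
```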

Wiretapping / Eavesdropping

It is very easy to capture all data exchanged in WiFi networks. What is important to understand is that this does not only affect unprotected (passwordless) WiFi networks but also WPA and WPA2 protected networks, if you have the password for such a network. Everyone in the network shares the same key, so even if you are in a protected public network, everyone else with knowledge of the passphrase (think of a coffee shop network with a shared password) can listen to your traffic.

WiFi wiretapping happens entirely passively, and there is no way for nzyme to detect it if this is the only attack executed. All communication in a WiFi network must be encrypted at higher network layers (use encryption for HTTP, SMTP, IMAP and everything else your devices use to communicate).