Trustwave has released Snappy, a tool that makes it easy to determine whether a Wi-Fi network is fake or fraudulent. Specifically, the utility checks whether the network spoofs the MAC address and SSID. The tool is available as a free download from the company’s GitHub repository.
For years, security experts have been warning about the dangers of using Wi-Fi hotspots in public places such as cafes, airports, hotels, or shopping malls. These access points may turn out to be attackers’ devices, which let them carry out a man-in-the-middle attack and intercept the victim’s traffic, account credentials, and payment information.
Snappy tool helps detect fake Wi-Fi networks
Trustwave expert Tom Neaves writes that spoofing the MAC addresses and SSIDs of real access points in open networks is a trivial task for attackers. As a result, people’s devices often try to automatically connect to networks they have previously connected to using a saved access point, but in fact connect to a malicious device. To make it easier to avoid such situations, Neaves has created a Python script called Snappy that helps determine whether the access point the user is connecting to is the same as always, or whether the user is dealing with an attacker’s fake device.
Explaining the mechanism
After analyzing the Beacon Management Frames, the expert found certain static elements, including data about the provider, BSSID, supported speeds, channel, country, maximum transmit power, and so on. This data varies for different 802.11 wireless access points, but remains the same for a particular access point over time.
Neaves concluded that it was possible to concatenate these elements and hash them using SHA256, creating a unique access point signature that could then be used to detect matches or mismatches. A match means that the access point is the same as always (that is, trustworthy), while a signature mismatch means that something has changed, and the access point may be malicious.
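The signature idea described above can be sketched as follows. This is an added example, not Snappy's own code: the choice of static information elements, the function names, and the sample frames (built inline, not captured) are assumptions made for illustration.

```python
import hashlib
import struct

# IEs assumed stable for one access point: SSID, supported rates, channel,
# country, extended rates, vendor-specific. Snappy's own field list may differ.
STATIC_IES = {0, 1, 3, 7, 50, 221}

def parse_beacon(frame: bytes):
    """Split a raw 802.11 beacon (no radiotap header, no FCS) into BSSID and IEs."""
    if len(frame) < 36 or frame[0] != 0x80:
        raise ValueError("not a beacon frame")
    bssid, ies, pos = frame[16:22], [], 36  # 24-byte header + 12 fixed bytes
    while pos + 2 <= len(frame):
        ie_id, ie_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + ie_len]
        if len(value) != ie_len:
            raise ValueError("truncated information element")
        ies.append((ie_id, value))
        pos += 2 + ie_len
    return bssid, ies

def ap_signature(frame: bytes) -> str:
    """SHA256 over the BSSID plus the static IEs, in the order they were sent."""
    bssid, ies = parse_beacon(frame)
    digest = hashlib.sha256(bssid)
    for ie_id, value in ies:
        if ie_id in STATIC_IES:  # skips TIM (5), which changes per beacon
            digest.update(bytes([ie_id, len(value)]) + value)
    return digest.hexdigest()

def build_beacon(bssid, ssid, rates, channel, country, timestamp, dtim_count):
    """Constructed sample frame for the demo; not a capture."""
    def ie(ie_id, value):
        return bytes([ie_id, len(value)]) + value
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", timestamp, 100, 0x0401)
    tim = bytes([dtim_count, 3, 0, 0])
    body = ie(0, ssid) + ie(1, rates) + ie(3, bytes([channel])) + ie(5, tim)
    return header + fixed + body + (ie(7, country) if country else b"")

BSSID = bytes.fromhex("020000aabbcc")  # constructed, locally administered MAC
RATES = bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])
known = build_beacon(BSSID, b"CafeWiFi", RATES, 6, b"GB \x01\x0d\x14", 1000, 0)
later = build_beacon(BSSID, b"CafeWiFi", RATES, 6, b"GB \x01\x0d\x14", 987654, 2)
clone = build_beacon(BSSID, b"CafeWiFi", RATES[:4], 6, b"", 5000, 0)

if __name__ == "__main__":
    print("same AP later:", ap_signature(later) == ap_signature(known))
    print("same SSID/BSSID, different beacon:", ap_signature(clone) == ap_signature(known))
```

The beacon timestamp and the TIM element are left out of the hash because they change from one beacon to the next, so the same access point keeps one signature while a device that copies only the SSID and BSSID produces a different one.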
In addition, Snappy is able to detect hotspots created with Airbase-ng. This tool is often used by attackers to create fake access points, intercept packets of connected users, and inject data into other people’s network traffic.