How to force clients to connect to WiFi automatically?

You can't simply force a client, but you can trick it!

As long as the device's WiFi is running, it keeps sending probe requests, searching for your previously connected networks. Using some software like airodump-ng, you can easily sniff out those probes.
Then the attacker may create a similar evil twin using the BSSID and ESSID gathered from the previous probes.

So, as the device sees the pre-saved network up again, it reconnects, thinking it is the legit network.

However, there is something to be aware of:
This only works with public networks. It does not work with secured networks unless you already know the security phrase.

Important note:
This attack can also be done against pre-saved networks with a passphrase, if the passphrase is weak enough to be cracked. The steps are:

  1. Create the evil twin network using the BSSID, ESSID and the same auth type as the spoofed network ("WPA, WPA2 or WEP").
  2. The client will try to connect to the network, providing the passphrase challenge.
  3. The authentication obviously won't work, but you can sniff the challenge.
  4. Using some cracking tool, you can crack the phrase.
  5. Re-create the network using the new passphrase.

Now the client will connect to the spoofed network even if it has some security level, so it's always a good idea to use strong phrases!


There are a few methods that could have been used:

  1. Devices of all sorts that use WiFi connection usually have a setting that lets the device connect automatically when the same SSID is out there. This is usually set by default and users do not usually turn it off.
    Hak5 generated a list of many, many public WiFi SSIDs (e.g. "McDonald's free wifi") that the devices probably connected to at some point in their lifetime.
    Then the devices connect to the AP since they recognize the SSID.
    Note:

    • This is a setting that can be turned off easily or even a simple "Forget this network" solves the issue.
    • Some devices also have a setting that tells the device to connect automatically to any open WiFi. You can imagine the issue here...
  2. Another method is to scan the local area for all WiFi connections and duplicate the exact ones using their SSID and MAC address, and then create a stronger signal, forcing the connected devices to move to your AP (they see it as the same one).

  3. Some devices also send out requests searching for specific WiFi connections that they have in their history, in order to reconnect. These requests can be captured and used against the device by faking the AP the device is requesting.

Note: These methods will only work using an open WiFi network that does not require a passphrase. If you do wish to spoof an AP with a passphrase, it would have to be the same passphrase as the original AP.
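Both answers describe the same thing a defender can watch for: a network name or BSSID that is already in use showing up again with a different BSSID, channel or security type. The following is an added detection example (not from either answer) that checks beacon observations against a baseline of known access points; the network names, MAC addresses and record layout are all constructed.

```python
# Added example (not from the original answers): flag evil-twin style beacons
# against a baseline of the access points we actually operate. All records
# below are constructed sample data, not a real capture.
from collections import defaultdict

# Baseline: essid -> set of (bssid, channel, privacy) that are legitimately ours.
TRUSTED = {
    "CorpGuest": {("00:11:22:33:44:55", 6, "OPN")},
    "CorpWiFi": {("00:11:22:33:44:66", 11, "WPA2")},
}

# Constructed beacon observations, as a wireless scanner might report them.
OBSERVED = [
    {"essid": "CorpGuest", "bssid": "00:11:22:33:44:55", "channel": 6, "privacy": "OPN"},
    # Same ESSID, unknown BSSID: a clone that relies on auto-join by network name.
    {"essid": "CorpGuest", "bssid": "aa:bb:cc:dd:ee:01", "channel": 1, "privacy": "OPN"},
    # Our BSSID on another channel: the BSSID itself is being spoofed.
    {"essid": "CorpWiFi", "bssid": "00:11:22:33:44:66", "channel": 3, "privacy": "WPA2"},
    # Same ESSID but open instead of WPA2: a security-downgrade twin.
    {"essid": "CorpWiFi", "bssid": "aa:bb:cc:dd:ee:02", "channel": 11, "privacy": "OPN"},
    # Legitimate AP exactly as in the baseline: no finding expected.
    {"essid": "CorpWiFi", "bssid": "00:11:22:33:44:66", "channel": 11, "privacy": "WPA2"},
    # Unrelated network: not ours, so not assessed.
    {"essid": "Neighbour", "bssid": "de:ad:be:ef:00:01", "channel": 9, "privacy": "WPA2"},
]

def classify(beacon, trusted=TRUSTED):
    """Return a finding label for one beacon, or None if it matches the baseline."""
    essid = beacon["essid"]
    if essid not in trusted:
        return None  # not one of our networks
    if (beacon["bssid"], beacon["channel"], beacon["privacy"]) in trusted[essid]:
        return None  # exact match with a known-good AP
    known_bssids = {b for b, _, _ in trusted[essid]}
    known_privacy = {p for _, _, p in trusted[essid]}
    if beacon["bssid"] in known_bssids:
        return "bssid-spoof"  # our BSSID seen with a different channel or auth type
    if beacon["privacy"] == "OPN" and "OPN" not in known_privacy:
        return "open-downgrade-twin"  # secured network cloned as an open one
    return "essid-clone"

def find_twins(beacons, trusted=TRUSTED):
    """Group offending BSSIDs by finding label."""
    findings = defaultdict(list)
    for beacon in beacons:
        label = classify(beacon, trusted)
        if label:
            findings[label].append(beacon["bssid"])
    return dict(findings)
```

Calling `find_twins(OBSERVED)` on the sample data reports one ESSID clone, one BSSID spoof and one open downgrade twin, while the legitimate and unrelated beacons produce no finding.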