WiFi Snooping: Unauthorized Network Surveillance

Cyberattack
Howard Poston
Dec 21, 2023
Wireless networks provide a convenient way to access the Internet. Instead of plugging a computer or phone into a physical network, it’s possible to enter a network’s SSID and (optional) password and connect via WiFi.

However, while wireless networks are convenient, they can also be less secure than wired networks. One of the advantages of wired Ethernet is that an attacker needs to be physically connected to the network to snoop on its traffic.

With WiFi networks, anyone connected to the network has the ability to intercept and monitor other users’ network traffic. This poses a potential risk to digital privacy and security, especially in the case of unsecured public wireless networks.

This article explores the threat of WiFi snooping. This includes how the attack is performed, its potential risks, and best practices for protecting against it.

Understanding WiFi Snooping

Wireless networks use radio signals to carry data instead of sending it over a cable. A computer connected to a wireless network will broadcast its traffic, and the wireless access point (AP) listening for this traffic will capture it and send it to the next network hop (either via wireless signals or an Ethernet cable). Any responses will be broadcast by the AP and received by the computer listening for them.

The problem with this design is that anyone can capture the wireless signals that are being transmitted by a computer and a wireless AP. By default, computers are configured to only listen for wireless traffic that is intended for them. However, they do so by capturing every bit of wireless traffic, checking to see if it was addressed to them, and discarding any packets intended for other users.

A WiFi snooper will reconfigure their network interface card (NIC) to be in promiscuous mode, which means it captures all traffic on the network, not just those packets intended for it. Then, using a network traffic analysis tool like Wireshark, they can capture all of the traffic flowing over the wireless network for analysis.

One protection against WiFi snooping is the use of a password-protected network, which encrypts the data flowing over the network. However, this only provides protection if the network is using a secure protocol (i.e. not WEP or WPA) and an attacker doesn’t know and can’t guess or brute force the password. While each user of a password-protected network has their own encryption key, the only secret used to derive this key is the network password, so anyone who observes the initial handshake setting up a user’s key can derive the key and use it to decrypt their traffic.
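
The key derivation described above, as an added Python example that is not part of the original article. It follows the WPA2-Personal scheme from IEEE 802.11 (PBKDF2 for the master key, then the HMAC-SHA1 PRF for the per-station key); the SSID, passphrase, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    blocks = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return blocks[:64]  # 4 x 20 bytes, truncated to the 512-bit PTK

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> bytes:
    """Per-station key. Every input except the PMK is sent in clear in the handshake."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)

# Constructed sample values (not from a real network).
SSID, PASSPHRASE = "ExampleCafe", "constructed-passphrase"
AP_MAC = bytes.fromhex("020000000001")
# Each station: (MAC address, AP nonce, station nonce) as seen in its handshake.
ALICE = (bytes.fromhex("020000000002"), bytes(range(32)), bytes(range(32, 64)))
BOB = (bytes.fromhex("020000000003"), bytes(range(64, 96)), bytes(range(96, 128)))

def station_ptk(passphrase: str, station: tuple) -> bytes:
    """Derive one station's PTK from the shared passphrase and its handshake values."""
    sta_mac, anonce, snonce = station
    pmk = pmk_from_passphrase(passphrase, SSID)
    return derive_ptk(pmk, AP_MAC, sta_mac, anonce, snonce)

if __name__ == "__main__":
    alice, bob = station_ptk(PASSPHRASE, ALICE), station_ptk(PASSPHRASE, BOB)
    print("keys differ per station:", alice != bob)
    print("only secret input is the shared passphrase; MACs and nonces are public")
    print("wrong passphrase gives a different key:",
          station_ptk("other-passphrase", ALICE) != alice)
```

Because the passphrase is the only secret input, per-station keys on a shared-password network do not isolate users from one another, which is why the article's later advice to layer HTTPS or a VPN on top still applies on password-protected WiFi.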

Risks and Consequences

Snooping on WiFi traffic provides an attacker with visibility into a user’s web browsing activity and can introduce other risks. Some of the potential consequences include:

  • Sensitive Data Disclosure: If the user’s web browser isn’t using a secure protocol (such as HTTPS), the user’s network traffic may be readable by an eavesdropper. This could allow the attacker to steal sensitive information such as passwords, payment card data, or other personally identifiable information (PII).
  • Traffic Analytics: Even if secure network protocols are used, an attacker may be able to infer some information about the user’s web browsing by inspecting unencrypted packet headers and similar unprotected data. For example, DNS traffic is unencrypted by default, and a request for the IP address associated with a particular website indicates that the user plans to browse that site.
  • Malware Infections: When connected to a network labeled as a home or private network, computers may have relaxed security to permit access to file servers, printers, etc. An attacker on the same network may be able to exploit this weaker security to infect a computer with malware or steal sensitive data.
  • Disruption: An attacker on the same WiFi network as their target may also take action to disrupt their connection. For example, sending de-authentication packets to a computer or wireless AP can cause the device to be disconnected from the network.

Recent Examples of WiFi Snooping

WiFi snooping attacks can be performed passively, with the attacker simply capturing wireless transmissions and snooping on traffic. These attacks are largely undetectable since a passive sensor has no impact on the rest of the network.

However, an attacker can also take a more active role in eavesdropping on wireless network traffic. For example, in an evil twin attack, the attacker sets up a rogue AP that uses the same SSID and password as a legitimate network. If users connect to this malicious AP, then the attacker can observe their network traffic.

One notable evil twin attack was carried out by the GRU, a Russian intelligence agency. The attackers would park their car near a building that they wanted to target and use a directional antenna and a WiFi Pineapple to send a wireless signal into the building. When people connected to their malicious network, the attackers were able to eavesdrop on their traffic.

This attack was part of a large-scale intelligence operation targeting many different countries. The attackers were known to operate in Colorado, Brazil, Canada, Monaco, the Netherlands, and Switzerland.

Use Cases of WiFi Snooping

In theory, a WiFi snooping attack can be performed on any wireless network. If the network is not password-protected or if the attacker can learn or guess the password, they can capture and eavesdrop on the network traffic.

However, in practice, WiFi snooping is more prevalent on wireless networks that are more likely to be accessible to an attacker or are worth the effort of breaking into. For example, WiFi snooping attacks are common at hotels, airports, cafes, and other locations with public WiFi. However, cybercriminals may also target corporate wireless networks due to the potentially valuable data flowing over these networks.

The goal of WiFi snooping is to collect information. Some of the potential use cases for these attacks include:

  • Corporate Espionage: WiFi snooping attacks are commonly used to steal intellectual property or other corporate data. Cybercriminals may connect to corporate networks or target traveling executives, attempting to sniff sensitive information off of airport or hotel WiFi networks.
  • Credential Theft: Some network protocols, such as Telnet and FTP, transmit login information in cleartext. If these insecure protocols are in use, an attacker eavesdropping on a wireless network can collect login credentials and use them to take over users’ accounts.
  • Identity and Financial Theft: Credentials are not the only types of sensitive data that might be flowing unencrypted over wireless networks. An attacker may be able to access personally identifiable information (PII) or financial data that could be used for identity theft or financial fraud.
  • Network Reconnaissance: By monitoring network traffic, an attacker can map out the various communicating computers and the protocols and software in use. This can help an attacker to identify potentially exploitable vulnerabilities without exposing their presence on the network.

Protecting Against WiFi Snooping

WiFi snooping can pose a significant threat to data privacy and security. However, there are numerous options for protecting against this attack, including:

  • Password-Protected Wi-Fi: While a snooper can still read traffic over an encrypted network, they need to know the password to do so. Setting a strong WiFi password makes it more difficult for an attacker to connect to and sniff traffic from a wireless network.
  • Strong WiFi Protocols: Outdated WiFi protocols such as WEP and WPA contain exploitable vulnerabilities. Ensure that wireless networks are protected by secure protocols such as WPA2 or WPA3.
  • Use HTTPS: With HTTPS, network traffic is encrypted by TLS and doesn’t rely on the encryption of the WiFi network or other medium. Using HTTPS when browsing the web limits the potential impacts of WiFi snooping attacks.
  • Use a VPN: A virtual private network (VPN) is another means of encrypting traffic flowing over wireless networks. A VPN encrypts traffic traveling between a user’s computer and the VPN endpoint, protecting it against eavesdropping.
  • Public Network Settings: If a computer is connected to a network labeled as a home or private network, it has fewer defenses in place than if that network were labeled as public. Be sure to label all untrusted networks as public if your computer asks.
  • Patch Management: An attacker on the same WiFi network has additional access that they can use to exploit potential vulnerabilities in a computer. Apply updates and patches promptly to protect computers from attack.
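
One way to check for two of the issues discussed in this article, the evil twin described earlier and the outdated protocols named in the Strong WiFi Protocols item, is to audit wireless scan results against an inventory of managed access points. This is an added Python example, not part of the original article; the record format, the inventory, the SSIDs and the BSSIDs are all hypothetical and constructed.

```python
from dataclasses import dataclass

# Protocols the article calls outdated, plus networks with no encryption at all.
WEAK = {"OPEN", "WEP", "WPA"}

@dataclass(frozen=True)
class Beacon:
    """One access point seen in a scan (hypothetical record format)."""
    ssid: str
    bssid: str
    security: str

# Hypothetical inventory: managed SSID -> {BSSID: expected security}.
INVENTORY = {
    "CorpNet": {"02:00:00:aa:00:01": "WPA2", "02:00:00:aa:00:02": "WPA2"},
}

# Constructed scan results.
SCAN = [
    Beacon("CorpNet", "02:00:00:aa:00:01", "WPA2"),    # matches inventory
    Beacon("CorpNet", "02:00:00:FF:00:09", "WPA2"),    # same SSID, unknown radio
    Beacon("CorpNet", "02:00:00:aa:00:02", "WPA"),     # known radio, downgraded
    Beacon("GuestWiFi", "02:00:00:bb:00:01", "OPEN"),  # unmanaged, unencrypted
]

def audit(beacons, inventory):
    """Return (bssid, ssid, reason) findings for rogue-looking or weak APs."""
    findings = []
    for b in beacons:
        bssid, sec = b.bssid.lower(), b.security.upper()
        managed = inventory.get(b.ssid)
        if managed is not None:
            if bssid not in managed:
                # Someone else is advertising an SSID we operate.
                findings.append((bssid, b.ssid, "unknown-bssid"))
            elif managed[bssid] != sec:
                findings.append((bssid, b.ssid, "security-mismatch"))
        if sec in WEAK:
            findings.append((bssid, b.ssid, "weak-encryption"))
    return findings

if __name__ == "__main__":
    for finding in audit(SCAN, INVENTORY):
        print(finding)
```

A BSSID can be copied, so a match against the inventory narrows the search rather than proving that an access point is legitimate.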

Legal and Ethical Considerations

WiFi snooping attacks take advantage of legitimate functionality and the features of wireless networks. For example, a computer connected to a wireless network will also receive the traffic of other connected devices, so capturing this traffic is unavoidable. While a computer will usually discard the traffic not intended for it, choosing to observe all traffic on a personal or company-owned network is legal and ethical if performed for the purpose of network monitoring and troubleshooting.

However, legal and ethical problems with WiFi snooping arise when it is performed on someone else’s network or with malicious intent. WiFi snooping without the consent of the network owner may be classified as unauthorized access or abuse of computing systems, which is illegal in certain jurisdictions.

The use of WiFi snooping to collect sensitive information is also a threat to privacy and security and runs afoul of various data protection laws. For example, some data contained in wireless traffic may be considered PII, and the collection and processing of this data without the data subject’s consent may violate data protection laws.

In general, the term WiFi snooping is used to refer to network monitoring without authorization and with potentially malicious intent. If an activity can’t be classified as legitimate network monitoring, it is likely unethical and potentially illegal.

Conclusion

WiFi snooping attacks take advantage of the fact that wireless networks typically offer less security than their wired counterparts. Anyone in range of the network’s radio signals can intercept packets, and anyone with knowledge of the network’s password — if it has one — can decrypt all other users’ traffic.

By snooping on WiFi traffic, an attacker can collect various types of sensitive information. If insecure protocols are in use, the eavesdropper may be able to steal login credentials or other sensitive data transmitted in cleartext. Even if traffic is using HTTPS and other encrypted protocols, an attacker may be able to glean some useful information from unencrypted metadata.

Ultimately, the best way to protect against WiFi snooping attacks is to treat all wireless networks as potentially insecure. Using HTTPS and a VPN can also be useful as they encrypt traffic, preventing potential eavesdropping.

Organizations can also take steps to mitigate the potential ramifications of a WiFi snooping attack. For example, the threat of credential theft can be addressed by switching to a passwordless authentication system.

Kelvin Zero’s Multi-Pass offers exactly that, with true passwordless MFA that eliminates the threat of an attacker intercepting and reusing unprotected login credentials. Learn more about Multi-Pass and how your organization can protect its employees and customers against password theft with next-gen, phishing resistant passwordless authentication. 

 

Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant.