What is a WiFi Karma attack?

When you're out and about, it's natural to look for WiFi networks you can connect to. After all, no one wants to use up all their available mobile data if there is an alternative. But the attraction of open WiFi networks has led to many consequences.

One of them is the WiFi Karma attack. And as you go about your daily life and your device connects to 'known networks', it's essential to be aware of the potential dangers.

Let's explore how WiFi Karma attacks work and how you can stay safe.

What is a WiFi Karma attack?

The WiFi Karma attack is a variation of the famous 'Evil Twin attack'. That's where the attacker tricks your device into connecting to a WiFi network controlled by the hacker.

Imagine a Doppelgänger trying to become your best friend to take advantage of your trust. In the tech world, this Doppelgänger is a malicious WiFi access point and the trust is the SSID (Service Set Identifier) ​​- the name of the WiFi network.

How does the Karma attack work?

What is a WiFi Karma attack? Picture 1

Impersonating someone you trust is an age-old trick, but in the world of technology, it's still very effective. Let's see how the Karma attack plays out.

1. Probe and listen

WiFi-capable devices have a Preferred Network List (PNL), which is like a list of trusted networks on your device. These are the networks you use all the time and save on your device to automatically connect to.

It's a time-saving feature that is unfortunately exploited.

Chances are you've saved your favorite coffee shop's WiFi network in your PNL, which might be named something like 'CoffeeBeanWiFi'. When searching for WiFi, your device keeps asking 'Is CoffeeBeanWiFi here?'.

The Karma attack begins by listening for these probe requests.

2. Mimic SSID

After listening to the poll, the attacker's device copies the requested SSID. It replied back "Hey, it's me, CoffeeBeanWiFi! Connect with me!"

3. Fraudulent links

The device unsuspectingly connects to the network and believes it has found your favorite coffee shop's WiFi connection.

This connection creates a man-in-the-middle (MitM) situation, where the attacker is now between your device and the Internet, intercepting data.

Malicious devices controlled by hackers can now eavesdrop on your WiFi connection, recording login credentials, banking details, and anything sent from your device.

Step-by-step example of a Karma attack

What is a WiFi Karma attack? Picture 2

For example, Sarah is a frequent airport traveler and often takes advantage of working on her laptop while waiting for her flight. Here's how she can get trapped:

1. Probe : Sarah's laptop signals, "Is AirportFreeWiFi here?". "AirportFreeWiFi" is the SSID of the free airport WiFi she frequently accesses. She saved the network to her device's PNL because it was too convenient.
2. Impersonation : A nearby attacker captures this signal using his fake WiFi access point. The hacker's device quickly broadcast its own SSID as 'AirportFreeWiFi'.
3. Falling in the trap : Sarah's laptop connects thinking it's a reliable WiFi network from an airport she's visited countless times.
4. Compromise of personal data : Taking advantage of this trust, an attacker could monitor Sarah's online activities, collect data, or install malware.

What is the target of this attack?

What is a WiFi Karma attack? Picture 3

At first glance, you might think every WiFi-enabled device with PNL is at risk. The reality is a little more complicated. As follows:

1. The device has a long PNL

Devices with a widely available Preferred Network List (PNL) are more vulnerable. This is because they have stored the names (or SSIDs) of a lot of networks they have connected to in the past. Every name on that list is an open opportunity for an impersonator attacker.

2. Old equipment, not updated

While most current smartphones and laptops have received protection patches, older devices, certain smart home devices, or those that are not updated regularly can be vulnerable to attack.

The good news is that most modern devices have security patches rolled out to protect against the Karma attack.

Modern devices with up-to-date security patches are a bit more effective at fending off attacks. They no longer shouted the names of previously connected networks but instead listened quietly.

Modern devices will only connect when they recognize a previously known, legitimate network.

3. Public WiFi

This is where risks still exist. Saved networks that don't require authentication, like most public WiFi in coffee shops and airports, remain a prime target.

This is because there is no password to confirm the authenticity of the network. Your device will most likely be eager to connect to an access point that has the same SSID as a trusted saved network. This risk exists even when the SSID is hidden.

How to protect yourself

What is a WiFi Karma attack? Picture 4

The Karma attack is a simple trust exploit, but fortunately, the ways to protect yourself are also easy to implement:

1. Turn off auto-connect : Prevent devices from automatically connecting to WiFi networks, especially open WiFi networks. This completely eliminates the threat.

2. Cut down on PNL : Frequently forget or remove networks from your PNL. A shorter list means an attacker has fewer opportunities for exploitation.

3. Use a VPN : If you are connecting to a public WiFi network, you should use a VPN or 'Virtual Private Network'. This creates a secure encrypted path for your data. The best part is that it protects you even if you accidentally connect to a phishing network.

4. Keep your device up to date : Keep your device software up to date. This includes software and firmware updates for devices such as WiFi-connected cameras and smart home devices.

Lesley Montoya

Update 23 October 2023