
Hackers Targeting Preferred Network Lists (PNLs)

Sep 8, 2021

SONAR detects new, potentially fake access points that pose as common open networks and are broadcast within a target network’s monitored range. If such networks are not legitimate, attackers use them to trick client devices into connecting to malicious networks. Ordinarily, hackers use this technique to target devices that automatically connect to these common open networks.

This post covers more on attackers targeting your client devices’ Preferred Network Lists. Keep reading to learn more about the threat and ways to mitigate such attacks.


What is a Preferred Network List?

A preferred network list (PNL) is a list of Wi-Fi network names (SSIDs) your device automatically trusts. It holds the familiar network names that a device recognizes automatically whenever it is within reach of one of those networks. Naturally, the PNL is generated from the networks you have connected to over time.


Attacks on PNLs

Unquestionably, Wi-Fi offers the convenience of a seamless, untethered data connection. Unfortunately, it comes with security loopholes that hackers like to exploit. It is essential to learn their tricks to know which habits put you most at risk and the best practices to avoid network attacks.

Attackers take advantage of small mistakes you make while connecting your device to a network or setting up an access point or router. To avoid a mistake such as your device joining a malicious access point, you can follow the few simple precautions discussed in this post. Undeniably, hackers targeting wireless networks can opt to attack the network itself or go after a connected device. This choice gives them the flexibility to pick the weakest link and the vulnerabilities that are easiest to exploit.

The PNL is convenient but dangerous, since anyone can broadcast an SSID to trick a device into connecting. Hackers understand that client devices cannot distinguish between Wi-Fi networks that share the same name and type of security. For instance, if you connect to a Starbucks Wi-Fi network someday, your device will remember the network. From then on, it will connect automatically whenever it is within range of any open network with the ‘Starbucks’ name. Previous research indicates that if a targeted device has an SSID in its PNL, it will automatically initiate a connection with a fake hotspot using that SSID, thus disclosing sensitive information to attackers.

Hackers simply create rogue access points that mimic the names of popular open Wi-Fi access points. This tactic makes it possible for malicious actors to track nearby devices and conduct man-in-the-middle (MITM) attacks. In fact, the attack happens without you knowing. Typically, if you leave your smartphone or laptop Wi-Fi on in public, the device will not warn you when it automatically joins an open network with an SSID matching a name in your PNL. Once connected to the malicious Wi-Fi, the device sends your information through the rogue hotspot, leading to a serious risk of phishing and malware attacks. Without raising any alarm, this attack method potentially allows cybercriminals to track the sites you visit, learn the apps you use, load phishing pages, and steal sensitive information.

Hackers have access to tools that help them create rogue access points with the names of popular public networks. A security researcher demonstrated this tactic using a $3 ESP8266 microcontroller to create up to a thousand fake networks. As a result, many nearby smartphones attempted to join the networks with names in their PNLs.
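From the monitoring side, the rogue networks described above can be triaged with a few simple rules. The following is an added example, not code from the original post and not SONAR's detection logic; the watchlist, the burst threshold, the network names and the MAC addresses are all assumptions constructed for illustration.

```python
# Added example: heuristic triage of one Wi-Fi scan window (not SONAR's logic).
# Watchlist, threshold and all sample values are assumptions constructed here.
COMMON_OPEN_SSIDS = {"starbucks", "free airport wifi", "hotel guest"}
BURST_THRESHOLD = 5  # new, never-before-seen SSIDs in a single scan window


def triage(beacons, inventory, baseline_ssids):
    """beacons: dicts with ssid, bssid, security ("OPEN", "WPA2", ...).
    inventory: {ssid: {"bssids": set, "security": str}} for networks you operate.
    baseline_ssids: SSIDs already seen around the site in earlier scans.
    Returns a list of (reason, ssid, bssid) tuples."""
    findings, new_ssids = [], set()
    for b in beacons:
        ssid, bssid, sec = b["ssid"], b["bssid"].lower(), b["security"].upper()
        own = inventory.get(ssid)
        if own is not None:
            if bssid not in own["bssids"]:
                # Same name as a monitored network, but a radio we do not operate.
                reason = "security-downgrade" if sec != own["security"] else "unknown-bssid"
                findings.append((reason, ssid, bssid))
            continue
        if ssid in baseline_ssids:
            continue  # long-standing neighbour network
        new_ssids.add(ssid)
        if sec == "OPEN" and ssid.strip().lower() in COMMON_OPEN_SSIDS:
            # New open network using a name clients are likely to have saved.
            findings.append(("common-open-ssid", ssid, bssid))
    if len(new_ssids) >= BURST_THRESHOLD:
        # Many unfamiliar names at once, as in the mass fake-network demo above.
        findings.append(("new-ssid-burst", f"{len(new_ssids)} new SSIDs", "*"))
    return findings


INVENTORY = {"CorpNet": {"bssids": {"02:00:00:aa:00:01"}, "security": "WPA2"}}
BASELINE = {"CoffeeShopNextDoor"}
SAMPLE_SCAN = [  # constructed beacons using locally administered MAC addresses
    {"ssid": "CorpNet", "bssid": "02:00:00:AA:00:01", "security": "WPA2"},
    {"ssid": "CorpNet", "bssid": "02:00:00:BB:00:09", "security": "OPEN"},
    {"ssid": "CoffeeShopNextDoor", "bssid": "02:00:00:CC:00:02", "security": "WPA2"},
    {"ssid": "Starbucks", "bssid": "02:00:00:BB:00:0A", "security": "OPEN"},
    {"ssid": "Free Airport WiFi", "bssid": "02:00:00:BB:00:0B", "security": "OPEN"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_SCAN, INVENTORY, BASELINE):
        print(finding)
```

A BSSID can be spoofed, so a clean result for a monitored SSID narrows the search rather than proving the access point is genuine.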


Best Practices to Avoid Connecting to Compromised Networks in PNLs

You can follow these best practices to reduce your attack surface and keep yourself and your Wi-Fi clients secured while using the network at home or on the go.

1. Purge Unused Networks From the PNL

You can delete any preferred network by accessing “Manage Known Networks” in Windows and clicking “Forget.” This step blocks your device from automatically connecting to the Wi-Fi even when you are in range. At the very least, it is preferable to remove all the open networks from the list.

You can purge a preferred network from your Android device by opening Settings, then Wi-Fi Settings. Select the network name you want to forget, then tap “Forget this Network.”
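On a Windows machine with many saved networks, the same review can be scripted. The following is an added example, not part of the original post: it parses the text that `netsh wlan show profile name="..."` prints for each saved profile and lists the open networks, with auto-connecting ones first. The English-locale field names are an assumption, and the profile dumps are constructed samples.

```python
import re

# Matches indented "Key : Value" lines of a netsh profile dump (English locale assumed).
FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")


def parse_profile(text):
    """Return {field: value} for one profile dump; the first occurrence of a field wins."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(2):          # skip section headers with no value
            fields.setdefault(m.group(1), m.group(2))
    return fields


def audit(profiles):
    """profiles: {profile name: netsh output}. Returns [(name, risk, advice)],
    listing only open networks, worst first."""
    rows = []
    for name, text in profiles.items():
        f = parse_profile(text)
        is_open = f.get("Authentication", "").lower() == "open"
        auto = f.get("Connection mode", "").lower() == "connect automatically"
        if is_open and auto:
            rows.append((name, "high", "forget"))       # joins any same-named open AP
        elif is_open:
            rows.append((name, "medium", "forget if unused"))
    order = {"high": 0, "medium": 1}
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


def _dump(name, mode, auth):
    """Build a constructed sample in netsh's layout, trimmed to the fields read above."""
    return f"""Profile {name} on interface Wi-Fi:
    Name                   : {name}
    Control options        :
        Connection mode    : {mode}
    SSID name              : "{name}"
    Authentication         : {auth}
"""


SAMPLE_PROFILES = {  # constructed profiles, not real output from any machine
    "Starbucks": _dump("Starbucks", "Connect automatically", "Open"),
    "HomeNet": _dump("HomeNet", "Connect automatically", "WPA2-Personal"),
    "Hotel Guest": _dump("Hotel Guest", "Connect manually", "Open"),
}

if __name__ == "__main__":
    for row in audit(SAMPLE_PROFILES):
        print(row)
```

A profile flagged here can be removed through “Manage Known Networks” as described above, or from the command line with `netsh wlan delete profile name="<profile name>"`.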

2. Encrypt Traffic With VPN

The current WPA2 standard has a weakness that allows intruders to spy on traffic on a local network. An attacker can record the traffic and decrypt it later after discovering the password. Fortunately, virtual private networks (VPNs) provide encryption capabilities that discourage criminals from snooping on the traffic. A VPN typically encrypts DNS requests and other revealing information that can open the door to different attacks. It makes it difficult for attackers to see what the client is doing online, in effect making it impossible to redirect the client to malicious websites.

3. Disable Auto-Connect

Purging your preferred network list means connecting to any network will require you to enter a password manually every time. Irrefutably, this process can get annoying, especially for the networks you connect to often. Also, it means that you need to keep cleaning your PNL as soon as you join a new network. You can enhance convenience by using a tool that saves the passwords while eliminating the risk of your devices connecting automatically to malicious networks using a similar name to a genuine network. However, it would be best to check the “disable auto-connect” checkbox when first connecting to a Wi-Fi network. This action prevents your device from connecting to rogue access points.

4. Avoid Re-Using Passwords for Wi-Fi

A weak WPA2 Wi-Fi password makes it easy for attackers to break into your network. Essentially, if your Wi-Fi password is among the top million worst passwords out there or is a vendor default password for a specific router, it is easy for a hacker to breach your network in minutes. All they need to do is capture a handshake from a client connecting to the network and load it into a tool that guesses the password from a massive file of breached credentials. You can avoid this risk by creating strong passwords that are unique and difficult to guess.

Corey Belanger


Corey is a Security Consultant and leads QA of product development, using his expertise in these dual roles to more effectively test and secure applications, whether while building enterprise applications or while performing penetration tests and vulnerability assessments for customers. An Army veteran with a tour of duty in Afghanistan, Corey has built a post-military career in security while earning Network+, Security+, GIAC Certified Incident Handler, GIAC Python Coder, GIAC Web App Penetration Testing, and GIAC Penetration Tester certifications. Corey is also a BsidesNH organizer and founding member of TechRamp, avenues which he uses to help others build their skills for careers in security and technology. Fun Fact: When not manning a terminal or watching the Bruins, Corey can often be found snowboarding or riding his motorcycle.