<img height="1" width="1" src="https://www.facebook.com/tr?id=3323484487762706&amp;ev=PageView&amp;noscript=1">
Blog Articles

The Preferred Network List (PNL) for Devices Connecting to Your Network

Nov 9, 2021
New call-to-action

Recent Content

Do you know the preferred network list (PNL) for the devices connecting to your network?

 

Before answering the question, let us first understand what a preferred network list is. The PNL is a historical record of all the network names (SSIDs) that a device has previously connected to, and trusts to automatically connect to again in the future.

User devices trying to connect to a Wi-Fi network watch for access points (APs) broadcasting its availability for a device to connect to its network. Within that information contains the network name, or Service Set Identifier (SSID). Wi-Fi enabled devices trying to connect to a wireless network, and using Active Service Discovery, will then broadcast its interest in connecting to the AP if the network name is in its PNL, which increases the connection speed.

For instance, if you connect to a Starbucks Wi-Fi network once, your device will remember and try to automatically connect to any network with the SSID Starbucks. This is true whether you go to the same Starbucks in the future, or a Starbucks 1,000 miles away. All the user device knows is the network name; no additional data is stored. Auto-connecting to wireless networks in PNL saves time and is convenient for the user, but it is a security risk. Therefore, it is important to identify all networks in the PNL and stop connecting automatically to Wi-Fi to stay safe.

 

Risks Related to NPL

The risk with PNLs is that if there are many SSIDs in a device’s PNL, an attacker can sniff that traffic and set up a fake access point with the same SSID. That way, the cybercriminal can easily trick the client’s device into connecting to the fake access point (AP). Your device cannot distinguish between networks sharing the same name. Sometimes, cybercriminals iterate through different SSIDs in PNL to automatically initiate a connection with a fake hotspot, thus disclosing sensitive information to an attacker.

More frequently, hackers create rogue access points that mimic the names of common Wi-Fi access points. Attack tools take advantage of the WLAN probing techniques used by wireless clients, because the information sent by wireless access points to/from user devices is sent unencrypted. When a station probes for a WLAN in their preferred network list (PNL), the station discloses the SSID to a listening attacker. The attacker’s tool uses the disclosed SSID to impersonate a legitimate WLAN, luring the station to the attacker.  

If you leave your laptop’s or smartphone’s Wi-Fi feature on in public, the device will automatically try to join any network with a name matching one in the PNL, even without warning you. Indeed, this is an easy way to track nearby devices and conduct widespread man-in-the-middle attacks.

If the impersonated SSID is an open network the user device will automatically connect. The attacker can then set up a proxy server that funnels all the data, including passwords used, applications accessed, and websites visited through their infrastructure, enabling all sorts of opportunities to compromise the device.

Once compromised with a backdoor, all the attacker needs to do is wait for the user device to rejoin the real network and pivot to other areas, successfully accessing the company’s network. Also, rogue access points make it easy for hackers to load phishing pages, track the sites you visit, and discover the apps and services you are using.

The attacker can also set up a network impersonating the corporate network SSID that is stored in the user device, requiring a password to authenticate. This would then give the attacker visibility into the corporate Wi-Fi password, allowing them to compromise the corporate network.

Apart from creating rogue APs, a hacker can probe for a WLAN in their preferred network list (PNL) to disclose the SSIDs, which are a particularly interesting source of private location information, as devices store a list of all previously used hotspots.

 

Purge Networks From PNL 

After Sonar identifies your PNL, we recommend that you purge networks you do not need from the list. You can delete your preferred networks on Windows by going to “Manage Known Networks” and clicking “Forget” on any Wi-Fi network that you don’t want your computer to connect to automatically. For enhanced security, you should consider removing all open Wi-Fi networks from the PNL.

Disable Auto-Connections on Windows

If you prefer to use Windows keyboard shortcuts, you can start by hitting Win + X on the keyboard, then select Network Connections > Wi-Fi. In the Wi-Fi settings area, click Manage Known Networks, then select your open Wi-Fi network and click Properties. Next, click the slide button for Connect Automatically When in Range from On to Off.

Disable Auto-Connections on Windows

With macOS, it is simple to disable auto connections. First, you click on the Wi-Fi icon on the top menu bar of the screen and click Open Network Preferences. Then click the Apple Icon on your screen (far left) and select System Preferences > Network. You can also click Settings Icon in your dock at the bottom of the screen, where you access the Network area.

If you are in the range of the network, select it under the Network Name drop-down menu and disable the Automatically Join this Network checkbox directly underneath. If you are not in range, you can click Wi-Fi > Advanced. Next, find the open Wi-Fi network in the list under the Auto-Join section, and then disable the network’s checkbox.

Unfortunately not all devices allow you to purge the PNL stored.

 

Use a VPN

Unquestionably, extra precautions should be taken when accessing Wi-Fi in public, as such networks are potential cybercrime hotspots. This post recommends removing open Wi-Fi networks from your device’s PNL or keeping your device’s Wi-Fi disabled to stay safe. However, suppose you still need to use a public Wi-Fi network for personal or work-related tasks involving sensitive and financial information. In that case, you can enhance your security by using a virtual private network (VPN). Typically, VPN adds another encryption layer to your traffic, effectively making it harder for attackers to intercept your communications.

With a VPN, the data directly sent to and received from the website is routed through a server owned by the VPN vendor/provider. In effect, the internet protocol (IP) address you use to access servers and websites is the VPN server’s address, rather than your device’s or Wi-Fi’s address. Changing the origin IP address and encrypting traffic ensures eavesdroppers cannot learn about the services you access online or data you send via the public internet.

 

Enhancing Security With Sonar

Sonar has built-in features that make it possible to dissect a client device’s PNL. This capability allows us to consult with the customer when we see a large PNL on a client’s device that also has the company’s corporate network.

You can leverage Sonar services to eliminate wireless as an entry point for hackers. With Sonar subscription service, you can detect and receive alerts on threats on your wireless network, such as a growing PNL on your devices and the associated risks.

The service gives you continuous 24/7/365 monitoring, presenting a unified view of your company’s wireless network. You can detect malicious threats to your Wi-Fi network, including rogue and fake access points mimicking network SSIDs in your device’s PNLs. Once we detect security problems, our security experts offer technical phone and email support, consultative services, and personalized recommendations to mitigate risks.
Corey Belanger

Corey Belanger

Corey is a Security Consultant and leads QA of product development, using his expertise in these dual roles to more effectively test and secure applications, whether while building enterprise applications or while performing penetration tests and vulnerability assessments for customers. An Army veteran with a tour of duty in Afghanistan, Corey has built a post-military career in security while earning Network+, Security+, GIAC Certified Incident Handler, GIAC Python Coder, GIAC Web App Penetration Testing, and GIAC Penetration Tester certifications. Corey is also a BsidesNH organizer and founding member of TechRamp, avenues which he uses to help others build their skills for careers in security and technology. Fun Fact: When not manning a terminal or watching the Bruins, Corey can often be found snowboarding or riding his motorcycle.

LinkedIn
View all posts

Minimize your Cyber Risks with Pulsar Cyber Shield

A comprehensive array of services securing data,
network & firmware configurations, & your
wireless network.

Learn More 

100% of the team holds advanced cybersecurity certifications.

  • Certified Ethical Hacker
    Certified Ethical Hacker
    Certified Information Systems Security Professional
    Certified Information Systems Security Professional
    CompTIA Security+ Certified
    CompTIA Security+ Certified
    OSWP Offensive Security
    OSWP Offensive Security
    GIAC Security Expert
    GIAC Security Expert
    Offensive Security Certified Expert
    Offensive Security Certified Expert
    Offensive Security Certified Professional
    Offensive Security Certified Professional
    GIAC Exploit Researcher and Advanced Penetration Tester
    GIAC Exploit Researcher and Advanced Penetration Tester
    GIAC Web Application Penetration Tester
    GIAC Web Application Penetration Tester
    GIAC Certified Penetration Tester
    GIAC Certified Penetration Tester
  • GIAC Mobile Device Security Analyst
    GIAC Mobile Device Security Analyst
    GIAC Certified Incident Handler
    GIAC Certified Incident Handler
    GIAC Assessing and Auditing Wireless Networks
    GIAC Assessing and Auditing Wireless Networks
    GIAC Python Coder
    GIAC Python Coder
    GIAC Reverse Engineering Malware
    GIAC Reverse Engineering Malware
    GIAC Network Forensic Analyst
    GIAC Network Forensic Analyst
    GIAC Certified Forensic Analyst
    GIAC Certified Forensic Analyst
    GIAC Certified Forensic Examiner
    GIAC Certified Forensic Examiner
    GIAC Certified Intrusion Analyst
    GIAC Certified Intrusion Analyst
    GIAC Certified Detection Analyst
    GIAC Certified Detection Analyst
  • GIAC Continuous Monitoring Certification
    GIAC Continuous Monitoring Certification
    GIAC Certified Unix Security and Administration
    GIAC Certified Unix Security and Administration
    GIAC Certified Windows Security Administrator
    GIAC Certified Windows Security Administrator
    GIAC Critical Controls Certification
    GIAC Critical Controls Certification
    GIAC Security Essentials Certification
    GIAC Security Essentials Certification
    GIAC Defending Advanced Threats
    GIAC Defending Advanced Threats
    GIAC Law of Data Security & Investigation
    GIAC Law of Data Security & Investigation
    CompTIA Network+ Certified
    CompTIA Network+ Certified
    Scrum Alliance CSP-SM Certified
    Scrum Alliance CSP-SM Certified
    Microsoft MTA Security Fundamentals
    Microsoft MTA Security Fundamentals
  • Microsoft MTA Database Fundamentals
    Microsoft MTA Database Fundamentals
    CISCO Certified CCNA
    CISCO Certified CCNA
    AWS Certified Solutions Architect Associate
    AWS Certified Solutions Architect Associate
offsec
  • Home
  • Services
  • Partners
  • About
  • Contact
  • Contact

Copyright © 2023 Pulsar Security

|

Privacy Policy

|

Terms & Conditions

Website Design & Development by CommonPlaces Interactive