<img height="1" width="1" src="https://www.facebook.com/tr?id=3323484487762706&amp;ev=PageView&amp;noscript=1">
Blog Articles

The Preferred Network List (PNL) for Devices Connecting to Your Network

Nov 9, 2021
New call-to-action

Recent Content

Do you know the preferred network list (PNL) for the devices connecting to your network?


Before answering the question, let us first understand what a preferred network list is. The PNL is a historical record of all the network names (SSIDs) that a device has previously connected to, and trusts to automatically connect to again in the future.

User devices trying to connect to a Wi-Fi network watch for access points (APs) broadcasting its availability for a device to connect to its network. Within that information contains the network name, or Service Set Identifier (SSID). Wi-Fi enabled devices trying to connect to a wireless network, and using Active Service Discovery, will then broadcast its interest in connecting to the AP if the network name is in its PNL, which increases the connection speed.

For instance, if you connect to a Starbucks Wi-Fi network once, your device will remember and try to automatically connect to any network with the SSID Starbucks. This is true whether you go to the same Starbucks in the future, or a Starbucks 1,000 miles away. All the user device knows is the network name; no additional data is stored. Auto-connecting to wireless networks in PNL saves time and is convenient for the user, but it is a security risk. Therefore, it is important to identify all networks in the PNL and stop connecting automatically to Wi-Fi to stay safe.


Risks Related to NPL

The risk with PNLs is that if there are many SSIDs in a device’s PNL, an attacker can sniff that traffic and set up a fake access point with the same SSID. That way, the cybercriminal can easily trick the client’s device into connecting to the fake access point (AP). Your device cannot distinguish between networks sharing the same name. Sometimes, cybercriminals iterate through different SSIDs in PNL to automatically initiate a connection with a fake hotspot, thus disclosing sensitive information to an attacker.

More frequently, hackers create rogue access points that mimic the names of common Wi-Fi access points. Attack tools take advantage of the WLAN probing techniques used by wireless clients, because the information sent by wireless access points to/from user devices is sent unencrypted. When a station probes for a WLAN in their preferred network list (PNL), the station discloses the SSID to a listening attacker. The attacker’s tool uses the disclosed SSID to impersonate a legitimate WLAN, luring the station to the attacker.  

If you leave your laptop’s or smartphone’s Wi-Fi feature on in public, the device will automatically try to join any network with a name matching one in the PNL, even without warning you. Indeed, this is an easy way to track nearby devices and conduct widespread man-in-the-middle attacks.

If the impersonated SSID is an open network the user device will automatically connect. The attacker can then set up a proxy server that funnels all the data, including passwords used, applications accessed, and websites visited through their infrastructure, enabling all sorts of opportunities to compromise the device.

Once compromised with a backdoor, all the attacker needs to do is wait for the user device to rejoin the real network and pivot to other areas, successfully accessing the company’s network. Also, rogue access points make it easy for hackers to load phishing pages, track the sites you visit, and discover the apps and services you are using.

The attacker can also set up a network impersonating the corporate network SSID that is stored in the user device, requiring a password to authenticate. This would then give the attacker visibility into the corporate Wi-Fi password, allowing them to compromise the corporate network.

Apart from creating rogue APs, a hacker can probe for a WLAN in their preferred network list (PNL) to disclose the SSIDs, which are a particularly interesting source of private location information, as devices store a list of all previously used hotspots.


Purge Networks From PNL 

After Sonar identifies your PNL, we recommend that you purge networks you do not need from the list. You can delete your preferred networks on Windows by going to “Manage Known Networks” and clicking “Forget” on any Wi-Fi network that you don’t want your computer to connect to automatically. For enhanced security, you should consider removing all open Wi-Fi networks from the PNL.

Disable Auto-Connections on Windows

If you prefer to use Windows keyboard shortcuts, you can start by hitting Win + X on the keyboard, then select Network Connections > Wi-Fi. In the Wi-Fi settings area, click Manage Known Networks, then select your open Wi-Fi network and click Properties. Next, click the slide button for Connect Automatically When in Range from On to Off.

Disable Auto-Connections on Windows

With macOS, it is simple to disable auto connections. First, you click on the Wi-Fi icon on the top menu bar of the screen and click Open Network Preferences. Then click the Apple Icon on your screen (far left) and select System Preferences > Network. You can also click Settings Icon in your dock at the bottom of the screen, where you access the Network area.

If you are in the range of the network, select it under the Network Name drop-down menu and disable the Automatically Join this Network checkbox directly underneath. If you are not in range, you can click Wi-Fi > Advanced. Next, find the open Wi-Fi network in the list under the Auto-Join section, and then disable the network’s checkbox.

Unfortunately not all devices allow you to purge the PNL stored.


Use a VPN

Unquestionably, extra precautions should be taken when accessing Wi-Fi in public, as such networks are potential cybercrime hotspots. This post recommends removing open Wi-Fi networks from your device’s PNL or keeping your device’s Wi-Fi disabled to stay safe. However, suppose you still need to use a public Wi-Fi network for personal or work-related tasks involving sensitive and financial information. In that case, you can enhance your security by using a virtual private network (VPN). Typically, VPN adds another encryption layer to your traffic, effectively making it harder for attackers to intercept your communications.

With a VPN, the data directly sent to and received from the website is routed through a server owned by the VPN vendor/provider. In effect, the internet protocol (IP) address you use to access servers and websites is the VPN server’s address, rather than your device’s or Wi-Fi’s address. Changing the origin IP address and encrypting traffic ensures eavesdroppers cannot learn about the services you access online or data you send via the public internet.


Enhancing Security With Sonar

Sonar has built-in features that make it possible to dissect a client device’s PNL. This capability allows us to consult with the customer when we see a large PNL on a client’s device that also has the company’s corporate network.

You can leverage Sonar services to eliminate wireless as an entry point for hackers. With Sonar subscription service, you can detect and receive alerts on threats on your wireless network, such as a growing PNL on your devices and the associated risks.

The service gives you continuous 24/7/365 monitoring, presenting a unified view of your company’s wireless network. You can detect malicious threats to your Wi-Fi network, including rogue and fake access points mimicking network SSIDs in your device’s PNLs. Once we detect security problems, our security experts offer technical phone and email support, consultative services, and personalized recommendations to mitigate risks.

Corey Belanger

Corey Belanger

Corey is a Security Consultant and leads QA of product development, using his expertise in these dual roles to more effectively test and secure applications, whether while building enterprise applications or while performing penetration tests and vulnerability assessments for customers. An Army veteran with a tour of duty in Afghanistan, Corey has built a post-military career in security while earning Network+, Security+, GIAC Certified Incident Handler, GIAC Python Coder, GIAC Web App Penetration Testing, and GIAC Penetration Tester certifications. Corey is also a BsidesNH organizer and founding member of TechRamp, avenues which he uses to help others build their skills for careers in security and technology. Fun Fact: When not manning a terminal or watching the Bruins, Corey can often be found snowboarding or riding his motorcycle.