Cybersecurity researchers have released a new tool called “Snappy” that can help detect fake or malicious Wi-Fi hotspots that attempt to steal data from unsuspecting people.

Attackers can create fake hotspots in supermarkets, cafes, and malls that masquerade as real ones already established there. This is done to trick users into connecting to rogue access points and relaying sensitive data through attackers’ devices.

When threat actors control the router, they can capture and analyze the transferred data by performing man-in-the-middle attacks.

Trustwave Security Researcher and RF/Wireless Technology Enthusiast Tom Neaves explains that spoofing MAC addresses and SSIDs of legitimate access points on open networks is meaningless to determined attackers.

The devices of those who revisit the locations of open wireless networks to which they have previously connected will automatically attempt to reconnect to a saved access point, and their owners will be oblivious to the fact that they are connecting to a malicious device.

Snappy to the rescue

Neaves has developed a tool that addresses this common risk, helping people detect if the access point they’re using is the same one they used last time (and every time) or if it may be a fake or malicious device.

By analyzing beacon management frames, he found some static elements such as provider, BSSID, supported data rates, channel, country, maximum transmit power and others that vary between different data points. 802.11 wireless access but are consistent for a specific access point over time.

The researcher thought he could concatenate these elements and hash them with SHA256 to create a unique signature for each access point, which could be used by a scanning tool to generate matches and mismatches.

Matches mean that the access point is the same, therefore trustworthy, while signature inconsistencies would mean that something has changed and the access point could be malicious.

This functionality has been integrated into a Python script called Snappy which has been published on Trustwave’s GitHub repository and made available free of charge.

Besides the mechanism for generating SHA256 hashes of wireless hotspots, Snappy can also detect hotspots created by Airbase-ng, a tool used by attackers to create fake hotspots to capture packets connected users or even inject data into their network traffic.

Running Python scripts on laptops should be straightforward as long as Python is installed, but mobile device users will have to go the extra mile to find specific interpreters and emulators.

Android device owners can use pyrroid, QPythonNameOr termux to run Python scripts on their phones, while iOS users can choose between pythonist, NotebooksAnd Juno.

Hopefully Trustwave will soon consider releasing the tool in a more usable form for a wider audience.