While password cracking and WPS setup PIN attacks get a lot of attention, social engineering attacks are by far the fastest way of obtaining a Wi-Fi password. One of the most potent Wi-Fi social engineering attacks is Wifiphisher, a tool that blocks the internet until desperate users enter the Wi-Fi password to enable a fake router firmware update.
Social engineering attacks are powerful because they often completely bypass security. If you can trick an employee into entering a password into a fake login page, it doesn’t matter how strong the password is. It’s the opposite of cracking attacks, where you’re using a computer’s processing power to try a giant list of passwords quickly. But you cannot succeed if the password you are attacking is secure and not included in your password list.
Not knowing how strong the password you’re attacking is can be frustrating, because investing the time and processing power involved in a dictionary or brute-force attack can make coming up dry feel like a massive waste of resources. Instead, tools like Wifiphisher ask questions about the people behind those networks.
Does the average user know what their Wi-Fi router’s login page looks like? Would they notice if it was different? More importantly, would a busy user, cut off from the internet and stressed out but the disruption, still enter their password to enable a fake update even if they noticed the login page looked a little different?
Wifiphisher believes the answer is “yes.” The tool can select any nearby Wi-Fi network, de-authenticate all users (jam it), and create a cloned access point that requires no password to join. Any user that connects to the evil twin-like open network is served a convincing-looking phishing page demanding the Wi-Fi password to enable a firmware update, which is explained as the reason the Wi-Fi has stopped working.
The Firmware Update from Hell
To the target of a social engineering attack, the first signs of Wifiphisher look like a problem with the router. First, the Wi-Fi cuts out. They can still see the network, but every attempt to connect to it immediately fails. Other devices are unable to connect to the network as well, and they begin to notice that not just one device, but every Wi-Fi device, has lost connection to the network.
That’s when they notice a new network, with the same name as the old network, but requiring no password. After a few more attempts to join the protected network, they join the open network out of concern that their router is suddenly broadcasting a network without a password that anyone can join. As soon as they join, an official-looking webpage mentioning their router’s manufacturer opens and informs them that the router is undergoing a critical firmware update. Until they enter the password to apply the update, the internet will not work.