Wi-Fi is how most people connect to the internet most of the time — but from a security standpoint, it’s a remarkably wobbly foundation.
We treat Wi-Fi connections like hardened tunnels to wherever we’re connecting on the internet, but there’s nothing inherently private about the signal. Wi-Fi is just radio, and like any radio, the signals go out in all directions all the time. Anyone with the right antenna can listen to what’s being broadcast, and it’s nearly impossible to tell that they’re doing it. Even more dangerous, anyone can offer Wi-Fi, so it’s hard to be absolutely sure who you’re connecting to. This is why hardened systems like SecureDrop often pull out a computer’s Wi-Fi card completely. Without wireless capability, the attack surface of a device shrinks dramatically.
Actually exploiting those weaknesses is difficult, but it’s far from impossible… which is where devices like the WiFi Coconut come in.
What is it?
In simple terms, the WiFi Coconut is just a very powerful router. Where most routers make do with two to six antennas, the Coconut has 14, one for each channel in the 2.4GHz Wi-Fi spectrum. That lets the coconut listen and log every channel simultaneously, creating a scannable record of everything that happened on the Wi-Fi spectrum within listening range. One of the Coconut’s most basic functions is creating these recordings along with some basic packet analysis — the Wi-Fi equivalent of recording every station on the radio at once.
That recording alone doesn’t tell you very much. The vast majority of Wi-Fi traffic is encrypted, so without the keys, you won’t even be able to tell much about what people are doing. (This kind of nesting encryption system is one of the fundamental building blocks of the internet: similar key exchanges protect you from eavesdroppers at the ISP level and within the physical network itself.) But just because you can’t pull passwords out of the air in plain text doesn’t mean there isn’t serious mischief to be made.
What can it do?
The biggest threat is something called a KARMA attack in which attackers disguise themselves as a trusted Wi-Fi network. If you’ve ever been told to avoid open Wi-Fi networks in public places, this attack is the reason why — although surprisingly, it works even if you’re nowhere near an unsecured network.
The attack exploits the peculiar way computers connect with preferred Wi-Fi networks. When you set your computer to automatically connect, it starts proactively looking for that network, sending requests that also identify what network it’s looking for. As this post memorably put it, it’s as if your device is constantly shouting, “Is Starbucks WiFi here?” And unlike most Wi-Fi traffic, those signals are unencrypted.
In the KARMA attack, the attacker uses a device like the WiFi Coconut to pick up on those signals and give whatever answer your device is looking for. It will send back a message identifying itself as whatever you’re looking for, like Starbucks Wi-Fi, and invite your device to automatically join the network. Because of the seamless way devices switch between Wi-Fi networks, there’s a good chance it will happen without you even noticing. Suddenly, you’re connecting to the internet through someone else’s router, exposing you to all manner of malware injection attacks.
How much of a threat is it?
Many of the attacks we cover here are exotic or limited to espionage agencies — but this one has a clear enough payoff that it’s more common than you might think. It’s easy for a run-of-the-mill criminal to try this out in an airport lobby or a fancy hotel, hoping for a lead on some kind of ransomware scheme. They wouldn’t even need a WiFi Coconut; any suitably hackable router will do.
Having said that, there’s a simple way to protect yourself against a KARMA attack: tell your devices not to auto-join any public Wi-Fi networks. The specific path varies between operating systems, but if you poke around your Wi-Fi setting and preferences, it shouldn’t be too hard to find. (Don’t forget your phone; mobile devices are vulnerable to the same attack.)
If your device isn’t looking for any specific public networks, it won’t be sending out those KARMA-vulnerable signals. Failing that, you can set devices to ask you before they join a new network. It’s not absolutely foolproof, but it will go a long way toward keeping you safe.