Malicious WiFi Networks are a threat

Malicious WiFi Networks can be used to siphon sensitive data from organisations or hijack devices to collect access credentials, such as passwords, and steal information from organisations and individuals.

Types of malicious WiFi networks include

  • Man-in-the-middle (MITM)
  • Rogue access points
  • Evil twins
  • Captive portals
  • Wireless phishing attacks.

As an example, all devices, such as phones and laptops, store WiFi networks that have been accessed by the user. 

Unless they are deleted from the list, the device constantly searches for a connection to every stored network, sending out probe requests every few seconds:

    “Home WiFi, are you there?” 

    “Corporate WiFi, are you there?”

The device will automatically connect to the WiFi network that fits the criteria and responds – fake or real.

It doesn’t matter how much security you have on your organisation’s network.

Even certificate-based authentication will not stop your staff’s devices from creating a hotspot or sending out probe requests for stored WiFi networks and being hijacked by malicious WiFi networks.

It’s no longer just about securing your organisation’s WiFi. You now need to defend against attacks on all the endpoints, including your staff’s devices.

A malicious WiFi network can be set up using a hacking tool like a WiFi Pineapple, which can be bought for approximately $140 over the internet. 

The criminal listens to the device probe requests to see which real WiFi networks are being requested by the device.

The hacking tool is then programmed to mimic the real WiFi network. As it now looks exactly like the real WiFi, the device will automatically connect to the malicious WiFi network.

The criminal can then collect access credentials and information to hack corporate networks and bank accounts or steal an identity.

If your staff’s devices are set up to automatically connect to their home WiFi when they get home, or to other WiFi networks, their devices will be sending out probe requests continuously – they are all vulnerable.

The Challenge


For Security Compliance, Organisations need to know:

  • If they have any malicious WiFi networks in their organisation, including locations outside Head Office
  • The location of any malicious WiFi networks so they can be found and shut down.

Organisations typically conduct adhoc or annual ‘floor walks’ trying to find malicious access points. This satisfies PCI DSS compliance at a particular point in time, but how do you find malicious access points the other 364 days of the year?

Note: Standards such as PCI DSS and NIST / CSC specifically require organisations to check for malicious WiFi networks.


Many organisations have public-facing operations outside Head Office, such as retail stores, bank branches, entertainment venues, hospitals and education campuses.

Where locations are used by the public and the organisation, it is difficult to have visibility over what is happening with WiFi and other wireless protocols.

For example, a malicious WiFi network could be set up to intercept Point of Sale data in a store or interfere with medical devices in a hospital.


Utilities and Mining companies often operate remote sites with specialised industrial equipment or operational technology (OT).

These remote sites can easily be accessed by the public without the owner being aware. For example, a Mining company found that text messages were being sent from one of their remote sites where there were no staff – so who sent the text messages?

It is difficult to have visibility over what is happening with WiFi and other wireless protocols at these remote sites.


WiFi is commonly used for communications in maritime, air and road transport and is also often provided as a service to passengers.

Communications are critical for the safety of crew, cargo and passengers and ensuring their security is paramount. Passengers also demand WiFi and uptake is increasing.

As transport is publicly accessible, it is easy to set up a malicious WiFi network and difficult to have visibility without HackHunter.


Internet of Things (IoT) devices include medical (pacemakers, insulin pumps), communications (phone, laptop), autonomous vehicles and Smart City (street lights, traffic and waste management).

These devices communicate with their management and control systems using WiFi and other wireless protocols.

Visibility over their communications and ensuring they are not compromised will become even more important as they increasingly come into daily use.


Government offices are accessed by the public and it is easy to set up a malicious WiFi network to steal information or launch a denial of service attack.

Government Departments have a duty of care to protect the public.
Defence has specific requirements for deployments and visibility over WiFi (and other wireless) communications at overseas Joint Bases is problematic.

Security of Defence WiFi communications is vital at all times and visibility over malicious actors is imperative.



HackHunter’s passive sensor network continuously monitors, detects and alerts when a malicious WiFi network and/or hacking behaviour is identified.

SIEM Integration

HackHunter sends attack information in real-time to management systems such as a SIEM, Syslog, SOC or MSSP. If you don’t have your own SIEM, HackHunter includes a comprehensive dashboard with remote control and alert capability.


The portable tracker physically tracks down and locates malicious WiFi networks and hacking tools so they can be removed.



HackHunter sensors use inbuilt algorithms designed to detect the signatures and behaviour of hacking methods and tools in real-time.


Malicious WiFi networks are detected using safelist comparisons and beacon characteristics, while correlating other attack information such as deauthentication attempts to accurately identify an attack, its type and even the attacking tool used.


Real-time attack data is encrypted and relayed as JSON objects via our cloud MQTT server to the SOC, SIEM, Syslog or MSSP. Additional analysis can be performed at this stage. A separate dashboard, monitoring and alert service is available if required.


The signal strength of attacks is continuously measured, allowing the portable tracker, equipped with a highly sensitive directional antenna, to physically locate the attacker.

Note: On-premise server options are available. We are always researching attack methods and tools to ensure HackHunter stays a step ahead.

We Can Help

Malicious WiFi networks are a serious and growing problem and our reliance on WiFi is growing every day. Cisco predicts that WiFi usage will grow to over 50% of all internet traffic by 2021.

HackHunter specialises in products that protect organisations against information theft by malicious WiFi networks.

If you would like more information, please register below or contact us directly.

About Us

3 Accelerators in 12 months…

We’ve just finished our first 12 months full-time in start-up land and our third accelerator (!) with HackHunter and I’m feeling very fortunate, so I’m putting something out there to mark the occasion.