
In the digital age we live in, Wi-Fi connectivity has become an integral part of our daily lives. Whether at home or in public places, we increasingly rely on wireless networks to access the internet, communicate with friends, and carry out our online activities. But are we truly secure when using such networks? Unfortunately, the answer is no. Today, you will learn about one of the most commonly employed techniques by hackers to compromise Wi-Fi network security and spy on all the activities of connected users: packet sniffing.

Before we begin, I want to clarify that everything I will tell you is for informational purposes only. Every day, billions of people use the internet, carrying a smartphone or computer with them, and it is important that everyone knows the risks associated with this world. However, I do not assume any responsibility for what you will do after reading this page. As a reminder, unauthorized access to someone else’s computer or network is a criminal offense that can be punished by law.

How does the Internet work?

Before explaining what packet sniffing is, it’s important to briefly clarify how the Internet works. Have you ever wondered what happens when you connect from your smartphone/computer/tablet to any web page? For example, could you tell me how the content of this article was able to arrive on your device? Well, what happened when you connected to this site is that your smartphone/computer/tablet made a request to another computer located somewhere in the world that manages the site hack-blog.com, and that computer sent you the page you are viewing as a response. In this operation, your device that made the request is called the client, while the computer that manages hack-blog.com is called the server. Intuitively, you could imagine that a conversation like this took place:

Client: “Hey, I need the content of the page ‘When Wi-Fi is a threat: How hackers can spy on everything you do‘, could you please send it to me?”

Server: “Sure! Here’s the article: [article content]”

Before leaving your device, the request made by the client was enclosed in a “packet”, together with other information that was then used for the communication with the server.

Now, the server was probably somewhere else in the world, far away from you, and your request certainly didn’t reach it by magic. It all relied on a physical communication infrastructure that allowed the data in your packet to travel from your device to the server. This infrastructure, in particular, has been made available to you by your Internet Service Provider (ISP), the company you entrusted for your internet connection. It was your ISP who took care of taking your packet, sending it to the server and getting you a reply.

For example, let’s say you’re connected to any Wi-Fi network. A packet sent from any device connected to your same Wi-Fi will first have to pass through the router you are connected to. This router was specifically configured by the ISP when the internet connection was first installed. Therefore, every packet produced on your network will first pass through the Wi-Fi router, which will send it to the ISP, and the ISP will forward it to the correct server. The server will respond, and the response will be sent back to the ISP, which will then send it to your router, which will finally send it to the specific device that made the request. The packet sniffing technique that I mentioned earlier consists precisely in intercepting the packets during this process.

Packet sniffing

Although packet sniffing is also used for honest purposes, the technique is widely used by cybercriminals to conduct attacks and steal information. This type of attack is called Man in the Middle (MITM) precisely because the attacker tries to intercept all the traffic by placing himself between the honest parties. Specifically, the easiest segment to insert oneself into is the first one, when the packets travel from the devices to the Wi-Fi router. There are several ways to perform packet sniffing and carry out such an attack; in particular, we will analyze a technique called ARP poisoning. What does this technique consist of? Suppose I’m the attacker, I’m connected to the same Wi-Fi as you, and I want to know which website you are currently visiting from your smartphone/computer. What I can do from my computer is send a message to your device saying:

“Hey, I’m the new Wi-Fi router. When you have to surf the internet, feel free to send me all the packets”.

At this point, your smartphone/computer/tablet won’t ask too many questions and will start sending me all the packets it would otherwise have sent to the real router. Furthermore, I will take care of sending them to the real router so that it can still forward your request, but it will think that I made it, so it will also give me the server’s response and, to not make you suspicious of anything, I will forward the response to you. This is what happens in practice. What will have changed for you? Nothing. Your device made a request, will receive the response it wanted, and you can read your article peacefully. You won’t see any error messages or notifications, and everything will work as usual. In the meantime, I have placed myself in the middle, intercepting not only all the packets you sent but also those you received, and now I know perfectly well that you are currently browsing the website hack-blog.com. It wasn’t necessary for you to download any programs, click on any links, or do anything else. The attack was possible simply because we were both on the same network. Scary, isn’t it?
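The fake “I’m the new router” message above is an ARP reply that binds the router’s IP address to the attacker’s MAC address. The good news for the defender is that this leaves a clear footprint on the network: a known IP suddenly answering from a different MAC, and one MAC claiming several IPs at once. The following is an added example, not code from the original article: a small parser for ARP frames and a watcher that replays a constructed sequence of replies (first normal traffic, then the poisoning attempt) and reports those symptoms. All addresses are constructed placeholders; GATEWAY_IP is an assumed router address.

```python
import struct
from dataclasses import dataclass

# Constructed addresses for this example; replace GATEWAY_IP with your router's.
GATEWAY_IP = "192.168.1.1"
ROUTER_MAC = "aa:bb:cc:00:00:01"
VICTIM_MAC = "aa:bb:cc:00:00:10"
ATTACKER_MAC = "aa:bb:cc:00:00:66"


@dataclass(frozen=True)
class ArpPacket:
    opcode: int  # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_arp(frame: bytes) -> ArpPacket:
    """Parse an Ethernet II frame carrying an ARP packet (EtherType 0x0806)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0806:
        raise ValueError(f"not ARP (EtherType 0x{ethertype:04x})")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    sha, spa = frame[22:28], frame[28:32]
    tha, tpa = frame[32:38], frame[38:42]
    return ArpPacket(oper, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Constructed ARP reply frame used as sample input (not a real capture)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", 0x0806)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


class ArpWatch:
    """Learns IP -> MAC bindings from ARP replies and flags the symptoms of
    poisoning: a known IP answering from a new MAC (critical when it is the
    gateway) and one MAC claiming several IPs (router and victim at once)."""

    def __init__(self, gateway_ip: str):
        self.gateway_ip = gateway_ip
        self.ip_to_mac: dict[str, str] = {}
        self.mac_to_ips: dict[str, set] = {}

    def observe(self, pkt: ArpPacket) -> list[str]:
        alerts = []
        if pkt.opcode != 2:  # only replies assert a binding
            return alerts
        known = self.ip_to_mac.get(pkt.sender_ip)
        if known is not None and known != pkt.sender_mac:
            level = "CRITICAL" if pkt.sender_ip == self.gateway_ip else "WARNING"
            alerts.append(f"{level}: {pkt.sender_ip} moved from {known} to {pkt.sender_mac}")
        self.ip_to_mac[pkt.sender_ip] = pkt.sender_mac
        claimed = self.mac_to_ips.setdefault(pkt.sender_mac, set())
        claimed.add(pkt.sender_ip)
        if len(claimed) > 1:
            alerts.append(f"NOTICE: {pkt.sender_mac} claims {sorted(claimed)}")
        return alerts


def run_demo() -> list[str]:
    """Replay a constructed sequence: two legitimate replies, then an attacker
    claiming the gateway IP towards the victim and the victim IP towards the router."""
    frames = [
        build_arp_reply(ROUTER_MAC, GATEWAY_IP, VICTIM_MAC, "192.168.1.10"),
        build_arp_reply(VICTIM_MAC, "192.168.1.10", ROUTER_MAC, GATEWAY_IP),
        build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, "192.168.1.10"),
        build_arp_reply(ATTACKER_MAC, "192.168.1.10", ROUTER_MAC, GATEWAY_IP),
    ]
    watch = ArpWatch(GATEWAY_IP)
    alerts = []
    for frame in frames:
        alerts.extend(watch.observe(parse_arp(frame)))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The same logic, fed from a live capture instead of constructed frames, is what tools such as arpwatch do. It is a heuristic: a host that legitimately changes its IP via DHCP, or a router with several addresses, will trip the warning, so the gateway binding is the one worth alerting on loudly. On the mitigation side, a static ARP entry for the gateway on your own machine, Dynamic ARP Inspection on managed switches, and client isolation on guest Wi-Fi all remove the attacker’s ability to rewrite that binding in the first place.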

Packet sniffing: HTTP vs HTTPS

Please note that if you were connected to a website that supports HTTPS, as an attacker using this technique, I could potentially see the website’s address you are visiting, some information about your device, and other connection data, but I wouldn’t be able to see the content of the packets you are sending or receiving. However, if you were connecting to a website that only supports HTTP, I could see every detail of your communication: your username, password, and any other information exchanged with the server as you browse that site. This is because, in a nutshell, the difference between HTTP and HTTPS is that with HTTPS, packets travel from you to the server in an encrypted manner, so only you and the server can see their content. With plain HTTP, on the other hand, the entire packet content travels in plain text, allowing anyone who can intercept and eavesdrop on your communications to fully access it.

To check if the website you are connecting to supports HTTPS, you can simply look at the address bar at the top. If there is a padlock icon next to the website’s URL, it means the site is using HTTPS. Your browser will often notify you if a website is “secure” or “not secure” in this regard. A warning, though: do not be reassured merely because, with HTTPS, the attacker can only learn the addresses of the sites you connect to. Often, this information alone is sufficient for them to gather insights into your habits and the services you use, and to plan further attacks accordingly.
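To make the HTTP versus HTTPS difference concrete, here is an added example (not code from the original article) that shows exactly what an on-path observer can read in each case. For plain HTTP it parses a constructed login request and pulls out the host, path, cookie and form fields, password included. For HTTPS it builds a minimal TLS ClientHello, the only unencrypted message the observer gets, and extracts the one thing it reveals: the server name (SNI). The request, the hostname example.com and the credentials are all constructed placeholders.

```python
import struct
import urllib.parse

# Constructed capture of a login over plain HTTP (placeholder site and account).
HTTP_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=alice&password=hunter2"
)


def http_exposed_fields(request: bytes) -> dict:
    """Everything an eavesdropper can read from a plain-HTTP request."""
    head, _, body = request.partition(b"\r\n\r\n")
    lines = head.decode(errors="replace").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    fields = {"host": headers.get("host"), "method": method, "path": path}
    for sensitive in ("cookie", "authorization"):
        if sensitive in headers:
            fields[sensitive] = headers[sensitive]
    if body:
        fields["form"] = dict(urllib.parse.parse_qsl(body.decode(errors="replace")))
    return fields


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record with an SNI extension."""
    name = hostname.encode()
    name_list = struct.pack("!BH", 0, len(name)) + name          # name_type host_name
    sni_ext = (struct.pack("!HH", 0x0000, len(name_list) + 2)    # extension server_name
               + struct.pack("!H", len(name_list)) + name_list)
    body = (b"\x03\x03"                                          # client_version TLS 1.2
            + b"\x11" * 32                                       # random (fixed for the demo)
            + b"\x00"                                            # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"                 # one cipher suite
            + b"\x01\x00"                                        # compression: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the server_name from a ClientHello, or None. After this message the
    session is encrypted, so this hostname is all the eavesdropper learns."""
    try:
        if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
            return None
        p = 5 + 4 + 2 + 32                                  # record hdr, handshake hdr, version, random
        p += 1 + record[p]                                  # session_id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]    # cipher_suites
        p += 1 + record[p]                                  # compression_methods
        ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == 0:                                  # server_name extension
                q = p + 2                                   # skip server_name_list length
                ntype, nlen = struct.unpack("!BH", record[q:q + 3])
                if ntype == 0:
                    return record[q + 3:q + 3 + nlen].decode()
            p += elen
    except (struct.error, IndexError):
        return None
    return None


def compare_visibility() -> dict:
    """What the observer sees for the same login done over HTTP and over HTTPS."""
    return {
        "http": http_exposed_fields(HTTP_LOGIN),
        "https": {"server_name": extract_sni(build_client_hello("example.com"))},
    }


if __name__ == "__main__":
    for transport, seen in compare_visibility().items():
        print(transport, seen)
```

The HTTPS side is still not nothing: besides the SNI, the observer sees the IP addresses and ports, the timing and size of the encrypted packets, and, unless your DNS is also encrypted, the name lookups that precede each connection. Encrypted ClientHello (ECH) is the TLS extension meant to hide the server name as well, but it is not yet universally deployed.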

I advise you to keep this in mind the next time you connect to Wi-Fi in a café, hotel, train, plane, or any other public place. You should also be aware that this is one of the simplest attacks that can be executed on a Wi-Fi network. There are more sophisticated attacks that can lead to even more “exciting” outcomes, but there isn’t enough space to discuss those here today. If you want to learn more, remember to come back in the future because I intend to publish more detailed articles on this topic.

With this, I hope you understand how easy it can be to be attacked sometimes. Thanks for reading this far, goodbye!