PiKarma tool

An open source project released in December 2017 has caught our eye due to its immense usefulness, especially for users who travel a lot and have to connect to many WiFi networks, a habit that may put them at considerable risk of getting hacked.

The project is called PiKarma and it's a Python script created by Turkish security researcher Besim Altinok that can detect WiFi networks that are carrying out KARMA attacks, a well-known form of WiFi Man-in-the-Middle attack.

PiKarma protects against KARMA attacks

The principle behind a KARMA attack is simple. When users connect to WiFi networks, most devices will record the wireless network's settings, so the device will try to connect to it the next time WiFi is enabled on the device.

When this happens, the device sends WiFi probe requests to nearby access points, asking if a particular wireless network that the device previously used is nearby.

An attacker running a KARMA attack will configure his evil access point to change WiFi network settings and answer all these probe requests with the information the device is looking for, fooling the victim device into thinking it's connecting to a previously known network.

KARMA attack

KARMA and MANA (KARMA variation) attacks are at the heart of most hardware or software WiFi interception toolkits currently available online, either free or commercial, such as FruityWifiMana, WiFi Pineapple, MANA Toolkit, and others.

These tools work because most devices automatically remember the details of all previous WiFi networks, and also because most users aren't aware this is happening. Even those who are aware usually don't remove previous networks from their device's WiFi configuration section.
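The behaviour described above, one access point answering probe requests for whatever network name a client asks about, leaves a recognizable pattern in captured management frames. The following is an added example, not PiKarma's code: the heuristic, the function name `find_karma_suspects`, the threshold and the sample frames are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample capture: (frame_type, source_mac, destination_mac, ssid).
# Every MAC address and network name here is made up for illustration.
SAMPLE_FRAMES = [
    ("probe_req",  "aa:aa:aa:00:00:01", "ff:ff:ff:ff:ff:ff", "HomeNet"),
    ("probe_resp", "de:ad:be:ef:00:01", "aa:aa:aa:00:00:01", "HomeNet"),
    ("probe_req",  "aa:aa:aa:00:00:01", "ff:ff:ff:ff:ff:ff", "CoffeeShop"),
    ("probe_resp", "de:ad:be:ef:00:01", "aa:aa:aa:00:00:01", "CoffeeShop"),
    ("probe_req",  "aa:aa:aa:00:00:01", "ff:ff:ff:ff:ff:ff", "AirportFree"),
    ("probe_resp", "de:ad:be:ef:00:01", "aa:aa:aa:00:00:01", "AirportFree"),
    # Wildcard probe (empty SSID): a legitimate AP answers with its own name.
    ("probe_req",  "aa:aa:aa:00:00:01", "ff:ff:ff:ff:ff:ff", ""),
    ("probe_resp", "11:22:33:44:55:66", "aa:aa:aa:00:00:01", "OfficeWiFi"),
    # A second client asks for a network that really is nearby.
    ("probe_req",  "bb:bb:bb:00:00:02", "ff:ff:ff:ff:ff:ff", "OfficeWiFi"),
    ("probe_resp", "11:22:33:44:55:66", "bb:bb:bb:00:00:02", "OfficeWiFi"),
    ("probe_resp", "de:ad:be:ef:00:01", "bb:bb:bb:00:00:02", "OfficeWiFi"),
]


def find_karma_suspects(frames, min_ssids=3):
    """Return {ap_mac: sorted SSIDs} for APs that echoed back at least
    min_ssids distinct network names that clients had probed for."""
    probed = defaultdict(set)    # client MAC -> SSIDs it asked for by name
    answered = defaultdict(set)  # AP MAC -> probed SSIDs it claimed to be
    for ftype, src, dst, ssid in frames:
        if not ssid:
            continue  # wildcard probes name no network, so nothing to echo
        if ftype == "probe_req":
            probed[src].add(ssid)
        elif ftype == "probe_resp" and ssid in probed[dst]:
            # The AP is claiming the exact name this client asked for.
            answered[src].add(ssid)
    # A normal AP serves one name per BSSID; many echoed names is the
    # KARMA signature. The threshold is a tunable assumption.
    return {ap: sorted(names) for ap, names in answered.items()
            if len(names) >= min_ssids}


if __name__ == "__main__":
    for ap, names in find_karma_suspects(SAMPLE_FRAMES).items():
        print(f"suspect AP {ap} answered for: {', '.join(names)}")
```
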

PiKarma disconnects users from suspicious WiFi networks

PiKarma allows users to test WiFi networks and determine if the WiFi network in a certain location is safe to use before carrying out any sensitive communications over it.

If the script detects a KARMA attack, it logs details and then automatically sends a deauth request, disconnecting the user from the malicious network.

The only downside to PiKarma is that users will need a second WiFi card to keep an eye on the main one.

"A secondary network card is needed. For monitor mode," the researcher told Bleeping Computer in a private conversation.

Altinok has only tested PiKarma on TP LINK TL-WN722N and Dark RangeMax but there's no reason to believe the script won't work with other USB-based plug-in WiFi cards.

Similarly, Altinok only tested PiKarma on Kali Linux, but the script should work on other platforms, such as Windows or Mac. "If the necessary modules are installed, it works on every system," the researcher says.

The WiPi-Hunter project

Altinok is also the main force behind WiPi-Hunter, a project that provides open-source tools for detecting various WiFi-based attacks.

Other previously released tools include the likes of PiSavar (detection of WiFi Pineapple attacks), PiDense (monitors suspicious or illegal wireless networks), and PiFinger (search for WiFi Pineapple traces and calculate wireless network security score).

The researcher also published a YouTube video showing the PiKarma script in action, detecting a KARMA attack.