Wolf in Sheep’s Clothing: Creating a Fake Access Point on ESP8266 to Collect Passwords
Free_Wi-Fi… It’s always nice to see this notification pop up on your smartphone or other gadget when you’re relaxing in a café, shopping mall, or airport before a flight. People are naturally drawn to anything free. But as everyone knows, free cheese is usually found in a mousetrap. What dangers does free Wi-Fi hide?
It’s no secret (at least for those in the know) that operators of open networks with internet access can easily intercept all traffic passing through them, gaining information about what you search for and which resources you visit. If this data is only passed to advertisers to study demand for goods and services, that’s not so bad—but there are many more dangers lurking for those who love free stuff.
What’s the Catch?
Recently, a law was passed in Russia requiring mandatory authorization via mobile phone or social networks for open public Wi-Fi. But, as often happens, “something went wrong,” and this well-intentioned measure led to new vulnerabilities that exploit human nature. This inspired a small project that clearly demonstrates the boundless gullibility of most people. Let’s break it down step by step.
What Is This Device?
The “beast” was invented and built by our Chinese colleagues. They created the skeleton of a predator, which we’ll disguise as a sheep. Its name is the ESP8266 controller, often mentioned on “Hacker” and GitHub. In this project, we’ll use it as a standalone access point and web server. The device will create an open access point named Free_Wifi, and most smartphones and other devices will notify their owners about the available open Wi-Fi, even if they haven’t checked the list of networks. This has been tested on Android 9 and the latest iOS.
The unsuspecting user, not relying on intuition or common sense, clicks the enticing notification and lands on a registration page (no need to open a browser). The screen displays a standard captive portal page, offering to log in with email, password, and phone number, or to enter an authorization code if they have one. The victim (usually without thinking) enters their data, receives a message to wait for an SMS with a code, and all the entered information is saved to the device’s SD card and displayed on the OLED screen.
How the Fake Access Point Works
Our device operates as a fake access point with an attractive name, luring nearby devices to connect. In reality, it simply collects users’ credentials.
What Happens Next?
In the simplest case, you’ll get a potentially valid email address and phone number. If you’re lucky, you’ll also get a password—possibly one the person uses elsewhere. Do you use different passwords for every service? Probably not. Even without a real password, you can learn about a person’s preferences and awareness. An email and phone number are valuable for further attacks, from sending spam and ads to hacking accounts and deanonymizing someone. At the very least, you could get the contact info of someone you’re interested in.
This clearly shows that open networks can be very unsafe.
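A defender-side counterpart to the behaviour described above, added here as an example and not part of the original article: it parses a constructed scan export and flags open access points and open "twins" of a venue's managed SSID, the pattern a Free_Wifi-style rogue AP produces. The CSV layout, the SSIDs, the MAC addresses and the KNOWN_BSSIDS allow-list are all assumptions made for the example.

```python
"""Flag rogue and evil-twin access points in Wi-Fi scan results (defender-side check)."""
from collections import defaultdict

# Constructed sample in the shape of a simplified scan export: SSID, BSSID, security.
# These SSIDs and MAC addresses are made up for the example.
SCAN_SAMPLE = """\
CafeNet,aa:bb:cc:00:00:01,WPA2
CafeNet,aa:bb:cc:00:00:02,WPA2
CafeNet,de:ad:be:ef:00:01,OPEN
Free_Wifi,de:ad:be:ef:00:02,OPEN
HomeRouter,11:22:33:44:55:66,WPA3
"""

# Hypothetical allow-list of BSSIDs that the venue's IT team actually operates.
KNOWN_BSSIDS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}


def parse_scan(text):
    """Parse 'ssid,bssid,security' lines into dicts; blank or malformed lines are skipped."""
    aps = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or not parts[1]:
            continue
        aps.append({"ssid": parts[0], "bssid": parts[1].lower(), "security": parts[2].upper()})
    return aps


def find_suspicious(aps, known_bssids=KNOWN_BSSIDS):
    """Return (bssid, reasons) pairs for access points a defender should look at."""
    security_by_ssid = defaultdict(set)
    for ap in aps:
        security_by_ssid[ap["ssid"]].add(ap["security"])
    # SSIDs that at least one allow-listed BSSID advertises are "managed" by the venue.
    managed_ssids = {ap["ssid"] for ap in aps if ap["bssid"] in known_bssids}

    findings = []
    for ap in aps:
        reasons = []
        if ap["security"] == "OPEN":
            reasons.append("open network")
            # Same SSID seen both encrypted and open: classic evil-twin pattern.
            if len(security_by_ssid[ap["ssid"]]) > 1:
                reasons.append("open twin of an encrypted SSID")
        if ap["bssid"] not in known_bssids and ap["ssid"] in managed_ssids:
            reasons.append("unknown BSSID advertising a managed SSID")
        if reasons:
            findings.append((ap["bssid"], "; ".join(reasons)))
    return findings
```

In the sample, only the two de:ad:be:ef entries are reported; the CafeNet one carries all three reasons, the Free_Wifi one is simply an open network nobody on the allow-list runs.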
Building the Device
We’ll use the ESP8266 NodeMCU or ESP32 (for ESP32, you’ll need to adjust the code). You’ll need a soldering iron, breadboard, and tools. The device also uses a microSD card adapter and a 128×32 pixel OLED display with an SSD1306 controller and I2C interface. You’ll also need a buzzer (a beeper from an old PC will work). Gather your components, follow the schematic below, and start assembling. You can solder or use a breadboard—the result will be the same.
Required Components
- NodeMCU module
- ESP-12 module
- OLED display 128×32
- SD card module
If you’re soldering with wires, it’s highly recommended to use MGTFE 0.12 wire—well-known since Soviet times for its excellent conductivity, strength, fire resistance, and durability.
Use a low-power soldering iron, ideally a temperature-controlled station with galvanic isolation. Static discharges can kill your controller instantly. It’s best to solder such devices wearing anti-static gloves or a grounded wrist strap.
First, connect all ground rails, then proceed with the other connections. Use gel or liquid flux (not active and never acid-based). Good flux gels can be found at electronics or cell phone repair shops.
After soldering, thoroughly clean the board with a soft brush and acetone, alcohol, or a special flux remover. Flux residue can cause strong parasitic connections, especially on analog inputs.
Double-check everything against the schematic. Pay special attention to power pins. NodeMCU boards have both 5V and 3.3V pins. SD card modules usually have their own voltage regulator, so you can power them from 5V, which is better than overloading the NodeMCU’s onboard regulator.
If you’re using a separate ESP module, connect it according to its datasheet (some pins need pull-up resistors). Without these, the module won’t start, and you won’t be able to flash it.
The buzzer should be passive (no built-in generator). The display uses the SSD1306 controller. The SD card adapter must have a 3.3V regulator, as both the controller and card require this voltage. If it lacks one, power it from the MCU’s 3.3V pin, never 5V, or you’ll destroy the module. The same goes for the display: even though it may tolerate 5V power, the I2C signal levels should be 3.3V.
As a bonus, you can add a cheap Li-Ion battery charging module with a built-in DC-DC step-up to 5V. One 18650 battery will last a long time, as the device draws about 120mA and 18650 batteries range from 1800 to 3200mAh. Power the NodeMCU via the VIN pin with 5V; powering via USB with a battery is impractical.
When using separate modules (not on a dev board), remember they also require 3.3V. Voltage converters are available at electronics stores for about $1.50 and are sufficient for 500mA. You might also consider adding voice notifications using a WTV020 board in the future.
Flashing the Firmware
The firmware is based on code by 0xRM, modified to comply with Russian regulations. The most important lines are commented. The notes file (sound codes for the buzzer) should be in the same folder as the firmware and will appear as a separate tab in the Arduino IDE.
The captive portal web page is embedded in the code and encoded in Base64. The ESP can also read and execute code from the SD card, which could be used for future improvements, like hosting multiple phishing pages (Google, VK, Instagram) and letting users choose which to log in with. After entering data, you can show a realistic error page to avoid suspicion. Since the web server is on your device and not connected to the real internet, no security system will detect the trick. You can further develop this idea as you wish.
Authorization logs are stored on the SD card, and the screen shows only the latest credentials and the total number of victims. Don’t forget to insert a memory card, formatted in FAT32, or it won’t work. The code is available on the project’s GitHub page.
Controller Board Settings
When selecting the controller board in the Arduino IDE, pay attention to the settings for your board type. After launching, you’ll see a welcome message on the display, then the device will try to initialize the memory card. If it’s missing, you’ll hear three short warning beeps, and the program will continue. The program will display messages about current operations. When everything is ready, you’ll hear a melody indicating the access point is up and running. The screen will show battery level, the number of connected clients, and the number of users who have logged in. When a new victim enters data, you’ll hear another melody. The authorization log is saved to the memory card, which must be formatted in FAT32.
Conclusion
This project can be improved: for example, using ESP-07 modules with external antennas will greatly increase range. It becomes even more dangerous if the login page offers social network logins and displays a phishing form identical to the real one. This way, you can collect credentials for later use (not all uses are legal). There are also scripts that can take photos from device front cameras, which can be embedded in your web pages. You could even clone an existing open access point and disable the real one using ESP8266 modules. The possibilities are endless and limited only by your imagination.