Get Alerts When Your Wi-Fi Network Is Under Attack with This Espressif ESP8266-Powered Monitor

Pseudonymous security researcher "Mobile Hacker" has penned a guide to protecting your Wi-Fi networks from deauthentication attacks — by monitoring for malicious activity with an Espressif ESP8266 module and sending alerts to a smartphone.

"A Wi-Fi deauthentication attack, also known as a 'deauth attack' or 'disassociation attack,' is a type of denial-of-service that targets wireless networks," the researcher explains. "The primary goal of this attack is to disconnect or deauthenticate devices (such as smartphones, laptops, cameras, or IoT [Internet of Things] devices) from a Wi-Fi network. This can be done by anyone with a Wi-Fi enabled device and the right software. Fortunately, it is possible to detect such attack."

Being able to pop a wireless device off its network can range from being an annoyance to a serious security hazard: many homes and businesses are protected by Wi-Fi-based IP cameras and security systems which, at the cheaper end of the market, have no backup connectivity — meaning if they're kicked off the network you're unprotected, and many systems only alert on connectivity issues after the device has been offline for at least half an hour.

The solution, then, is a system which can watch for attacks — and rather than tie up an entire computer running Wireshark or similar packet-sniffing software, "Mobile Hacker" suggests using something cheaper and more power-efficient: an Espressif ESP8266-based microcontroller board.

"DeauthDetector created by Stefan Kremser […] works by monitoring the Wi-Fi network for deauthentication packets and alerting the user if one is detected by turning LED on," the reseracher explains. "[But the] user needs to be in the vicinity of the deauth attack [to see the] LED being enabled. Because of that, I implemented a communication of the ESP8266 with the cloud service that would push pop-ups on my smartphone, notifying me about deauthentication attack whenever I am."

It's a smart solution, though one which brings its own problems: if the ESP8266 is kicked off the network through a deauthentication attack, how can it use that same network to send its alerts? One option is to give it a separate backhaul connection — like a cellular modem — but "Mobile Hacker" opted for something cheaper: sending the alerts after the attack ends, rather than when it begins.

The full project write-up, including source code, is available on the Mobile Hacker website.