Wi-Fi Pineapple attacks: how rogue access points steal your data
A Wi-Fi Pineapple is a $100 device that impersonates trusted networks and intercepts traffic. This article explains how the attack works, what it can capture, and how to make yourself immune.
Public Wi-Fi is one of the most persistent attack surfaces in everyday life. Coffee shops, airports, hotels, conference venues — any location where people connect to open or shared Wi-Fi networks is a potential environment for wireless interception. The Wi-Fi Pineapple is the tool most associated with this class of attack, and understanding how it works is the first step toward defending against it.
What a Wi-Fi Pineapple is
The Wi-Fi Pineapple is a commercial wireless auditing platform manufactured by Hak5, a security hardware company. It is sold legitimately for use in penetration testing and security research, and it is openly available for purchase. The device is purpose-built for wireless man-in-the-middle attacks: it creates rogue access points, intercepts traffic, and allows operators to inspect or modify data passing through it.
The hardware itself is a small form-factor router running a custom Linux-based OS with a web interface for configuration. What makes it dangerous is not novel technology — it uses standard 802.11 wireless protocols — but the degree to which it automates attacks that previously required significant technical expertise. Setting up a rogue access point that attracts victims and intercepts their traffic can be done in minutes by someone with no background in wireless security.
How the attack works: beacon flooding and PNL exploitation
Modern Wi-Fi clients maintain a Preferred Network List (PNL) — a list of SSIDs (network names) the device has previously connected to. When not connected, many devices probe for these networks by broadcasting the SSID name and waiting for a matching access point to respond.
The Pineapple's primary attack vector exploits this. The device broadcasts a large number of SSIDs simultaneously — potentially hundreds — in what is called a beacon flood. Any client probing for a network whose name matches one of these SSIDs receives a response and connects. From the client's perspective, it found the network it was looking for. In reality, it connected to the attacker's device.
The Karma attack takes this further: rather than broadcasting a fixed list of SSIDs, Karma listens for probe requests and responds to each one, dynamically impersonating whatever network the victim is looking for. A device that has connected to "Heathrow Airport Wi-Fi", "Starbucks", and "Home Network" will receive responses to all three probes, and connect to whichever responds first and strongest.
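To make the beacon-flood and Karma behaviour concrete from the defender's side, here is an added example (not code from the article or from Hak5) that runs two simple heuristics over 802.11 management-frame metadata: a BSSID beaconing an implausible number of distinct SSIDs, and a BSSID whose probe responses echo SSIDs it never beaconed. The frame records, addresses, SSIDs and thresholds are all constructed for illustration; in a real deployment the tuples would come from a monitor-mode capture.

```python
"""Defender-side heuristics for spotting a beacon flood or a Karma-style
responder in 802.11 management-frame metadata.

Added example, not code from the article or from Hak5. The frame records
below are constructed; in practice they would come from a monitor-mode
capture (each record: frame subtype, transmitter address, SSID)."""
from collections import defaultdict

FRAMES = [
    # One BSSID advertising many unrelated networks at once (beacon flood)
    ("beacon", "aa:bb:cc:00:00:01", "Heathrow Airport Wi-Fi"),
    ("beacon", "aa:bb:cc:00:00:01", "Starbucks"),
    ("beacon", "aa:bb:cc:00:00:01", "Home Network"),
    ("beacon", "aa:bb:cc:00:00:01", "Hotel Guest"),
    ("beacon", "aa:bb:cc:00:00:01", "Airport Wi-Fi"),
    ("beacon", "aa:bb:cc:00:00:01", "Free Public WiFi"),
    # Two ordinary access points: one visible SSID, one hidden (empty SSID)
    ("beacon", "de:ad:be:ef:00:02", "CoffeeShopGuest"),
    ("beacon", "de:ad:be:ef:00:03", ""),
    # A client probes for the networks in its PNL
    ("probe_req", "11:22:33:44:55:66", "Costa Coffee"),
    ("probe_req", "11:22:33:44:55:66", "Office-5G"),
    ("probe_req", "11:22:33:44:55:66", "CorpHidden"),
    # The hidden AP answers only the directed probe for its own name
    ("probe_resp", "de:ad:be:ef:00:03", "CorpHidden"),
    # A second rogue BSSID answers every probe with whatever name was asked for
    ("probe_resp", "aa:bb:cc:00:00:09", "Costa Coffee"),
    ("probe_resp", "aa:bb:cc:00:00:09", "Office-5G"),
    ("probe_resp", "aa:bb:cc:00:00:09", "CorpHidden"),
]


def ssids_by_transmitter(frames, subtype):
    """Map transmitter address -> set of SSIDs seen in frames of one subtype."""
    seen = defaultdict(set)
    for st, addr, ssid in frames:
        if st == subtype:
            seen[addr].add(ssid)
    return seen


def find_beacon_floods(frames, threshold=5):
    """BSSIDs beaconing at least `threshold` distinct SSIDs. A real AP
    announces one SSID per BSSID (a handful in multi-SSID setups), so a
    large count from one address is the beacon-flood signature."""
    beacons = ssids_by_transmitter(frames, "beacon")
    return {b: len(s) for b, s in beacons.items() if len(s) >= threshold}


def find_karma_responders(frames, min_unannounced=2):
    """BSSIDs whose probe responses carry SSIDs they never beaconed.
    A hidden-SSID AP legitimately answers a directed probe for its own
    (single) name, so one unannounced name is not enough to flag."""
    beaconed = ssids_by_transmitter(frames, "beacon")
    responded = ssids_by_transmitter(frames, "probe_resp")
    hits = {}
    for bssid, ssids in responded.items():
        unannounced = ssids - beaconed.get(bssid, set())
        if len(unannounced) >= min_unannounced:
            hits[bssid] = sorted(unannounced)
    return hits


def pnl_leakage(frames):
    """What each client reveals about its PNL through directed probes:
    the list a Karma responder works from, and the list worth pruning."""
    probes = ssids_by_transmitter(frames, "probe_req")
    return {client: sorted(names) for client, names in probes.items()}


if __name__ == "__main__":
    for bssid, n in find_beacon_floods(FRAMES).items():
        print(f"beacon flood: {bssid} announces {n} SSIDs")
    for bssid, names in find_karma_responders(FRAMES).items():
        print(f"karma-style responder: {bssid} answered for {names}")
    for client, names in pnl_leakage(FRAMES).items():
        print(f"client {client} probed for {names}")
```

The hidden-SSID access point in the sample shows the main false positive to design around: it beacons an empty name and answers a directed probe with its real one, which is why the responder check needs at least two unannounced names. The client's own probe list is the same information the article's "delete saved networks" advice removes.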
What a rogue AP can capture
Once a device is connected through the Pineapple, the attacker is positioned as a man in the middle — all traffic passes through their device before reaching the internet. What can actually be captured depends on the protocols in use:
- Unencrypted HTTP traffic: Any site not using HTTPS transmits data — including form submissions, login credentials, and session cookies — in cleartext. This is becoming rarer but still exists, particularly on internal or legacy systems.
- DNS queries: Even when HTTPS is in use, DNS lookups for the domains you're visiting are often unencrypted. An attacker operating the rogue AP can see every domain your device attempts to resolve, which reveals which sites you're visiting even if the content is protected.
- TLS Server Name Indication (SNI): When establishing a TLS (HTTPS) connection, the client sends the target hostname in cleartext in the TLS ClientHello message, in the Server Name Indication (SNI) extension. An attacker positioned as a man-in-the-middle can read the SNI and determine exactly which domain you're connecting to, even though the content is encrypted.
- SSL stripping: In some configurations, attackers can downgrade HTTPS connections to HTTP by intercepting the initial request and serving an HTTP version, capturing credentials before the user notices (or without them noticing at all).
Why HTTPS alone is not sufficient protection
HTTPS encrypts the content of your connections, but it leaves metadata exposed. SNI reveals the domain you're visiting. DNS queries (unless using DNS-over-HTTPS) reveal the same. The timing and size of connections can reveal usage patterns. An attacker operating a rogue AP can build a detailed picture of your online activity — what you're doing and when — without ever breaking TLS encryption.
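The SNI point made in the capture list above and in this paragraph is easy to verify by hand. The following added example (not code from the article) builds a minimal TLS ClientHello with a server_name extension and parses the hostname back out of the raw bytes, the way a passive observer or a network monitor would; the records and hostnames are constructed, and the parser deliberately walks past an unrelated extension so it does not assume SNI comes first.

```python
"""Show that the hostname in a TLS ClientHello (SNI) is visible to anyone
on the path, even though everything after the handshake is encrypted.

Added example, not code from the article. It builds a minimal ClientHello
with a server_name extension and parses the hostname back out the way a
passive observer or a network monitor would. All records are constructed."""
import os
import struct


def build_client_hello(hostname, cipher_suites=(0x1301, 0x1302, 0xC02F)):
    """Assemble a TLS record carrying a ClientHello with SNI (RFC 8446 / RFC 6066 layout)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    # An unrelated extension first (supported_versions, type 43) so the
    # parser has to walk the list rather than assume SNI comes first.
    versions_ext = struct.pack("!HH", 43, 3) + b"\x02\x03\x04"
    extensions = versions_ext + sni_ext
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                   # legacy_version TLS 1.2
        + os.urandom(32)                              # client random
        + b"\x00"                                     # empty session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record):
    """Return the SNI host_name from a ClientHello record, or None if the
    record is not a ClientHello or carries no server_name extension."""
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                            # skip version + random
        pos += 1 + body[pos]                                    # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher suites
        pos += 1 + body[pos]                                    # compression methods
        if pos + 2 > len(body):
            return None                                         # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0x0000:
                continue
            p = 2                                               # skip server_name_list length
            while p + 3 <= len(data):
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    return data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def observed_hostnames(records):
    """What a rogue AP learns from a burst of TLS records: one hostname per
    ClientHello, nothing from the encrypted application-data records."""
    return [h for h in (extract_sni(r) for r in records) if h is not None]


# Constructed traffic sample: three handshakes and one encrypted data record.
SAMPLE = [
    build_client_hello("mail.example.com"),
    b"\x17\x03\x03\x00\x05" + b"\x8a\x11\x5f\x00\x3c",   # application_data, opaque
    build_client_hello("bank.example.net"),
    build_client_hello("login.example.org"),
]

if __name__ == "__main__":
    for host in observed_hostnames(SAMPLE):
        print("ClientHello for", host)
```

The ASCII hostname is literally a substring of the record, so no decryption is involved; DNS-over-HTTPS does nothing about this leak, which is why the article points to a VPN tunnel as the broader fix. Encrypted Client Hello (ECH), where both the client and the server support it, is the in-protocol way to close it.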
Beyond metadata, HTTPS protections depend on certificate validation. Attacks that involve installing a rogue CA certificate on the target device — possible in managed corporate environments or through social engineering — can decrypt HTTPS traffic entirely. Most users would not detect this.
Who uses this and where
Penetration testers use the Pineapple legitimately, with authorisation, to assess wireless security in client environments. This is its intended use. But the same hardware and techniques are used by attackers in environments with high victim density: airports, international conference centres, hotels frequented by business travellers, and any location where people connect to untrusted networks while handling sensitive data.
The attacker profile is not sophisticated. The Pineapple's web interface abstracts away the technical complexity. Anyone willing to spend a few hundred euros and an afternoon reading documentation can execute these attacks.
Practical defences
Several measures significantly reduce exposure to rogue AP attacks:
- Turn off Wi-Fi when not in use: A device that isn't probing for networks cannot be targeted by Karma. Disabling Wi-Fi when walking through an airport or sitting in a coffee shop removes the attack surface entirely.
- Delete saved networks aggressively: The longer and more varied your PNL, the more probes your device broadcasts and the more likely one will match an attacker's setup. Delete saved networks for any public location — "Airport Wi-Fi", "Hotel Guest", "Costa Coffee" — after use.
- Use a VPN: A VPN encrypts all traffic between your device and the VPN server before it leaves your device. A rogue AP positioned between you and the internet sees only encrypted VPN traffic. DNS queries, SNI, and connection content are all protected. This is the most comprehensive mitigation for rogue AP attacks.
- Prefer cellular over Wi-Fi for sensitive activity: Mobile data does not route through local access points. Using cellular data for email, banking, and communications when on the move entirely bypasses the rogue AP threat model.
- Disable auto-join for open networks: Most mobile operating systems allow you to prevent automatic connection to open (non-password-protected) networks. Enable this setting — it prevents the most casual forms of the attack.
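As an added example (not the article's code) of the PNL hygiene the list above describes, the script below audits a wpa_supplicant.conf, the saved-network list on many Linux systems, for entries that widen the exposure: open networks that will auto-join, networks with scan_ssid=1 (which makes the client send directed probe requests naming that SSID), and public-venue names that should be deleted after travel. The configuration is constructed, and the venue-word list is a heuristic of this example, not a standard.

```python
"""Audit a wpa_supplicant.conf saved-network list (the Linux equivalent of
the PNL) for entries that widen the rogue-AP attack surface.

Added example, not code from the article. The configuration text below is
constructed; the public-venue word list is a heuristic, not a standard."""

# Constructed sample: a mix of a home network, two venue networks and a
# corporate hidden network.
WPA_CONF = """\
ctrl_interface=/run/wpa_supplicant
update_config=1

network={
    ssid="Home Network"
    psk="correct horse battery staple"
    priority=10
}

network={
    ssid="Airport Wi-Fi"
    key_mgmt=NONE
}

network={
    ssid="Hotel Guest"
    key_mgmt=NONE
    disabled=1
}

network={
    ssid="CorpHidden"
    key_mgmt=WPA-EAP
    scan_ssid=1
}
"""

PUBLIC_WORDS = ("airport", "hotel", "guest", "free", "coffee", "cafe", "public")


def parse_wpa_supplicant(text):
    """Return one dict per network={...} block; quoted values are unquoted.
    Lines outside a block (global options) are ignored."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_pnl(networks):
    """Return (ssid, code, message) findings for risky saved networks."""
    findings = []
    for net in networks:
        ssid = net.get("ssid", "<no ssid>")
        # wpa_supplicant's default key_mgmt is "WPA-PSK WPA-EAP"; only an
        # explicit NONE marks an open network.
        key_mgmt = net.get("key_mgmt", "WPA-PSK WPA-EAP").upper()
        disabled = net.get("disabled") == "1"
        if key_mgmt == "NONE" and not disabled:
            findings.append((ssid, "OPEN_AUTOJOIN",
                             "open network joins automatically; any AP announcing this name is accepted"))
        if net.get("scan_ssid") == "1":
            findings.append((ssid, "DIRECTED_PROBE",
                             "scan_ssid=1 broadcasts this SSID in probe requests wherever the device goes"))
        if any(word in ssid.lower() for word in PUBLIC_WORDS):
            findings.append((ssid, "PUBLIC_NAME",
                             "looks like a public venue network; delete it after use"))
    return findings


if __name__ == "__main__":
    for ssid, code, message in audit_pnl(parse_wpa_supplicant(WPA_CONF)):
        print(f"{code:15} {ssid!r}: {message}")
```

In the sample, the disabled "Hotel Guest" entry is only flagged for its name, while "Airport Wi-Fi" is the dangerous one: it is open and still enabled, so the client will associate with any access point that claims that SSID. The same checks map directly onto the article's advice to delete venue networks and to disable auto-join for open networks.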
For router-level VPN that protects all devices connected to your home or travel network simultaneously, see Norypt encrypted routers. For sensitive connectivity while mobile, using a Norypt eSIM for cellular data instead of untrusted Wi-Fi eliminates the rogue AP threat entirely.