KARMA Attack
What is KARMA Attack?
KARMA Attack: A rogue access point attack in which a malicious AP answers every probe request, masquerading as any preferred network a client is looking for.
KARMA was presented in 2004-2005 by Dino Dai Zovi and Shane Macaulay. Wi-Fi clients periodically broadcast probe requests listing the SSIDs of networks they have joined before. A KARMA-capable AP answers every probe with a matching probe response, so any phone or laptop with a saved 'coffeeshop' or 'Starbucks Wi-Fi' will silently associate and route traffic through the attacker. Once a client has associated, the attacker can sniff traffic, run TLS-stripping or evil-portal pages, and harvest credentials. Modern variants include MANA (SensePost) and tools like hostapd-mana and wifiphisher. Defences include disabling auto-join for open networks, using HTTPS-only mode, and enabling 802.11w MFP plus enterprise authentication.
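One way a wireless sensor could flag the probe-response behaviour described above, as an added example that is not from the original page. It assumes a monitor-mode sensor that logs probe requests and responses and occasionally probes for a random "canary" SSID that no real network uses; the function name, thresholds, MAC addresses and SSIDs are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sensor log: (time_s, frame_type, transmitter_mac, ssid).
# All MAC addresses and SSIDs are invented for this example.
FRAMES = [
    (0.0, "probe_req",  "a4:00:00:00:00:01", "coffeeshop"),
    (0.1, "probe_resp", "02:00:00:00:00:99", "coffeeshop"),
    (1.0, "probe_req",  "a4:00:00:00:00:02", "CompanyWiFi"),
    (1.1, "probe_resp", "02:00:00:00:00:99", "CompanyWiFi"),
    (1.2, "probe_resp", "3c:00:00:00:00:10", "CompanyWiFi"),  # the real AP
    (2.0, "probe_req",  "a4:00:00:00:00:03", "home"),
    (2.1, "probe_resp", "02:00:00:00:00:99", "home"),
    (3.0, "probe_req",  "a4:00:00:00:00:ff", "canary-7f3a91"),  # sensor's probe
    (3.1, "probe_resp", "02:00:00:00:00:99", "canary-7f3a91"),
    (4.0, "probe_resp", "3c:00:00:00:00:10", "CompanyWiFi"),
]

def find_karma_suspects(frames, canary_ssids=(), max_ssids=2, window_s=60.0):
    """Return {bssid: reason} for transmitters that behave like a KARMA AP."""
    seen = defaultdict(list)   # bssid -> [(time, ssid), ...] inside the window
    suspects = {}
    for t, kind, mac, ssid in sorted(frames):
        if kind != "probe_resp":
            continue
        # Nothing legitimate should answer an SSID the sensor made up.
        if ssid in canary_ssids:
            suspects[mac] = f"answered canary SSID {ssid!r}"
            continue
        # Drop responses older than the window, then count distinct SSIDs.
        seen[mac] = [(ts, s) for ts, s in seen[mac] if t - ts <= window_s]
        seen[mac].append((t, ssid))
        distinct = sorted({s for _, s in seen[mac]})
        if len(distinct) > max_ssids and mac not in suspects:
            suspects[mac] = f"{len(distinct)} SSIDs in {window_s:.0f}s: {distinct}"
    return suspects

if __name__ == "__main__":
    for mac, reason in find_karma_suspects(FRAMES, {"canary-7f3a91"}).items():
        print(mac, "->", reason)
```

The `max_ssids` threshold needs tuning per site, since some legitimate APs advertise several SSIDs from one BSSID; the canary check does not depend on it.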
● Examples
- 01: A pen-tester running hostapd-mana so that nearby phones auto-connect to a phantom 'home' SSID.
- 02: Capturing corporate credentials when a laptop joins a fake 'CompanyWiFi' clone.
● Frequently asked questions
What is KARMA Attack?
A rogue access point attack in which a malicious AP answers every probe request, masquerading as any preferred network a client is looking for. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against KARMA Attack?
Defences for KARMA Attack typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for KARMA Attack?
Common alternative names include: KARMA Wi-Fi attack, Probe-response rogue AP.
● Related terms
- Rogue Access Point (attacks, № 943): An unauthorised wireless access point connected to a network, either installed maliciously by an attacker or naively by an employee, that bypasses network security controls.
- WPS Attack (attacks, № 1251): An online brute-force attack on the eight-digit Wi-Fi Protected Setup PIN that recovers the WPA/WPA2 passphrase in hours.
- PMKID Attack (attacks, № 837): An offline WPA/WPA2-PSK cracking method that derives the passphrase from a single PMKID field captured from an access point, no client needed.
- KRACK Attack (attacks, № 595): A key reinstallation attack against WPA2 that forces nonce reuse in the four-way handshake, letting an attacker decrypt or replay Wi-Fi traffic.
● See also
- Wardriving (№ 1223)