The Secret Life of Probe Requests Mitsubishi IoT Discovery a...#2403

Open
carlospolop wants to merge 1 commit into master from update_The_Secret_Life_of_Probe_Requests_Mitsubishi_IoT_55a1e66fd0c487fd

@carlospolop

Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://innerfirez.github.io/posts/the-secret-life-of-probe-requests
  • Blog Title: The Secret Life of Probe Requests: Mitsubishi IoT Discovery and Control via Setup-Mode Wi-Fi
  • Suggested Section: Generic Methodologies & Resources > Pentesting Wifi — add a page or subsection for Probe Request Reconnaissance, Karma/Evil-Twin Attacks against IoT Setup Mode, WPA half-handshake capture, and SSID-set fingerprinting

🎯 Content Summary

The blog describes a Wi-Fi reconnaissance and exploitation chain against Mitsubishi Electric smart appliance Wi-Fi adapters, specifically identifying the air-conditioner Wi-Fi adapter MAC-577IF-2E. The issue was later confirmed by the vendor and associated in the post with CVE-2026-5667. The core weakness is that some appliances that have not been provisioned by their owner remain in setup mode and continuously search for a predefined Wi-Fi n...

🔧 Technical Details

Probe-request reconnaissance for IoT discovery: Devices in setup mode may continuously transmit 802.11 probe requests for a hardcoded or expected SSID. An attacker can passively collect these requests with portable Wi-Fi tooling and GPS, then search for repeated SSID patterns and vendor MAC prefixes. In the post, a rooted OnePlus 7 Pro running an Android NetHunter-style script collected probe requests around a city, filtered likely phone vendors where possible, and identified recurring IoT SSIDs such as DefaultSSID. This technique can be generalized to discover unconfigured or misconfigured IoT devices that reveal their provisioning SSID over the air.

Karma/evil-twin AP against fixed-SSID clients: When a client broadcasts that it is searching for a specific SSID, an attacker can create an AP with the same SSID and wait for the client to connect. If the target is an IoT device that trusts the presence of that SSID during setup, thi...

🤖 Agent Actions

Using repository inspection plus focused file reads to place the Wi‑Fi content in the best existing page.
Cross-checking the linked public sources so the added Wi‑Fi guidance stays accurate and references concrete tooling/vendor context.
Updated src/generic-methodologies-and-resources/pentesting-wifi/README.md.

Added:

  • Probe-request reconnaissance for setup-mode IoT devices
  • SSID-set fingerprinting despite MAC randomization
  • Fixed-SSID setup-mode IoT takeover workflow

Also updated the file’s References with:

  • the original blog
  • Mitsubishi reverse-engineering blog
  • pymitsubishi/mac-577if-e
  • Mitsubishi advisory PDF

Validation:

  • git diff --check
  • mdbook build could not run because mdbook isn’t installed in this environment (/bin/bash: mdbook: command not found)

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
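
Added example (not part of this PR, the blog post, or HackTricks): a defender-side audit for the probe-request pattern described under Technical Details, run over frames captured on your own site to inventory devices still in setup mode. The function names, the MAC addresses, the `HomeWifi` SSID, the `min_probes` threshold and the "globally administered MAC plus repeated directed probes" heuristic are assumptions; frames are raw 802.11 without radiotap or FCS.

```python
import struct
from collections import Counter

def build_probe(src_mac, ssid):
    """Constructed sample input: a minimal 802.11 probe request."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    # Frame control 0x0040 = management / probe request; DA and BSSID are broadcast.
    hdr = struct.pack("<HH", 0x0040, 0) + b"\xff" * 6 + src + b"\xff" * 6 + b"\x00\x00"
    body = ssid.encode()
    return hdr + bytes([0, len(body)]) + body + bytes([1, 1, 0x82])  # SSID IE + rates IE

def parse_probe_request(frame):
    """Return (source MAC, SSID) for a probe request, else None."""
    if len(frame) < 24 or (frame[0] & 0xFC) != 0x40:  # type 0, subtype 4 only
        return None
    src = frame[10:16].hex(":")                       # addr2 = transmitter
    pos = 24
    while pos + 2 <= len(frame):                      # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) < length:
            return None                               # truncated element, reject frame
        if tag == 0:                                  # SSID element
            return src, value.decode("utf-8", "replace")
        pos += 2 + length
    return None

def setup_mode_candidates(frames, min_probes=3):
    """Map SSID -> MACs that repeatedly sent directed probes from a non-randomized MAC."""
    counts = Counter()
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1]:                      # skip wildcard (empty SSID) probes
            counts[parsed] += 1
    result = {}
    for (mac, ssid), n in counts.items():
        randomized = int(mac[:2], 16) & 0x02          # locally administered bit set
        if n >= min_probes and not randomized:
            result.setdefault(ssid, []).append(mac)
    return {ssid: sorted(macs) for ssid, macs in result.items()}

# Constructed capture: an unprovisioned adapter, a phone with a randomized MAC,
# and a client sending only wildcard probes.
SAMPLE = ([build_probe("00:11:22:aa:bb:01", "DefaultSSID")] * 5
          + [build_probe("da:a1:19:00:00:07", "HomeWifi")] * 4
          + [build_probe("00:11:22:aa:bb:02", "")] * 6)

if __name__ == "__main__":
    print(setup_mode_candidates(SAMPLE))
```

Any device this reports on a network you operate should be provisioned or powered down, since it is still advertising its setup SSID over the air.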

@carlospolop

Collaborator Author

🔗 Additional Context

Original Blog Post: https://innerfirez.github.io/posts/the-secret-life-of-probe-requests

Content Categories: Based on the analysis, this content was categorized under "Generic Methodologies & Resources > Pentesting Wifi — add a page or subsection for Probe Request Reconnaissance, Karma/Evil-Twin Attacks against IoT Setup Mode, WPA half-handshake capture, and SSID-set fingerprinting".

Repository Maintenance:

  • MD Files Formatting: 977 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
