Home Hack - Detect broadcast vulnerabilities

How Hackers Find Your Home Network: What You're Broadcasting

Your WiFi router broadcasts constantly, even when no one is using it. Your phone searches for known networks when you leave the house. Smart devices on your network announce their services to the local network every few seconds. Most of this happens without any visible indication, and the aggregate of what is being transmitted is more useful to an attacker than most people realize.

This article covers what your home network is actively broadcasting, what an attacker can learn from it passively, and which simple changes reduce your exposure.

Beacon frames: the constant announcement

Your WiFi router sends a beacon frame roughly ten times per second: the default beacon interval is 100 time units (102.4 ms), and each SSID the router advertises gets its own beacon stream. Every one of these frames contains:

  • SSID: Your network name. If it is "Smith-Family-Home" or "22 Oak Street WiFi," you have just told everyone nearby who lives there and potentially where.
  • BSSID: The AP's MAC address. The first three bytes (the OUI) identify the manufacturer, so a lookup against the public IEEE OUI registry tells an observer who made the router, though not the exact model on its own.
  • Channel: Which channel the AP is operating on.
  • Security type: The RSN information element announces WPA2 or WPA3, the cipher suite (CCMP, or the deprecated TKIP) and whether authentication is a shared passphrase (PSK or SAE) or 802.1X. WEP shows up only as the privacy capability bit with no RSN element; an open network has neither, and everything sent on it can be read by anyone in range.
  • Supported data rates and capabilities: Details about what the AP can do, useful for fingerprinting the specific model.
  • Vendor-specific information elements: Many routers include manufacturer-specific data in beacon frames that can be used to identify the exact router model and sometimes firmware version.

All of this is transmitted in plaintext. No authentication is required to receive it. Anyone with a WiFi adapter in monitor mode - or a device like the BLEShark Nano running a WiFi scan - can collect this data passively from the street outside your house.

For most home users, the practical risk from beacon frame information is limited. But for someone who is specifically targeting you - a stalker, a targeted burglar who wants to know if you have a home security system, a neighbor with a grievance - SSID data combined with other passive sources builds a useful picture.

Probe requests: your phone's travel diary

This one surprises people. When your phone is not connected to a WiFi network, it actively scans for networks it knows. It sends out probe request frames that either ask generally ("is anyone there?") or specifically name a network it is looking for: "Is there a 'Smith-Family-Home' network nearby?"

Historically, a device sent a directed probe request for each saved network in turn. Walking through a public space with a scanner would reveal every network a person's phone had ever connected to - their home network, their employer's network, the hotel in Paris, the conference WiFi from three years ago. That is a surprisingly detailed record of someone's movements.

Modern iOS and Android have largely addressed this with randomized MAC addresses and more restricted probe behavior. Both generate a separate random MAC per saved network, and directed probes naming a specific SSID are now uncommon on current releases: devices mostly send wildcard probes and listen for beacons. But older devices, laptops, and many IoT devices still send directed probe requests with static MACs. One setting makes this worse rather than better: a hidden (non-broadcast) SSID cannot be found from beacons, so every device that knows it must name it in directed probes wherever it goes. Hiding your SSID does not hide it; it moves the announcement from your router to your phone.

The implication for your home network: if your home SSID is unique and identifiable ("Smith-Family-Home"), then probe requests from your devices while you are out potentially reveal that you have a device associated with that network, in this location, at this time. More practically for home security: probe requests reveal when your devices are not home - and therefore when you are not home.

```mermaid
graph TD
    PHONE["Your phone"] -->|"Probe requests"| AIR["WiFi airspace"]
    AIR --> ATK["Attacker captures:
Device MAC
Saved network SSIDs
Probe timing patterns"]
    ATK --> PROFILE["Build profile:
Where you've been
What networks you use"]
```
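To make the beacon and probe-request points above concrete, here is a small parser, added as an example for this article and not part of the original page or of the BLEShark Nano firmware, that pulls out exactly the fields a passive listener gets: SSID, BSSID, channel and security type (from the RSN element) for beacons, and for probe requests the source MAC, whether that MAC is randomized (locally administered bit) and which saved network the device is asking for. The frames it runs on are constructed inside the block; the addresses and network names are made up, and the vendor OUI lookup is deliberately left out (the public IEEE registry does that). Feed it the raw bytes of 802.11 management frames from a monitor-mode capture to run it on real traffic.

```python
import struct

# 802.11 information element tags used here. CAP_PRIVACY is the capability bit set by
# every WEP/WPA/WPA2/WPA3 network; SUITE is the IEEE OUI that prefixes RSN suite selectors.
IE_SSID, IE_RATES, IE_DS_PARAM, IE_RSN, IE_VENDOR = 0, 1, 3, 48, 221
CAP_PRIVACY, SUITE = 0x0010, b"\x00\x0f\xac"

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def is_randomized(mac):
    # Randomized client MACs set the locally-administered bit (bit 1 of octet 0);
    # a vendor-assigned (globally administered) address is a stable tracking handle.
    return bool(mac[0] & 0x02)

def parse_ies(body):
    """Walk tag/length/value information elements into {tag: [value, ...]}."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, n = body[i], body[i + 1]
        ies.setdefault(tag, []).append(body[i + 2:i + 2 + n])
        i += 2 + n
    return ies

def security_from_ies(ies, privacy):
    """WPA2/WPA3 come from the RSN IE, WPA1 from a Microsoft vendor IE, WEP/open from the privacy bit."""
    rsn = ies.get(IE_RSN, [None])[0]
    if rsn is None:
        if privacy and any(v.startswith(b"\x00\x50\xf2\x01") for v in ies.get(IE_VENDOR, [])):
            return "WPA1"
        return "WEP" if privacy else "open"
    # RSN IE: version(2) group suite(4) pairwise count(2) pairwise suites(4 each)
    #         AKM count(2) AKM suites(4 each) capabilities(2); suite type is the 4th byte
    n_pair = struct.unpack_from("<H", rsn, 6)[0]
    pairwise = [rsn[8 + 4 * k + 3] for k in range(n_pair)]
    off = 8 + 4 * n_pair
    n_akm = struct.unpack_from("<H", rsn, off)[0]
    akms = [rsn[off + 2 + 4 * k + 3] for k in range(n_akm)]
    if 8 in akms:                                    # SAE
        mode = "WPA3-SAE" + ("/WPA2-PSK transition" if 2 in akms else "")
    elif 2 in akms:                                  # PSK
        mode = "WPA2-PSK"
    elif 1 in akms:                                  # 802.1X
        mode = "WPA2-Enterprise"
    else:
        mode = f"RSN akm={akms}"
    ciphers = "+".join({2: "TKIP", 4: "CCMP"}.get(c, f"cipher{c}") for c in pairwise)
    return f"{mode} ({ciphers})"

def parse_frame(frame):
    """What a passive listener learns from one beacon or probe request; None for other frames."""
    fc = frame[0]
    if ((fc >> 2) & 0x3) != 0:                        # management frames only
        return None
    subtype, addr2, addr3, body = fc >> 4, frame[10:16], frame[16:22], frame[24:]
    if subtype == 8:                                  # beacon: 12 fixed bytes, then IEs
        _ts, interval, cap = struct.unpack_from("<QHH", body, 0)
        ies = parse_ies(body[12:])
        return {"type": "beacon", "bssid": mac_str(addr3),
                "ssid": ies.get(IE_SSID, [b""])[0].decode("utf-8", "replace"),
                "channel": ies.get(IE_DS_PARAM, [b"\x00"])[0][0],
                "beacon_interval_ms": round(interval * 1.024, 1),
                "security": security_from_ies(ies, bool(cap & CAP_PRIVACY))}
    if subtype == 4:                                  # probe request: IEs only
        ssid = parse_ies(body).get(IE_SSID, [b""])[0].decode("utf-8", "replace")
        return {"type": "probe", "src": mac_str(addr2), "randomized": is_randomized(addr2),
                "ssid": ssid or None}                 # empty SSID = wildcard probe
    return None

def report(frames):
    """Parse a capture and flag directed probes sent from a static (non-randomized) MAC."""
    out = []
    for r in filter(None, map(parse_frame, frames)):
        if r["type"] == "probe" and r["ssid"] and not r["randomized"]:
            r["leak"] = "directed probe from static MAC: saved network + trackable device"
        out.append(r)
    return out

# --- Constructed sample frames (not from a real capture); builders mirror the layouts above ---
def _ie(tag, data):
    return bytes([tag, len(data)]) + data

def _rsn(pairwise, akms):
    sel = lambda types: struct.pack("<H", len(types)) + b"".join(SUITE + bytes([t]) for t in types)
    return struct.pack("<H", 1) + SUITE + b"\x04" + sel(pairwise) + sel(akms) + b"\x00\x00"

def _beacon(bssid, ssid, channel, rsn=b""):
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0001 | (CAP_PRIVACY if rsn else 0))
    ies = _ie(IE_SSID, ssid) + _ie(IE_RATES, b"\x82\x84\x8b\x96") + _ie(IE_DS_PARAM, bytes([channel]))
    return hdr + fixed + ies + (_ie(IE_RSN, rsn) if rsn else b"")

def _probe(src, ssid):
    hdr = b"\x40\x00\x00\x00" + b"\xff" * 6 + src + b"\xff" * 6 + b"\x00\x00"
    return hdr + _ie(IE_SSID, ssid) + _ie(IE_RATES, b"\x82\x84\x8b\x96")

SAMPLE_FRAMES = [
    _beacon(bytes.fromhex("001122334455"), b"Smith-Family-Home", 6, _rsn([4], [2])),   # WPA2-PSK
    _beacon(bytes.fromhex("00112233aabb"), b"Smith-Guest", 6, _rsn([4], [8, 2])),      # WPA3 transition
    _beacon(bytes.fromhex("c0ffee000001"), b"CoffeeShop", 1),                          # open
    _probe(bytes.fromhex("d4e6b7010203"), b"Smith-Family-Home"),                       # static MAC, directed
    _probe(bytes.fromhex("7a1b2c3d4e5f"), b""),                                        # randomized MAC, wildcard
]

if __name__ == "__main__":
    for row in report(SAMPLE_FRAMES):
        print(row)
```

The two probe frames are the point of the exercise: the first names a saved home network from a vendor-assigned MAC and is flagged, the second is a wildcard probe from a randomized address and reveals nothing beyond "a phone is nearby". The security classifier reads the AKM list, so a transition-mode network shows up as both WPA3-SAE and WPA2-PSK, which is what a downgrade-minded attacker looks for.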

UPnP: the service you forgot was on

Universal Plug and Play (UPnP) is a network protocol that allows devices to automatically discover each other and configure network settings. Your gaming console uses UPnP to automatically open ports on your router for multiplayer. Your smart TV uses it to announce its presence to media server software on your PC.

The problem is that UPnP is unauthenticated by design. Any device on your local network can send an SSDP (Simple Service Discovery Protocol) M-SEARCH request to the multicast group 239.255.255.250 on UDP port 1900, and every UPnP device answers directly with its device type, a SERVER string naming its UPnP stack and version, and a LOCATION URL for an XML description that lists model name, manufacturer, services, and control URLs. Worse, the router's Internet Gateway Device (IGD) service accepts AddPortMapping requests from any LAN host with no credential at all; that is the mechanism games use to open ports, and it is equally available to malware on a compromised device.

This is an internal network protocol, so it is not directly accessible from outside. But if an attacker gains any access to your local network - through a compromised device, an exploited router, or access to your WiFi - UPnP discovery immediately gives them a comprehensive inventory of your home network. More directly: poorly implemented UPnP on routers has historically allowed internet-facing exploitation, with the Shodan search engine indexing millions of UPnP devices exposed to the internet.

The fix is simple: disable UPnP on your router. Most modern applications that used to depend on UPnP work fine without it or have alternative configuration methods. Log into your router admin interface and turn it off. You will likely never notice the difference.
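One way to confirm the change took effect, and to see what UPnP hands to any LAN host, is to send an M-SEARCH yourself. The script below is an added example (not the page's or any product's code) that builds the request, parses a reply, and flags an Internet Gateway Device answering, which means port mapping is still enabled. The sample reply is constructed; the header names follow the UPnP Device Architecture and the SERVER string uses the OS/UPnP/product format common router stacks emit. discover() needs a real LAN; everything else runs offline.

```python
import socket
import time

SSDP_GROUP = ("239.255.255.250", 1900)

def build_msearch(st="ssdp:all", mx=2):
    """M-SEARCH discovery request as defined by UPnP Device Architecture 1.1."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n"
        "\r\n"
    ).encode("ascii")

def parse_ssdp_response(raw):
    """Parse a unicast 'HTTP/1.1 200 OK' reply into an upper-cased header dict, or None."""
    lines = raw.decode("utf-8", "replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip()
    return headers

def summarize(headers, src_ip):
    """Reduce one reply to what matters for reconnaissance and for checking the fix."""
    st = headers.get("ST", "")
    return {
        "ip": src_ip,
        "server": headers.get("SERVER"),        # OS / UPnP stack / version string
        "location": headers.get("LOCATION"),    # XML description: model, services, control URLs
        "st": st,
        "usn": headers.get("USN"),
        # An Internet Gateway Device answering means UPnP port mapping is still switched on.
        "is_gateway": "InternetGatewayDevice" in st or "WANIPConnection" in st,
    }

def discover(timeout=3.0):
    """Multicast an M-SEARCH to the LAN and collect the unicast replies (needs a real network)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(0.5)
    sock.sendto(build_msearch(), SSDP_GROUP)
    found, deadline = {}, time.time() + timeout
    while time.time() < deadline:
        try:
            data, (ip, _port) = sock.recvfrom(65535)
        except socket.timeout:
            continue
        headers = parse_ssdp_response(data)
        if headers:
            found.setdefault(headers.get("USN", ip), summarize(headers, ip))
    sock.close()
    return list(found.values())

# Constructed sample reply (not captured from a real device). The UUID and version
# numbers are invented; the header set is what the UPnP spec requires in a reply.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"SERVER: Linux/4.4 UPnP/1.1 MiniUPnPd/2.1\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:0f3a2b1c-0000-4000-8000-000000000001::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(summarize(parse_ssdp_response(SAMPLE_REPLY), "192.168.1.1"))
    for device in discover():
        print(device)
```

After disabling UPnP, discover() should return no entry with is_gateway set; if the router still answers, the setting did not apply (some routers keep a separate "NAT-PMP/PCP" toggle that also needs turning off). The SERVER and LOCATION fields are why this matters even before any exploit: they name the UPnP stack and version and point at a description document that lists every control URL the device exposes.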

mDNS and Bonjour: device discovery

Multicast DNS (mDNS) is the protocol Apple calls "Bonjour." It allows devices to announce services on a local network without a central DNS server. Your AirPrint printer announces itself via mDNS so your Mac can find it. Your Apple TV announces itself. Your Chromecast announces itself. Your NAS device announces available shares via mDNS.

These announcements happen continuously. Every mDNS-capable device on your local network periodically multicasts what it is and what services it offers to 224.0.0.251 on UDP port 5353 (ff02::fb over IPv6). A passive listener on the same network can collect an inventory of every device type, its hostname, and its services without sending a single packet.

What gets announced: device hostnames (often include your name - "john-macbook-pro.local"), device types ("AppleTV"), services (AirPlay, SMB shares, printers, HTTP servers), and sometimes version information. From a security perspective, this is free reconnaissance data for anyone on the same network segment.
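Added example (not from the original page): a minimal mDNS response parser that turns announcements like the ones described above into the inventory a passive listener would keep, one entry per service instance with its host, port, address and TXT attributes. The packet it parses is constructed in the block, including a DNS compression pointer so the pointer-following path is exercised; the instance names, hostnames, addresses and TXT values are invented. To run it on live traffic, bind a UDP socket to port 5353, join the 224.0.0.251 group and pass each datagram to parse_mdns.

```python
import struct

MDNS_GROUP = ("224.0.0.251", 5353)
A, PTR, TXT, SRV = 1, 12, 16, 33          # DNS record types that carry the inventory

def read_name(pkt, off):
    """Decode a DNS name at off, following 0xC0xx compression pointers.
    Returns (name, offset just past the name as it appears in the packet)."""
    labels, end, jumped = [], None, False
    while True:
        n = pkt[off]
        if n == 0:
            off += 1
            break
        if (n & 0xC0) == 0xC0:                    # pointer to an earlier copy of the name
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            continue
        labels.append(pkt[off + 1:off + 1 + n].decode("utf-8", "replace"))
        off += 1 + n
    return ".".join(labels), (end if jumped else off)

def decode_rdata(pkt, rtype, rd_off, rdlen):
    if rtype == A:
        return ".".join(str(b) for b in pkt[rd_off:rd_off + 4])
    if rtype == PTR:
        return read_name(pkt, rd_off)[0]
    if rtype == SRV:
        _prio, _weight, port = struct.unpack_from("!HHH", pkt, rd_off)
        return {"port": port, "target": read_name(pkt, rd_off + 6)[0]}
    if rtype == TXT:                              # sequence of length-prefixed strings
        out, i = [], rd_off
        while i < rd_off + rdlen:
            n = pkt[i]
            out.append(pkt[i + 1:i + 1 + n].decode("utf-8", "replace"))
            i += 1 + n
        return out
    return pkt[rd_off:rd_off + rdlen].hex()

def parse_mdns(pkt):
    """Return [(name, type, decoded rdata)] for every record in an mDNS message."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", pkt, 4)
    off = 12
    for _ in range(qd):                           # skip questions: name + type + class
        _, off = read_name(pkt, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        records.append((name, rtype, decode_rdata(pkt, rtype, off, rdlen)))
        off += rdlen
    return records

def inventory(records):
    """Group records into per-service-instance entries: what a passive listener keeps."""
    hosts = {name: ip for name, t, ip in records if t == A}
    inv = {}
    for name, rtype, val in records:
        if rtype == PTR:
            inv.setdefault(val, {})["service"] = name
        elif rtype == SRV:
            inv.setdefault(name, {}).update(host=val["target"], port=val["port"],
                                            ip=hosts.get(val["target"]))
        elif rtype == TXT:
            inv.setdefault(name, {})["txt"] = val
    return inv

# --- Constructed sample response (not a real capture); names and addresses are invented ---
def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"

def _rr(name, rtype, rdata):                      # class 0x8001 = IN with the cache-flush bit
    return name + struct.pack("!HHIH", rtype, 0x8001, 4500, len(rdata)) + rdata

def _txt(*items):
    return b"".join(bytes([len(i)]) + i.encode() for i in items)

_RRS = [
    # PTR rdata ends in a compression pointer (0xC00C) back to "_airplay._tcp.local" at offset 12
    _rr(_name("_airplay._tcp.local"), PTR, b"\x0bLiving Room" + b"\xc0\x0c"),
    _rr(_name("Living Room._airplay._tcp.local"), SRV,
        struct.pack("!HHH", 0, 0, 7000) + _name("Living-Room-TV.local")),
    _rr(_name("Living Room._airplay._tcp.local"), TXT, _txt("model=AppleTV", "deviceid=aa:bb:cc:dd:ee:ff")),
    _rr(_name("Living-Room-TV.local"), A, bytes([192, 168, 1, 23])),
    _rr(_name("_smb._tcp.local"), PTR, _name("john-nas._smb._tcp.local")),
    _rr(_name("john-nas._smb._tcp.local"), SRV, struct.pack("!HHH", 0, 0, 445) + _name("john-nas.local")),
    _rr(_name("john-nas.local"), A, bytes([192, 168, 1, 40])),
]
SAMPLE_RESPONSE = struct.pack("!HHHHHH", 0, 0x8400, 0, len(_RRS), 0, 0) + b"".join(_RRS)

if __name__ == "__main__":
    for instance, info in inventory(parse_mdns(SAMPLE_RESPONSE)).items():
        print(instance, info)
```

Note what the inventory contains without the listener ever transmitting: a hostname with a person's name in it, an SMB share on port 445, and a TXT record naming the model. The same parser works on a guest network only if isolation is off; with client isolation the multicast never reaches the listener, which is the behaviour the next paragraph describes.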

For a guest network that uses client isolation, mDNS traffic between guest devices is blocked - which is the correct behavior. For your main home network, all your devices can see each other's mDNS announcements. This is generally fine, but it is worth being aware that anyone who gains access to your home WiFi gets a fairly comprehensive device inventory immediately.

BLE: what your smart devices advertise

Bluetooth Low Energy devices broadcast advertisement packets continuously to announce their presence and services. This is how your smartwatch, fitness tracker, smart bulbs, wireless earbuds, and Bluetooth-enabled door locks announce themselves.

BLE advertisements are transmitted on three fixed channels (37, 38, 39) and are receivable by any BLE scanner within 10-30 meters. The advertisement payload can contain:

  • Device name (often model name or custom name)
  • Manufacturer-specific data (can identify the exact product)
  • Service UUIDs (reveals what the device can do)
  • TX power level (can estimate range)

A BLE scan of a typical home environment reveals a significant amount of information about what devices are present. A smart lock advertising its service UUIDs and manufacturer data from just inside your front door tells an attacker what smart lock brand you have. Whether it accepts unauthenticated "Just Works" pairing is not in the advertisement itself, but it is visible to anyone who captures a pairing exchange, and the advertised address type says whether the device can be tracked by its address over time.

Running a BLE scan with the BLEShark Nano and OUI lookup shows you exactly what your devices are broadcasting. This is a useful exercise before a conversation about smart home device security - seeing your own home from an attacker's perspective makes the abstract concrete.
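What the advertisement payload and address type give away, as an added example that is not part of this article or of the BLEShark Nano: the parser splits the payload into AD structures (length, type, data), resolves a few assigned 16-bit service UUIDs and company identifiers (the lookup tables are deliberately short; the Bluetooth SIG publishes the full lists), and classifies the address as public, static random, or a rotating private address, which is what decides whether a device can be tracked by address. The two advertisements are constructed; the lock name and the manufacturer payload are invented, and 0xFFFF is the company identifier the SIG sets aside for internal and interoperability testing.

```python
# AD types from the Bluetooth SIG Assigned Numbers (Generic Access Profile data types)
AD_FLAGS, AD_UUID16_PARTIAL, AD_UUID16_COMPLETE = 0x01, 0x02, 0x03
AD_NAME_SHORT, AD_NAME_COMPLETE, AD_TX_POWER, AD_MANUFACTURER = 0x08, 0x09, 0x0A, 0xFF

# A few assigned 16-bit service UUIDs and company identifiers; the full lists are public.
SERVICE_NAMES = {0x180A: "Device Information", 0x180D: "Heart Rate",
                 0x180F: "Battery Service", 0x1812: "Human Interface Device"}
COMPANY_NAMES = {0x004C: "Apple, Inc.", 0xFFFF: "reserved for testing"}

def parse_ad(payload):
    """Split an advertising payload into AD structures: [len][type][data...] repeated."""
    info = {"flags": None, "services": [], "name": None, "tx_power": None, "manufacturer": None}
    i = 0
    while i < len(payload):
        n = payload[i]
        if n == 0:                                # zero-length structure ends the payload
            break
        ad_type, data = payload[i + 1], payload[i + 2:i + 1 + n]
        i += 1 + n
        if ad_type == AD_FLAGS:
            info["flags"] = data[0]
        elif ad_type in (AD_UUID16_PARTIAL, AD_UUID16_COMPLETE):
            for k in range(0, len(data) - 1, 2):
                uuid = data[k] | (data[k + 1] << 8)        # UUIDs are little-endian on air
                info["services"].append(SERVICE_NAMES.get(uuid, f"0x{uuid:04X}"))
        elif ad_type in (AD_NAME_SHORT, AD_NAME_COMPLETE):
            info["name"] = data.decode("utf-8", "replace")
        elif ad_type == AD_TX_POWER:
            info["tx_power"] = int.from_bytes(data[:1], "little", signed=True)   # dBm
        elif ad_type == AD_MANUFACTURER:
            company = data[0] | (data[1] << 8)
            info["manufacturer"] = {"company": COMPANY_NAMES.get(company, f"0x{company:04X}"),
                                    "data": data[2:].hex()}
    return info

def classify_address(addr, is_random):
    """Public and static-random addresses are long-lived identifiers; private ones rotate."""
    if not is_random:
        return "public (vendor-assigned, never changes)"
    top = addr[0] >> 6                            # two most significant bits, MSB-first bytes
    return {0b11: "static random (fixed until power cycle or reset)",
            0b01: "resolvable private (rotates, typically every 15 min)",
            0b00: "non-resolvable private (rotates)"}.get(top, "reserved")

def assess(addr_hex, is_random, payload):
    """What a passer-by learns from one advertisement, plus whether the device is trackable."""
    addr = bytes.fromhex(addr_hex.replace(":", ""))
    info = parse_ad(payload)
    info["address"] = classify_address(addr, is_random)
    info["trackable"] = not info["address"].startswith(("resolvable", "non-resolvable"))
    return info

# Constructed advertisements (not real captures) built from the AD structure rules above.
def _ad(ad_type, data):
    return bytes([len(data) + 1, ad_type]) + data

SMART_LOCK = (_ad(AD_FLAGS, b"\x06")                          # LE general discoverable, no BR/EDR
              + _ad(AD_UUID16_COMPLETE, b"\x0f\x18\x0a\x18")  # 0x180F Battery, 0x180A Device Info
              + _ad(AD_NAME_COMPLETE, b"Lock-1A2B")
              + _ad(AD_TX_POWER, b"\x00")                     # 0 dBm
              + _ad(AD_MANUFACTURER, b"\xff\xff\x01\x02"))    # company 0xFFFF + invented payload
FITNESS_BAND = _ad(AD_FLAGS, b"\x06") + _ad(AD_UUID16_COMPLETE, b"\x0d\x18")   # 0x180D Heart Rate

if __name__ == "__main__":
    print(assess("c1:23:45:67:89:ab", True, SMART_LOCK))    # static random address: trackable
    print(assess("5e:11:22:33:44:55", True, FITNESS_BAND))  # resolvable private: rotates
```

The lock advertises a name that identifies the product line, a Device Information service that will hand over model and firmware strings to anyone who connects, and a static random address, so the same device can be recognised day after day from the pavement. The band, by contrast, exposes only a service UUID behind a rotating address. A scanner that reports the address type alongside the name is the quickest way to sort your devices into those two groups.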

What an attacker learns from all of this

Combining passive collection from all of these sources, someone sitting outside your home for 15 minutes with basic tools can potentially learn:

  • Your WiFi network name and whether it reveals identifying information
  • Your router manufacturer and model (from BSSID OUI and beacon data)
  • Whether your WiFi is encrypted and what security type it uses
  • How many separate SSIDs you operate (main, guest, IoT)
  • What networks your phone or laptop is probing for (if it runs an older OS or does not randomize its MAC)
  • What BLE devices are active near the exterior of your home
  • Indirectly, whether you are likely home (based on device activity patterns)

For a targeted attack on a specific household, this is useful pre-attack intelligence gathered without touching your network. For most home users, the realistic threat from this is low - random attackers do not do careful reconnaissance on residential targets. But targeted attacks do happen, and physical proximity-based information gathering requires no hacking skills, just a scanner.

Hardening steps that actually matter

In rough order of impact:

  1. Use a non-identifying SSID. "HomeNetwork5" reveals less than "Johnson-Family" or your address. You do not need to obscure it completely, but avoid putting names, addresses, or identifiable information in your SSID. This costs you nothing and reduces passive information leakage.
  2. Enable WPA3 if your router supports it. WPA3-Personal replaces the WPA2 four-way handshake's passphrase-derived key with SAE, a password-authenticated key exchange: a captured handshake can no longer be cracked offline with a dictionary, and each session key has forward secrecy. WPA3 also mandates Protected Management Frames (PMF), which blocks spoofed deauthentication. If WPA3 is not available, use WPA2 with AES/CCMP only and disable TKIP. If you run WPA2/WPA3 transition mode for old devices, the network is only as strong as its WPA2 side.
  3. Disable WPS. The WPS PIN is verified in two halves, which shrinks the search space to about 11,000 guesses and makes online brute force practical in hours; on many chipsets the Pixie Dust weakness in the registrar's nonces recovers the PIN offline in seconds. Disable it in your router settings and leave it off. WPS QR code pairing and push-button connect are lower-risk but still not recommended.
  4. Disable UPnP. Most modern home users do not need it. If you are a gamer who relies on it for port forwarding, configure those ports manually instead - manual port forwarding gives you visibility and control over what is open.
  5. Use a separate SSID for IoT devices. Smart bulbs, cameras, thermostats, and other IoT devices often have poor security - old firmware, weak authentication, wide open local services. Putting them on a separate SSID with VLAN isolation means a compromised IoT device cannot reach your laptops, phones, and NAS. This is the most impactful network architecture change for home security.
  6. Keep router firmware updated. Router vulnerabilities get patched in firmware updates. Many home routers run the same firmware version they shipped with, which may be years old. Check for updates in your router admin interface and enable automatic updates if available.
  7. Audit BLE devices near entryways. If you have a Bluetooth smart lock, a BLE-enabled intercom, or other security-relevant BLE devices near exterior doors, understand what they broadcast and whether they use authenticated pairing. A BLE scanner (or the BLEShark Nano's BLE scan mode) lets you see what those devices are advertising to anyone who walks by.
  8. Change default router admin credentials. An obvious one, but still commonly missed. The default credentials for most consumer routers are publicly documented. Change the password to something unique, and the username too where the router allows it.
  9. Consider DNS filtering on the router. Services like NextDNS or Pi-hole block known malicious domains at the DNS level. This is separate from passive information leakage but relevant to overall home network security posture.

None of these require advanced technical skills. They are configuration changes in your router's admin interface, available on any consumer or prosumer router. The return on time invested is high - a few hours of configuration significantly raises the baseline security of your home network against opportunistic and targeted attacks alike.

The exercise of running a passive scan of your own home environment - with a tool like the BLEShark Nano's WiFi and BLE scanner - makes this more concrete. Seeing your network from the outside, with the same view an attacker would have, motivates the hardening steps in a way that abstract advice does not.

Get BLEShark Nano - $36.99+
