At almost every café, airport, coworking space, and tech event, you'll find a network called "Free Wi-Fi." Most people connect to it without thinking. And that's the exact mistake attackers rely on.

FREE ACCESS

In my latest video, I showed how shockingly easy it is to create a fake Wi-Fi network using a tiny M5StickC PLUS2 and a piece of open-source firmware called Bruce. No complex hacking. No elite skills. Just a name, a tap, and human curiosity.

This is a breakdown of how it works.

Booting the Device

The M5StickC boots into Bruce firmware with a simple screen animation. Nothing fancy — but inside the menu sits everything an attacker needs:

  • Fake AP
  • WiFi attacks
  • Evil Portal
  • Listeners
  • Telnet & SSH
  • Brucegotchi

This is not a toy. It's an awareness toolkit disguised as one.

Setting Up the Fake Access Point

The whole setup takes less than a minute.

  1. Open Evil Portal
  2. Select the default template
  3. Set SSID — I used "Free WiFi"
  4. Start AP
  5. Start Listener

Within seconds, the device begins broadcasting a fake hotspot. No extra equipment. No coding. No laptop.

Testing It on My Phone

I opened Wi-Fi settings on my mobile. "Free WiFi" appeared instantly.

I tapped it. It connected. And just like millions of people do every day, my phone redirected me to a login page.

To prove the concept, I entered fake credentials. A few seconds later, those credentials popped up on the M5StickC's tiny screen.

That's how simple this attack is.

No malware. No exploits. Just misplaced trust.

Modifying the Attack From the Browser

Bruce lets you manage the attack from any device on the network:

  • Change SSID
  • Start/Stop AP
  • View trapped credentials
  • Delete logs
  • Upload custom HTML templates

I changed the SSID from "Free WiFi" to something else, reconnected, and captured a second set of fake credentials.

This is how attackers evolve the deception in real time.

None

Custom HTML Portals

Bruce also allows:

  • Custom login pages
  • SD card hosting
  • FTP-based web templates

Which means an attacker can make their fake Google, Facebook, or corporate login pages look perfectly legitimate.

Again — the danger isn't the tool. It's how easily users trust what they see.

Exploring Other Modules

The device also features:

  • BLE toolkit
  • IR tools (built-in sensor)
  • nRF24 options (my next project)
  • RF utilities
  • Audio/Mic spectrum
  • UI themes
  • Games like Megalodon

This device is tiny, cheap, and dangerously educational.

Final Thoughts

If you remember one thing from this article, let it be this:

Stop connecting to open Wi-Fi. If someone like me can spin up a fake hotspot in under 60 seconds, imagine what a motivated attacker can do in a crowded public place.

Awareness isn't optional. It's survival.

None
None

Follow My Work

Buy Me a Coffee: https://www.buymeacoffee.com/satyampathania Thank you for supporting real hacking education.