M5StickC Plus 2 with NEMO Firmware: WiFi Evil Portal Attacks Explained

In the world of ethical hacking and cybersecurity, we are seeing more and more small tools that do really big things. One of the most striking ones lately is the M5StickC Plus 2: a mini device that, when loaded with NEMO firmware, can perform Evil Portal WiFi attacks quite effectively. But... what exactly is an Evil Portal? How does it all work and why should you know about it? Let's explain it in simple terms.

Imagine connecting to a public WiFi network with your cell phone, as you do every day. Everything seems normal... until a page appears asking you to log in. Without thinking twice, you enter your email and password. What you don't know is that you've just handed over your data to someone who isn't even nearby.

This type of deception is called an Evil Portal, and the surprising thing is that today you can set one up with a device that fits in the palm of your hand: the M5StickC Plus 2, along with firmware called NEMO.

What is the M5StickC Plus 2?

The M5StickC Plus 2 is a compact microcontroller based on the ESP32-PICO-V3-02 chip, a variant of the popular ESP32, widely used in IoT and ethical hacking projects. Despite its small size (similar to a pocket lighter), this device features a color LCD screen, physical buttons, WiFi and Bluetooth connectivity, a rechargeable battery, and expansion ports.

When you load the NEMO firmware (developed by 4x0nn), it becomes a fairly powerful tool for security testing, playing with technology, or even pulling the occasional geeky prank. Many compare it to the famous Flipper Zero, although it must be said: the M5Stick has fewer features... but it is also smaller, more affordable, and still very useful for certain tasks.

Its main features include:

1. 240 MHz dual-core processor

2. 512 KB RAM

3. 4 MB Flash storage

4. 1.14-inch TFT LCD screen

5. IMU (motion) sensor

6. USB-C port for charging and programming

Thanks to its size and power, the M5StickC Plus 2 is ideal for wireless security experiments, pentesting, and portable device development.

Read more: Terrifying New Use of Flipper Zero: Why Should You Be Worried?

What is the NEMO firmware?

NEMO is an open-source firmware specifically designed for the M5StickC Plus 2. It's based on the popular esp32-wifi-penetration-toolkit and allows this small device to be turned into a wireless attack tool. One of its most notable features is the ability to launch Evil Portals through a fake access point.

NEMO Firmware Features:

1. TV-B-Gone: Have you ever wanted to turn off a TV without anyone noticing? With NEMO, you can. This feature sends infrared signals to turn off compatible TVs or projectors. It’s similar to what the Flipper Zero does, but in a mini version. Just activate TV-B-Gone and... black screen. Fun guaranteed (in ethical contexts, of course).
   
   
2. AppleJuice / BadBT: Imagine flooding nearby iPhones with Bluetooth notifications. This feature makes it possible. It's essentially a Bluetooth advertising storm that overwhelms iOS devices. It doesn’t cause harm, but it definitely grabs attention.
   
   
3. Wi-Fi Spam: With this feature, you can generate multiple random or custom SSIDs that appear in the list of available networks.
   
   
4. Evil Portal: This is one of the most powerful (and sensitive) features. It creates a fake captive portal that mimics a login page to capture credentials through social engineering. It can even imitate real networks and force devices to disconnect and reconnect to the fake network.
   
   
5. Wi-Fi Deauthentication: Essentially, it disconnects devices from a specific network. Ideal for security testing or to see how well your network handles such attacks.
   
   
6. SSID Scanner: Scans all nearby 2.4 GHz Wi-Fi networks and shows details like network name, channel, and encryption type. Very useful for a quick analysis of the wireless environment.
   
   
7. Custom QR Codes: You can generate QR codes with the M5Stick, but be aware: the content has to be written directly into the source code, compiled, and then flashed to the device.
   
   
8. Digital Clock (24h): In addition to all of the above, the M5StickC Plus 2 can also function as a digital clock. It uses its real-time clock (RTC) to display the time, even in low-power mode. It's quite accurate and configurable.

What is an Evil Portal attack?

An Evil Portal is a type of social engineering attack that exploits fake Wi-Fi networks. The goal is to trick users into connecting to an access point that looks legitimate (e.g., “Free Starbucks WiFi”) and, upon connection, presents them with a fake web page that mimics a captive portal. One of the most striking (and powerful) features of the M5StickC Plus 2 with the NEMO firmware is its ability to launch a malicious portal or Evil Portal.

How does it work?

Read more: M1:What is Phishing?

Legitimate Use Cases for the M5StickC Plus 2 with NEMO

Although this type of tool may sound alarming, its use is not illegal by itself. In fact, it has very valuable applications within the field of ethical cybersecurity:

1. Penetration Testing (Pentesting): Security teams use this technique to assess employees' awareness and readiness against social engineering attacks. Deploying an Evil Portal in a controlled environment helps measure the effectiveness of security policies.

2. WiFi Security Audits: It helps detect whether users are connecting to unauthorized networks or if there are insecure configurations in the corporate network.

3. Cybersecurity Education: Ideal for workshops or practical demonstrations where the risks of connecting to public networks are taught, as well as the importance of verifying certificates and HTTPS sites.

How to Protect Yourself from an Evil Portal Attack

Understanding how this attack works is the first step toward protecting yourself. Here are some key tips:

1. Don’t Connect to Unknown Open WiFi Networks: Avoid connecting to networks that don’t require a password or have names suspiciously similar to known networks.

2. Check That the Page Uses HTTPS: A fake captive portal rarely has a valid certificate. If you see browser warnings, don’t enter any information.

4. Disable Auto-Connect to Open Networks: Many devices remember and automatically connect to open networks. Disable this feature in your device’s WiFi settings.

5. Use a Reliable VPN: If you need to connect to a public network, use a VPN (Virtual Private Network) to encrypt your traffic and prevent interception.

Conclusion

The M5StickC Plus 2 with NEMO firmware is a small but powerful tool. Its features range from tech pranks to testing the security of WiFi networks. And yes, it can also be used for more sensitive purposes if it ends up in the wrong hands.

That’s why it’s not just about learning how to use it, but also about understanding how to protect yourself from this type of attack. Knowing how it works gives you a significant advantage—whether to defend your devices or simply to be more aware of the risks out there when connecting to a public network.