Based on research done by Brendan O’Connor, we analyzed how a cellphone exposes data that can be used to track its owner’s movements and to learn about their daily life. Want to improve your privacy (or invade someone else’s)? Continue reading!
Devices that connect to a network, wired or WiFi, are identified by a MAC address. Each MAC address is, in practical terms, unique to a single device. Meanwhile, WiFi devices send Probe Requests to find networks they have connected to before. Because this happens before the device associates with any network, probe requests are management frames that are not encrypted, and they are sent to the broadcast address: the data travels in plain text and has no specific recipient.
This means that with any notebook or PC whose WiFi card supports monitor mode, you can “listen” to the probe requests sent by nearby devices.
By “listening” to the probe request, we can obtain and infer the following information:
- WiFi network list: A directed probe request carries the SSID of the network the device is looking for, so over time the device leaks its list of known networks. (A wildcard probe request carries an empty SSID and leaks no network name.)
- What the names mean: People commonly give their networks meaningful names, and from them one can tell where the person has been. For example: JohnSmithhouse, Hexacta, Disneyland, etc.
- Geolocation of WiFi networks: There are portals that collect WarDriving data; searching them for an SSID can return the network’s geographic location. For example: https://wigle.net/
- Device manufacturer: Each manufacturer is assigned ranges of MAC addresses (the first three octets, the OUI). This information is public, so from a MAC address we can infer the device’s manufacturer. For example: http://www.macvendorlookup.com/
- Device’s physical location: WiFi range is limited, so if we can “see” a device’s probe requests, it is close by (and we know where we are). Taking its signal level into account gives a more precise idea of its distance.
- When the device is present: We (obviously) know when we are seeing the device’s requests.
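To make the points above concrete, here is a small parser for the frames a listening card would capture. It is an added example, not code from the original post or from the WiFiScanner application: it walks a radiotap header to pull out the signal level, checks that the 802.11 frame is a probe request, extracts the transmitter MAC and the SSID element, flags an empty (wildcard) SSID, and skips the manufacturer lookup when the MAC has the locally administered bit set (the bit randomized addresses use). The OUI table and the two sample frames are constructed for the example; a real tool would load the IEEE OUI registry.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed OUI table for this example; the real lookup uses the IEEE registry.
OUI_TABLE = {"00:50:56": "VMware, Inc.", "00:0C:29": "VMware, Inc."}

# Radiotap fields this walker knows how to step over: present bit -> (size, alignment).
RADIOTAP_FIELDS = {0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (4, 2), 4: (2, 2),
                   5: (1, 1), 6: (1, 1), 7: (2, 2)}
RT_DBM_ANTSIGNAL = 5


@dataclass
class ProbeRequest:
    mac: str
    ssid: Optional[str]        # None = wildcard probe, no network name leaked
    rssi_dbm: Optional[int]    # signal level reported by the capturing card
    randomized: bool           # locally administered bit set on the source MAC
    vendor: Optional[str]      # manufacturer from the OUI, if the MAC is not randomized


def parse_radiotap(frame: bytes) -> Tuple[int, Optional[int]]:
    """Return (header length, dBm antenna signal or None). Extended present
    words (bit 31) are not handled; the walk stops at the first unknown field."""
    version, _pad, length, present = struct.unpack_from("<BBHI", frame, 0)
    if version != 0 or length > len(frame):
        raise ValueError("bad radiotap header")
    rssi, offset = None, 8
    for bit in range(32):
        if not present & (1 << bit):
            continue
        if bit not in RADIOTAP_FIELDS:
            break
        size, align = RADIOTAP_FIELDS[bit]
        offset += (-offset) % align          # radiotap fields are naturally aligned
        if bit == RT_DBM_ANTSIGNAL:
            rssi = struct.unpack_from("<b", frame, offset)[0]
        offset += size
    return length, rssi


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def parse_probe_request(frame: bytes) -> Optional[ProbeRequest]:
    """Parse one radiotap + 802.11 frame (no FCS); None unless it is a probe request."""
    rt_len, rssi = parse_radiotap(frame)
    dot11 = frame[rt_len:]
    if len(dot11) < 24:
        return None
    ftype, subtype = (dot11[0] >> 2) & 0x3, dot11[0] >> 4
    if ftype != 0 or subtype != 4:          # type 0 = management, subtype 4 = probe request
        return None
    src = dot11[10:16]                      # Addr2 = transmitter, i.e. the client
    randomized = bool(src[0] & 0x02)        # locally administered => likely randomized
    ssid, pos = None, 24                    # tagged parameters follow the fixed header
    while pos + 2 <= len(dot11):
        tag, tlen = dot11[pos], dot11[pos + 1]
        if tag == 0:                        # element ID 0 = SSID; length 0 = wildcard
            value = dot11[pos + 2:pos + 2 + tlen]
            ssid = value.decode("utf-8", errors="replace") if tlen else None
            break
        pos += 2 + tlen
    mac = fmt_mac(src)
    vendor = None if randomized else OUI_TABLE.get(mac[:8])
    return ProbeRequest(mac, ssid, rssi, randomized, vendor)


def build_probe_request(src_mac: bytes, ssid: bytes, rssi_dbm: int) -> bytes:
    """Constructed test vector: radiotap with only the signal field, then a probe request."""
    radiotap = struct.pack("<BBHI", 0, 0, 9, 1 << RT_DBM_ANTSIGNAL) + struct.pack("<b", rssi_dbm)
    bcast = b"\xff" * 6
    header = struct.pack("<HH", 0x0040, 0) + bcast + src_mac + bcast + struct.pack("<H", 0)
    tags = bytes([0, len(ssid)]) + ssid + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # SSID, rates
    return radiotap + header + tags


if __name__ == "__main__":
    for f in (build_probe_request(bytes.fromhex("005056123456"), b"JohnSmithhouse", -45),
              build_probe_request(bytes.fromhex("daa119001122"), b"", -70)):
        print(parse_probe_request(f))
```

The second constructed frame shows what the mitigations later in the post look like on the wire: an empty SSID and a randomized source MAC leave the listener with a signal level and nothing else worth cataloguing.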
Raising the stakes
If we also:
- Listen over a period of time: We can leave a PC listening for a long time and store the history of what it hears.
- Use more than one PC at a time: We can place PCs in different locations, each listening to requests, and merge what they collect.
Once we have assembled this infrastructure, we can be more creative when making inquiries. For example:
- Devices that coincide in time and place: We can assume that the two owners were at the same location together.
- A new network appears for a given device: If a device repeatedly probes for the same networks and at some point a new one appears, we can safely assume that its owner was at that new location between the previous and the latest “listening”.
- Same networks, different MAC, different times: Most likely the same person with the same habits but a different device (a new phone or a computer).
- A device that sporadically appears at the same place and time as another device: The person most likely has a laptop that they use at one location while carrying their cellphone with them.
And so on. One can create different queries based on this information collected.
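The queries above are easy to express once sightings are stored as (time, sensor, MAC, SSID) records. The following is an added example, not the original application’s code, run over a constructed log from two hypothetical sensors (“office” and “cafe”) and three devices with made-up MACs and SSIDs. It implements three of the inquiries: devices heard by the same sensor within a time window, SSIDs that first show up in a later listening session than the device itself, and pairs of MACs whose known-network sets overlap strongly. The time window, the session gap and the Jaccard threshold are tuning parameters chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

SESSION_GAP_S = 3600   # example parameter: sightings further apart belong to a new session


@dataclass(frozen=True)
class Observation:
    ts: int              # epoch seconds when the probe request was heard
    sensor: str          # which listening PC heard it (the "place")
    mac: str             # transmitter address from the frame
    ssid: Optional[str]  # None for a wildcard probe


# Constructed sample log: MACs and SSIDs are made up for this example.
SAMPLE = [
    Observation(1000, "office", "02:00:00:00:00:01", "JohnSmithhouse"),
    Observation(1005, "office", "02:00:00:00:00:01", "Hexacta"),
    Observation(1010, "office", "02:00:00:00:00:02", "CoffeeShopFree"),
    Observation(1020, "office", "02:00:00:00:00:02", "Hexacta"),
    Observation(5000, "cafe", "02:00:00:00:00:01", "Hexacta"),
    Observation(5002, "cafe", "02:00:00:00:00:01", "Disneyland"),   # new SSID for :01
    Observation(9000, "cafe", "02:00:00:00:00:03", "JohnSmithhouse"),
    Observation(9005, "cafe", "02:00:00:00:00:03", "Hexacta"),
    Observation(9010, "cafe", "02:00:00:00:00:03", None),
]


def ssids_by_mac(obs: List[Observation]) -> Dict[str, Set[str]]:
    """Known-network set per device; wildcard probes contribute nothing."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for o in obs:
        if o.ssid is not None:
            out[o.mac].add(o.ssid)
    return dict(out)


def colocated_pairs(obs: List[Observation], window_s: int) -> Set[Tuple[str, str]]:
    """Distinct MACs heard by the same sensor within window_s seconds of each other."""
    by_sensor: Dict[str, List[Observation]] = defaultdict(list)
    for o in obs:
        by_sensor[o.sensor].append(o)
    pairs = set()
    for sightings in by_sensor.values():
        for a, b in combinations(sorted(sightings, key=lambda o: o.ts), 2):
            if a.mac != b.mac and b.ts - a.ts <= window_s:
                pairs.add(tuple(sorted((a.mac, b.mac))))
    return pairs


def new_networks(obs: List[Observation]) -> Dict[str, List[Tuple[str, int]]]:
    """SSIDs whose first sighting falls in a later session than the device's first
    sighting: the owner went somewhere new between two listenings."""
    first_seen: Dict[str, int] = {}
    first_ssid: Dict[Tuple[str, str], int] = {}
    for o in sorted(obs, key=lambda o: o.ts):
        first_seen.setdefault(o.mac, o.ts)
        if o.ssid is not None:
            first_ssid.setdefault((o.mac, o.ssid), o.ts)
    out: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for (mac, ssid), ts in first_ssid.items():
        if ts > first_seen[mac] + SESSION_GAP_S:
            out[mac].append((ssid, ts))
    return dict(out)


def same_owner_candidates(obs: List[Observation],
                          min_jaccard: float = 0.5) -> List[Tuple[str, str, float]]:
    """Pairs of MACs whose known-network sets overlap (Jaccard >= threshold):
    likely one person on two devices, or the same person after a phone swap."""
    sets = ssids_by_mac(obs)
    out = []
    for a, b in combinations(sorted(sets), 2):
        union = sets[a] | sets[b]
        score = len(sets[a] & sets[b]) / len(union) if union else 0.0
        if score >= min_jaccard:
            out.append((a, b, score))
    return out


if __name__ == "__main__":
    print(colocated_pairs(SAMPLE, 60))
    print(new_networks(SAMPLE))
    print(same_owner_candidates(SAMPLE))
```

On the sample log, :01 and :02 are flagged as co-located at the office, :01 picks up “Disneyland” in a later session, and :01 and :03 share two of three networks and so are candidates for being the same person on a phone and a laptop.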
As a proof of concept, we developed an application with the following architecture:
With it, you can capture probe requests, catalog them and then query them.
How legal is this?
Although “listening” to this kind of information may seem of dubious legality, remember that these requests are broadcast.
The purpose of a broadcast message is to be heard by every device. At the same time, this information is not encrypted or obfuscated in any way. It is basically the same as listening to a person shouting to someone else nearby.
Here are some tips to mitigate the problem:
- Don’t give your WiFi networks meaningful names. If possible, use generic names that will confuse anyone searching for them, since they will get thousands of matches.
- Turn off your WiFi when you are not using it.
- Update your OS. Recent versions of the mobile operating systems try to avoid this problem by sending probe requests without the SSIDs of known networks (and by randomizing the MAC address used while scanning).
- Use applications that harden your device. For example, Pry-Fi.
Finally, it is important to note that exposing sensitive information in order to connect to a WiFi network is a problem of the protocol itself, not of a particular vendor or platform.
- Proof-of-concept application: https://github.com/emalvino/WiFiScanner
- Manufacturer from MAC: http://www.macvendorlookup.com/
- Geolocation from the SSID: https://wigle.net/
- Presentation: https://www.youtube.com/watch?v=ZFCE2HaG5pc
- Original presentation: https://www.youtube.com/watch?v=ubjuWqUE9wQ
- More info: http://maliceafterthought.com/