

Is looking for Wi-Fi access points purely passive? - lelf
http://superuser.com/questions/128166/is-looking-for-wi-fi-access-points-purely-passive/128200

======
gipsies
When you turn your WiFi on, you can be tracked and attacked very easily. This
has been known for a while, though not widely enough.

If at one time you connected to an open network, your device continues to
scan for that network. I can spoof that network, you connect to it, and then I
intercept all traffic. A full framework has been created for this, complete
with the ability to fingerprint your browser/OS and send exploits to your
device [1]. Even if you only connect to password protected networks, it's
possible (without access to the real AP) to let your clients send parts of the
EAPOL handshake, and then perform a bruteforce attack. Weak passwords are
cracked, meaning I can again intercept all traffic and possibly exploit your
device.

So you only connect to one single network, strong password. Good. I can still
track your MAC address. Even with one single device I can estimate the
distance and the angle of your signal [2]. Hence I know your location, at all
times. So you prevent MAC address tracking by using an identifier-free link
layer protocol [3] (this doesn't exist in practice, only researchers made a
demo showing it's possible). Though a lot better, even with such a system it's
possible to track the movement of devices purely based on the fingerprint of
the physical WiFi signal [4]. Given sufficient location data it's likely to
again (automatically) de-anonymize the dataset and track your movements (it's
more complicated, yes, but still possible).

[1] [http://www.sensepost.com/blog/7557.html](http://www.sensepost.com/blog/7557.html)

[2] Avoiding Multipath to Revive Inbuilding WiFi Localization

[3] Improving Wireless Privacy with an Identifier-Free Link Layer Protocol Ben

[4] SecureArray: improving wifi security with fine-grained physical-layer
information

~~~
icebraining
_So you prevent MAC address tracking by using an identifier-free link layer
protocol [3] (this doesn't exist in practice, only researchers made a demo
showing it's possible)._

Or you could just randomize your MAC occasionally. If you're not even
connected to a network (which is the situation we're discussing), just
scanning, there's no reason for keeping a static MAC.

------
nmc
As mentioned in the top answer, not only will the AP know the MAC address of
your device, it will also know the SSID you are looking for.

There are exploits allowing an AP to dynamically switch SSID, in order to
impersonate the "known AP" you were scanning for. (Looking for a reference...)

EDIT: reference (student paper) ->
[https://www.os3.nl/_media/2012-2013/courses/ssn/open_wifi_ss...](https://www.os3.nl/_media/2012-2013/courses/ssn/open_wifi_ssid_broadcast_vulnerability.pdf)

~~~
noselasd
And it's even very easy to exploit. You connected your phone/whatever to an
open wifi network once?

Well, now it'll probably go looking for that network wherever you go, since
the device will basically go and broadcast "Where is SSID XYZ?". Making it
easy for anyone to switch the SSID on their AP, turn off authentication, and
your phone connects to it - and probably starts pulling updates from your
services. Just hope that's done over SSL/HTTPS and that the app validates the
certificates.

~~~
uptown
So with this technique, would someone be able to change the SSID of their
router to match that of another nearby router where devices are likely to be
attempting to connect in an effort to intercept the passwords being supplied
to establish the connection to the router originally using that SSID?

~~~
user24
Yes, doesn't have to be a nearby router though. The point is: your device
broadcasts the names of all routers it's connected to. You just need to
listen, then spoof the name, then the device will connect to you.

If the target device is already connected, you just need to DoS the router
it's connected to and the device will reset the connection and start looking
again. There are probably more elegant ways to force a reconnect than a simple
DoS attack too.

~~~
user24
Reply-edit to mention that this only works for open routers.

------
zwieback
At the driver level it's totally possible to do a purely passive scan that
would be nearly impossible to detect, it's just not very practical so most
OSes don't even allow you to force your radio to do that.

I think there's some theoretical possibility that you could "see" the
absorption of the RF energy in the antenna of a purely passive device but I
think that would be extremely hard unless you're in an RF shielded box.

I'd answer the question "it can be purely passive but it's not usually done
that way", which the top SU answer also states.

~~~
hershel
Why is passive mode not practical?

~~~
zwieback
Because you never know how often the AP will broadcast its SSID so the
passive listener doesn't know how long to listen on any particular channel. In
the case where the AP doesn't broadcast the SSID it's even worse, the passive
listener relies on other clients actively scanning and the AP responding with
its SSID.

------
ChuckMcM
Personally I think this is an excellent way to turn your WAP into a burglar
alarm. Burglars are too stupid to put their phone in Airplane Mode before they
break into your house, so your WAP says "Hey unknown phone is in da house!"
and calls the cops.

~~~
zellyn
Or next door...

~~~
ChuckMcM
Perhaps; on my DD-WRT WAP it's pretty easy to tell who is in the house and who
is next door with their signal strengths.

~~~
jasomill
Maybe so, but what about the UPS guy whose smartphone has an uncannily good
antenna?

~~~
ChuckMcM
Good question, how about a honey pot iPhone that you leave on the table and it
calls the cops if that one _stops_ being associated :-) Too bad you can't dial
by IMEI, then you'd use a RasPi pretending to be a cell tower to pull the
IMEI and if it didn't recognize it, call the phone and say "please identify."

Ah the joys of a Friday afternoon waiting for the next meeting to start ...

------
herf
Just a few years ago, this was different: devices would listen for the SSID
broadcast every few seconds. But that's too power-intensive for phones,
because they have to leave the wifi radio on for very long amounts of time.

Now instead they beacon on all the channels in order to connect faster
(which gives you the included privacy issues.)

------
guidopallemans
check this guy's work out: he uses the SSIDs of cellphones to route people on
mass events:

[https://uhdspace.uhasselt.be/dspace/report?type=author&id=24...](https://uhdspace.uhasselt.be/dspace/report?type=author&id=2454)

~~~
VMG
Link to pdf:
[https://uhdspace.uhasselt.be/dspace/bitstream/1942/15450/1/A...](https://uhdspace.uhasselt.be/dspace/bitstream/1942/15450/1/AOC13_wifipi_camready%20%281%29.pdf)

------
davedx
So for a secure WiFi connection that's saved in your phone: if you encounter
one of these WiFi pineapples/rogue routers, what does your phone do once the
router says "yes, that SSID is me, connect to me if you like!"? Does it try to
authenticate to what it thinks is the secured WiFi router? Is this another
vulnerability?

~~~
icebraining
If the WiFi network is WPA-protected, spoofing won't work, since during the
4-Way Handshake the client verifies that the AP knows the passphrase.

[http://stackoverflow.com/questions/17935197/authenticating-c...](http://stackoverflow.com/questions/17935197/authenticating-client-to-fake-wpa-ap-without-valid-pmk)
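An added illustration of the check icebraining describes (this code is not from the thread or the linked answer): the client derives the PMK from its own saved passphrase and the SSID, expands it into the PTK using the MAC addresses and nonces exchanged in messages 1 and 2, and then recomputes the MIC on message 3 with the key confirmation key. An AP that holds a different passphrase produces a MIC the client cannot reproduce, so the client walks away before any data is sent. The SSID, MAC addresses, nonces and the simplified message 3 body are constructed for the example; the key derivation and MIC steps follow the WPA2-PSK (CCMP, HMAC-SHA1) definitions.

```python
import hashlib
import hmac

# Constructed demo values (not from the thread): SSID, MAC addresses, nonces.
SSID = "HomeNet"
AP_MAC = bytes.fromhex("020000000001")
CLIENT_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))          # AP nonce from message 1 (constructed)
SNONCE = bytes(range(32, 64))      # client nonce from message 2 (constructed)
# Simplified stand-in for EAPOL-Key message 3 with its MIC field zeroed;
# a real frame has a fixed header layout, which is omitted here.
MSG3_BODY = b"EAPOL-Key msg3 (constructed) mic=" + bytes(16)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, ap_mac, client_mac, anonce, snonce):
    """PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces))."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)  # 48 bytes for CCMP


def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """Key MIC of a WPA2-PSK EAPOL-Key frame: first 16 bytes of HMAC-SHA1 under the KCK."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def kck_for(passphrase: str) -> bytes:
    """The key confirmation key is the first 16 bytes of the PTK."""
    return derive_ptk(derive_pmk(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]


def ap_sign_message3(ap_passphrase: str) -> bytes:
    """What an AP writes into the MIC field of message 3, using whatever passphrase it holds."""
    return eapol_mic(kck_for(ap_passphrase), MSG3_BODY)


def client_accepts_message3(client_passphrase: str, received_mic: bytes) -> bool:
    """The client recomputes the MIC with its own saved passphrase and compares in constant time."""
    return hmac.compare_digest(eapol_mic(kck_for(client_passphrase), MSG3_BODY), received_mic)


def handshake_succeeds(ap_passphrase: str, client_passphrase: str) -> bool:
    """True only when the AP's MIC verifies under the client's key, i.e. both know the passphrase."""
    return client_accepts_message3(client_passphrase, ap_sign_message3(ap_passphrase))


if __name__ == "__main__":
    print("genuine AP:", handshake_succeeds("correct horse battery", "correct horse battery"))
    print("rogue AP  :", handshake_succeeds("guessed-wrong", "correct horse battery"))
```

The point of the constant-time compare and of checking before sending any data is that a spoofed SSID alone buys the rogue AP nothing against a WPA-saved network; the risk in the thread is confined to networks saved as open.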

------
gallamine
I was thinking it'd be a fun project to take my laptop with me on my commute
to and from work and log the Probe Request and MAC address that it sees from
cars around me. It would make for interesting data mining to see if I
regularly travel with the same cars.

Does anyone know a simple way to log this information via Python?

~~~
jasomill
No, but you could capture with Wireshark, export pertinent data, and process
it with Python.

------
cupcake-unicorn
I hadn't thought about this before until something came up about a British ad
agency using this to target personalized ads for the MAC ids of devices. I
think that got shut down.

But it did get me to thinking about why this isn't exploited more often or
that more people don't know about it. I thought of the example of having a
home break-in, and having my router log all the MAC ids of the devices nearby.
Couldn't I effectively pinpoint the subject if I had a novel MAC id being
logged at the time of the crime? Even better, log the name of the network it's
looking for (or better yet a Wifi Pineapple), and maybe I could even track the
guy down myself.

------
dictum
Tangential:
[http://online.wsj.com/news/articles/SB1000142405270230345300...](http://online.wsj.com/news/articles/SB10001424052702303453004579290632128929194)
(HN:
[https://news.ycombinator.com/item?id=7055115](https://news.ycombinator.com/item?id=7055115))

------
Rabidgremlin
If you want to check this out for yourself try this python/scapy script
[http://pen-testing.sans.org/blog/2011/10/13/special-request-...](http://pen-testing.sans.org/blog/2011/10/13/special-request-wireless-client-sniffing-with-scapy/comment-page-1/)

------
technimad
It's active. Interesting article about mapping social graphs at events based
on wifi probes:
[http://conferences.sigcomm.org/imc/2013/papers/imc148-barber...](http://conferences.sigcomm.org/imc/2013/papers/imc148-barberaSP106.pdf)

