How was your stay at the Hotel La Playa?, (Wed, Feb 15th)

I made the following demo for a customer as part of a security awareness event. When speaking to non-technical people, it's always difficult to demonstrate how easily attackers can abuse their devices and data. Successfully popping up a calc.exe with an exploit may drive a room full of security people crazy, but that's not the case for users. It is mandatory to demonstrate something that will ring a bell in their mind.

As people want to be constantly online, they (ab)use wireless access points. By default, connected devices keep a history of all the wireless networks they have used and constantly try to find them again. The idea of the demo is simple:

  1. Collect all the SSIDs broadcasted by mobile devices present in the audience
  2. Geolocate the SSIDs using the Wigle API
  3. Display them on a map

[Note: For privacy reasons, this demo must be performed with the authorization of the people in the audience]

First, collect SSIDs:
# iwconfig $interface mode monitor
# ifconfig $interface up
# tshark -i $interface -n -l subtype probereq | tee -a /tmp/ssids.tmp
Feb 7 18:37:39 Probe Request from 08:ee:8b:xx:xx:xx for SSID xxxx Airport
Feb 7 18:36:54 20:a2:e4:xx:xx:xx trying to associate with Free Wireless
Feb 7 18:36:49 Probe Request from 20:a2:e4:xx:x:xx for SSID Free Wireless
Feb 7 18:36:25 Probe Request from 58:40:4e:xx:xx:xx for SSID Free Wireless
Feb 7 18:36:22 Probe Request from 0c:e7:25:xx:xx:xx for SSID Free
Feb 7 18:36:12 Probe Request from e8:50:8b:xx:xx:xx for SSID xxxxx-wifi
Feb 7 18:36:04 f0:25:b7:xx:xx:xx trying to associate with Airport_Free_xxxxxx
Feb 7 18:36:04 Probe Request from f0:25:b7:xx:xx:xx for SSID Airport_Free_WiFi_xxxxxx
Feb 7 18:35:46 64:9a:be:xx:xx:xx trying to associate with swisscom
Feb 7 18:35:46 Probe Request from 64:9a:be:xx:xx:xx for SSID swisscom
Feb 7 18:35:40 Probe Request from 24:77:03:xx:xx:xx for SSID UM
Feb 7 18:35:38 Probe Request from 24:77:03:xx:xx:xx for SSID UM
Feb 7 18:35:34 Probe Request from 20:a9:9b:xx:xx:xx for SSID xxxxx
Feb 7 18:35:31 Probe Request from 20:a2:e4:xx:xx:xx for SSID Free Wireless
Feb 7 18:35:15 Probe Request from 8c:00:6d:xx:xx:xx for SSID xxxxNET
Feb 7 18:35:15 Probe Request from 80:ea:96:xx:xx:xx for SSID Airport_Free_WiFi
Feb 7 18:35:10 38:ca:da:xx:xx:xx trying to associate with xxxxNET

Let tshark collect SSIDs for a few minutes (the list will quickly grow). The next step is to use the Wigle[1] API to get geolocation data.
# grep SSID /tmp/ssids.tmp | awk -F ' for SSID ' '{ print $NF }' | sort -u

What about the accuracy of those maps? It relies on the Wigle database, which is populated by volunteers. Generic SSIDs like "Free Wifi" or "Guest" won't give good results, but a unique hotel name will work perfectly. It is not possible to put the broadcasted SSIDs on a timeline to track past movements, but it's easy to spot two people who met or visited the same place in the past.
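To show how much a capture like the one above reveals, here is an added example (not part of the original diary and not the wigle.py script): it parses log lines in the format shown earlier, groups the remembered SSIDs per device, and lists the SSIDs probed by more than one device. The sample log, its MAC addresses and the function names are constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the log format shown earlier on this page
# (MAC addresses and SSID assignments are made up for the example).
SAMPLE_LOG = """\
Feb 7 18:37:39 Probe Request from 08:ee:8b:00:00:01 for SSID Hotel La Playa
Feb 7 18:36:54 20:a2:e4:00:00:02 trying to associate with Free Wireless
Feb 7 18:36:49 Probe Request from 20:a2:e4:00:00:02 for SSID Free Wireless
Feb 7 18:36:25 Probe Request from 58:40:4e:00:00:03 for SSID Free Wireless
Feb 7 18:36:12 Probe Request from 58:40:4e:00:00:03 for SSID Hotel La Playa
Feb 7 18:35:40 Probe Request from 24:77:03:00:00:04 for SSID UM
Feb 7 18:35:38 Probe Request from 24:77:03:00:00:04 for SSID UM
"""

# An SSID may contain spaces, so capture everything after "for SSID ".
PROBE_RE = re.compile(
    r"Probe Request from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) for SSID (?P<ssid>.+)$",
    re.IGNORECASE,
)

def parse_probes(log_text):
    """Return {mac: set of SSIDs} from probe-request lines; other lines are skipped."""
    per_device = defaultdict(set)
    for line in log_text.splitlines():
        m = PROBE_RE.search(line.strip())
        if m:
            per_device[m.group("mac").lower()].add(m.group("ssid").strip())
    return dict(per_device)

def shared_ssids(per_device):
    """Return {ssid: sorted MACs} for SSIDs probed by at least two devices."""
    by_ssid = defaultdict(set)
    for mac, ssids in per_device.items():
        for ssid in ssids:
            by_ssid[ssid].add(mac)
    return {s: sorted(macs) for s, macs in by_ssid.items() if len(macs) > 1}

if __name__ == "__main__":
    devices = parse_probes(SAMPLE_LOG)
    for mac, ssids in sorted(devices.items()):
        print(f"{mac} remembers {len(ssids)} network(s): {sorted(ssids)}")
    for ssid, macs in sorted(shared_ssids(devices).items()):
        print(f"{ssid!r} is probed by {len(macs)} devices: {macs}")
```

A device that randomizes its MAC address in probe requests shows up here as several separate devices, so the per-device grouping undercounts what it leaks.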

Given that people keep their phone's default name ("iPhone of John Doe"), this demo always generates a little stress when you ask the victim: "So, Mr Doe, how was your stay at the hotel La Playa?"

[1] https://wigle.net/index
[2] https://github.com/xme/toolbox/blob/master/wigle.py

Xavier Mertens (@xme)
ISC Handler – Freelance Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.