Many people may already know that all your devices try to broadcast your
previous connections. I expect that many more have no idea that’s happening.
There have been articles published about it before, but without specific examples.
WiFi probes
In order to connect to known networks which don’t broadcast their presence,
almost all your wifi-enabled devices: laptops, tablets, phones, etc. will try
to probe for networks they know about. You can see those probes by capturing
the traffic of your phone after it turns on, or after you disconnect from the
local wifi. These probes can be captured by the usual tools - airodump /
tcpdump. For example:
# airodump-ng -w wifi-dump wlan0
# tcpdump -n -l -e -r wifi-dump.cap |
grep 'Probe Request ([^)]'
In the output you’ll get the time, MAC of the the probing device and the
network name. For example:
16:32:26.628209 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:50:ea:d6:aa:bb:cc
Probe Request (SUBWAY) [1.0 2.0 5.5 11.0 Mbit]
Means that device 50:ea:d6:aa:bb:cc
was checking if network SUBWAY
is in range.
What’s bad about that?
So the device broadcasts the previous networks - what’s the big deal? The most
important thing to notice is that most of the local network names will be
relatively unique. Of course there’s going to be a lot of SUBWAY
s and other
generic names. But most homes will use either a ProviderNameDEADBEEF
auto-generated name, or a custom one which is also going to be relatively uncommon.
That means a usual list of probes consists of:
- home networks: often
ProviderNameXXXXX
, StreetNameWifi
, etc.
- work networks: often
Company
, CompanyCity
, etc.
- cafes, fast foods: these are standardised in most chains
- hotels: surprisingly, these are relatively unique, apart from chains
So what does it mean if you find someone broadcasting a list that contains
FooProvider123456
, BlahProviderABCDEF
, ACME-Fooville
, CafeAwesome
?
Usually that they work at Acme and one of the home networks is theirs, while
the other one belongs to their family / friend and they visit Cafe Awesome
often enough to save their network. This provides quite a lot of information
about a person without ever talking to them…
But these are only names!
What the devices broadcast is only the names of the networks. No specific
BSSID, location, or any other details are included, which is great. But that
doesn’t mean those details cannot be recovered… Enter WiGLE!
WiGLE is a service with tag line “All the networks. Found
by Everyone.” And that’s close enough to the truth - a lot of the networks
found in urban areas can be easily found on that website. What’s even better is
that you can find the networks you’re interested in, searching by their names.
Using that service, we can easily correlate the names we found above.
We can also add some guesses and approximation to make the work easier. For
example WiGLE will often return many networks for a single name - but if
there are more than 3-4 of them, then it’s probably some common name that we
can ignore… unless it’s close to some unique network we’ve found before! We
can delete matches which haven’t been seen for over a year… unless they’re
really unique and have been seen somewhere else later - this likely indicates
the access point has been moved.
Getting all the information together
What kind of information can be obtained about someone in the end? Let’s look
at a map automatically generated from WiGLE matches. The results have been
downloaded using wigle library and
processed with a bit of scripting. Here’s a map made using device probes:
The green markers are encrypted networks, red are open and blue are unknown.
Here the map is zoomed out, but in reality each marker points to a single
building in most cases. We can easily see the person living and working on the
US east coast (overlapping markers, not visible at this scale), traveling for
work to Japan (encrypted company wifi network) and taking holidays in Thailand
and area (specific hotel networks), as well as driving around New Zealand
(campsite networks). From the work network name you can find out the specific company.
In short - this problem makes it much easier to do social engineering,
spear-fishing, or even finding a person who works at company X in a completely
unrelated location. Combine that with the fact that the mac address can
identify what model of the phone is that person using and you can now spot the
right person in a group…
How can we stop the probing?
On Linux, you can configure the wpa_supplicant
networks with scan_ssid=0
.
This stops the probing behaviour and is actually the default. On other
systems… I don’t know. Mobile phones I know do not have any way to toggle the setting.
You can of course delete saved networks which are no longer in use, but that
just limits your list to those you use currently.
In practice, probably the only way to hide probes for your own network at the
moment is to call it “Airport Free Wifi”. Or any name which exists in over a
thousand places at the moment. For work and other places you normally visit,
there seems to be no solution for now.
Update: I’ve been pointed to a number of Android applications which prevent
disclosing all your WiFi connections. They use different means to achieve this
goal, but as far as I can tell all of those should be acceptable solutions:
Wi-Fi Privacy
Police,
WiFi Advanced Config
Editor,
Llama - Location
Profiles,
Wi-Fi Matic - Auto WiFi On
Off.