Signals as Landmarks - Part 3
Previously on den1zen...
In our last session, i demonstrated a simple approach to scanning Bluetooth BLE signals that produced some surprising results. In this session i will attempt to take the same journey using Wifi - Read On…
Wifi Signals as Landmarks
In today’s modern world, most of us use Wifi on a daily basis, from the networks we connect to in our offices and homes to the open Wifi networks we use but know we shouldn’t.
If you were to ask most people, their notion of Wifi would look something like this:
This is great but it is an incomplete view of the Wifi Space. The listing above is of what are known as Wifi Access Points or APs. These are set up specifically to accept connections and have a nifty name :) but unless you are sharing your mobile phone’s wifi as a Hotspot then you are not likely to appear on such a list.
What is interesting is that your phone (or other wifi connected device) needs to get a list of all of these somehow, and it would take a long time to get that list if it just sat around and passively waited for every AP nearby to notify it! So, your device sends out a little beacon packet - it flashes its light, so to speak, as a signal to any APs nearby that they might like to make themselves known so that the Wifi AP list can be kept up to date! This means there is a lot more going on in the Wifi space than most people know … let’s dive deeper.
Promiscuous Sniffing sounds rude!
In this part of the story, we are going to have to get a little bit more technical - i will try to be kind ;) Also, it’s probably about this point that many of you will need to stop playing along at home, as the tools used can be rather difficult to obtain on non-technical people’s hardware ;) Lastly, some of the tools and techniques here are the same tools that those Pesky “Hackers” use to try and perform their nefarious activities, and it turns out that Enterprise IT Administrators and anti-virus software are on the lookout for this kind of thing, so it’s pretty easy to earn yourself a visit from the IT Admin or CISO asking you to explain your activities please sir/ma’am!! Don’t say i haven’t warned you!
Wikipedia defines “Promiscuous Mode” in the following way:
…In computer networking, promiscuous mode is a mode for a wired network interface controller (NIC) or wireless network interface controller (WNIC) that causes the controller to pass all traffic it receives to the central processing unit (CPU) rather than passing only the frames that the controller is specifically programmed to receive. This mode is normally used for packet sniffing…
OK, so if i want to just sit back and listen to all of the traffic in the Wifi space it sounds like this is the mode for me! I want that please!
It is pretty easy to simply scan for Wifi APs - you can even do this with a simple batch, powershell or python script. To do that on an embedded device such as the ESP32 is also fairly simple, and the results you get are regular packets which contain the SSID (WiFi AP Name) and the radio signal strength (RSSI). These are good landmark signals as they are regular and don’t move, but how interesting they are is another question. What i have found is that listening to the other wifi signals being broadcast paints a completely different picture. For the purposes of this article we will focus on the “other” signals and take it for granted that i am also recording and documenting all of those AP signals as well!
As you can see from the above image, wifi data also refers to the sender and recipient with a unique identifier and it turns out this is the same MAC address structure we saw when looking at Bluetooth! It even shares the same OUI MAC Manufacturer database so we can tell the manufacturer of the devices involved in the signals! Now things are starting to get interesting.
What? No Vendor!? WHY!!!
…One thing leading to another, i eventually pieced together all of the right components and code to promiscuously sniff Wifi traffic and BLE traffic, and transmit the results to my server via MQTT … i won’t go into the details of exactly how - that is the topic of another post. The following discusses the results of scanning with this nifty little creation…
.. And so the sniffing began - promiscuously nonetheless - and as each new MAC address appeared i would look up the vendor in the OUI database, and it suddenly became very clear that a very large number of lookups returned No or Unknown vendor! How could that be? Even my old Samsung S3 was coming up as No Vendor! Curiouser and Curiouser…
Over the last few years, Security Awareness in the general public has taken a marked leap forward. With the vast number of massive security breaches, people are becoming increasingly aware of their digital security and, in particular, Mobile Security. One of the first things consumers, governments and hackers became aware of was the fact that your SmartPhone has a unique MAC address and that it beams this address out everywhere you go! This is a privacy and tracking nightmare which has not yet been addressed by all Smart Device vendors! It does turn out, however, that both iPhone and Android devices (and most other brands) deal with this vulnerability at the OS (operating system) Software level by Randomizing your MAC address whenever you are not connected to a Wifi AP or Wifi device. AWESOME - this effectively means that as you are roaming around and not connected to Wifi you are not traceable - sort of (more on that later).
There is even a standard around this approach but it turns out that not all vendors implement the standard exactly or the same way. When a Smart Wifi Device like your phone is using a “Private” or randomized MAC, it is supposed to randomize the MAC and then XOR the value 0x02 (2) to the first octet to indicate it is a private MAC. iOS does this correctly and so do some Android implementations but Samsung seem to randomize the MAC and then SET the first 3 octets to 02. This means that all Samsung devices in Private MAC mode have a MAC starting with 02 and no Vendor lookup! … OK, so maybe it takes hours of eyeballing this data to find these things but in the end it is possible to detect and identify MANY wifi devices, almost any Smart Device if it is Connected to an AP (or Device) and we can tell if a Device is made by Samsung even in Private MAC mode! That’s a lot of information available just floating around digitally in the ether around us!
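To make the two ideas above concrete (the sender and recipient MAC addresses carried in every frame, and the flag bits that mark a randomized “private” MAC), here is an added example that is not the den1zen scanner’s code: it decodes the header of a client’s probe request (the “little beacon packet” described earlier, which in 802.11 terms is a management frame of subtype 4), pulls out the transmitter address and requested SSID, and then classifies that address. The frame bytes, the sample MACs and the tiny `OUI_TABLE` are constructed for the example; a real deployment would look up the prefix in the IEEE OUI registry instead.

```python
"""Added example: decode a Wi-Fi probe request header and classify the
sender's MAC address.  Not the den1zen scanner's code.  The frame bytes,
sample MACs and the tiny OUI table are constructed for this example; a
real lookup would consult the IEEE OUI registry."""
import struct
from typing import Dict, Optional

# Constructed stand-in for the IEEE OUI registry (3-octet prefix -> vendor).
OUI_TABLE: Dict[str, str] = {
    "00:11:22": "ExampleVendor (constructed)",
    "00:AA:BB": "AnotherVendor (constructed)",
}

MGMT_HEADER_LEN = 24   # frame control, duration, addr1-3, sequence control
TAG_SSID = 0           # information element id of the SSID element


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def classify_mac(mac: str) -> dict:
    """Read the two flag bits of the first octet and try a vendor lookup.

    bit 0 (0x01): group / multicast address
    bit 1 (0x02): locally administered, the bit a randomized "private"
                  MAC carries; there is no vendor to look up for those.
    """
    first = int(mac.split(":")[0], 16)
    local = bool(first & 0x02)
    prefix = mac.upper()[:8]
    return {
        "mac": mac.upper(),
        "group": bool(first & 0x01),
        "locally_administered": local,
        "oui": prefix,
        "vendor": None if local else OUI_TABLE.get(prefix),
    }


def parse_tagged_params(body: bytes) -> Dict[int, bytes]:
    """Walk the type-length-value elements; stop at a truncated element
    rather than trusting bytes the capture does not contain."""
    tags: Dict[int, bytes] = {}
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break
        tags[tag] = value
        i += 2 + length
    return tags


def parse_probe_request(frame: bytes) -> Optional[dict]:
    """Return the sender MAC, the requested SSID and the MAC classification
    for a probe request, or None for any other frame or a short one."""
    if len(frame) < MGMT_HEADER_LEN:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 4:   # type 0 = management, subtype 4 = probe request
        return None
    sa = format_mac(frame[10:16])    # addr2 = transmitter (source) address
    tags = parse_tagged_params(frame[MGMT_HEADER_LEN:])
    ssid = tags.get(TAG_SSID, b"").decode("utf-8", "replace")
    return {"sa": sa, "ssid": ssid, "sender": classify_mac(sa)}  # "" = wildcard probe


def build_probe_request(sa: bytes, ssid: bytes) -> bytes:
    """Constructed frame for the demo (not a capture): broadcast DA/BSSID,
    SSID element, then a supported-rates element."""
    broadcast = b"\xff" * 6
    header = (struct.pack("<HH", 0x0040, 0) + broadcast + sa + broadcast
              + struct.pack("<H", 0x0010))
    body = bytes([TAG_SSID, len(ssid)]) + ssid + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + body


if __name__ == "__main__":
    for sa in (b"\x02\x11\x22\x33\x44\x55", b"\x00\x11\x22\x33\x44\x55"):
        print(parse_probe_request(build_probe_request(sa, b"ExampleNet")))
```

The first constructed sender has the 0x02 bit set and so resolves to no vendor, which is exactly the “No Vendor” result the text describes; the second carries a (constructed) registered prefix and resolves normally.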
Sparks and Sockets and Zebras - Oh My!
I managed to build and test my wonderful Wifi Denizen signal sniffer for extended periods by leaving it on a window-sill in a building opposite a School in my local area and i was amazed at the sheer number of Wifi devices and signals i was able to capture! In the first 8 hour period (spanning School drop-off time on a Monday morning) i tried, i captured 2059 unique packets (excluding Wireless APs) of which there were 1167 unique devices! From one scanner at a single, static location for 8 hours! And that is only Wifi! And that is not even all available wifi channels - only the most common/likely ones in Australia!… WOW!… Just WOW!
Let me show you a sneak peek at some of these results… just the good bits ;)
The above image is a screen-shot from a little “live feed” webpage i designed for this data and it shows some of the detected devices, the time of the detection, the RSSI, the MAC and the Vendor of the device as looked up in the OUI vendor DB.
This shot shows a Samsung SmartPhone, an Apple device (probably iPhone) - nothing much new here.. but what are the SparkLAN devices? and what is that Socket Inc. device that shows up at exactly the same time as one of the SparkLAN devices!!!???
Of course, no self respecting Tiggr would leave such a question unanswered so, a few searches and a little spelunking later, i discovered that the manufacturers of these devices happen to make Wifi enabled Commercial display units and Wifi Enabled RFID readers. It also turns out that our local Metro Bus system uses devices by these manufacturers for Digital Advertising displays and Tap-On-Tap-Off travel card readers!! WOW - we just managed to identify the presence of a local Bus from over 50m away inside a building without seeing it!! Not just the presence of ANY bus but the presence of a unique, identifiable bus. You would have to be able to see the License plate to achieve this level of detail with human means.
Note that, surprisingly, Timing is important - what if we also found a SmartPhone device at the same time as one of these SparkLAN or Socket devices? Well, if that SmartPhone device is not in “Private MAC” mode it means that it is likely using the free Wifi on the Bus (and is therefore connected to an AP), or it is connected to a smart-watch or wifi headphones etc, since it is broadcasting its actual MAC address … If this MAC address was being tracked by “An Agent” then they now know the device owner is on a certain bus, what route that bus has and will take and most probably where the device owner is going to or coming from! All from one device in one static location! From 50m+ away.. indoors … out of sight! Is that a little bit creepy and scary or is it just me?
Here is another…
Let’s see… Apple, Samsung and that Bus thingy from Socket (with a Samsung user on the Bus Wifi most likely)… wait… What is a Zebra Technologies Inc. !?
Looking into this - some Google searches and a few pages later we can find out that these guys make some fairly specific tech! Ruggedized devices, portable printers and Mobile Wifi Health-care components including Wifi Badges!? OK! that’s a bit interesting.
… nearby is a newly constructed teaching hospital, this signal was detected around school pickup or PTA meeting time and originated from the pedestrian crossing area in front of the school (more on how we get to that in another article)! It was detected at the same time as a number of other devices which have set their Private MAC setting on (iWatch, iPhone un-paired ??)
… Did we just see a Nurse or other HealthCare worker pick up their children from after-school care? Maybe. Creepy? yeah pretty much… Scary? just a lottle!… then again, it could be a receipt printer in a Cab/Taxi .. or perhaps a LineWorker from the local utility company who has a ruggedized tablet…Heck - if it were in the morning delivery times i might even suspect a parcel delivery agent with a ruggedized handheld device!
Show Me The Landmarks Already!!
OK, OK, i get it .. this is all incredibly interesting to me, especially from a Social Engineering and InfoSec perspective but this Post series is entitled “Signals as Landmarks”, i get it!
We already mentioned all of the Wireless AP landmarks available and, in my local area, there are some 10-30 at any point in time. Around 5 of them are permanent access points which could be used as landmarks. Sadface :(
Let me show you something…
The two devices detected above which are interesting are made by Technicolor and Microsoft Corporation. Their signal strength places them at a location which is most likely within the School Office across the road from the sample location. Vendor information identifies these as a SmartBoard projector device and a Desktop computer, both of which are used by the School and appear regularly in the scan data. These devices are not mobile, appear regularly and make excellent landmarks! But more importantly, they are not and are never likely to become AccessPoints (APs), so they would have been completely missed if we weren’t so promiscuous!
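The test the paragraph applies by eye (“not mobile, appear regularly”) can be made mechanical. The following is an added example, not the den1zen project’s code: it reads scan records in the shape of the live-feed columns (time, RSSI, MAC, vendor), groups them by MAC, and keeps as landmark candidates only the addresses that were seen often and whose RSSI barely varies, while skipping randomized (locally administered) MACs, which cannot be followed across their rotations. The log lines, OUI prefixes, vendor labels and thresholds are all constructed for this example.

```python
"""Added example: pick stable, non-AP 'landmark' devices out of a scan log.
Not the den1zen project's code.  Log lines, MAC prefixes, vendor labels and
thresholds are constructed; real data would come from the scanner's feed."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List

# Constructed records in the live-feed shape: time,rssi,mac,vendor
SCAN_LOG = """\
08:01,-61,00:11:22:AA:00:01,Vendor-A (constructed)
08:01,-58,00:11:22:BB:00:02,Vendor-B (constructed)
08:03,-45,02:9C:11:22:33:44,<randomized>
08:14,-62,00:11:22:AA:00:01,Vendor-A (constructed)
08:15,-57,00:11:22:BB:00:02,Vendor-B (constructed)
08:16,-40,00:11:22:CC:00:03,Vendor-C (constructed)
08:30,-60,00:11:22:AA:00:01,Vendor-A (constructed)
08:30,-59,00:11:22:BB:00:02,Vendor-B (constructed)
08:31,-71,00:11:22:CC:00:03,Vendor-C (constructed)
08:45,-61,00:11:22:AA:00:01,Vendor-A (constructed)
08:46,-58,00:11:22:BB:00:02,Vendor-B (constructed)
08:47,-88,00:11:22:CC:00:03,Vendor-C (constructed)
"""


def parse_scan_log(text: str) -> List[dict]:
    """Turn the comma-separated feed into records; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",", 3)
        if len(parts) != 4:
            continue
        time, rssi, mac, vendor = parts
        try:
            records.append({"time": time, "rssi": int(rssi),
                            "mac": mac.upper(), "vendor": vendor})
        except ValueError:
            continue
    return records


def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet marks a randomized / private MAC."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def landmark_candidates(records: List[dict], min_sightings: int = 3,
                        max_rssi_spread: float = 3.0) -> Dict[str, dict]:
    """Return MAC -> stats for devices seen at least min_sightings times
    whose RSSI standard deviation stays under max_rssi_spread dBm.
    A device walking past shows few sightings or a wide RSSI spread; a
    fixed device across the road shows many sightings at a steady level."""
    by_mac: Dict[str, List[dict]] = defaultdict(list)
    for rec in records:
        if not is_locally_administered(rec["mac"]):
            by_mac[rec["mac"]].append(rec)

    candidates: Dict[str, dict] = {}
    for mac, seen in by_mac.items():
        levels = [r["rssi"] for r in seen]
        spread = pstdev(levels) if len(levels) > 1 else 0.0
        if len(seen) >= min_sightings and spread <= max_rssi_spread:
            candidates[mac] = {
                "sightings": len(seen),
                "rssi_mean": mean(levels),
                "rssi_spread": spread,
                "vendor": seen[0]["vendor"],
                "first_seen": seen[0]["time"],
                "last_seen": seen[-1]["time"],
            }
    return candidates


if __name__ == "__main__":
    for mac, stats in landmark_candidates(parse_scan_log(SCAN_LOG)).items():
        print(mac, stats)
```

With the constructed log, the two steadily received devices qualify, the randomized address is skipped, and the Vendor-C device, whose RSSI falls from -40 to -88 over three sightings, is rejected as something moving away from the scanner.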
Lastly, there is this:
These took me a little while to uncover… and it embarrassingly turns out to be my own doing. In the tradition of a great classic Horror film, if you have a look at the signal strength (RSSI) of these, they appear to be coming … FROM WITHIN MY OWN HOUSE!
Coming Full Circle
Remember my Father? Right back at the beginning, all “woke” with the tech of 1989 and so terribly cool in my young adoring eyes?
“Some Years” later, those eyes are now digital and looking around with the same child-like abandon. We all rebel and rail against it and our “parental units” tell us in old clichés that “what goes around…” but it is not until you have seen the Glow on your own child’s face as you introduce some new and awesome “tech” to the home:
Turns out that if you crack these impressive Sub-$20 babies open, this happens:
THAT right there, fellow denizens, is an ESP32 WROOM!! And so our story kind-of comes back around full circle. My youngest TwinBoyChild is obsessed with technology in a very similar way that i was and he has already shown his interest in the hackable world that “daddy” plays with as a job every day. By bringing the coolest new clap-clap, Alexa-and-GoogleHome-Enabled lighting to our home i have somehow illuminated the digital landscape.
Not only that, i have done so in such a way that i spray digital signals into the landscape that can be used in a meaningful way. The signal strength of these lights in the above scan allows me to tell which lamp belongs to each MAC address. This gives me enough signal information to be able to locate myself to within a meter-or-so, indoors, just by sampling the strength of these two signals - something which GPS fails at! Without Wires - take that 1986Dad!!!
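How two signal strengths become a position: the usual tool is the log-distance path-loss model, RSSI(d) = RSSI(1 m) - 10·n·log10(d), inverted to turn a measured RSSI into a range and then intersected for the two lamps. The block below is an added example and not the den1zen project’s code; it assumes a one-dimensional layout (two lamps at known points along a room), a constructed calibration (`RSSI_AT_1M`, `PATH_LOSS_N`) and constructed RSSI samples including one faded reading, and it uses the median of several samples because single RSSI readings jump around indoors. The accuracy you get in practice depends entirely on how well the calibration matches the room.

```python
"""Added example: RSSI -> distance with the log-distance path-loss model,
then a 1-D position fix from two fixed landmarks (the two lamps).
Not the den1zen project's code; calibration constants, lamp positions and
RSSI samples are constructed for this example."""
import math
from statistics import median
from typing import Sequence, Tuple

RSSI_AT_1M = -40.0   # constructed calibration: RSSI measured 1 m from a lamp, in dBm
PATH_LOSS_N = 2.0    # constructed path-loss exponent (2 = free space; rooms are usually 2.5-4)


def rssi_to_distance(rssi: float, rssi_1m: float = RSSI_AT_1M,
                     n: float = PATH_LOSS_N) -> float:
    """Invert RSSI(d) = rssi_1m - 10*n*log10(d) to get metres."""
    return 10 ** ((rssi_1m - rssi) / (10 * n))


def distance_to_rssi(d: float, rssi_1m: float = RSSI_AT_1M,
                     n: float = PATH_LOSS_N) -> float:
    """Forward model; used here only to construct realistic samples."""
    return rssi_1m - 10 * n * math.log10(d)


def smoothed_rssi(samples: Sequence[float]) -> float:
    """Median of a burst of readings: one deep fade does not drag it down."""
    if not samples:
        raise ValueError("no RSSI samples")
    return float(median(samples))


def locate_1d(landmarks: Sequence[Tuple[float, float]]) -> Tuple[float, float]:
    """landmarks: two (position_m, rssi_dBm) pairs for fixed devices.

    Each range puts the receiver at one of two points on the line; the pair
    of points from the two lamps that agree best is the fix.  Returns
    (estimated position, residual disagreement in metres); a large residual
    means the calibration or the two ranges are not trustworthy."""
    if len(landmarks) != 2:
        raise ValueError("exactly two landmarks are needed for a 1-D fix")
    (p1, r1), (p2, r2) = landmarks
    d1, d2 = rssi_to_distance(r1), rssi_to_distance(r2)
    best = None
    for xa in (p1 - d1, p1 + d1):
        for xb in (p2 - d2, p2 + d2):
            gap = abs(xa - xb)
            if best is None or gap < best[0]:
                best = (gap, (xa + xb) / 2)
    return best[1], best[0]


# Constructed readings: lamp A at 0 m, lamp B at 6 m, receiver 2 m from A.
LAMP_A_POS, LAMP_B_POS = 0.0, 6.0
SAMPLES_A = [-46, -47, -46, -45, -60]   # last value is a fade
SAMPLES_B = [-52, -53, -51, -52, -40]   # last value is a reflection spike


def demo_position() -> Tuple[float, float]:
    return locate_1d([(LAMP_A_POS, smoothed_rssi(SAMPLES_A)),
                      (LAMP_B_POS, smoothed_rssi(SAMPLES_B))])


if __name__ == "__main__":
    pos, residual = demo_position()
    print(f"estimated position {pos:.2f} m (residual {residual:.2f} m)")
```

The residual is the part worth watching: when the two ranges disagree by more than the accuracy you hope for, the fix should be discarded rather than reported, which is the practical meaning of “within a meter or so”.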
All from one signal detector at a single static location. Without using all of the signals available. Without hacking.
Wow.
Thanks, Dad!
Signals as Landmarks
For a diatribe from a Geospatial “expert” entitled “Signals as Landmarks” it may seem strange that not a single map or reference to coordinate systems was included. I would hope, however, that each of you who has made it to this point has formulated a mental “map” and view of the world that i have described. In time, i will demonstrate the mapping capacity of this research but for now i implore you to investigate the possibilities that emerge if you entertain the notion of seeing the world through Digital Eyes.
Some things just Stand Out but others don’t…
- That Bus, Socket, SparkLan thing over there
- The APs around us
- The Zebra in the schoolyard
- That light-bulb you forgot about because …
in the words of Arthur C. Clarke: ”… Any technology sufficiently advanced to be indistinguishable from magic is indistinguishable from magic…”
“Hey, Google - Turn on the lights..”
Clap-Clap
Digital Signals are Magic and mapping them somehow gives us a real feeling of having a true “Marauders Map” of the world around us. Some of the signals are landmarks. Some are footprints of its denizens. All of them are indistinguishable from magic and are the stuff that young minds turn into careers in mere decades.
Next, on den1zen
In two streams i will dissect the questions we have explored in this series of posts. One will examine the cool technology behind this and the other will demonstrate the mapping capabilities which emerge. Stay tuned for the next post!