Published: Wed 11 March 2015 In misc. tags: wifi security privacy probes

Many people may already know that all your devices try to broadcast your previous connections. I expect that many more have no idea that’s happening. There have been articles published about it before, but without specific examples.

WiFi probes

In order to connect to known networks which don’t broadcast their presence, almost all your wifi-enabled devices (laptops, tablets, phones, etc.) will try to probe for networks they know about. You can see those probes by capturing the traffic of your phone after it turns on, or after you disconnect from the local wifi. These probes can be captured by the usual tools - airodump / tcpdump. For example:

# airodump-ng -w wifi-dump wlan0
# tcpdump -n -l -e -r wifi-dump.cap | grep 'Probe Request ([^)]'

In the output you’ll get the time, the MAC of the probing device and the network name. For example:

16:32:26.628209 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:50:ea:d6:aa:bb:cc Probe Request (SUBWAY) [1.0 2.0 5.5 11.0 Mbit]

This means that device 50:ea:d6:aa:bb:cc was checking whether the network SUBWAY is in range.
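To audit what your own devices give away, the tcpdump lines above can be parsed and grouped per device. The following is an added example, not code from the post: the tcpdump lines are constructed to match the format shown above (made-up MACs and SSIDs), the list of "generic" names and the ProviderNameDEADBEEF-style pattern are assumed heuristics, and the regex mirrors the post's grep in assuming an SSID contains no ')'.

```python
import re
from collections import defaultdict

# Constructed sample in the format printed by
# `tcpdump -n -l -e -r wifi-dump.cap`; MAC addresses and SSIDs are made up.
SAMPLE_TCPDUMP = """\
16:32:26.628209 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:50:ea:d6:aa:bb:cc Probe Request (SUBWAY) [1.0 2.0 5.5 11.0 Mbit]
16:32:26.730011 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:50:ea:d6:aa:bb:cc Probe Request () [1.0 2.0 5.5 11.0 Mbit]
16:32:27.102334 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:50:ea:d6:aa:bb:cc Probe Request (FooProvider123456) [1.0 2.0 5.5 11.0 Mbit]
16:32:27.515920 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:50:ea:d6:aa:bb:cc Probe Request (ACME-Fooville) [1.0 2.0 5.5 11.0 Mbit]
16:32:28.004410 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:a4:77:33:11:22:33 Probe Request (SUBWAY) [1.0 2.0 5.5 11.0 Mbit]
16:32:28.310000 BSSID:12:34:56:78:9a:bc DA:ff:ff:ff:ff:ff:ff SA:12:34:56:78:9a:bc Beacon (OtherNet) [1.0 2.0 5.5 11.0 Mbit]
"""

# Same selection as the post's grep 'Probe Request ([^)]': a directed probe
# that names an SSID. Broadcast probes with an empty name "()" are skipped.
# Like that grep, this assumes the SSID itself contains no ')'.
PROBE_RE = re.compile(
    r'^(?P<time>\S+)\s.*?\bSA:(?P<sa>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+'
    r'Probe Request \((?P<ssid>[^)]+)\)'
)

# Assumed heuristics (not from the post): names that exist in many places,
# and the ProviderNameDEADBEEF shape of auto-generated home SSIDs.
GENERIC_SSIDS = {'SUBWAY', 'Airport Free Wifi'}
AUTO_GENERATED_RE = re.compile(r'^[A-Za-z]+-?[0-9A-Fa-f]{4,}$')


def parse_probes(tcpdump_text):
    """Return (time, source_mac, ssid) for every directed probe request."""
    probes = []
    for line in tcpdump_text.splitlines():
        m = PROBE_RE.match(line)
        if m:
            probes.append((m.group('time'), m.group('sa'), m.group('ssid')))
    return probes


def classify_ssid(ssid):
    """How identifying a probed name is: 'generic', 'auto-generated' or 'unique'."""
    if ssid in GENERIC_SSIDS:
        return 'generic'
    if AUTO_GENERATED_RE.match(ssid):
        return 'auto-generated'
    return 'unique'


def leak_report(tcpdump_text):
    """Map each probing device to the names it revealed and their classification."""
    report = defaultdict(dict)
    for _time, sa, ssid in parse_probes(tcpdump_text):
        report[sa][ssid] = classify_ssid(ssid)
    return dict(report)


if __name__ == '__main__':
    for sa, ssids in leak_report(SAMPLE_TCPDUMP).items():
        print(sa)
        for ssid, kind in ssids.items():
            print(f'  {ssid!r}: {kind}')
```

Feeding the script the real output of the tcpdump pipeline instead of SAMPLE_TCPDUMP shows, per device, which saved networks it announces; the "unique" and "auto-generated" entries are the ones worth deleting from the device's saved list.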

What’s bad about that?

So the device broadcasts the previous networks - what’s the big deal? The most important thing to notice is that most of the local network names will be relatively unique. Of course there’s going to be a lot of SUBWAYs and other generic names. But most homes will use either a ProviderNameDEADBEEF auto-generated name, or a custom one which is also going to be relatively uncommon.

That means a usual list of probes consists of:

- home networks: often ProviderNameXXXXX, StreetNameWifi, etc.
- work networks: often Company, CompanyCity, etc.
- cafes, fast foods: these are standardised in most chains
- hotels: surprisingly, these are relatively unique, apart from chains

So what does it mean if you find someone broadcasting a list that contains FooProvider123456, BlahProviderABCDEF, ACME-Fooville, CafeAwesome? Usually that they work at Acme and one of the home networks is theirs, while the other one belongs to their family / friend and they visit Cafe Awesome often enough to save their network. This provides quite a lot of information about a person without ever talking to them…

But these are only names!

What the devices broadcast is only the names of the networks. No specific BSSID, location, or any other details are included, which is great. But that doesn’t mean those details cannot be recovered… Enter WiGLE!

WiGLE is a service with tag line “All the networks. Found by Everyone.” And that’s close enough to the truth - a lot of the networks found in urban areas can be easily found on that website. What’s even better is that you can find the networks you’re interested in, searching by their names. Using that service, we can easily correlate the names we found above.

We can also add some guesses and approximation to make the work easier. For example WiGLE will often return many networks for a single name - but if there are more than 3-4 of them, then it’s probably some common name that we can ignore… unless it’s close to some unique network we’ve found before! We can delete matches which haven’t been seen for over a year… unless they’re really unique and have been seen somewhere else later - this likely indicates the access point has been moved.

Getting all the information together

What kind of information can be obtained about someone in the end? Let’s look at a map automatically generated from WiGLE matches. The results have been downloaded using the wigle library and processed with a bit of scripting. Here’s a map made using device probes:

The green markers are encrypted networks, red are open and blue are unknown. Here the map is zoomed out, but in reality each marker points to a single building in most cases. We can easily see the person living and working on the US east coast (overlapping markers, not visible at this scale), traveling for work to Japan (encrypted company wifi network) and taking holidays in Thailand and area (specific hotel networks), as well as driving around New Zealand (campsite networks). From the work network name you can find out the specific company.

In short - this problem makes it much easier to do social engineering, spear-phishing, or even finding a person who works at company X in a completely unrelated location. Combine that with the fact that the MAC address can identify what model of phone that person is using and you can now spot the right person in a group…

How can we stop the probing?

On Linux, you can configure the wpa_supplicant networks with scan_ssid=0. This stops the probing behaviour and is actually the default. On other systems… I don’t know. Mobile phones I know do not have any way to toggle the setting.
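A quick way to check a Linux machine for saved networks that will be probed for is to read its wpa_supplicant.conf and list the network blocks that set scan_ssid=1. This is an added example, not code from the post: the configuration text is constructed (made-up SSIDs and placeholder passphrases), and a missing scan_ssid is treated as the default 0, as the post states.

```python
import re

# Constructed wpa_supplicant.conf: one block that probes (scan_ssid=1), one
# that relies on the default, one that sets the default explicitly.
SAMPLE_CONF = """\
ctrl_interface=/run/wpa_supplicant
update_config=1

network={
    ssid="FooProvider123456"
    psk="placeholder-passphrase"
    scan_ssid=1
}

network={
    ssid="ACME-Fooville"
    psk="placeholder-passphrase"
}

network={
    ssid="SUBWAY"
    key_mgmt=NONE
    scan_ssid=0
}
"""

NETWORK_START = re.compile(r'^network\s*=\s*\{$')
KEY_VALUE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)$')


def parse_networks(conf_text):
    """Return one dict of key/value pairs per network={...} block, in file order."""
    networks = []
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # blank line or comment
        if current is None:
            if NETWORK_START.match(line):
                current = {}
            continue  # global settings are not needed here
        if line == '}':
            networks.append(current)
            current = None
            continue
        m = KEY_VALUE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # ssid="..." style quoting
            current[key] = value
    return networks


def probing_networks(conf_text):
    """SSIDs whose block sets scan_ssid=1, i.e. names the device will send directed probes for.

    A block without scan_ssid keeps wpa_supplicant's default of 0 and does not probe.
    """
    return [n.get('ssid', '<no ssid>')
            for n in parse_networks(conf_text)
            if n.get('scan_ssid', '0') == '1']


if __name__ == '__main__':
    for ssid in probing_networks(SAMPLE_CONF):
        print(f'scan_ssid=1: {ssid} (this name will be broadcast in probe requests)')
```

For a real check, replace SAMPLE_CONF with the contents of the machine's wpa_supplicant.conf; every SSID the script lists can be switched to scan_ssid=0 unless the access point really is hidden and needs directed probes to be found.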

You can of course delete saved networks which are no longer in use, but that just limits your list to those you use currently.

In practice, probably the only way to hide probes for your own network at the moment is to call it “Airport Free Wifi”. Or any name which exists in over a thousand places at the moment. For work and other places you normally visit, there seems to be no solution for now.

Update: I’ve been pointed to a number of Android applications which prevent disclosing all your WiFi connections. They use different means to achieve this goal, but as far as I can tell all of those should be acceptable solutions: Wi-Fi Privacy Police, WiFi Advanced Config Editor, Llama - Location Profiles, Wi-Fi Matic - Auto WiFi On Off.