Wherever you find yourself in the world there always seems to be an open WiFi network; it’s a bad habit for many to actively search for and join these networks.

Common knowledge would dictate that this is an insecure, potentially lethal way of going about your business when connecting out to the Internet. However, what isn’t so well known is the information your device transmits when you aren't connected to a wireless network.

WiFi Probe Requests

When a wireless client such as your laptop or phone isn’t connected to a wireless router it will look to see if it can connect to any known networks. There are a two ways this can be accomplished:

The first involves the wireless client scanning for beacon frames, which wireless routers broadcast out to listening clients. If the wireless client happens to know the wireless network where the beacon frame has originated from as its previously been connected to it, it will then initiate a connection.

The second option involves the wireless client periodically broadcasting probe requests. These requests packets hold information including the MAC address of the client, and the SSID of networks it was previously connected to. This technique increases the speed of connections as the client is actively scanning for a known network, rather than waiting for a beacon frame from nearby wireless routers.

Analysis

Although this might be an improvement on the speed of initiating a connection, a hacker can use it to gather useful information to target a particular user within range.

For instance, someone working remotely has previously been connected to their corporate WiFi and is now unknowingly broadcasting probe requests containing their corporate SSID.

A hacker can gather that information quite easily. All that is needed is a wireless device and a free piece of software. Figure 1 shows the results of placing the wireless NIC into monitor mode, which will make the device stop advertising itself, and will then start to monitor any traffic within range.

Figure 1 - Wireless Monitoring Results

As you can see from Figure 1 we are able to see the MAC addresses of the wireless clients, as well as the SSIDs that are contained within their probe requests.

With this sort of information you are able to search particular SSIDs on a wireless geographic logging engine, which will show exactly where that hotspot is in the world.

A hacker will also be able to use that information to potentially exploit that user by various means. Whether its spoofing one of the clients know networks to execute a man-in-the-middle attack, or using this additional information for social engineering attacks.

How to protect/prevent this?

Due to the attackers' device not advertising itself when in monitor mode it can be difficult to establish if anyone is using this technique to gather information.

It is however relatively easy to protect yourself from being snooped on by this technique. All it comes down to is remembering to turn the WiFi off on your device whenever there isn’t a need to use it. So when you are away from either your home or the office you are no longer broadcasting those probe requests.

- Ryan Tate, Security Analyst at Emeiatec - CCNA, ISCP III