So yeah… that’s where we are at with Wi-Fi these days. The Probe request problem is an example of what happens when a wireless protocol released in 1998 is implemented as the standard almost a decade later when smartphones hit the market. These solutions that worked for stationary personal computers don’t scale well when nearly a third of the world’s population now walks around with a Wi-Fi device on their person. Protecting personal information from blanket collection and exploitation is only going to become a more challenging problem as the number of internet-connected devices expect to reach 75 billion by 2025. That’s nearly 10 devices per human on earth.

Wi-Fi is fucked, everything is broken, Donald J. Trump is president, and the earth is dying. Ok, taking a step back, you might be wondering what you can do to protect yourself. The solution is not without flaws; turn your Wi-Fi off when you aren’t connected to a known network. Doing so will prevent your device from leaking your network names and device fingerprint to the open world. The solution is awkward, easy to forget, and sub-par. But its what we’ve got.

If you’ve got an Android device, the Smart WiFi Toggle app claims to enable/disable your Wi-Fi based on location rules. I’ve never used it, and I’m cautious to provide a random app the admin permission that it requires, but its very highly rated on the Google Play store. I haven’t come across anything like this for iOS, and as of 2014, the programmatic control over Wi-Fi needed to do this was only available if a device was jailbroken.

What follows are a few continued musings on about creative exploitations of probe requests in the wild, followed by a short tutorial that shows you how you can collect your own probe requests, or rather, everyone else’s.

ProbeKit and Beyond

ProbeKit in the wild

Back in 2015, I worked with Branger_Briz to create ProbeKit, a critical software art project that addressed the probe request problem through a metaphor of butterfly collection. We developed an application that captured probing devices as unique, one-of-a-kind, butterflies. The software allowed the user to collect MAC addresses and network information from nearby devices as they wandered around the city on a “network data safari.” Once captured, you could inspect each butterfly’s “migration patterns” inferring information about where the device owner works, lives, and plays.

ProbeKit map view

Probekit habitat view

Linger

Jasper van Loenen recently created a wonderful response to the probe requests phenomenon called Linger. This small networked device constantly rebroadcasts the probe requests its collected, creating a virtual wireless environment made up of the ghost signals of every device its encountered. As the device travels, its collection grows, and the fragments of identity extracted from stray probes become implicitly integrated into the artwork and the spaces it inhabits.

Shenanigans

In a similar vain, artist David Rueter created Shenanigans, an attempt to introduce “information entropy” into the bulk collection surveillance systems that are increasingly using probe requests to identify and track people throughout their daily life. Shenanigans is a community-powered network of small battery-powered wireless routers that broadcast the probe requests of device owners who wish to introduce noise into Wi-Fi based tracking systems. Participants submit their device’s MAC address to be rebroadcast by each node in the network, in multiple locations all over the world. Doing so provides the participant with an arguable disassociation from the MAC address assigned to them by their device’s manufacturer. They are presented with a Certificate of De-identification, allowing them to prove that their unique device fingerprint is shared with everyone participating in the network.

Certificate of De-identification

Capturing Probe Requests

Probe requests can be captured by anyone with a computer and a wireless card that supports monitor mode. However, this brief tutorial is not for the faint of heart. The following instructions assume general comfortability with the unix command-line. This code has been written to run on debian-based linux operating system. For more information, see the GitHub repository.



git clone

cd sniff-probes # clone the repositorygit clone https://github.com/brannondorsey/sniff-probes cd sniff-probes # use iwconfig to list your wireless device names

iwconfig # sniff probes, replacing wlan0 with your device name

CHANNEL_HOP=1 IFACE=wlan0 ./sniff-probes.sh

If all goes well, you should begin to capture probe requests from nearby devices.

00:00:19 -88dBm 00:0a:e2:1f:28:ab "cvteststation01"

00:00:19 -89dBm 00:0a:e2:1f:28:ab "cvteststation01"

00:00:22 -85dBm 5c:aa:fd:20:23:41 "Sonos_pZkIex0zatRvhdJTAifLzmatdh"

00:00:42 -86dBm f4:f5:d8:28:bc:26 "NETGEAR85-5G"

00:00:46 -89dBm f4:f5:d8:28:bc:26 "NETGEAR85-5G"

00:00:48 -84dBm f4:f5:d8:06:19:40 "Pamplona Running Club"

00:01:00 -92dBm 54:60:09:40:56:32 "seawhale"

00:01:13 -87dBm 38:63:bb:d1:6a:b7 "offline"

00:01:25 -83dBm 5c:aa:fd:20:23:41 "Sonos_pZkIex0zatRvhdJTAifLzmatdh"