Category: Aircrack - MyHomeBroadband.com
 
Picture
So I decided that a little wifi social experiment was in order, to see if open and free wifi really makes people forget all common sense, when it comes to the Internet and their personal information.
No doubt most of you are familar with the likes of aircrack-ng, and maybe even the infamous Pineapple.Heck, you may even dabble in Backtrack and Kali.All these tools allow you to "sniff" the airwaves for wifi signals, and, depending on your motives, do something with said information. Problem is, most are what I would call promiscuous (you go out looking for something). I wanted to let the people come to me! :-)

Anyway, I digress. What if we set up an access point, or many access points,based on the most common names (SSID's I mean) people used? And what if we assumed that those mobile devices, without asking the end user, connected to these most common SSID's? Because when you walk into Costa, or MacDonalds, you've already connected once, so heh, free is free,you've used it before-why would your phone ask you again?

Also, the problem with some of the tools above depend on the mobile device giving up the SSID's it's used before. That assumption is now on the down slope, due to the vendors (Apple especially) implementing much stricter use of the PNL (Preferred Network List). Basically, in past years,your device would send out a broadcast looking for wifi-in this it broadcast all the other wifi's you had connected too in the past.Now, most just send out a broadcast beacon, without giving up your past wifi locations.This was/is the secret sauce that all the tools above would use to set up an "Evil" wifi access point. Now, its a pain.

But, and here's the upside (see, it's not all bad news), and with the explosion of free wifi (I'm in the UK so the main ones are BT, The Cloud, O2 etc etc) you not only have 1000's of access points, but these access points are being consolidated.But the real crown jewels are the broadband operators and BT (formerly British Telecom) should take a bow-they enable, by default, a "guest" wifi signal on EVERY home installation.In fact, you cant turn it off! This is so no matter where you are, and if you are a BT customer customer, you can connect as a guest to any other BT residential user
  SKY is not far behind (they bought out the Cloud) but dont do the same guest offering for a residential. I'm sure they are not that far behind, mind you.

So you have millions of people, who connect regularly to the same wifi signal, day after day. All we need to do is mimic these wifi points. As a great man once said "If you build it, he will come". Substitute he for them!

So how do you do it, and what can you see?

Step 1
You need an access point that has the ability to a) run OpenWRT and b) be able to transmit multiple hotspots. You could use DD-WRT,but the logging capabilities are pants-and you could use an AP with just one SSID that can be transmitted, but it takes a lot of flexibility (and fun) out of the exercise. I am using an AP from TP-Link-the TL-WR2543ND

I got it for £12 from Ebay-it has both 5Ghz and 2.4Ghz, it has detachable antennas (so you can put on bigger ones!) and it has an Atheros chipset-which means you can put up to 8 (eight!) SSID's on one physical AP. Stay away from Broadcom based chipsets, they are limited in their logging ability, especially around a Linux package called hostap
Step 2
Deploy Openwrt onto your router-I'm not going into that here, Google it. Get a decent 9dB omni antenna. Put the antenna as high as possible, and the access point as close to that antenna as well.If you dont, at these frequencies, you lose signal.
The reason for this is to make your SSID's go as afar as possible, to get as many devices to connect to it as possible.
Configure the access points with the most common SSID's you can think of-see my wifi config below for the ones I use
Step 3
Set up extended logging on the DD-WRT box-this will allow you to capture "rotating" logs. A few good web pages are here and here. I put them into /etc/logs/ directory- dont put them into /var, as they will be overwritten every time you reboot the device
Step 4
Sit back and wait for the suckers, sorry public at large, to connect to your access point. Now, I need to make something clear here-I did not set this up as a man-in-the-middle-attack, I did not sniff actual user data and I didn't use any sort of proxy to redirect traffic to a malicious site. That's not the aim here, it was social experiment to see how dumb both the end user, and their mobile device is. The way you connect to your home wifi when you walk in the front door, the way you connect to your work wifi- this is all this is trying to mimic. I'm not trying to hack someone's personal data.
Results
So over a period of a month, I collected daily logs of all people that connected to my 4 SSID's-both from a physical point of view (wifi authentication/de-authentication packets),and from a logical point of view (they aquired a IP address and surfed the web). See below-the first table is those devices/users who not only connected, but acquired an IP address from the router.The 2nd one is the physical connections (top 20 or so)

Picture

So I have hidden some of the personal details.But here's the highlights:

Just under 80 devices connected and surfed on my AP,some quite regularly,over the month. About 305 just connected physically, probably passing motorists (I live near a main road), which didn't have time to complete the DHCP process.
The added bonus is that when they connect, you also get the host name of the device-so Bobs iPhone or Julies-iPad -very revealing. Android is a bit more secure (!) but on the second list, I get the MAC address's (top 20 or so, the xls page is too big!)-the actual log files give you both, I just split it up into Excel and did a simple pivot.So now I know who it is, and what the device ID. It wouldn't take a genius, and big business is doing this right now, to put 3 or 4 AP's up, and track people.The individual wlan0-wlan0-7 columns are the individual AP SSID's I assigned-so you can see what the most popular SSID's are in use-it also serves as a confidence check that you have the right ones, or which ones to discard/replace.I know of no other method that gives you this check.
Summary
As I said before, I wanted to go a different route-not to use a wifi tool to work out who was out there,but make an assumption on what those devices had connected to before, and use that assumption to get information.One thing the logs gave me, which I didn't include here, was date time stamps, to the second, of when people connected.I wont show the graph but I did the same test in a local shopping mall, over a few hours, over different days.Not only did I see the "busy" patterns, I saw some of the same devices I saw on my AP! ;-) Device was a TP-Link 703, if your interested-fits in the palm of your hand and works off 5vdc-excellent little piece of kit!

Hopefully I've shown how stupid wifi is on modern devices, and how ridiculously easy it is to impersonate a legitimate wifi access point.Connect once, and your phone will connect to that wifi signal again and again, without your permission, regardless of who, or what is broadcasting that signal. It wouldn't be rocket science to make the AP sniff traffic, or re-direct to a bogus sign up page.

Cheers!!
 
If you've been following the news websites recently, you'll know there has been a breaking story detailing a breach on the corporate website of ACS:LAW
ACS:Law are a company who chase people, on behalf of the movie and record industry, who download content that they shouldn't be-in laymans terms, movies and music. Usually from illegal sources and distributed by Torrent sites and other P2P programs (Limewire is an example). **Update**-I had to link to the wiki article as the ACS:Law website is down-I wonder why?
The main thrust of the story is that a hacker group managed to get inside the servers of said company and obtain files detailing not only IP address's (the "fingerprint" of your broadband connection) but the customer details of who owns that connection. This group, being the charitable souls that they are, then put these files up on the web for anybody to download and view-ironically on the same Torrent systems that were used by the people fingered in the ACS:LAW files. They are still there-go to any Torrent site (here's one I am reliably informed that will point you in the right direction-I wouldn't know being an honest chap). You'll need a Torrent client to download the files-again, so I'm told.I still think Netscape is groundbreaking technology in action :-)

Just to rub salt on the wounds the UK's Information Commissioner has said the company may face a fine of up to £500,000 for this breach of the Data Protection Act. The irony increase as this has happened in the same week that the ICO have issued guidelines for small and medium business's to protect this sort of data-ouch!

Now, I've not seen these files as I keep away from torrents and all that but I'm reliably informed (I'm well informed me) that there are customer details, postcodes etc for each infringement of copyright. So if you download the files, you can look at the various peeps and see if your neighbour is one of the "bad people". Again, if I was betting man and reading the various articles on the web, I bet the files being downloaded, especially the movie ones, are not the type you would show your mother-more likely there's a mother in them-all the above is alledged of course.

So what's this got to do with wireless you say? What's you point matey? My point is, if you know about the likes of ACS:Law and what they do, and you still want to get these files, would you be likely to do it on your own broadband connection? Nope. You'd use someone else's (an open/unsecured wireless one) or you'd hack into a weakly configured wireless network (again, using the likes of aircrack facilitates this-so I'm told). This is probably the most high profile news story to date I can think of that demonstrates why you need to have a very high level of wireless security on your home broadband network.

So if you don't want a letter demanding £££'s for a copy of Debbie Does Dagenham because your wireless broadband connection is open to the world and his porn hound, drop us a line or look at some of the tutorials.
Happy downloading ;-)