Category: - MyHomeBroadband.com
 
Picture
So I decided that a little wifi social experiment was in order, to see if open and free wifi really makes people forget all common sense, when it comes to the Internet and their personal information.
No doubt most of you are familar with the likes of aircrack-ng, and maybe even the infamous Pineapple.Heck, you may even dabble in Backtrack and Kali.All these tools allow you to "sniff" the airwaves for wifi signals, and, depending on your motives, do something with said information. Problem is, most are what I would call promiscuous (you go out looking for something). I wanted to let the people come to me! :-)

Anyway, I digress. What if we set up an access point, or many access points,based on the most common names (SSID's I mean) people used? And what if we assumed that those mobile devices, without asking the end user, connected to these most common SSID's? Because when you walk into Costa, or MacDonalds, you've already connected once, so heh, free is free,you've used it before-why would your phone ask you again?

Also, the problem with some of the tools above depend on the mobile device giving up the SSID's it's used before. That assumption is now on the down slope, due to the vendors (Apple especially) implementing much stricter use of the PNL (Preferred Network List). Basically, in past years,your device would send out a broadcast looking for wifi-in this it broadcast all the other wifi's you had connected too in the past.Now, most just send out a broadcast beacon, without giving up your past wifi locations.This was/is the secret sauce that all the tools above would use to set up an "Evil" wifi access point. Now, its a pain.

But, and here's the upside (see, it's not all bad news), and with the explosion of free wifi (I'm in the UK so the main ones are BT, The Cloud, O2 etc etc) you not only have 1000's of access points, but these access points are being consolidated.But the real crown jewels are the broadband operators and BT (formerly British Telecom) should take a bow-they enable, by default, a "guest" wifi signal on EVERY home installation.In fact, you cant turn it off! This is so no matter where you are, and if you are a BT customer customer, you can connect as a guest to any other BT residential user
  SKY is not far behind (they bought out the Cloud) but dont do the same guest offering for a residential. I'm sure they are not that far behind, mind you.

So you have millions of people, who connect regularly to the same wifi signal, day after day. All we need to do is mimic these wifi points. As a great man once said "If you build it, he will come". Substitute he for them!

So how do you do it, and what can you see?

Step 1
You need an access point that has the ability to a) run OpenWRT and b) be able to transmit multiple hotspots. You could use DD-WRT,but the logging capabilities are pants-and you could use an AP with just one SSID that can be transmitted, but it takes a lot of flexibility (and fun) out of the exercise. I am using an AP from TP-Link-the TL-WR2543ND

I got it for £12 from Ebay-it has both 5Ghz and 2.4Ghz, it has detachable antennas (so you can put on bigger ones!) and it has an Atheros chipset-which means you can put up to 8 (eight!) SSID's on one physical AP. Stay away from Broadcom based chipsets, they are limited in their logging ability, especially around a Linux package called hostap
Step 2
Deploy Openwrt onto your router-I'm not going into that here, Google it. Get a decent 9dB omni antenna. Put the antenna as high as possible, and the access point as close to that antenna as well.If you dont, at these frequencies, you lose signal.
The reason for this is to make your SSID's go as afar as possible, to get as many devices to connect to it as possible.
Configure the access points with the most common SSID's you can think of-see my wifi config below for the ones I use
Step 3
Set up extended logging on the DD-WRT box-this will allow you to capture "rotating" logs. A few good web pages are here and here. I put them into /etc/logs/ directory- dont put them into /var, as they will be overwritten every time you reboot the device
Step 4
Sit back and wait for the suckers, sorry public at large, to connect to your access point. Now, I need to make something clear here-I did not set this up as a man-in-the-middle-attack, I did not sniff actual user data and I didn't use any sort of proxy to redirect traffic to a malicious site. That's not the aim here, it was social experiment to see how dumb both the end user, and their mobile device is. The way you connect to your home wifi when you walk in the front door, the way you connect to your work wifi- this is all this is trying to mimic. I'm not trying to hack someone's personal data.
Results
So over a period of a month, I collected daily logs of all people that connected to my 4 SSID's-both from a physical point of view (wifi authentication/de-authentication packets),and from a logical point of view (they aquired a IP address and surfed the web). See below-the first table is those devices/users who not only connected, but acquired an IP address from the router.The 2nd one is the physical connections (top 20 or so)

Picture

So I have hidden some of the personal details.But here's the highlights:

Just under 80 devices connected and surfed on my AP,some quite regularly,over the month. About 305 just connected physically, probably passing motorists (I live near a main road), which didn't have time to complete the DHCP process.
The added bonus is that when they connect, you also get the host name of the device-so Bobs iPhone or Julies-iPad -very revealing. Android is a bit more secure (!) but on the second list, I get the MAC address's (top 20 or so, the xls page is too big!)-the actual log files give you both, I just split it up into Excel and did a simple pivot.So now I know who it is, and what the device ID. It wouldn't take a genius, and big business is doing this right now, to put 3 or 4 AP's up, and track people.The individual wlan0-wlan0-7 columns are the individual AP SSID's I assigned-so you can see what the most popular SSID's are in use-it also serves as a confidence check that you have the right ones, or which ones to discard/replace.I know of no other method that gives you this check.
Summary
As I said before, I wanted to go a different route-not to use a wifi tool to work out who was out there,but make an assumption on what those devices had connected to before, and use that assumption to get information.One thing the logs gave me, which I didn't include here, was date time stamps, to the second, of when people connected.I wont show the graph but I did the same test in a local shopping mall, over a few hours, over different days.Not only did I see the "busy" patterns, I saw some of the same devices I saw on my AP! ;-) Device was a TP-Link 703, if your interested-fits in the palm of your hand and works off 5vdc-excellent little piece of kit!

Hopefully I've shown how stupid wifi is on modern devices, and how ridiculously easy it is to impersonate a legitimate wifi access point.Connect once, and your phone will connect to that wifi signal again and again, without your permission, regardless of who, or what is broadcasting that signal. It wouldn't be rocket science to make the AP sniff traffic, or re-direct to a bogus sign up page.

Cheers!!
 
First of all apoligies-I've not found the time to keep the blog up to date. It's a mixture of work and laziness :-)
I've been meaning to write about this for a while-BT FON. What's that then I hear you cry-and if your a BT customer, then that wouldn't surprise me! BT FON is a freebie that BT throw into your home broadband wi-fi connection. Essentially if you give a bit up of your wi-fi connection for public consumption, you can then use other BT FON users bandwidth when your out and about-sounds great. A massive source of untapped broadband supply, just waiting for you, the loyal BT user, to use. One problem-most users dont know they have signed up for this service.On all new users, the facilty is opt-in by default-that is, BT have it turned on on your router when it is shipped to you/ bought by you. Which is fine if you get your 8Mb/secs (lucky you) but not so if your getting a few Megs. I'm surprised more has not been made of this when you consider the Facebook row over privacy settings story.You would think a big company basically making decisons on what some people see as important as their gas, electricity and water-giving it away from free-would have eliicted some sort of response but no. I think a lot of just amplifies the general ambiliance and ignorance most broadband users have towards that home connection.Think of it this way-its like the Water company saying if you give up some water from your garden hose connection, you can use someone else's when your out. Thing is:
1) I doubt if you would sign up for it
2) you wont use it very often
3) the reason for 1 is 2
But they've stuck a big map up on the Web where all those free taps are-dont believe me? Try this and stick in your postcode-ok, here's one I did earlier
Picture
Random BT FON map
The large blue circles represent areas where the indivdual wi-fi hotspots are so many, BT need to show this as one big circle.Now I'm sorry, I know that the British are known for their generosity but I simple dont believe that all those people are 1) giving up their bandwidth and 2) are doing it of their own free will. Come on-the Brits are so paranoid  do you think they are going to let their neighbours onto their wi-fi? No chance. Not a Scooby Doo in hell's chance.

But I mentioned exploit in the header-now, the way BT FON works is it takes the "pie" that is your broadband connection and slices it up-with you keeping about 90% (based on a 8Mb/secs connection-lol) and the other 10% goes to Joe Bloggs looking for porn or some torrents under the radar, parked outside or next door. It is secure (WPA/WPA2), but secure comes with a caveat-WPA will be broken in the next few years, its only matter of time. As discussed in a previous post, there are now cloud services willing to do the job for you of finding that elusive password.Anyway I digress.Somebody will find a hole in this system and crack it wide open-if its not been been done already and the blackhats are just keeping Mum about it. And yes, you do need to sign in with your BT FON username and password-you know, that same one you ask your Mum and Dad for when you want to get your email......

The biggest shame about this is that in these day where we talk about the broadband poor, that BT havent worked out a way to build a super mesh network for the whole country-think about it-thousands,millions of wi-fi access points being combined together for the greater and common good.Now that's a good idea.