So I decided that a little wifi social experiment was in order, to see if open and free wifi really makes people forget all common sense, when it comes to the Internet and their personal information.
No doubt most of you are familiar with the likes of aircrack-ng, and maybe even the infamous Pineapple. Heck, you may even dabble in Backtrack and Kali. All these tools allow you to "sniff" the airwaves for wifi signals and, depending on your motives, do something with said information. Problem is, most are what I would call promiscuous (you go out looking for something). I wanted to let the people come to me! :-)
Anyway, I digress. What if we set up an access point, or many access points, based on the most common names (SSIDs, I mean) people use? And what if we assumed that those mobile devices, without asking the end user, connected to these most common SSIDs? Because when you walk into Costa, or McDonald's, you've already connected once, so heh, free is free, you've used it before, why would your phone ask you again?
Also, some of the tools above depend on the mobile device giving up the SSIDs it has used before. That assumption is now on the down slope, due to the vendors (Apple especially) implementing much stricter use of the PNL (Preferred Network List). Basically, in past years your device would send out a broadcast looking for wifi, and in it broadcast all the other wifi networks you had connected to in the past. Now, most just send out a generic broadcast probe, without giving up your past wifi locations. This was/is the secret sauce that all the tools above would use to set up an "Evil" wifi access point. Now, it's a pain.
But, and here's the upside (see, it's not all bad news), with the explosion of free wifi (I'm in the UK so the main ones are BT, The Cloud, O2 etc etc) you not only have thousands of access points, but these access points are being consolidated. But the real crown jewels are the broadband operators, and BT (formerly British Telecom) should take a bow: they enable, by default, a "guest" wifi signal on EVERY home installation. In fact, you can't turn it off! This is so that, no matter where you are, if you are a BT customer you can connect as a guest to any other BT residential user's hub.
SKY is not far behind (they bought out The Cloud) but doesn't do the same guest offering for residential customers. I'm sure they are not that far behind, mind you.
So you have millions of people who connect regularly to the same wifi signal, day after day. All we need to do is mimic these wifi points. As a great man once said, "If you build it, he will come". Substitute "them" for "he"!
So how do you do it, and what can you see?
You need an access point that can a) run OpenWRT and b) transmit multiple hotspots. You could use DD-WRT, but the logging capabilities are pants, and you could use an AP that can transmit just one SSID, but that takes a lot of flexibility (and fun) out of the exercise. I am using an AP from TP-Link, the TL-WR2543ND.
I got it for £12 from eBay. It has both 5GHz and 2.4GHz, it has detachable antennas (so you can put on bigger ones!) and it has an Atheros chipset, which means you can put up to 8 (eight!) SSIDs on one physical AP. Stay away from Broadcom-based chipsets; they are limited in their logging ability, especially around a Linux package called hostap.
Step 2
Deploy OpenWRT onto your router. I'm not going into that here, Google it. Get a decent 9dB omni antenna. Put the antenna as high as possible, and the access point as close to that antenna as possible. If you don't, at these frequencies, you lose signal.
The reason for this is to make your SSIDs go as far as possible, to get as many devices to connect as possible.
Configure the access point with the most common SSIDs you can think of. See my wifi config below for the ones I use.
Set up extended logging on the router. This will allow you to capture "rotating" logs. A few good web pages are here and here. I put them into the /etc/logs/ directory. Don't put them into /var, as they will be overwritten every time you reboot the device.
Sit back and wait for the suckers, sorry, public at large, to connect to your access point. Now, I need to make something clear here: I did not set this up as a man-in-the-middle attack, I did not sniff actual user data and I didn't use any sort of proxy to redirect traffic to a malicious site. That's not the aim here; it was a social experiment to see how dumb both the end user and their mobile device are. The way you connect to your home wifi when you walk in the front door, the way you connect to your work wifi, this is all it is trying to mimic. I'm not trying to hack someone's personal data.
So over a period of a month, I collected daily logs of all the people that connected to my 4 SSIDs, both from a physical point of view (wifi authentication/de-authentication packets) and from a logical point of view (they acquired an IP address and surfed the web). See below: the first table is those devices/users who not only connected, but acquired an IP address from the router. The 2nd one is the physical connections (top 20 or so).
I have hidden some of the personal details. But here are the highlights:
Just under 80 devices connected and surfed on my AP, some quite regularly, over the month. About 305 just connected physically, probably passing motorists (I live near a main road), which didn't have time to complete the DHCP process.
The added bonus is that when they connect, you also get the host name of the device, so Bobs-iPhone or Julies-iPad: very revealing. Android is a bit more secure (!) but on the second list I get the MAC addresses (top 20 or so, the xls page is too big!). The actual log files give you both; I just split it up into Excel and did a simple pivot. So now I know who it is, and what the device ID is. It wouldn't take a genius, and big business is doing this right now, to put 3 or 4 APs up and track people. The individual wlan0 to wlan0-7 columns are the individual AP SSIDs I assigned, so you can see which SSIDs are the most popular. It also serves as a confidence check that you have the right ones, or which ones to discard/replace. I know of no other method that gives you this check.
As I said before, I wanted to go a different route: not to use a wifi tool to work out who was out there, but to make an assumption on what those devices had connected to before, and use that assumption to get information. One thing the logs gave me, which I didn't include here, was date/time stamps, to the second, of when people connected. I won't show the graph, but I did the same test in a local shopping mall, over a few hours, over different days. Not only did I see the "busy" patterns, I saw some of the same devices I saw on my AP! ;-) The device was a TP-Link 703, if you're interested. It fits in the palm of your hand and works off 5V DC, an excellent little piece of kit!
Hopefully I've shown how stupid wifi is on modern devices, and how ridiculously easy it is to impersonate a legitimate wifi access point. Connect once, and your phone will connect to that wifi signal again and again, without your permission, regardless of who or what is broadcasting that signal. It wouldn't be rocket science to make the AP sniff traffic, or redirect to a bogus sign-up page.
Use an app called SmokePing to monitor your Superhub and the DOCSIS network that powers it.
This guide http://blog.kugelfish.com/2013/05/raspberry-pi-internet-access-monitor.html is an excellent start, but I found it missing a few things, so here's my way. Install SmokePing onto the Pi:
sudo apt-get install smokeping
This is a big download, and it also installs the Apache2 web server, so be aware of this. I changed the default port from 80 (I will cover this later on). Once downloaded and installed, you need to change the Targets and Probes. Here are mine (you don't need to use them, but they are more relevant to me).
The Targets are edited with sudo nano /etc/smokeping/config.d/Targets. I would delete everything in this file and cut and paste the following (SmokePing needs a + or ++ header line to nest each entry; the header names used here are simple labels and can be anything, as long as each is unique within its level):

*** Targets ***
probe = FPing

menu = Top
title = Using a Raspberry Pi and SmokePing to Monitor DOCSIS Networks
remark = Latency to a few select sites and services in the Internet, via the VM DOCSIS network

+ Internet
menu = Internet
title = Outbound from the Pi to the Internet (using Ping)

++ Google
title = Google
menu = Google
host = www.google.com

++ Facebook
title = Facebook
menu = Facebook
host = www.facebook.com

++ BBC
title = BBC
menu = BBC
host = www.bbc.co.uk

++ ThinkBroadband
title = ThinkBroadband
menu = ThinkBroadband
host = www.thinkbroadband.com

+ DNS
menu = Measuring DNS response times
title = Name Servers

++ GoogleDNS
title = Google public DNS
menu = Google public DNS
probe = EchoPingDNS
dns_request = www.google.com
host = 126.96.36.199

++ VirginMediaDNS
title = VirginMedia DNS
menu = VirginMedia DNS
probe = EchoPingDNS
dns_request = www.google.com
host = 192.168.0.1

+ Cloud
menu = Cloud
title = Response of well known Cloud Services

++ Dropbox
title = Dropbox
menu = Dropbox
probe = EchoPingHttp
host = dl.dropboxusercontent.com
port = 80
url = /u/12770892/benchmark/raspberrypi.jpg

++ GooglePhoto
title = Google+ Photo
menu = Google
probe = EchoPingHttp
host = lh4.googleusercontent.com
port = 80
url = /UB5Y5yJKtj51bs2asd8kJGjOxwigev7JPQz3g9tw1C0=w614-h801-no
Note that the DNS host for the VirginMedia DNS check is the default IP address of the VM Superhub (192.168.0.1). I tried 188.8.131.52, but it wouldn't work.
Now for the Probes: sudo nano /etc/smokeping/config.d/Probes

*** Probes ***

+ FPing
binary = /usr/bin/fping
step = 60
pings = 10

+ EchoPingDNS
binary = /usr/bin/echoping
step = 300
pings = 5

+ EchoPingHttp
binary = /usr/bin/echoping
step = 300
pings = 3
Again, I have changed the default polling for the ICMP checks from 300 seconds to 60 seconds, and the HTTP polling is down from 900 to 300.
What you want to do now is change the default port on the Apache web server from port 80 to some other (I chose 6666). This is basically to add a bit of security if somebody port scans you (it only hides the page from scans of the common ports; anyone who scans the full range will still find it). This web page is a good guide: http://www.cyberciti.biz/faq/linux-apache2-change-default-port-ipbinding/
So:
sudo nano /etc/apache2/ports.conf
Comment out the Listen line for port 80 and add one for the new port, then save and come out. Commenting out port 80 means it's not used. I left the 443 port in for SSL, but to be honest, this is not super secret stuff we are pulling back here!! Onwards...
Go into:
sudo nano /etc/apache2/sites-enabled/000-default
On the line <VirtualHost *:80>, change it to <VirtualHost *:6666>, then save and come out.
You should now have SmokePing installed, your Probes and Targets set up, pimped up the web page it will be displayed on, and changed the web server port. Now restart the SmokePing service:
sudo service smokeping restart
and restart Apache:
sudo /etc/init.d/apache2 restart
There shouldn't be any errors. You may get one about the loopback interface (127.0.0.1) but I found this can be ignored. To be on the safe side, you may want to reboot the Pi, but that's up to you.
Once you think it is all working, type the following into your favourite web browser:
http://x.x.x.x:6666/cgi-bin/smokeping.cgi?
where x.x.x.x is the PUBLIC IP address of your VirginMedia Superhub. However, before you do this, there is one final thing: you need to open up that port (port 6666, or whatever you chose, or 80 if you left it at the default) on the Superhub diagnostic pages. I'm not going to go through it here; here is a link on how to do it: http://goo.gl/szKTK4 If this doesn't work, just Google "open a port on virgin media superhub".
That should be it. If successful, you should get a web page up, and some links down the side; click on them. The page should update itself automatically every minute, so no need to refresh. Have a play, leave it for 30 mins or so, and you should see the graphs update themselves. Here's an example of what you should see:
I hope this helps someone, as I have found the incumbent, ThinkBroadband, to be very misleading. Below is the ThinkBroadband graph, inbound to the Superhub. The next one is SmokePing, outbound from the Pi to ThinkBroadband.
For those that don't know, ThinkBroadband pings the Superhub every second, and people then look at the yellow spikes as a measure of their performance. These yellow spikes are the highest PING time recorded in a 100 second period, so you could have 99 PINGs at 20ms and one at 140ms, and it will be the 140ms one that is displayed!
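To show why the "highest ping in 100 seconds" figure looks so much worse than what SmokePing draws, here is an added Python example (written for this page, not taken from the post, ThinkBroadband or SmokePing) that summarises one constructed run of pings both ways: the worst ping per 100-sample window versus the per-burst min/median/max and loss count that a probe with pings = 10 produces. The window size, burst size and RTT values are assumptions for the illustration.

```python
"""Added example (not from the post or from either tool): summarise one run of
ping samples two ways. worst_in_window mimics the post's description of the
ThinkBroadband spikes (highest RTT in each 100-sample window); smokeping_step
mimics what a SmokePing FPing probe records per step from a burst of `pings`
replies: min, median, max and the number lost. All RTTs are constructed."""
from statistics import median

LOST = None  # marker for a ping that got no reply


def worst_in_window(rtts, window):
    """Highest RTT in each consecutive block of `window` samples.
    A block in which every ping was lost yields None."""
    out = []
    for i in range(0, len(rtts), window):
        seen = [r for r in rtts[i:i + window] if r is not LOST]
        out.append(max(seen) if seen else None)
    return out


def smokeping_step(rtts, pings):
    """Per-step summary in the style of a SmokePing probe configured with
    `pings = N`: min, median and max of the replies, plus the loss count."""
    out = []
    for i in range(0, len(rtts), pings):
        burst = rtts[i:i + pings]
        seen = sorted(r for r in burst if r is not LOST)
        lost = len(burst) - len(seen)
        if seen:
            out.append({"min": seen[0], "median": median(seen),
                        "max": seen[-1], "lost": lost})
        else:
            out.append({"min": None, "median": None, "max": None, "lost": lost})
    return out


# Constructed sample of 200 consecutive pings: the post's "99 at 20ms and one at
# 140ms" in the first hundred, then a hundred in which the last two are lost.
SAMPLE = [20.0] * 99 + [140.0] + [20.0] * 98 + [LOST, LOST]


def compare(rtts=SAMPLE, window=100, pings=10):
    """Return both summaries so they can be set side by side."""
    return worst_in_window(rtts, window), smokeping_step(rtts, pings)


if __name__ == "__main__":
    worst, steps = compare()
    print("worst ping per window:", worst)  # [140.0, 20.0]
    for n, s in enumerate(steps):
        if s["max"] != 20.0 or s["lost"]:
            print(f"step {n}: {s}")
```

Only one of the twenty SmokePing steps carries the 140ms outlier, and its median is still 20ms, while the single-number "worst in 100" view reports 140ms for the whole window.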
With the launch of ever increasing broadband speeds, I thought I'd do an anecdotal test on how fast your wireless connection is when compared to wired. When I say wired, I mean using an Ethernet (CAT5) cable plugged into the wireless router. When I say wireless, I mean sitting with the same laptop at the same router but connected by the wireless side of the router. On the same "side" of the router is a server running some FTP download software that allows me to download, and upload, files.
The reason for all this is that with the increasing use of wireless, attached to higher speeds courtesy of your ISP, people expect the same speeds for their bucks. They don't care, or don't know, why it would be different. To be fair, wireless has never been punted as a Very High Speed Medium (VHSM). Personally, I would only use it for general browsing and downloading, and if you look at most companies, wireless is an add-on to the network, not a core function. So now we know how the test was performed, what were the results like? See below:
As you can see, the difference is enormous. Now a few caveats before I get slaughtered by the technophiles. This is a 54G network, it is not an N network. G networks can only do theoretical speeds of 54Mb/sec, but you can see it's well down even on that. My laptop was only 2 feet from the wireless router and I had no competing signals. Also, and this I found surprising, there was no difference between using encryption and no encryption. The connections on the wired side are 100Mb/sec but some are half duplex, so you won't get 100Mb/sec anyway. The point was not to see how fast I could go on wired, but the difference between an average wired and wireless network.
I'm going to get an N router (and N adaptor) and do the same tests, but I bet I get nowhere near the advertised 300-600Mb/sec. Think about it: you can make such outlandish claims, but until you get a home connection that can supply you with VHSM, how do you test it? And even within the home environment, 15-20Mb/sec will quite happily stream HD video (this seems to be the litmus test at the moment), so why do you need N type? Sorry, I digress. The whole point is, if you want a high speed home LAN network that doesn't suffer from interference, that does what it says and gives you a constant and reliable service, don't choose wireless. Get Ethernet.