Category: Wifi - MyHomeBroadband.com
 
Picture
So I decided that a little wifi social experiment was in order, to see if open and free wifi really makes people forget all common sense, when it comes to the Internet and their personal information.
No doubt most of you are familar with the likes of aircrack-ng, and maybe even the infamous Pineapple.Heck, you may even dabble in Backtrack and Kali.All these tools allow you to "sniff" the airwaves for wifi signals, and, depending on your motives, do something with said information. Problem is, most are what I would call promiscuous (you go out looking for something). I wanted to let the people come to me! :-)

Anyway, I digress. What if we set up an access point, or many access points,based on the most common names (SSID's I mean) people used? And what if we assumed that those mobile devices, without asking the end user, connected to these most common SSID's? Because when you walk into Costa, or MacDonalds, you've already connected once, so heh, free is free,you've used it before-why would your phone ask you again?

Also, the problem with some of the tools above depend on the mobile device giving up the SSID's it's used before. That assumption is now on the down slope, due to the vendors (Apple especially) implementing much stricter use of the PNL (Preferred Network List). Basically, in past years,your device would send out a broadcast looking for wifi-in this it broadcast all the other wifi's you had connected too in the past.Now, most just send out a broadcast beacon, without giving up your past wifi locations.This was/is the secret sauce that all the tools above would use to set up an "Evil" wifi access point. Now, its a pain.

But, and here's the upside (see, it's not all bad news), and with the explosion of free wifi (I'm in the UK so the main ones are BT, The Cloud, O2 etc etc) you not only have 1000's of access points, but these access points are being consolidated.But the real crown jewels are the broadband operators and BT (formerly British Telecom) should take a bow-they enable, by default, a "guest" wifi signal on EVERY home installation.In fact, you cant turn it off! This is so no matter where you are, and if you are a BT customer customer, you can connect as a guest to any other BT residential user
  SKY is not far behind (they bought out the Cloud) but dont do the same guest offering for a residential. I'm sure they are not that far behind, mind you.

So you have millions of people, who connect regularly to the same wifi signal, day after day. All we need to do is mimic these wifi points. As a great man once said "If you build it, he will come". Substitute he for them!

So how do you do it, and what can you see?

Step 1
You need an access point that has the ability to a) run OpenWRT and b) be able to transmit multiple hotspots. You could use DD-WRT,but the logging capabilities are pants-and you could use an AP with just one SSID that can be transmitted, but it takes a lot of flexibility (and fun) out of the exercise. I am using an AP from TP-Link-the TL-WR2543ND

I got it for £12 from Ebay-it has both 5Ghz and 2.4Ghz, it has detachable antennas (so you can put on bigger ones!) and it has an Atheros chipset-which means you can put up to 8 (eight!) SSID's on one physical AP. Stay away from Broadcom based chipsets, they are limited in their logging ability, especially around a Linux package called hostap
Step 2
Deploy Openwrt onto your router-I'm not going into that here, Google it. Get a decent 9dB omni antenna. Put the antenna as high as possible, and the access point as close to that antenna as well.If you dont, at these frequencies, you lose signal.
The reason for this is to make your SSID's go as afar as possible, to get as many devices to connect to it as possible.
Configure the access points with the most common SSID's you can think of-see my wifi config below for the ones I use
Step 3
Set up extended logging on the DD-WRT box-this will allow you to capture "rotating" logs. A few good web pages are here and here. I put them into /etc/logs/ directory- dont put them into /var, as they will be overwritten every time you reboot the device
Step 4
Sit back and wait for the suckers, sorry public at large, to connect to your access point. Now, I need to make something clear here-I did not set this up as a man-in-the-middle-attack, I did not sniff actual user data and I didn't use any sort of proxy to redirect traffic to a malicious site. That's not the aim here, it was social experiment to see how dumb both the end user, and their mobile device is. The way you connect to your home wifi when you walk in the front door, the way you connect to your work wifi- this is all this is trying to mimic. I'm not trying to hack someone's personal data.
Results
So over a period of a month, I collected daily logs of all people that connected to my 4 SSID's-both from a physical point of view (wifi authentication/de-authentication packets),and from a logical point of view (they aquired a IP address and surfed the web). See below-the first table is those devices/users who not only connected, but acquired an IP address from the router.The 2nd one is the physical connections (top 20 or so)

Picture

So I have hidden some of the personal details.But here's the highlights:

Just under 80 devices connected and surfed on my AP,some quite regularly,over the month. About 305 just connected physically, probably passing motorists (I live near a main road), which didn't have time to complete the DHCP process.
The added bonus is that when they connect, you also get the host name of the device-so Bobs iPhone or Julies-iPad -very revealing. Android is a bit more secure (!) but on the second list, I get the MAC address's (top 20 or so, the xls page is too big!)-the actual log files give you both, I just split it up into Excel and did a simple pivot.So now I know who it is, and what the device ID. It wouldn't take a genius, and big business is doing this right now, to put 3 or 4 AP's up, and track people.The individual wlan0-wlan0-7 columns are the individual AP SSID's I assigned-so you can see what the most popular SSID's are in use-it also serves as a confidence check that you have the right ones, or which ones to discard/replace.I know of no other method that gives you this check.
Summary
As I said before, I wanted to go a different route-not to use a wifi tool to work out who was out there,but make an assumption on what those devices had connected to before, and use that assumption to get information.One thing the logs gave me, which I didn't include here, was date time stamps, to the second, of when people connected.I wont show the graph but I did the same test in a local shopping mall, over a few hours, over different days.Not only did I see the "busy" patterns, I saw some of the same devices I saw on my AP! ;-) Device was a TP-Link 703, if your interested-fits in the palm of your hand and works off 5vdc-excellent little piece of kit!

Hopefully I've shown how stupid wifi is on modern devices, and how ridiculously easy it is to impersonate a legitimate wifi access point.Connect once, and your phone will connect to that wifi signal again and again, without your permission, regardless of who, or what is broadcasting that signal. It wouldn't be rocket science to make the AP sniff traffic, or re-direct to a bogus sign up page.

Cheers!!
 
Picture
There is a lot on the Net about using DD-WRT with Linksys routers. I've got about 5 of these routers, running all the way form v1 to v5. If you've found this blog via Google, looking for information on this firmware, then your probably looking for some answers on is it right to use it or is it right to keep it. I've thought about using Tomato but what disturbed me was the lack of defence for DD-WRT
Now don't get me wrong-I'm not a DD-WRT fanboy, or any of the firmware variants. I nearly got kicked off the Sveasoft forums for questioning the great man-if you want to really feel the pain of non-delivery, crap GUI, broken promises then go over there-he excels in that.I waited 2 years for a hotspot solution-never got one and found DD-WRT. To charge $20 is an affront to commercial business sense but that's another story
Anyway, I digress-DD-WRT is a firmware that exploits the various versions of the Linksys router set (and a few more). It is feature rich (some would say too much but you can never have enough of a good thing).The very first thing that struck me about the DD-WRT stuff was the GUI-it was so much cleaner than anything I had seen before-and you can have it in different colours!
Here my thoughts on some of the crtitcal comments I have seen:
  • You have to reboot when you apply new settings-well, if your setting it up, you shouldn't have live traffic on it anyway-and once it is set up, why would you be constantly having to fiddle with it? Not a big problem in my case.
  • Its become commercialised and its against the GPL-so what? I'm not into the Linux thing (ohhh-that's going to upset a few people!), I just want something that works.I made a donation through Paypal as it did the job.Pay somebody for a good product if it works-every router I've flashed has worked a treat, even the micro version.Its miles better than the Linksys.
  • It is great for extending wireless networks-through WDS, repeater function, whatever-works a treat
  • It can be a bit slow when getting an IP address-but as long as you know to wait a while, your sorted
In short, its not for the faint hearted in upgrading it but if you can get one for £20 off Ebay, what have you got to lose? Stick a few 9dB omni aerials on it and you have a cracking SOHO router.Hopefully this counteracts some of the comments on the web-it's only my opinion but as is the way these days, if your top of the pile, the only way is down!

 
Picture
With the launch of ever increasing broadband speeds, I thought I’d do an anecdotal test on how fast your wireless connection is, when compared to wired.When I say wired, I mean using an Ethernet (CAT5) cable plugged into the wireless router.When I say wireless, sitting with the same laptop to the same router but connected by the wireless side of the router.On the same “side” of the router, a server, running some FTP download software that allows me to  download, and upload, files.
The reason for all this is that with the increasing use of wireless, attached to higher speeds courtesy of your ISP, people expect the same speeds for their bucks.They don’t care, or don’t know, why it would be different. To be fair, wireless has never been punted as a Very High Speed Medium (VHSM).Personally, I would only use it for general browsing and downloading and if you look at most companies, wireless is an add-on to the network, not a core function. So now we know how the test was performed, what were the results like? See below:

Picture
As you can see, the difference is enormous-now a few caveats before I get slaughtered by the technophiles. This is a 54G network, it is not a N network. G networks can only do theoretical speeds of 54Mb/sec but you can see it’s well down even on that.My laptop was only 2 foot from the wireless router and I had no competing signals. Also, and this I found surprising, was that there was no difference between using encryption and no encryption. The connections on the wired side are 100Mb/sec but some are half duplex so you wont get 100Mb/sec anyway. The point was not to see how fast I could go on wired but the difference between an average wired and wireless network.

I’m going to get a N router (and N adaptor) and do the same tests but I bet I get nowhere near the advertised 300-600Mb/sec. Think about it-you can make such outlandish claims but until you get a home connection that can supply you with VHSM , how do you test it? And even within the home environment, 15-20Mb/sec will quite happily stream HD video (this seems to be the litmus test at the moment) so why do you need N type? Sorry, I digress, the whole point is if you want a high speed home LAN network that doesn’t suffer from interference, that does what it says and gives you a constant and reliable service, don’t choose wireless.Get Ethernet.