Hack Demo Videos:

Wireless Probe Snooping

18 Sep 2013

This short video gives a hands-on, live demonstration of snooping out the home access points of wireless devices.
If you’re looking to get to grips with WiFi Stumbling, or understand more about the risks of keeping default SSIDs on access points then just click Play.

Today I’ll show you why it’s so important to turn off the wireless chipset on your mobile or laptop when you’re not using it.

What we have here are some tools that we’ll use to look for wireless access points. These are the few that I can see from my laptop near here [monitor displays a list of APs], but there’s nothing particularly interesting there. What I find a lot more interesting is this: instead of looking for access points I want to look for their wireless clients. That means the mobile phones, laptops, and other wireless devices that are sending out packets, searching for an access point.

What interests me is the probe’s name, here on the right-hand side [of the monitor display]. That tells us what the access point name is that the client is looking for, and that is where things start to get a little bit interesting.

Now, from here it wouldn’t take too much to work out that the names of these are related to companies. Instead what I can do is use some really cool tools. This is a database called Wigle; you can find it at wigle.net. Essentially it’s data collected by a lot of people who’ve been out and about “stumbling”, or picking up data from wireless devices probing for an access point. The information is used to generate GPS-correlated maps of access point names, and then map them onto Google Maps. You can see all those little red dots [on the monitor display]; those are points where people have picked up an access point from.

That happened to be across a town, all very interesting. What I find more interesting is if you pick up a unique access point name when you’re out and about, you can then use that information to work out where someone might live based on the probing that their wireless device is doing.

I’ve got a great example of this; this is one from my local town. Using Wigle I can do a simple “search by SSID”. I found the SSID I’m using on one of my own stumbles, and let’s see if we can find it… Yes, we get one hit, and the SSID is unique: in this case “Orange” with a hex address afterwards.

I can then pull up the map and make a guess as to where that person lives. It’s a physical address that I can drive past. So, while I was out and about in my local city I found someone who’d walked past me with a mobile device probing for access point names, and it’s not unreasonable to assume that’s where they live.

It takes very little more to go from there to street view and I’ve got a picture of where they might live. You could start tracking people based upon their wireless devices’ movements around the country. There are various retailers who have set up little access points that are actually listening to see how you move around a shop. Big brother IS tracking you when you’re moving around the world.

So please, when you’re not using it, turn off the wireless chipset on your phone and your laptop. Your battery will last longer and you can’t be tracked in this way.

Something else that’s worth doing is thinking about what you call your access point. Now this is a completely generic, default name that’s come straight out of the box. The user hasn’t bothered to change it. As a result of that it’s only got one hit globally on this database so I know exactly where it is. Now I’ll do a slightly different search. What if someone had actually thought about what they’d call their access point at home and changed it to “access point”?

Let’s have a look to see how many people have got an access point called “access point”. All of a sudden you see that there are hundreds and hundreds and hundreds of people with an access point of that name. Why? Because they’ve changed it, and it’s now lost in all that noise. There’s no way I can work out where this person lives because there are far too many access points called “access point”.

Have a think about changing your access point name.
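The following is an added example, not part of the original video or transcript. It turns the argument above into a self-audit for the SSIDs your own devices remember: a factory-style name with a hex suffix that has only one or two hits in a stumbling database pins down a location, while a common name is lost in the noise. The hit counts and SSID list are constructed sample values, and the thresholds and the default-name regex are heuristics chosen for the example.

```python
import re

# Constructed stand-in for a Wigle-style "how many APs use this name" lookup.
# These counts are made up for the example, not real query results.
SSID_HITS = {
    "Orange-1A2B3C": 1,        # unique factory default: one hit, one location
    "SKY1F2E3D": 2,            # near-unique factory default
    "CoffeeShopGuest": 40,     # a few dozen sites
    "access point": 800,       # generic name, lost in the noise
    "linksys": 120000,         # vendor default shared by huge numbers of APs
}

# Constructed list of networks a laptop or phone remembers (and would probe for).
SAVED_SSIDS = ["access point", "Orange-1A2B3C", "linksys",
               "Orange-1A2B3C", "SKY1F2E3D", "CoffeeShopGuest"]

# Heuristic: vendor word, optional separator, then 4+ hex digits (e.g. Orange-1A2B3C).
DEFAULT_SSID_RE = re.compile(r"^[A-Za-z]+[-_ ]?[0-9A-Fa-f]{4,}$")

# Thresholds are an assumption for this example, not a published scale.
LEVEL_ORDER = {"high": 0, "medium": 1, "low": 2, "unknown": 3}


def looks_default(ssid):
    """True if the name looks like an unchanged out-of-the-box SSID."""
    return bool(DEFAULT_SSID_RE.match(ssid))


def exposure_level(ssid, hits):
    """Rate how precisely a stumbling database could place this SSID."""
    n = hits.get(ssid, 0)
    if n == 0:
        return "unknown"      # no data; not evidence that the name is safe
    if n <= 2:
        return "high"         # effectively unique: the hit is the location
    if n < 100:
        return "medium"       # a short list of candidate locations
    return "low"              # hundreds or more: no way to single one out


def audit(ssids, hits):
    """Report each remembered SSID, most identifying first."""
    report = []
    for ssid in dict.fromkeys(ssids):          # de-duplicate, keep order
        report.append({"ssid": ssid, "hits": hits.get(ssid, 0),
                       "level": exposure_level(ssid, hits),
                       "default_name": looks_default(ssid)})
    report.sort(key=lambda r: (LEVEL_ORDER[r["level"]], r["ssid"]))
    return report


if __name__ == "__main__":
    for row in audit(SAVED_SSIDS, SSID_HITS):
        print(f'{row["level"]:8} hits={row["hits"]:<7} '
              f'default={row["default_name"]!s:5} {row["ssid"]}')
```

Entries rated "high" are the ones worth renaming at the access point (and forgetting on the device); "unknown" only means the sample table has no entry, so treat it as unverified rather than safe.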