Wi-Fi, as it is implemented in smartphones and other mobile devices today, has a number of security weaknesses that can make it easy to track a device, and even to intercept data from it.
To raise awareness about these problems, SensePost, an information security firm headquartered in South Africa, built Snoopy.
Snoopy developer Glenn Wilkinson describes it as a “distributed tracking, profiling, and data interception framework”. Currently it shows what kind of mischief is possible with Wi-Fi, but Wilkinson said that since Snoopy is modular it could easily be extended to Bluetooth, RFID, and NFC.
Wilkinson, a Zimbabwean working out of SensePost’s London offices as lead security analyst, has been working on the technology with his colleagues since 2012, when he and Daniel Cuthbert gave a talk at 44con about the privacy implications of the vulnerabilities in Wi-Fi.
How your smartphone blabs about where you’ve been
To understand what Snoopy does, SensePost’s chief technology officer Dominic White said one must first have an idea of how Wi-Fi works.
White explained that Snoopy is interested in two kinds of “management frames”: beacons and probes.
Access points (APs), the networking equipment to which your smartphone, tablet or laptop wirelessly connects, broadcast messages called beacons at a fixed interval (typically about ten times a second).
A beacon advertises the wireless network and its capabilities, and carries a timestamp that keeps connected devices synchronised with the AP so they can schedule their own transmissions.
(For a good overview of Wi-Fi beacons, White recommended the article “802.11 Beacons revealed”.)
APs also send out probe responses, messages sent in reply to a probe request from a device.
Together, beacons and probe responses let “wardrivers” (or companies like Google and Skyhook, for that matter) identify wireless networks and upload each access point’s identifying information and location to a database.
The identifying information consists of the basic service set identifier (BSSID), which is the MAC address of the access point, and the extended service set identifier (ESSID, or just “SSID” for short), which is the human-readable network name.
An example of a freely available database that contains such information is Wigle.net, which is what Wilkinson used in his demonstration of Snoopy.
The other management message Snoopy relies on is the probe request, which a device sends out to discover nearby Wi-Fi networks before joining one.
A probe request is either a broadcast (with an empty SSID field, asking any AP in range to answer) or directed, in which case it contains the ESSID of the specific network the device is looking for.
Where things get interesting, White explained, is that most devices actively scan for Wi-Fi networks by sending out probe requests on a regular interval for networks they have previously joined, or have been instructed to “remember”.
By simply listening for and recording these probe requests, anyone can build up a list of the Wi-Fi devices in an area and the networks each of them has connected to in the past.
At first this may not seem so scary, until you realise what the networks you have joined in the past may reveal about you.
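The following is an added example, not SensePost's Snoopy code, showing the two management frames described above being decoded by hand: beacons give up the AP's BSSID, SSID and channel, and directed probe requests give up the client's MAC address and the name of a network it remembers. The frames, MAC addresses and SSIDs are constructed for the example (bare 802.11 headers, no radiotap header), and `_mgmt` is a helper written here to build them.

```python
"""Decode 802.11 beacons and probe requests into the device -> remembered-SSID
inventory a Snoopy-style listener collects. Added example, not SensePost code;
frames, MACs and SSIDs below are constructed (no radiotap header)."""
import struct
from collections import defaultdict

MGMT_TYPE = 0
SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 4, 5, 8
TAG_SSID, TAG_RATES, TAG_DS_PARAMS = 0, 1, 3   # DS parameter set carries the channel
BROADCAST = b"\xff" * 6
KIND = {SUBTYPE_BEACON: "beacon", SUBTYPE_PROBE_REQ: "probe_req",
        SUBTYPE_PROBE_RESP: "probe_resp"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_tags(data):
    """Walk the tagged parameters (id, length, value) until the body ends."""
    tags, i = {}, 0
    while i + 2 <= len(data):
        tag_id, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:
            break                       # truncated frame: stop rather than misparse
        tags.setdefault(tag_id, value)
        i += 2 + length
    return tags


def parse_mgmt_frame(frame):
    """Return a dict for a beacon, probe request or probe response, else None."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype not in KIND:
        return None
    sa, bssid = frame[10:16], frame[16:22]       # addr2 = sender, addr3 = BSSID
    body = frame[24:]
    if subtype != SUBTYPE_PROBE_REQ:
        body = body[12:]    # skip timestamp (8), beacon interval (2), capability (2)
    tags = parse_tags(body)
    ds = tags.get(TAG_DS_PARAMS, b"")
    return {"kind": KIND[subtype], "sa": mac_str(sa), "bssid": mac_str(bssid),
            "ssid": tags.get(TAG_SSID, b"").decode("utf-8", "replace"),
            "channel": ds[0] if ds else None}


def probe_inventory(frames):
    """Client MAC -> SSIDs it asked for. Wildcard probes (empty SSID) say
    nothing about the device's history and are skipped."""
    seen = defaultdict(set)
    for f in frames:
        p = parse_mgmt_frame(f)
        if p and p["kind"] == "probe_req" and p["ssid"]:
            seen[p["sa"]].add(p["ssid"])
    return dict(seen)


def ap_inventory(frames):
    """BSSID -> (SSID, channel) for every AP heard beaconing or responding."""
    aps = {}
    for f in frames:
        p = parse_mgmt_frame(f)
        if p and p["kind"] in ("beacon", "probe_resp"):
            aps[p["bssid"]] = (p["ssid"], p["channel"])
    return aps


def _mgmt(subtype, da, sa, bssid, fixed, tags):
    """Assemble a management frame: 24-byte header, fixed fields, tagged params."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0])
    header = fc + b"\x00\x00" + da + sa + bssid + b"\x00\x00"
    return header + fixed + b"".join(bytes([t, len(v)]) + v for t, v in tags)


# Constructed capture: one AP beacon, one phone probing for two remembered
# networks plus one wildcard probe, and a data frame the parser must ignore.
AP, PHONE = bytes.fromhex("00aabbccddee"), bytes.fromhex("021a2b3c4d5e")
BEACON_FIXED = struct.pack("<QHH", 1_234_567, 100, 0x0411)  # timestamp, interval, caps
SAMPLE_FRAMES = [
    _mgmt(SUBTYPE_BEACON, BROADCAST, AP, AP, BEACON_FIXED,
          [(TAG_SSID, b"CoffeeShop-Guest"), (TAG_RATES, b"\x82\x84\x8b\x96"),
           (TAG_DS_PARAMS, b"\x06")]),
    _mgmt(SUBTYPE_PROBE_REQ, BROADCAST, PHONE, BROADCAST, b"",
          [(TAG_SSID, b"Flat-12B-Hackney"), (TAG_RATES, b"\x82\x84\x8b\x96")]),
    _mgmt(SUBTYPE_PROBE_REQ, BROADCAST, PHONE, BROADCAST, b"", [(TAG_SSID, b"AcmeCorp-Staff")]),
    _mgmt(SUBTYPE_PROBE_REQ, BROADCAST, PHONE, BROADCAST, b"", [(TAG_SSID, b"")]),
    bytes([0x08, 0x00]) + b"\x00" * 22 + b"payload",   # data frame, not management
]

if __name__ == "__main__":
    for mac, ssids in probe_inventory(SAMPLE_FRAMES).items():
        print(mac, "probed for:", sorted(ssids))
    for bssid, (ssid, ch) in ap_inventory(SAMPLE_FRAMES).items():
        print(bssid, "beacons as", repr(ssid), "on channel", ch)
```

On a real interface in monitor mode the frames arrive with a radiotap header in front of the 802.11 header, which this parser does not strip; everything after that header is handled as shown.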
Don’t manually turn off your Wi-Fi? You probably should
To demonstrate what can be done with Snoopy, Wilkinson wrote a number of “transforms” for Maltego, a tool developed by another South African company, Paterva.
Wilkinson explained that Maltego lets you visualise data and the relationships between the various entities you might be analysing.
He showed that you can select multiple Snoopy sensors (called “drones”), then simply right click to activate a transform and bring up a list of Wi-Fi devices in the vicinity of those sensors.
From there you can get the networks all those devices have been probing for.
Another transform uses the public Wi-Fi access point database Wigle.net to geolocate the access points.
If your access point at home or work has a unique name and a “wardriver” had uploaded its details to Wigle.net, then it could very well be used to pin-point exactly where the user of a particular device works or lives.
This data can also be used to analyse whether devices (and perhaps people) were in the same place at one time or another.
Another Maltego transform lets you easily perform this analysis by right clicking on a location and looking up all the devices your sensors have seen that have been at that place.
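To make the analysis behind those transforms concrete, here is an added example that is not SensePost's or Paterva's code. It takes a log of probe-request sightings and answers the same questions the transforms do: where a device's remembered networks are, which devices share a network, and which devices were near the same sensor at the same time. The sightings and the SSID-to-coordinate table are constructed; the table stands in for a Wigle.net lookup, which in reality is keyed on BSSID and SSID and returns many candidate records rather than one point.

```python
"""Probe-request sightings -> the answers the article's Maltego transforms give.
Added example, not SensePost/Paterva code; all data below is constructed and
SSID_LOCATIONS stands in for a Wigle.net lookup."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations


@dataclass(frozen=True)
class Sighting:
    drone: str      # Snoopy sensor that heard the probe request
    device: str     # client MAC address
    ssid: str       # network named in the probe request
    ts: datetime


# Constructed stand-in for a wardriving database (SSID -> lat, lon). A generic
# name such as "Internet" is deliberately absent: it matches thousands of APs,
# so it pins its owner to no single place.
SSID_LOCATIONS = {
    "Flat-12B-Hackney": (51.5450, -0.0553),
    "AcmeCorp-Staff": (51.5200, -0.0850),
}


def geolocate_device(device, sightings, ssid_db=SSID_LOCATIONS):
    """Places a device has probably been: coordinates of the distinctive SSIDs it probed for."""
    return {s.ssid: ssid_db[s.ssid]
            for s in sightings if s.device == device and s.ssid in ssid_db}


def devices_sharing_ssid(sightings):
    """SSID -> devices that probed for it. Two devices probing for the same home
    or office network very likely belong to people who share that place."""
    shared = defaultdict(set)
    for s in sightings:
        shared[s.ssid].add(s.device)
    return {ssid: devs for ssid, devs in shared.items() if len(devs) > 1}


def devices_at(drone, sightings):
    """Every device a given sensor has heard (the 'devices at this location' view)."""
    return {s.device for s in sightings if s.drone == drone}


def colocated_pairs(sightings, window=timedelta(minutes=5)):
    """(device_a, device_b, drone) for devices heard by the same drone within `window`."""
    by_drone = defaultdict(lambda: defaultdict(list))
    for s in sightings:
        by_drone[s.drone][s.device].append(s.ts)
    pairs = set()
    for drone, times in by_drone.items():
        for a, b in combinations(sorted(times), 2):
            if any(abs(t1 - t2) <= window for t1 in times[a] for t2 in times[b]):
                pairs.add((a, b, drone))
    return pairs


# Constructed sightings from two sensors over one morning.
T0 = datetime(2014, 3, 25, 9, 0)
SIGHTINGS = [
    Sighting("drone-01", "02:1a:2b:3c:4d:5e", "Flat-12B-Hackney", T0),
    Sighting("drone-01", "02:1a:2b:3c:4d:5e", "AcmeCorp-Staff", T0 + timedelta(seconds=30)),
    Sighting("drone-01", "06:77:88:99:aa:bb", "AcmeCorp-Staff", T0 + timedelta(minutes=2)),
    Sighting("drone-02", "0a:11:22:33:44:55", "Internet", T0 + timedelta(minutes=1)),
    Sighting("drone-01", "0a:11:22:33:44:55", "Internet", T0 + timedelta(hours=3)),
]

if __name__ == "__main__":
    print(geolocate_device("02:1a:2b:3c:4d:5e", SIGHTINGS))
    print(devices_sharing_ssid(SIGHTINGS))
    print(colocated_pairs(SIGHTINGS))
```

Note that the device probing only for "Internet" geolocates to nothing, which is exactly the effect of the generic-SSID advice given later in the article.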
From Wi-Fi tracking to hacking
While some may not be too concerned about the privacy implications of the vulnerabilities in Wi-Fi, the potential to exploit them for data interception (“hacking”) purposes should worry everyone that uses the technology.
Armed with the knowledge of which Wi-Fi networks your device is probing for, an attacker can pretend to be that network and trick the device into connecting to it.
White said that these attacks are called “karma”-type attacks and are also nothing new – dating back to at least 2005.
Wilkinson demonstrated that, with Maltego, Snoopy can show which services a device is logged into and hijack those sessions, or exploit weaknesses such as SSL degradation (stripping an HTTPS connection down to plain HTTP) to carry out man-in-the-middle attacks.
In simple terms, an attacker could get at everything from your Facebook account to sensitive data you send over the Wi-Fi network.
If your browser is not up-to-date it is even possible to gain access to your PayPal account, Wilkinson said.
White said that modern browsers and websites that use HTTP Strict Transport Security (HSTS) are protected from this kind of attack. Most of Google’s authenticated sites are protected in this way, White said.
As an example of the contrary, Wilkinson said that companies like Facebook have to stop sending their authentication cookies out over unencrypted channels.
Drone-mounted Wi-Fi sensor
The most recent addition to SensePost’s Snoopy project is a remote-controlled quadrotor fitted with a Wi-Fi sensor that acts as a Snoopy client.
Asked what the quadcopter adds to the demonstration that a network of ground-based Snoopy clients doesn’t already provide (besides the “cool” factor), Wilkinson said that it:
- Lets you cover a large area very quickly and is less impeded than walking around with a snooping Wi-Fi access point in your pocket;
- can get past physical security more easily; and
- is effectively out of visual and audio range (the accompanying video shows that at a height of about 80m you can neither see nor hear the drone, Wilkinson said).
Defending against Wi-Fi tracking and hacking
If the weakness is in the very standard for which the Institute of Electrical and Electronics Engineers (IEEE) is responsible, what can be done to mitigate its effects?
White said that one point of concern is that there is no clearly visible work under way to change how probe requests work.
“Maybe there’s stuff happening in the background,” White said.
However, a new Wi-Fi standard under discussion seems to contradict this, since it further encourages the active sending of probe requests.
This will let a device request a particular service or quality of service and have a network with those parameters respond. If you’re looking for a Wi-Fi network that can handle a voice over IP call your device can then send out a probe request to that effect, White explained.
However, the existing pitfalls inherent in the probe request would then remain unchanged.
The only thing users can do about this is to switch off their Wi-Fi when they move out of their office or home, Wilkinson said.
He added that it is also good practice to delete open Wi-Fi networks from the list of networks your device remembers when you are about to leave the hotspot. On phones you usually select “forget network” to do this.
You can also make sure your access point is called something generic (such as “Internet”), so the name doesn’t make the location clear, White said.
To prevent hackers from using Karma attacks against users, White said that there are already additional security measures higher up in the networking stack that web services can use.
HSTS, first specified in 2009 and published as RFC 6797 in 2012, can defeat SSL degradation attacks and is relatively easy to implement, White said.
To defeat man-in-the-middle attacks, White said that web services can use SSL certificate pinning.
Certificate pinning lets an app or web browser insist on a specific SSL certificate (or public key) from a server, rather than accepting any certificate that is valid and chains to a trusted authority.
While Chrome has limited support for certificate pinning, it is not something any website can just do, White said.
If you have an app, however, you can build certificate pinning into it.
“Good apps use certificate pinning,” Wilkinson said.
White said that the new version of Snoopy will be made available soon under a non-commercial copyleft license.