
Mr Paranoid walks from one secure location to another. Mid-journey, he panics -- his wireless device (laptop, iPad, or other common consumer electronics) is turned on! If it sent any information to an enemy-controlled access point, the enemy could identify him, or become aware of the fact that he is in this location, or perhaps deduce this from the fact that someone was in this location and everyone else is accounted for! Oh no!

His WiFi device is some off-the-shelf 802.11 item; its software does not establish any connections automatically, but it was turned on and, at the very least, it was listening for access points.

The enemy has not installed any specialist detection hardware, but can run their own software (rootkits or whatever) on other people's standard WiFi access points that happen to be in the area.

Will Mr Paranoid's device send any messages to these access points, or can it be tricked into doing so? Can the Enemy track Mr Paranoid in any way by virtue of the fact that his WiFi is turned on?

Anders
spraff
  • Somewhat related: https://security.stackexchange.com/questions/62124/phones-broadcast-the-ssids-of-all-networks-they-have-ever-connected-to-how-can – Arminius Dec 16 '16 at 11:13

1 Answer


Mr. Paranoid's device will do two things to scan for networks: passively listen for beacon frames and send probe requests to a null BSSID. The second technique is active and therefore detectable. Windows 10 (1611) and iOS 8, for example, randomize the MAC addresses used in these probes to decrease the ability to track users, but one could certainly detect that someone was probing for APs.

Reid Rankin
  • And what about Android? If it doesn't randomize these MACs, what risks does this bring to Mr. Paranoid? – Suncatcher Jun 19 '17 at 05:26
  • Is [collecting all used SSIDs](https://security.stackexchange.com/questions/62124/phones-broadcast-the-ssids-of-all-networks-they-have-ever-connected-to-how-can) the only risk associated with *always-on* wi-fi? How can that info be used against the victim? – Suncatcher Jun 19 '17 at 05:32
  • If the phone uses its real MAC when sending probe requests, anything in range can log it. If there are multiple attacker-controlled devices in range, they can roughly triangulate the position of the phone using the received signal strength. If the attacker knows (or ever discovers) that that MAC belongs to Mr. Paranoid, the jig is up. Otherwise, they can at least tell that an unauthorized MAC was in the area, and build a log of his movements over days and weeks. – Reid Rankin Jun 19 '17 at 05:35
  • So it is about identifying Mr. Paranoid's movements, which wouldn't be easy to accomplish without binding that MAC to Mr. Paranoid. And what does collecting SSIDs give to the attacker? – Suncatcher Jun 19 '17 at 06:02
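A defender-side way to audit what a device in range gives away through the active probe requests the answer describes, as an added example (not code from the answer or from any tool on this page): it parses a constructed monitor-mode log in a hypothetical one-line-per-probe format, classifies each source MAC by the IEEE locally-administered bit that randomized addresses set (a burned-in, OUI-based address has it clear), and lists the SSIDs revealed by directed probes. The log format, function names and sample values are assumptions.

```python
import re

# Constructed sample of probe-request observations, in a hypothetical format
# a passive monitor might log: timestamp, source address, SSID ("" = wildcard
# probe to a null/broadcast SSID). These are made-up values, not a capture.
SAMPLE_LOG = """\
09:00:01 sa=00:1a:2b:33:44:55 ssid=
09:00:02 sa=00:1a:2b:33:44:55 ssid=HomeNet
09:00:30 sa=da:a1:19:4c:77:01 ssid=
09:01:05 sa=da:a1:19:4c:77:01 ssid=
09:02:40 sa=96:30:1f:0a:bc:de ssid=
09:03:12 sa=00:1a:2b:33:44:55 ssid=CoffeeShop
"""

LINE_RE = re.compile(r"^(\S+) sa=([0-9a-f:]{17}) ssid=(.*)$")


def is_locally_administered(mac):
    """True when the U/L bit (bit 1 of the first octet) is set: the address is
    not a manufacturer-assigned OUI address. Randomized probe MACs set it."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_probe_log(text):
    """Return (timestamp, mac, ssid) tuples; lines that do not match are skipped."""
    rows = []
    for line in text.lower().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2), m.group(3)))
    return rows


def audit_exposure(rows):
    """Per source MAC: is it a stable (globally unique) identifier that could be
    logged across sightings, how many probes were seen, and which SSIDs the
    directed probes disclosed."""
    report = {}
    for _ts, mac, ssid in rows:
        entry = report.setdefault(
            mac, {"stable_id": not is_locally_administered(mac), "probes": 0, "ssids": set()}
        )
        entry["probes"] += 1
        if ssid:
            entry["ssids"].add(ssid)
    return report


if __name__ == "__main__":
    for mac, info in audit_exposure(parse_probe_log(SAMPLE_LOG)).items():
        print(mac, "stable" if info["stable_id"] else "randomized", info["probes"], sorted(info["ssids"]))
```

Only a stable address combined with directed probes ties a series of sightings to one device and its known networks; the randomized entries show up as different, non-persistent MACs.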