
It is known that another way to determine the position is through WPS (Wi-Fi Positioning System). This uses the Wi-Fi networks available in the area, if any, to determine the position. But according to this, it requires that the network had been previously gathered and stored in a database through a process called wardriving, which stores the SSID and the MAC address. So I was wondering how it is possible that these wardriving applications can obtain the MAC address of the Wi-Fi network (access point)? Is it possible to obtain it even though your network is password protected (WEP, WPA2, etc.)?

Alfredo Osorio
  • I'm not sure what you mean by a WPS database? – Scott Helme Aug 20 '13 at 15:19
  • @ScottHelme updated my question. – Alfredo Osorio Aug 20 '13 at 15:27
  • got it, will write an answer now. – Scott Helme Aug 20 '13 at 15:33
  • Long story short: Source & destination MAC addresses are always sent in the clear, regardless of Wi-Fi network security configurations. (Even if you have WPA2 properly configured, MAC address filtering enabled, and SSID broadcasting off.) Current protocols do not support full encryption of headers and management frames. – Iszi Aug 20 '13 at 16:08

2 Answers


Wardriving is now out of date, if you're a corporation that sells phones. Google used to perform wardriving with their Street View trucks, but they no longer do. You might describe the modern tactic as "distributed war-usering". A ZDNet article entitled "How Google--and everyone else--gets Wi-Fi location data" describes the process:

How it works, according to Google, is that the Android Location Services periodically checks on your location using GPS, Cell-ID, and Wi-Fi to locate your device. When it does this, your Android phone will send back publicly broadcast Wi-Fi access points' Service set identifier (SSID) and Media Access Control (MAC) data. Again, this isn't just how Google does it; it's how everyone does it. It's Industry practice for location database vendors.

To describe a simple case: your Android phone has GPS and Wifi turned on. Your phone sends a message to Google saying, "I am at long/lat location (X,Y), and I can see two Wifi networks; one with SSID Foobar (with MAC 11:22:...) and another with SSID Bazzle (with MAC address 33:44:...)." Google uses this information to learn that networks with those particular SSIDs and MACs are near geographic location (X,Y).

Thus, when a user without GPS wants to know his location, his phone can say to Google, "I see Bazzle with MAC 33:44:..." and Google can respond that he is probably near location (X,Y).

EDIT

The MAC address of an access point is no more private than its SSID. Wifi encryption can protect the information above the media-exchange level, but currently no Wifi protocols encrypt the Level 2 communication. The advertised MAC addresses of participants in any Wifi communication are public information to anyone nearby.

apsillers
  • Thanks, very helpful, +1, but it still doesn't answer how they are able to obtain the MAC address of those Wi-Fi access points if those are password protected. – Alfredo Osorio Aug 20 '13 at 15:52
  • @AlfredoOsorio Ah, yes, your latest edit makes the password concern much clearer; I think I started my answer before that edit. I'll look up IEEE 802.11 rules and make an edit. – apsillers Aug 20 '13 at 15:58
  • In other words, if you don't potentially want the world to know your home WAP's MAC address, don't broadcast its SSID. – KeithS Aug 20 '13 at 16:34
  • Speaking of: "_I am at long/lat location (X,Y), and I can see two Wifi networks; one with SSID Foobar (with MAC 11:22:...)..._" — this wifi network is from a router which got its IP from an ISP which is at least 20km from it. So does google know the ISP location **or** the router location? I don't think that the ISP tells google: "_I gave this IP address to Router1 which is 20km north from me_" – Royi Namir Oct 20 '14 at 10:21
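The crowd-sourced flow described in the answer above (phones with a GPS fix report the SSID/BSSID pairs they see; a phone without a fix later sends only BSSIDs and gets a position back) as an added, self-contained Python example. This is not code from the answer or from any location-database vendor; the class, the `min_reports` threshold, the MAC addresses and the coordinates are all constructed for illustration. Lookups are keyed on the BSSID rather than the SSID, since SSIDs are neither unique nor stable, which is why the MAC address matters to the database at all.

```python
from collections import defaultdict
from statistics import mean


class WifiPositionDB:
    """Toy Wi-Fi positioning database (constructed example, not a vendor's code).

    report():   a device with a fix says "I am at (lat, lon) and I can see ..."
    locate():   a device without a fix sends the BSSIDs it sees, gets an estimate
    """

    def __init__(self, min_reports: int = 2):
        # Require several independent sightings before trusting an AP, so a
        # single phone that saw a moving hotspot does not poison the database.
        self.min_reports = min_reports
        self._sightings = defaultdict(list)   # bssid -> [(lat, lon), ...]
        self._ssid_of = {}                     # bssid -> last SSID reported

    def report(self, lat: float, lon: float, networks) -> None:
        """Ingest one report; `networks` is an iterable of (ssid, bssid) pairs."""
        for ssid, bssid in networks:
            key = bssid.lower()
            self._sightings[key].append((lat, lon))
            self._ssid_of[key] = ssid

    def ap_estimate(self, bssid: str):
        """Centroid of all sightings of one AP, or None if not yet trusted."""
        pts = self._sightings.get(bssid.lower(), [])
        if len(pts) < self.min_reports:
            return None
        return (mean(p[0] for p in pts), mean(p[1] for p in pts))

    def locate(self, bssids):
        """Estimate a client's position from the BSSIDs it currently sees.

        Each known AP contributes its centroid once, so a heavily reported AP
        does not outweigh a lightly reported one.  Unknown BSSIDs are ignored.
        """
        centroids = [c for c in (self.ap_estimate(b) for b in bssids)
                     if c is not None]
        if not centroids:
            return None
        return (mean(c[0] for c in centroids), mean(c[1] for c in centroids))


# Constructed sample data: locally administered MACs, invented coordinates.
FOOBAR = "02:11:22:33:44:55"
BAZZLE = "02:33:44:55:66:77"


def build_sample_db() -> WifiPositionDB:
    """Three reports from phones that had a GPS fix (constructed)."""
    db = WifiPositionDB(min_reports=2)
    db.report(51.50, -0.12, [("Foobar", FOOBAR), ("Bazzle", BAZZLE)])
    db.report(51.52, -0.12, [("Bazzle", BAZZLE)])
    db.report(51.50, -0.14, [("Foobar", FOOBAR)])
    return db


if __name__ == "__main__":
    db = build_sample_db()
    print("Bazzle only:", db.locate([BAZZLE]))
    print("Both APs:   ", db.locate([FOOBAR, BAZZLE]))
    print("Unknown AP: ", db.locate(["02:de:ad:be:ef:00"]))
```

With the sample reports, a phone that sees only Bazzle is placed at the Bazzle centroid (51.51, -0.12); seeing both APs averages the two centroids; an AP reported fewer than `min_reports` times, or never, contributes nothing.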

I think the first confusion is that it is not your MAC address, as in the MAC address of your device, but it's actually the MAC address of the Access Point. The access point generally has a fixed location where a WiFi device, such as your phone or laptop, may not.

Even so, moving on from that you can also still obtain the MAC address of all the WiFi clients in range without being connected to their respective WiFi Access Point. The source and destination MAC address of any packet are clearly visible.

You can use tools like Backtrack, which is a Linux distro that contains a wide range of penetration testing tools. Airodump can tell you all Access Points in range, which WiFi clients are connected to them and the MAC addresses of all of them.

Scott Helme
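Why the addresses are visible even on a password-protected network, as an added example illustrating this answer and Iszi's comment above (not code from the answer, from Airodump, or from any real capture): an 802.11 frame carries its Frame Control field and its three address fields in a cleartext MAC header, and WEP/WPA/WPA2 only protect the frame *body* that follows. The parser below decodes that header, resolves which address is the BSSID according to the To-DS/From-DS bits, and builds the kind of AP/client inventory a wireless IDS or survey tool shows. The frames are constructed inline with locally administered MAC addresses; the "encrypted" body of the data frames is placeholder bytes.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> dict:
    """Decode the cleartext MAC header of an 802.11 frame.

    Only the frame body can be protected; Frame Control and the address
    fields are always plaintext, so they are readable without the password.
    """
    if len(frame) < 24:
        raise ValueError("frame shorter than a full 802.11 MAC header")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3          # 0 = management, 1 = control, 2 = data
    subtype = (fc0 >> 4) & 0xF
    to_ds = bool(fc1 & 0x01)
    from_ds = bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)      # "Protected Frame" bit: body is encrypted
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # Which field is DA / SA / BSSID depends on the To-DS and From-DS bits.
    if not to_ds and not from_ds:     # management frames, ad hoc data
        da, sa, bssid = a1, a2, a3
    elif from_ds and not to_ds:       # AP -> station
        da, bssid, sa = a1, a2, a3
    elif to_ds and not from_ds:       # station -> AP
        bssid, sa, da = a1, a2, a3
    else:                             # 4-address (WDS) frame: no BSSID field
        da, sa, bssid = a3, frame[24:30], None
    return {"type": ftype, "subtype": subtype, "protected": protected,
            "da": mac_str(da), "sa": mac_str(sa),
            "bssid": mac_str(bssid) if bssid else None}


def beacon_ssid(frame: bytes):
    """Return the SSID element of a beacon (management type 0, subtype 8)."""
    body = frame[24 + 12:]            # skip header, timestamp, interval, capability
    while len(body) >= 2:
        eid, elen = body[0], body[1]
        if eid == 0:                  # element ID 0 = SSID
            return body[2:2 + elen].decode("utf-8", "replace")
        body = body[2 + elen:]
    return None


def inventory(frames):
    """Build {bssid: {"ssid", "clients", "protected"}} from captured frames."""
    aps = {}
    for f in frames:
        h = parse_header(f)
        if h["bssid"] is None:
            continue
        entry = aps.setdefault(h["bssid"], {"ssid": None, "clients": set(),
                                            "protected": False})
        if h["type"] == 0 and h["subtype"] == 8:
            entry["ssid"] = beacon_ssid(f)
        elif h["type"] == 2:
            entry["protected"] |= h["protected"]
            for addr in (h["da"], h["sa"]):       # the non-AP side is a client
                if addr not in (h["bssid"], BROADCAST):
                    entry["clients"].add(addr)
    return aps


# ---- constructed frames (no real capture); locally administered MACs ----
AP = bytes.fromhex("021122334455")
STA = bytes.fromhex("0266778899aa")
BCAST = b"\xff" * 6


def _hdr(fc0, fc1, a1, a2, a3):
    # Frame Control (2) + Duration (2) + Addr1..3 (18) + Sequence Control (2)
    return bytes([fc0, fc1, 0, 0]) + a1 + a2 + a3 + b"\x00\x00"


BEACON = (_hdr(0x80, 0x00, BCAST, AP, AP)
          + struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, interval, capability
          + bytes([0, 6]) + b"Foobar")            # SSID element
# Data frames with From-DS/To-DS set and the Protected bit (0x40) on;
# the body is a placeholder for CCMP header + ciphertext.
DOWNLINK = _hdr(0x08, 0x42, STA, AP, AP) + b"\x00" * 8 + b"\x9c\x3a\x71\x05"
UPLINK = _hdr(0x08, 0x41, AP, STA, AP) + b"\x00" * 8 + b"\x4e\xd2\x18\xbb"
SAMPLE_FRAMES = [BEACON, DOWNLINK, UPLINK]

if __name__ == "__main__":
    for bssid, info in inventory(SAMPLE_FRAMES).items():
        print(bssid, info)
```

Nothing in `inventory()` touches the encrypted body: the AP's BSSID comes from the beacon and from the address fields of the protected data frames, and the client's MAC from the same headers, which is exactly what Airodump lists for networks it has no key for.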