Is looking for Wi-Fi access points purely passive?

58

32

Say I carry a Wi-Fi enabled phone or laptop through an area where there are WAPs. Assuming that I don't actively try to connect to them or otherwise interact with them, is it possible for the owner of that WAP to know that I was there?

I'm asking this in the context of my earlier question: Looking for MACs on the network

I was talking with a friend about my newfound ability to detect phones (and other devices with MAC addresses) on the network, and he pointed out that it might be useful to detect unknown phones on the network; I could use that data to track down anyone who was in my house and brought a Wi-Fi phone with them.

So, if I set up a logging fake WAP with no security or encryption, can I glean any useful information about the devices that come into the house? Assuming that the thief doesn't actively try to connect...

Aric TenEyck

Posted 2010-04-06T22:27:32.083

Reputation: 1 007

Answers

75

No, looking for 802.11 APs is primarily active. When you bring up a list of visible APs in the area, your 802.11 client most likely does what's known as an "active scan", where it tunes its radio to each supported channel in turn, transmits a Probe Request frame, and waits perhaps 20-40ms to gather Probe Response frames from any APs on that channel before moving on to the next channel. This allows it to scan all the channels much faster than a "passive scan".

A "passive scan" is possible, but isn't used very often because it takes longer. To do a passive scan, the client tunes to each channel in turn, and waits a typical Beacon Interval (usually about 100ms, but could be more) to gather Beacons.

Some channels in 5GHz in some regulatory regions require that you scan passively first, until you know that the channel is not in use by nearby radar installations. But most clients, as soon as they see a Beacon on a passive-scan channel, will switch to an active scan to speed up the process.

If your client device is on, and hasn't given up looking for your recently-joined/preferred/remembered networks, it will almost certainly be broadcasting Probe Requests which give away not only your wireless MAC address and some of the capabilities of your card, but often also the name the network it's looking for. This is necessary in case the network is a "hidden" (a.k.a. "non-broadcast SSID", a.k.a. "closed") network.

It's pretty trivial to learn people's wireless client MAC addresses and also the names of their home and work networks just by hanging out at the office or a coffee shop or airport terminal with an 802.11 monitor mode packet sniffer, recording Probe Requests.

Spiff

Posted 2010-04-06T22:27:32.083

Reputation: 84 656

2 Is it just the name of the network that's in the probe request (e.g. the string "Apple Store"), or does the request also contain something that's potentially more identifiable such as the access point's unique id? – mjs – 2014-10-25T10:57:08.647

@Spiff, Doesn't this seem to contradict Legend's post below?

– Pacerier – 2015-02-16T07:59:44.840

@Pacerier [Weird, posted this comment from earlier phone and it seems like you got notified, but it looks like the comment didn't actually show up. Anyway here's the gist of it again.] No, this doesn't contradict Legend's post, it reinforces it. Actively scanning clients transmit Probe Requests that can have privacy implications. Passively scanning clients would be silent, listening for Beacons from the APs. As I said, scanning for APs is mostly active, involving transmitting Probe Requests, so you can discover that those clients are there. Maybe I'm misunderstanding your contradiction? – Spiff – 2015-02-16T21:55:30.067

2 Thanks for the info. A logging fake WAP might make an interesting DD-WRT project... – Aric TenEyck – 2010-04-07T04:44:14.920

3 Also, a passive scan would take more power, because the radio would need to stay on for longer. In wireless communication, counterintuitively, receiving requires more power than sending, because you won't typically know when a transmission will come. – rix0rrr – 2014-01-17T12:22:44.190

6 @rix0rrr Be careful how you word that. Receiving one packet takes less power than transmitting one packet, but over the course of a Wi-Fi session (without any power save mode enabled) you may burn more total power in the receiver than the transmitter, because the receiver is basically on all the time, while the transmitter is only on when transmitting a packet. Passive scans only run the receiver 2.5x as long per channel as active scans do, but they don't run the transmitter at all. It may turn out to be a wash. – Spiff – 2014-01-18T00:02:24.000
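The accepted answer describes what a monitor-mode listener would actually see from an actively scanning client: a Probe Request frame carrying the client's MAC address, its supported rates, and often the name of the network it is looking for. The following is an added example, not code from any of the answers above, showing how that information is laid out in the frame and how a home user could audit it: which MACs in a capture are not their own devices, and which network names their own devices are broadcasting. The frames are constructed byte strings standing in for a capture; the example does not open a radio or a pcap file, and the MAC addresses and SSIDs in it are made up.

```python
"""
Added example (not from the original Super User thread): parse 802.11
Probe Request frames and summarise which client MACs are probing and
which network names (SSIDs) they reveal.

Sample frames below are constructed by hand to look like what a
monitor-mode capture would contain; nothing here touches a radio.
"""
import struct
from typing import Optional

# 802.11 management frame header: FrameControl(2) Duration(2)
# Addr1(6) Addr2(6) Addr3(6) SeqCtrl(2), all little-endian.
MGMT_HDR = struct.Struct("<HH6s6s6sH")
SUBTYPE_PROBE_REQ = 0x4     # management frame (type 0), subtype 4
TAG_SSID = 0                # SSID information element
TAG_RATES = 1               # Supported Rates information element

BCAST = b"\xff" * 6
CLIENT_A = b"\x02\x11\x22\x33\x44\x55"   # constructed: "my" phone
CLIENT_B = b"\x02\xaa\xbb\xcc\xdd\xee"   # constructed: unknown device
AP_X = b"\x02\x00\x00\x00\x00\x01"       # constructed: an AP

SAMPLE_FRAMES = [
    # Probe Request from CLIENT_A naming the hidden/remembered net "HomeWiFi"
    b"\x40\x00\x00\x00" + BCAST + CLIENT_A + BCAST + b"\x10\x00"
    + b"\x00\x08HomeWiFi" + b"\x01\x04\x82\x84\x8b\x96",
    # Wildcard Probe Request from CLIENT_B (empty SSID element)
    b"\x40\x00\x00\x00" + BCAST + CLIENT_B + BCAST + b"\x20\x00"
    + b"\x00\x00" + b"\x01\x04\x82\x84\x8b\x96",
    # Beacon from AP_X: fixed fields (timestamp, interval, capability)
    # then an SSID element; not a client probe, so it must be ignored
    b"\x80\x00\x00\x00" + BCAST + AP_X + AP_X + b"\x30\x00"
    + b"\x00" * 8 + b"\x64\x00" + b"\x11\x04" + b"\x00\x07MyHouse",
    # Truncated junk, as a capture may contain
    b"\x40\x00\x00",
    # Probe Request from CLIENT_B naming "Campus WiFi"
    b"\x40\x00\x00\x00" + BCAST + CLIENT_B + BCAST + b"\x40\x00"
    + b"\x00\x0bCampus WiFi" + b"\x01\x04\x82\x84\x8b\x96",
]


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_tags(body: bytes) -> dict:
    """Walk the tagged parameters (id, length, value); keep the first of each id."""
    tags = {}
    i = 0
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        val = body[i + 2:i + 2 + ln]
        if len(val) < ln:          # element cut off: stop rather than misparse
            break
        tags.setdefault(tag, val)
        i += 2 + ln
    return tags


def parse_probe_request(frame: bytes) -> Optional[dict]:
    """Return {src, ssid, rates} for a Probe Request, or None for anything else."""
    if len(frame) < MGMT_HDR.size:
        return None
    fc, _dur, _a1, a2, _a3, _seq = MGMT_HDR.unpack_from(frame)
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if ftype != 0 or subtype != SUBTYPE_PROBE_REQ:
        return None
    tags = parse_tags(frame[MGMT_HDR.size:])
    ssid_raw = tags.get(TAG_SSID, b"")
    ssid = ssid_raw.decode("utf-8", "replace") if ssid_raw else None  # None = wildcard
    # Rates are in 500 kbit/s units; the top bit marks a "basic" rate.
    rates = [(r & 0x7F) / 2 for r in tags.get(TAG_RATES, b"")]
    return {"src": mac_str(a2), "ssid": ssid, "rates": rates}


def audit_probes(frames, known_macs):
    """Split probing clients into devices you don't recognise and your own
    devices that are naming networks. Returns (unknown, leaking), each a
    dict mapping MAC -> set of SSIDs requested (wildcards add no name)."""
    known = {m.lower() for m in known_macs}
    unknown, leaking = {}, {}
    for frame in frames:
        probe = parse_probe_request(frame)
        if probe is None:
            continue
        bucket = leaking if probe["src"] in known else unknown
        names = bucket.setdefault(probe["src"], set())
        if probe["ssid"] is not None:
            names.add(probe["ssid"])
    return unknown, leaking


if __name__ == "__main__":
    unknown, leaking = audit_probes(SAMPLE_FRAMES, ["02:11:22:33:44:55"])
    print("unknown devices:", unknown)
    print("own devices naming networks:", leaking)
```

The wildcard probe (empty SSID element) is the less revealing form mentioned in the answer: it still exposes the client MAC but no network name. A directed probe exposes both, which is the case to look for when checking your own devices' remembered-network lists.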

12

There is a system called Jasager that detects WiFi probes that most clients shout out ("Hello, is linksys there", etc), pretends to be it, lets them automatically connect as if they are 'at home', with that lovely 'public' networking option Windows now has.

Lo and behold, all their public fileshares, web traffic (and there are extensions for it that let you MITM attack SSL sessions) and anything else you can think of.

Enjoy and don't get caught.

Andrew Bolster

Posted 2010-04-06T22:27:32.083

Reputation: 1 198

How's this answering the question? – Pacerier – 2015-02-16T07:30:43.113

4

This recent paper presented at the Internet Measurement Conference 2013 might be interesting to you:

Signals from the Crowd: Uncovering Social Relationships through Smartphone Probes

Abstract:

The ever increasing ubiquitousness of WiFi access points, coupled with the diffusion of smartphones, suggest that Internet every time and everywhere will soon (if not already has) become a reality. Even in presence of 3G connectivity, our devices are built to switch automatically to WiFi networks so to improve user experience. Most of the times, this is achieved by recurrently broadcasting automatic connectivity requests (known as Probe Requests) to known access points (APs), like, e.g., “Home WiFi”, “Campus WiFi”, and so on. In a large gathering of people, the number of these probes can be very high. This scenario raises a natural question: “Can significant information on the social structure of a large crowd and on its socioeconomic status be inferred by looking at smartphone probes?”.

In this work we give a positive answer to this question. We organized a 3-month-long campaign, through which we collected around 11M probes sent by more than 160K different devices. During the campaign we targeted national and international events that attracted large crowds as well as other gatherings of people. Then, we present a simple and automatic methodology to build the underlying social graph of the smartphone users, starting from their probes. We do so for each of our target events, and find that they all feature social-network properties. In addition, we show that, by looking at the probes in an event, we can learn important sociological aspects of its participants: language, vendor adoption, and so on.

Legend

Posted 2010-04-06T22:27:32.083

Reputation: 704

1

I recommend you get hold of Backtrack and try running airodump-ng (or else install aircrack if on Linux). That'll show you what's going on with the devices and whether they are visible / probing for network addresses. You can use airbase-ng to act as an access point.

Note there may be legal issues around doing this depending on what country you live in.

user26996

Posted 2010-04-06T22:27:32.083

Reputation:

Please explain how does this work? – Pacerier – 2015-02-16T21:19:18.397

0

Unless you have a hotspot server or some other server running, a wireless antenna turned on merely passively listens for SSIDs that are broadcasting. But if you have a hidden network that you connect to, there are some emissions you are transmitting and perhaps that could be exploited.

Hypothetically, say someone knows you automatically connect to an SSID that is hidden, and they know the credentials (perhaps they saw this on your computer). That is enough now to make a connection. From there the possibilities are endless.

grummbunger

Posted 2010-04-06T22:27:32.083

Reputation: 9

Ah cool, I see the guy has another interesting exploit described above. – grummbunger – 2014-03-19T02:20:32.147