We know our devices leak data, but some of
the ways they do so may surprise you. Today we’re going to talk about Wifi, in particular
something called a “WiFi Probe Request”.
Have you ever noticed that when you return
home, your phone automatically connects to your home wifi? Or
when you go to a friend’s house or familiar coffee shop, your phone
remembers and joins their network?
What is this magic??
The way this automatic connection works is actually incredibly stupid, and leaves
your device open to all kinds of attacks. It can also allow someone to fingerprint and
track you, to see where you’ve previously been, and it can help hackers get access to your device.
In this video I’ll explain what wifi probe requests are,
why they’re a privacy nightmare,
things that have been done to try to make them more private, and why they’re still a privacy nightmare,
the ways you might be in danger,
and of course what you can do to protect yourself.
I’ll give you the TLDR right now
Turn your wifi off when you’re not using it, and you’re going to want to pay close attention
to your wifi settings when you do use it.
Let’s get started with understanding
how WiFi connections work
If we have 2 devices, a phone on one hand, and
a wifi access point or router on the other.
Both kind of have to discover
each other in order for a connection between them to be established.
Johanna Ansohn McDougall is an IT Security research associate at the University of Hamburg,
who focuses on wireless security. She explained to me that there are basically 2 ways for this
discovery between a phone and a router to occur. The first is called “Passive Discovery”.
This is where the phone sits passively listening, and the wifi router is constantly sending
out beacons, basically shouting out “I am a wifi access point!”
In that beacon, the router includes
information like its SSID,
or Service Set Identifier.
This is just a technical term
for the wifi name.
Your SSID might be “Naomi’s home wifi”, “Joe’s
coffee shop”, or “Liberland airport wifi”.
Whatever that network is named, that’s what
the router is going to shout out.
If the phone hears an SSID that it recognizes,
then it will connect to it. How does the phone know whether it recognizes a name?
Well it’s been secretly storing every wifi name you’ve ever connected to.
Wuuuuuuut?
Your phone contains a list of all the
known networks. It’s called the PNL, the Preferred Network List.
So unless you’ve been actively forgetting networks after connecting to them,
they’re all being saved up in your phone.
Well that’s embarrassing, I hope no
one ever gets hold of THAT list.
And that brings us to the second way that
discovery between a phone and a wifi network happens: “Active Discovery”.
This is where your phone is actively sending out probe requests asking which
wifi networks are around.
A wifi probe request is a little packet
of information that your device will broadcast via radio waves, and you
can think of it as the equivalent of your PHONE shouting out publicly
“Hey, is anybody there?” every few seconds. And any routers around it will respond:
We are here! We are here!
Now exactly what information these wifi probe
requests contain and how often they’re sent out, will vary depending on your device.
But it’s important to know that
Some wifi probe requests will broadcast
your entire list of SSIDs.
Wait, What?
That’s right. Everywhere you go. That entire list of every wifi network you’ve ever connected to.
Shouted out publicly for everyone to hear.
As long as your wifi is turned on, your
phone is basically shouting out
“Here are all the networks I know of, are any of
you around”, and if one of these specific networks IS around, It’ll respond
“hey I’m here!”,
and your phone will connect to it.
That’s a terrible idea, right?
Oh we’re all in agreement. It’s a terrible
idea. And actually some phone manufacturers have changed how they handle active
discovery, so that whenever possible,
instead of sending out the whole list
of SSIDs, they will instead send out something called a wildcard probe, where they
essentially leave the SSID field blank.
Now any nearby routers will just hear
a generic wifi probe request asking “Anyone around?”, and each router will
respond with its wifi network name:
“Yes I’m here and my name
is Naomi’s wifi”,
and then the phone will cross check that name
against its PNL to see if it’s a network it recognizes, and if so it’ll say
“Naomi’s wifi is on my list! Let’s connect!”
Now a few caveats,
First, it’s alarming how many phones still actually broadcast their SSID list.
Johanna just co-wrote a research paper where wifi probe requests were collected in
a busy area, and they determined that 23% of phones were broadcasting SSIDs.
Second, even with newer phones, sometimes a phone HAS to broadcast an SSID, for example when
trying to connect to a hidden network.
If you have set your home wifi
network as a “hidden” network, the router doesn’t announce itself, so it won’t
show up on your list of available wifi networks.
And if your phone sends out one of these
generic requests like “is anyone there?”, the router won’t announce its name back.
So in order to connect to a hidden network, you have to specifically shout out
the hidden network’s SSID.
You’ll type it manually into your phone,
and your phone will announce
“Hey, Naomi’s hidden network are you there”,
the network will respond and then you can connect to it.
But unless you specifically forget that wifi network,
that’s now in your preferred network list, which means that forever after your
phone will go around shouting all day
“Hey, Naomi’s hidden network, are you here?
Naomi’s hidden network? Has anyone seen Naomi’s hidden network?” knowing that this is
the only way to connect to the network.
Hilariously ironic for a network that
was trying to remain hidden.
But on top of that, your phone doesn’t even
stop broadcasting the name once it’s connected to that hidden network.
The mobile phone will continue actively probing for that network with just that
SSID in case there are various access points with the same SSID to connect
to the one with the best signal.
So your phone is sitting there shouting: “Hey
Naomi’s hidden network! Do you have any networks with a better signal?” the whole time you’re
connected to this hidden network.
Now why is broadcasting SSIDs a problem?
First: tracking
Now I know what some of you are going to
say. You can’t track people using wifi anymore because
phones now do things like randomize MAC addresses.
A MAC address is a unique identifier for your device, and a few years ago phone manufacturers
would broadcast it in wifi probe requests. Obviously this was terrible for privacy because if
you’re shouting out your unique ID everywhere you go it allows people to easily track you.
Now most manufacturers send out randomized MAC addresses instead of the real one.
Another thing that manufacturers started to randomize are sequence numbers, which also
made it more difficult to use wifi probe requests to track people.
But a few caveats.
If you have an older device or older operating
system, your phone might still be broadcasting your real MAC address and sequence number.
Also, there are other ways these probe requests can become unique fingerprints for your devices.
For example through the “information elements” that are broadcast to advertise
various attributes of a phone.
Finally, your SSID list itself can make
it possible to track your device.
Think about it, you’re probably the only person
in the world who has your exact list of wifi networks remembered on their phone.
The list of SSIDs. That's a very, very identifying, uh, fingerprint,
It can be used to identify individual devices and track location.
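To make the two points above concrete (the wildcard versus directed probes from the active discovery section, and the MAC randomization and information-element fingerprinting just described), here is an added example that is not from the video or from Johanna’s research: a small Python parser for 802.11 probe request frames. The three frames it decodes are constructed for the demo (placeholder MAC addresses and a made-up vendor OUI, not captured traffic), and the fingerprint scheme, a hash over every information element except the SSID, is one simple choice among many; the point is that it stays the same across frames from one device even when the MAC changes.

```python
import hashlib
import struct

# Constructed sample data for this walkthrough: no frame below was captured
# from a real device, and the MAC addresses / OUIs are placeholders.
BROADCAST = b"\xff\xff\xff\xff\xff\xff"
SUPPORTED_RATES_IE = (1, bytes([0x82, 0x84, 0x8B, 0x96]))         # tag 1: basic rates
EXT_CAPS_IE = (127, bytes([0x04, 0x00, 0x0A, 0x82, 0x21, 0x00]))  # tag 127: extended capabilities (made-up bits)
VENDOR_IE = (221, bytes([0xAA, 0xBB, 0xCC, 0x01, 0x02]))          # tag 221: vendor-specific, placeholder OUI


def build_probe_request(src_mac, ssid, seq, extra_ies=()):
    """Assemble a minimal 802.11 probe request: 24-byte management header + tagged IEs."""
    frame_control = b"\x40\x00"              # type 0 (management), subtype 4 (probe request)
    duration = b"\x00\x00"
    seq_ctrl = struct.pack("<H", seq << 4)   # sequence number lives in the upper 12 bits
    header = frame_control + duration + BROADCAST + src_mac + BROADCAST + seq_ctrl
    body = bytes([0, len(ssid)]) + ssid.encode()   # tag 0 = SSID; length 0 is the wildcard
    for tag, value in (SUPPORTED_RATES_IE, *extra_ies):
        body += bytes([tag, len(value)]) + value
    return header + body


# Device 1 randomizes its MAC (bit 1 of the first octet set) but has a hidden network
# in its PNL, so it sends a wildcard probe and a directed one. Device 2 is an older
# model: real-looking MAC, no randomization, and it names a saved network outright.
SAMPLE_FRAMES = [
    build_probe_request(b"\x02\xaa\xbb\xcc\xdd\x01", "", 10, (EXT_CAPS_IE, VENDOR_IE)),
    build_probe_request(b"\x02\xaa\xbb\xcc\xdd\x02", "Naomi's hidden network", 11, (EXT_CAPS_IE, VENDOR_IE)),
    build_probe_request(b"\x00\xaa\xbb\xcc\xdd\x03", "starbucks wifi", 500),
]


def parse_probe_request(frame):
    """Decode one probe request into the fields a passive listener with a wifi dongle sees."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 management header")
    fc = frame[0]
    if ((fc >> 2) & 0x3) != 0 or ((fc >> 4) & 0xF) != 4:
        raise ValueError("not a probe request (type 0, subtype 4)")
    src = frame[10:16]                                  # Address 2 = transmitter (the phone)
    seq = struct.unpack("<H", frame[22:24])[0] >> 4
    ies, pos = [], 24
    while pos + 2 <= len(frame):                        # IEs are tag, length, value triples
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies.append((tag, value))
        pos += 2 + length
    ssid = next((v for t, v in ies if t == 0), b"").decode("utf-8", errors="replace")
    # Fingerprint = hash over every IE except the SSID: attributes the OS advertises
    # in every probe regardless of which MAC it picked for this frame.
    digest = hashlib.sha256(b"".join(bytes([t, len(v)]) + v for t, v in ies if t != 0)).hexdigest()
    return {
        "source_mac": ":".join(f"{b:02x}" for b in src),
        "randomized_mac": bool(src[0] & 0x02),          # locally administered bit
        "sequence": seq,
        "ssid": ssid,
        "directed": ssid != "",                         # non-empty SSID = the phone named a network
        "fingerprint": digest[:16],
    }


def summarize_captures(frames):
    """Group frames by IE fingerprint: what an observer can link together per device."""
    devices = {}
    for frame in frames:
        info = parse_probe_request(frame)
        entry = devices.setdefault(info["fingerprint"],
                                   {"macs": set(), "ssids": set(), "real_mac_seen": False})
        entry["macs"].add(info["source_mac"])
        if info["directed"]:
            entry["ssids"].add(info["ssid"])
        if not info["randomized_mac"]:
            entry["real_mac_seen"] = True
    return devices


if __name__ == "__main__":
    for fp, dev in summarize_captures(SAMPLE_FRAMES).items():
        print(fp, sorted(dev["macs"]), sorted(dev["ssids"]),
              "real MAC" if dev["real_mac_seen"] else "randomized only")
```

Running it groups the three frames into two devices: the randomizing phone shows up with two different MACs but one fingerprint and one leaked name (its hidden network), and the older phone shows up with a single, non-randomized MAC and the saved network it asked for by name. That is the situation the video describes: randomizing the MAC helps, but a directed probe still hands over the SSID, and the rest of the frame can still tie the frames together.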
Places like shopping malls can do this with incredible accuracy. They
know exactly which stores you visit, how much time you spent there. How fast you walked
from one end of the building to another.
Airports can do the same thing, they can tell
if you have gone through security yet, whether you’re going to make it to the gate on time.
It’s common at trade fairs, and sometimes wifi tracking is used simply to collect data.
In one of the pedestrian zones we walked through, um, there was a sign saying, uh, wifi tracking
in progress. Apparently they wanted to, um, use wifi tracking in order to kind of
estimate the pedestrian flow.
The second reason that broadcasting
SSIDs is a problem is because it can expose identifying information about a
person. Wifi networks usually have revealing names like “Blockchain week conference 2019”,
“Verizon 1234”, “Go-go-dance- -hall”.
These names might reveal who your employer is,
your Internet service provider, where you go out dancing, which conferences you’ve attended.
The most personal thing I think I found, um, was an SSID for a burlesque
theater. I am almost sure that you wouldn't want to transmit that.
Some people make the wifi name of their holiday home their address, not realizing that this
might then be broadcast publicly. Johanna once set up an experiment during a science night
where she projected onto a wall the SSIDs that were being publicly broadcast around her.
People would look at the wall and would say, oh my God, that's my home network. Why is the name
of my home network here? I think it's just so, um, interesting to look at, uh, what is being
sent and how easy it is to receive all this too. Like you, all you need is a wifi dongle
and then you can monitor everything.
This information might not just be revealing,
but might also have dangerous consequences. It can allow someone to tell if
you have returned to your house yet, or if you are alone in an office building.
A hacker might scan their surroundings and see that someone previously connected to a particular
hotel wifi. By sending them a rogue email that appears to be from that hotel, they might dupe
someone into clicking on a malicious link.
Now for the elephant in the room about this
automatic wifi connection apparatus.
Our devices are determining whether they trust
networks and want to automatically connect to them based on their SSID. But here’s the thing
You can choose whatever name you want as an SS I D.
Phones aren’t looking for some secret handshake before automatically
connecting to a wifi network. They’re just looking for a name that they recognize, and
then automatically connecting to it.
Which makes it really easy for attackers
to pretend to be known wifi networks and trick phones into connecting to them. These
attacks are scarily easy, especially with tools like the wifi pineapple.
The WiFi Pineapple is basically a hot spot honey pot and it's a man in
the middle attack for wireless.
First, you scan your surroundings and see which
wifi names all the nearby phones, computers, and iot devices are broadcasting.
So these are all different SSIDs that your phone is currently trying to connect to. It's
things that your phone has previously connected to in the past and it's looking for those.
You can also make pretty good guesses about these. Almost all of us have connected to a Starbucks
wifi before. Unless you intentionally asked your phone to forget that network,
It now considers any network called “starbucks wifi” to be a known network.
Can you pretend to be Starbucks?
Yes I can.
In this video security expert Shannon Morse just created an open network on her
wifi pineapple called “starbucks wifi”, and phones automatically started connecting to it.
Okay so right now, I'm connected what looks like to Starbucks, even
though there's no Starbucks.
But actually, it's the WiFi Pineapple,
Now the attacker has intercepted all your internet traffic. They can see any unencrypted internet
activity, certificates from websites you visit, cookies that aren’t secured properly.
I can't believe you're able to see all of this.
And it's just scraping. That's hilarious.
Pictures and stuff. Oh yeah, it's scraping
images from all these different websites.
Let’s repeat what we’ve learned from this. If
your wifi is turned on as you walk around, you could be auto-connecting to malicious
networks around you without even realizing.
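The root of the problem in the demonstration above is that the name is the only thing the phone checks. As an added example (not code from the video, from Shannon Morse or from any phone vendor), here is a small Python policy engine that puts that name-only rule beside a stricter one: the stricter rule also remembers how a saved network was secured and which access point served it, and refuses to silently join a saved network that reappears with a different security type. The PNL and the observed networks are constructed for the example, with placeholder BSSIDs.

```python
# Constructed PNL and observed networks for this example (not data from the video).
# Each PNL entry records what the phone knew when it last joined: how the network was
# secured and which access point (BSSID) served it. All addresses are placeholders.
PNL = {
    "Naomi's home wifi": {"security": "wpa2-psk", "bssids": {"aa:bb:cc:00:00:01"}},
    "starbucks wifi":    {"security": "open",     "bssids": {"aa:bb:cc:00:00:02"}},
}

OBSERVED = [
    {"ssid": "Naomi's home wifi", "bssid": "aa:bb:cc:00:00:01", "security": "wpa2-psk"},  # the real home AP
    {"ssid": "Naomi's home wifi", "bssid": "de:ad:be:ef:00:01", "security": "open"},      # same name, no encryption
    {"ssid": "starbucks wifi", "bssid": "de:ad:be:ef:00:02", "security": "open"},         # open network, never-seen AP
    {"ssid": "Liberland airport wifi", "bssid": "aa:bb:cc:00:00:09", "security": "open"}, # not in the PNL at all
]


def name_only_join(pnl, network):
    """The behaviour the video describes: a recognised name is the whole test."""
    return "join" if network["ssid"] in pnl else "ignore"


def hardened_join(pnl, network):
    """Stricter policy: the name is necessary but not sufficient."""
    entry = pnl.get(network["ssid"])
    if entry is None:
        return "ignore"
    if network["security"] != entry["security"]:
        # A network remembered as encrypted now showing up open is exactly how a
        # look-alike access point with a copied name presents itself.
        return "block: security mismatch"
    if entry["security"] == "open":
        # With no key involved, an open network offers nothing beyond its name to
        # check; leave the decision to the user instead of joining silently.
        return "ask: open network, identity unverifiable"
    if network["bssid"] not in entry["bssids"]:
        # Legitimate networks with several access points do this too, so record it
        # rather than block; a WPA2 AP without the passphrase still fails the handshake.
        return "join: new bssid recorded"
    return "join"


def evaluate(pnl, observed, policy):
    """Apply one policy to every observed network, keyed by (ssid, bssid)."""
    return {(n["ssid"], n["bssid"]): policy(pnl, n) for n in observed}


if __name__ == "__main__":
    for n in OBSERVED:
        print(f'{n["ssid"]:24} {n["bssid"]}  name-only: {name_only_join(PNL, n):7}'
              f'  hardened: {hardened_join(PNL, n)}')
```

The comparison shows where each rule lands: the name-only policy joins the open look-alike of the home network, while the hardened policy blocks it because the saved entry was WPA2. For the open coffee-shop network neither policy can tell the real thing from a copy, which is why the hardened rule asks rather than joins, and why the advice that follows is to turn wifi off when you are not using it.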
So here are the steps you need
to take to protect yourself.
The best advice would be to just turn off
your wifi when you're not using it.
Switch it off.
On android, there are 2 settings you need to flip.
First turn your wifi off
You won't be connecting to a wifi device anymore,
but probe requests are still gonna be sent.
So then you have to also switch
off “scanning via wifi”.