Wednesday, May 12, 2010

More "the air is full of packets"

I've posted on this topic before, I thought I'd mention it again.

I've been at a bar for a few hours today, monitoring wifi broadcasts. Here is what I see for access-points:


Only three access-points are visible.

But what about wifi devices, like phones and laptops?

There are 59 devices in this list, 35 of which are "Apple" (almost all are iPhones, but some might be iPads or MacBooks) [I've sorted the list above, and let the Apple devices fall off the end].

Some of these devices are in the bar, some are further away. The devices looking for "attwifi" are probably down the block hanging out at Starbucks (which uses AT&T access points).

I regularly see the lesser phones like HTC, Samsung, and Palm, but the overwhelming majority of wifi devices I typically see are Blackberries and Apple phones, with Apple always accounting for more than 50% of devices. That's the strange thing in the world we live in: monitor wifi broadcasts almost anywhere, and more than 50% of the devices you see are likely to be from Apple Computer.

I like criticizing Apple security but they have implemented one of the most fantastically important security features ever: they don't broadcast the SSID they are looking for.

The SSID is the name of the access-point, like "linksys", "attwifi", or "Bob's Home". The normal operation is for devices to send out a broadcast looking for an access-point. For example, if you are connected to "Bob's Home" network most of the time, as you travel with your laptop, it will regularly send out a broadcast looking for "Bob's Home".

One of the evil things a hacker can do is set up a hostile access-point also called "Bob's Home". Let's say you are in an airport, and a hacker sees that your notebook is looking for that access-point. The hacker will quickly reconfigure an access-point to the same name. Within moments, your laptop will connect to it, and start sending things across the network - such as passwords or private e-mails - that the hacker can intercept.

Apple does something clever. Instead of broadcasting the access-points it's interested in, it sends out a broadcast looking for ANY access-point. It will only connect if an access-point has the correct name.

Thus, let's say that an Apple iPhone is looking for "Bob's Home". A hacker won't know this. Instead, the hacker will see the blank broadcast. The hacker may attempt to guess the access-point your phone is looking for, such as by responding back with "linksys" or "attwifi" (very common names), but if the guess fails, then he cannot trick your phone.
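To make the difference between a directed probe and the "ANY" broadcast concrete, here is an added example (not the author's tool, and not code from the original post) that parses constructed 802.11 probe-request frames and reports, per device, which network names it revealed. It assumes the standard 802.11 management-frame layout; the sample frames and MAC addresses are constructed, not captured.

```python
from collections import defaultdict

BROADCAST = b"\xff" * 6

def build_probe_request(src_mac: bytes, ssid: bytes) -> bytes:
    """Build a minimal 802.11 Probe Request (constructed test data).
    An empty ssid produces the wildcard probe ("ANY") described above."""
    fc = b"\x40\x00"  # frame control: type=management, subtype=4 (probe req)
    header = fc + b"\x00\x00" + BROADCAST + src_mac + BROADCAST + b"\x00\x00"
    ssid_ie = bytes([0, len(ssid)]) + ssid              # element id 0 = SSID
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])    # element id 1 = rates
    return header + ssid_ie + rates_ie

def parse_probe_request(frame: bytes):
    """Return (src_mac, ssid) for a probe request, with ssid=None for a
    wildcard probe (zero-length SSID element). Other frames return None."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0 or (fc0 >> 4) & 0xF != 4:
        return None  # not management / not a probe request
    src = ":".join(f"{b:02x}" for b in frame[10:16])  # addr2 = transmitter
    body, i, ssid = frame[24:], 0, None
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        val = body[i + 2 : i + 2 + ln]
        if len(val) < ln:
            break  # truncated element; stop rather than misparse
        if tag == 0 and ln > 0:
            ssid = val.decode("utf-8", "replace")  # directed probe leaks a name
        i += 2 + ln
    return src, ssid

def summarize(frames):
    """Map each probing device to the set of SSIDs it named. An empty set
    means the device only sent wildcard probes and leaked no network names."""
    seen = defaultdict(set)
    for f in frames:
        parsed = parse_probe_request(f)
        if parsed is None:
            continue
        src, ssid = parsed
        seen[src]  # list the device even when it only probes for ANY
        if ssid is not None:
            seen[src].add(ssid)
    return dict(seen)

SAMPLE_FRAMES = [  # constructed frames, not a real capture
    build_probe_request(b"\x02\x00\x00\x00\x00\x01", b"Bob's Home"),
    build_probe_request(b"\x02\x00\x00\x00\x00\x01", b"attwifi"),
    build_probe_request(b"\x02\x00\x00\x00\x00\x02", b""),  # wildcard only
    b"\x80\x00" + b"\x00" * 30,  # a beacon (subtype 8), ignored by the parser
]
```

Running `summarize(SAMPLE_FRAMES)` lists the first device with both names it asked for and the second with an empty set, which is exactly what an iPhone-style wildcard prober looks like in the author's list.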

We see names in the list above from Apple devices, but only when they've discovered a local access-point they are interested in. In the list above, I see Apple devices trying to connect to "attwifi", "quiznos8699", and "Royal Oak 1", because they have actively tried to connect to these access-points. I have no idea what the names of their home networks are.

The Blackberrys with "tmobile" and "@Home" probes are interesting. They will reroute calls through your home access-point (if close) so you won't use cellphone minutes. That's gotta be insecure as heck - I need to buy one and find out what the security problems are.

It's not just the phones that are interesting, but other mobile devices. For example, you see a "Cisco" device in the list looking for "BR6#wlan". That's not a phone, or a laptop. Instead, it's a bus (or at least, a device in a bus). In Atlanta, as in many cities, the local metro system puts computers on every bus that communicate via wifi. When they get back home to the bus yards, they will likely hook up with the home system and transfer information. Meanwhile, sitting in a bar in Atlanta monitoring broadcasts, you'll know when a bus drives by when you see one of these appear in your list.

The same is true of delivery vans and such. Also, many automobile manufacturers like Ford have announced wifi for automobiles that will automatically communicate both with the home network via wifi, as well as with phones/laptops within the car.

5 comments:

Nathan Keltner said...

"Apple does something clever. Instead of broadcasting the access-points it's interested in, it sends out a broadcast looking for ANY access-point. It will only connect if an access-point has the correct name."

Windows does this in XP SP2/3+. Also, it obviously only works if the SSID is broadcasting. If it's 'cloaked', then the device will constantly look for it.

Unknown said...

Just out of interest, what software did you use to gather this data?

Robert Graham said...

>Just out of interest, what software did you use to gather this data?

It's my own tool. I wrote it to have features similar to existing tools, plus a bunch of features of my own.

Unknown said...

But windows is better in that it defaults to no client-side broadcasting. You don't need client-side broadcast if the AP has beaconing on, which it should. Disabling AP-side beaconing and forcing client-side beaconing is plain just stupid. It's like trying to hide a military base but asking each soldier to go out in the field to scream out for the base every second.

Now calling out "ANY" would only work if a non-beaconing AP responds to "ANY" SSID. But APs should always be beaconing anyways.

Unknown said...

I believe that T-Mobile @Home uses IPsec for their VoIP communication. I can't remember if it is ESP or just AH though. Hopefully the former with encryption.