When we go to DEF CON in Vegas, hundreds of us bring our WiFi tools to look at the world. Actually, no special hardware is necessary, as modern laptops/phones have WiFi built-in, while the operating system (Windows, macOS, Linux) enables “monitor mode”. Software is widely available and free. We still love our specialized WiFi dongles and directional antennas, but they aren’t really needed anymore.
It’s also legal, as long as you are just grabbing header information and broadcasts. Which is about all that’s useful anymore as encryption has become the norm -- we can pretty much only see what we are allowed to see. The days of grabbing somebody’s session-cookie and hijacking their web email are long gone (though the was a fun period). There are still a few targets around if you want to WiFi hack, but most are gone.
So naturally I wanted to do a survey of what Caesar’s Palace has for WiFi during the DEF CON hacker conference located there.
Here is a list of access-points (on channel 1 only) sorted by popularity, the number of stations using them. These have mind-blowing high numbers in the ~3000 range for “CAESARS”. I think something is wrong with the data.
I click on the first one to drill down, and I find a source of the problem. I’m seeing only “Data Out” packets from these devices, not “Data In”.
These are almost entirely ARP packets from devices, associated with other access-points, not actually associated with this access-point. The hotel has bridged (via Ethernet) all the access-points together. We can see this in the raw ARP packets, such as the one shown below:
WiFi packets have three MAC addresses, the source and destination (as expected) and also the address of the access-point involved. The access point is the actual transmitter, but it's bridging the packet from some other location on the local Ethernet network.
Apparently, CAESARS dumps all the guests into the address range 10.10.x.x, all going out through the router 10.10.0.1. We can see this from the ARP traffic, as everyone seems to be ARPing that router.
I'm probably seeing all the devices on the CAESARS WiFi. In other words, if I sit next to another access-point, such as one on a different channel, I'm likely to see the same list. Each broadcast appears to be transmitted by all access-points, carried via the backend bridged Ethernet network.
The reason Caesars does it this way is so that you can roam, so that you can call somebody on FaceTime and walk to the end of the Forum shops on back and not drop the phone call. At least in theory, I haven’t tested it to see if things actually work out this way. It’s the way massive complexes like Caesars ought to work, but which many fail at doing well. Like most "scale" problems, it sounds easy and straightforward until you encounter all the gotchas along the way.
Apple’s market share for these devices is huge, with roughly 2/3rds of all devices being Apple. Samsung has 10% Apple’s share. Here's a list of vendor IDs (the first 3 bytes of the MAC address) by popularity, that I'm seeing on that one access-point:
- 2327 Apple
- 257 Samsung
- 166 Intel
- 132 Murata
- 55 Huawei
- 29 LG
- 27 HTC-phone
- 23 Motorola
- 21 Foxconn
- 20 Microsoft
- 17 Amazon
- 16 Lite-On
- 13 OnePlus
- 12 Rivet Networks (Killer)
- 11 (random)
- 10 Sony Mobile
- 10 Microsoft
- 8 AsusTek
- 7 Xiaomi
- 7 Nintendo
Apparently, 17 people can't bear to part with their Amazon Echo/Alexa devices during their trip to Vegas and brought the devices with them. Or maybe those are Kindle devices.
Remember that these are found by tracking the vendor ID from the hardware MAC addresses built into every phone/laptop/device. Historically, we could also track these MAC addresses via “probe” WiFi broadcasts from devices looking for access-points. As I’ve blogged before, modern iPhones and Androids randomize these addresses so we can no longer track the phones when they are just wandering around unconnected. Only once they connect do they use their real MAC addresses.
In the above sample, I’ve found ~1300 probers, ~90% of whose MAC addresses are randomized. As you can see, because of the way Caesars sets up their network, I can track MAC addresses better because of ARP broadcasts than I can with tracking WiFi probe broadcasts.
While mobile devices are the biggest source of MAC addresses, they also identify the fixed infrastructure. For example, some of the suites in Caesars have devices with a “Creston” MAC address. Somebody is releasing an exploit at BlackHat for Creston devices. There’s a patch available, but chances are good that hackers will start hacking these devices before Caesars gets around to patching them.
WPA-3 is promising to get rid of the open WiFi hotspots like CAESARS, but doing "optimistic encryption" by default. This is better, preventing me from even seeing the contents of ARP packets passively. However, as I understand the standard, it'll still allow me to collect the MAC addresses passively, as in this example.
Conclusion
This post doesn't contain any big hack. It's fascinating how big WiFi has become ,as everyone seems to be walking around with a WiFi device, and most are connecting to the hotel WiFi. Yet, with ubiquitous SSL and WPA encryption, there's much less opportunity for mischief, even though there's a lot more to see.
The biggest takeaway is that even from a single point on the big network on the CAESARS compound, I can get a record of some identifier that can in ideal circumstances be traced back to you. In theory, I could sit an airport, or drive around your neighborhood, an match up those records with these records. However, because of address randomization in probes, I can only do this is you've actually connected to the networks.
Finally, for me, the most interesting bit is to appreciate how the huge CAESARS networks actually works to drop everyone on the same WiFi connection.
Do they jam device radios in the casino areas? (Never been to Vegas.)
ReplyDelete