Phones broadcast the SSIDs of all networks they have ever connected to. How can these be obtained by an attacker?
I just watched an interesting talk from Glenn Wilkinson titled: The Machines that Betrayed their Masters.
He said that your phone is constantly broadcasting all the SSIDs it has ever connected to. How would an attacker be able to capture these wifi requests?
What research have you done? What have you tried? Are you familiar with Wireshark? Trying to gauge the appropriate level of the response for your personal situation...
I am highly skeptical of the claim that any device is "constantly broadcasting all the SSIDs it has ever connected to".
It is not constantly broadcasting the SSIDs it has connected to. If it is connected to a network, it does not. However, if an iPhone is _not_ connected to a network, it will attempt to probe for networks it knows.
This actually goes beyond simply broadcasting. Newer models of Android phones also keep WiFi constantly on and scanning, even though you may think it is disabled, since there's no active wifi indicator shown. This is why Chainfire came up with Pry-Fi, which also uses MAC randomization to prevent MAC collection, as "Dog eat..." mentions below.
I asked a similar question a while ago on the Android site. I heard about a hacker using this to set up a fake network with the same name where users would connect to, after which he could track what they did on the web. https://android.stackexchange.com/questions/66244/wifi-scanning-for-known-networks-that-dont-broadcast-their-ssid
Fairly easy to be honest, all you need to do is listen for Probe Requests. There is a nice blog explaining how to go about setting up a computer with BT5 to listen for them here.
With a networking card that supports "Monitor mode", you are able to pick up so called "Probe requests". Once the networking card is set up to be in monitor mode you can use something like aircrack, wireshark or hoover to capture the probe requests.
For example, when using Ubuntu and Wireshark, set the network card in monitor mode:

    sudo ifconfig wlan0 down
    sudo iwconfig wlan0 mode monitor
    sudo ifconfig wlan0 up
Now start wireshark and set the filter for "wlan.fc.type_subtype eq 4".
That's it, now you can see all the SSIDs being probed for around you.
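To make concrete what the filter "wlan.fc.type_subtype eq 4" matches and exactly which bytes of a probe request carry the leaked network name, here is an added example (not code from the answer above or from any tool it names) that parses raw 802.11 management frames and groups the probed SSIDs by transmitter. The frames, the MAC addresses and the SSIDs are constructed inline so it runs offline; a real capture would feed it frames read from a monitor-mode pcap.

```python
from collections import defaultdict

# Frame control byte: version (2 bits) | type (2 bits) | subtype (4 bits), LSB first.
# Management (type 0) + probe request (subtype 4) => 0x40, the same frames that the
# Wireshark filter wlan.fc.type_subtype eq 4 selects. The SSID lives in IE tag 0.
PROBE_REQUEST_FC = 0x40

def parse_ies(body: bytes) -> list:
    """Split a management frame body into (tag, value) information elements."""
    ies, i = [], 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break                      # truncated element: stop rather than misparse
        ies.append((tag, value))
        i += 2 + length
    return ies

def probe_request_ssid(frame: bytes):
    """Return (transmitter MAC, SSID) for a probe request, or None for any other frame."""
    if len(frame) < 24 or (frame[0] & 0xFC) != PROBE_REQUEST_FC:
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])   # addr2 = transmitter address
    for tag, value in parse_ies(frame[24:]):           # body follows the 24-byte header
        if tag == 0:                                   # SSID element
            return src, value.decode("utf-8", "replace")
    return src, ""

def collect_probed_ssids(frames) -> dict:
    """Map each transmitter MAC to the set of named networks it probed for."""
    seen = defaultdict(set)
    for frame in frames:
        hit = probe_request_ssid(frame)
        if hit and hit[1]:             # empty SSID is a wildcard probe, not a leaked name
            seen[hit[0]].add(hit[1])
    return dict(seen)

def build_mgmt_frame(subtype: int, src: bytes, ssid: bytes) -> bytes:
    """Constructed sample frame (no FCS) used only to feed the parser offline."""
    bcast = b"\xff" * 6
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + bcast + src + bcast + b"\x00\x00"
    return header + bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])  # SSID + rates IE

PHONE = b"\x02\x00\x00\x00\x00\x01"   # constructed, locally administered MAC
SAMPLE_FRAMES = [
    build_mgmt_frame(4, PHONE, b"HomeNet"),
    build_mgmt_frame(4, PHONE, b"CoffeeShop"),
    build_mgmt_frame(4, PHONE, b""),                                  # wildcard probe
    build_mgmt_frame(8, b"\x02\x00\x00\x00\x00\x02", b"Beacon-AP"),   # beacon, ignored
]
```

Running collect_probed_ssids(SAMPLE_FRAMES) yields {"02:00:00:00:00:01": {"HomeNet", "CoffeeShop"}}: the beacon and the wildcard probe are dropped, and only the named networks the device asked for remain.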
Just out of curiosity, could you use Google's network mapping project to get a history of every place someone has ever connected to the internet? Because that sounds kinda creepy - but also pretty cool..
In theory, yes. If the SSID and MAC are collected by Google, one could find the location of this AP.
+1. This is the point where technology becomes scary to me. Being a computer science major, I know exactly how far this stuff can go. This is ridiculous! There are lots of cool and interesting uses for this type of data (Google's network mapping project), but just imagine if I were the creepy stalker type. One could map out behavioral patterns and use it to harm others. I understand why phones probe for previous networks, but this is kind of sick if you think about the possibilities for social engineering...
Not only can you collect information; you can also create a malicious access point that mimics an access point the victim will automatically connect to, then immediately have access to any non-encrypted network traffic their apps use as well as an open channel for remote attacks on the device.