What does your phone say about you?
Ken Munro, partner at Pen Test Partners
Wireless sniffing tools can tell you – and potential wrongdoers – a lot about users of mobile devices.
Have you ever fired up a wireless sniffing tool such as Airodump to listen to wireless client probe requests in your office? Ever actually looked at the SSIDs being probed for?
If so, have you considered how interesting that information might be? It might be very amusing to find out that a board member's mobile is probing for an SSID of Spearmint Rhino. However, it might be rather more concerning to find out that the CEO is probing for an SSID relating to your largest competitor.
What could that mean? They must have been to that competitor's office, and they must have been given permission to connect to that access point. Were they there for an industry meeting, or to discuss a merger? Anyone in wireless range of that device could see it had probed for those access points. Insider trading, anyone?
What if the mobile device was probing for an access point relating to a consultancy that advises on M&A activity? Wouldn't take long to build a potentially valuable profile.
It doesn't stop there though. Websites such as wigle.net collate the GPS coordinates of known AP SSIDs from the results of others' ‘war-drives'. All you have to do is look up the SSID in their database, and you've got the potential to trace the movements of that exec, just from the probe packets on their mobile.
You'll probably find their home address, office and numerous other sites they've visited. Some of that information is available elsewhere, but certainly not all, and definitely not so closely linked to one device.
Indeed, if one could set up a network of SSIDs that ‘listen' for a particular MAC address of a particular device, then you've potentially got real-time tracing of individual devices using Wi-Fi emissions. That's pretty much what the Snoopy project presented by Dan Cuthbert and Glenn Wilkinson at the last 44Con is about: a distributed set of sniffing devices that listen to wireless probes to map the travels of devices. Fascinating stuff, but not devastating.
However, if a nefarious hacker was prepared to go further, breaking all sorts of laws in the process, then the gains could be significant. Those same listening devices could be used to easily steal domain credentials over Wi-Fi, trivially steal Facebook and other passwords and much more. Complete compromise of an individual's online business and personal life, plus reasonably accurate tracing of their movements. Big Brother, anyone?
I've written before that one should turn off wireless clients when they're not required. Leaving it on drains battery power and reduces your security. Turning Wi-Fi off is a start at least.
However, when you do need Wi-Fi running, those probe packets are still being sent. On most devices, it's fairly easy to remove the cached associations from the wireless client, though few bother. However, removing them from an iPhone or iPad can be troublesome. Last time I tried it on one, I had to be connected to the access point in order to ‘forget' it.
It's possible after jailbreaking, but I haven't yet found a method of removing access point associations on an un-jailbroken ‘iDevice' when not in range of the access point.
Consider sniffing wireless probes in your office – there are sufficient tools to do so in any recent Backtrack image. Try mapping the access point IDs on wigle.net and see what you come up with. A map of the CEO's travels might be of great interest to him, and might help you get the message of security across in a way they actually understand.