Where have you been? Mobile phone Wi-Fi threatens you!

With the growing popularity of Wi-Fi and smartphones, free Wi-Fi is available in some public places, and many people use mobile phones or laptops for wireless Internet access. However, this “free lunch” is not so appetizing: public Wi-Fi carries a security risk, and it will store your past location information. Not only that, a hacker with some simple equipment can steal the user’s private information.

“This noisy Samsung mobile phone, without asking my opinion, exposes all my privacy,” my colleague Sean Gallagher complained when the subject of mobile phone Wi-Fi came up.

Wi-Fi documents where you have been

Every time you use the location function on a Google or Apple phone, you are submitting more than just your own location. If you follow the advice of Google and Apple and turn on Wi-Fi to obtain higher positioning accuracy, you will also send out information about many of the places you have been, and someone else there may happen to detect your signal.

Wi-Fi is now everywhere. Because of this, Wi-Fi access points have become the beacons of the 21st century, letting location-based services on your phone determine your exact location. But because of the way Wi-Fi works, Wi-Fi communication is a two-way street. Your phone scans for information about surrounding networks for navigation, but at the same time, even when it is not connected to a hotspot, your phone can still reveal the names of hotspots it has connected to before.

The problems caused by Wi-Fi probe requests are nothing new. Two years ago my colleague Dan Goodin reported on this Wi-Fi weakness. In some cases the weakness has caused significant security problems, especially for AT&T users, whose phones automatically add a network called “attiwifi” after a probe request receives a reply. We confirmed this earlier in controlled tests.

With a simple test, we wanted to find out what information we could actually get from users’ phones when they are within Wi-Fi range. In this short test, some volunteers provided their mobile phones as samples. We turned the phones on, made sure Wi-Fi was enabled, monitored them with a low-power Wi-Fi adapter, and captured their packets to see how they gave away addresses.

We got more information than expected. We were glad that there was no particularly strong noise interference during the test, but we also captured some other signals: mobile phones in adjacent buildings, vehicles, and even the PDA of a delivery driver. We removed that data immediately after the test.

In subsequent tests with an HTC WP device and a BlackBerry Passport, the WP device did not send probe requests that reveal network names, but used broadcast (a one-to-many communication mode) instead. However, under all conditions the WP device kept broadcasting the same MAC address, which allows the device’s address to be captured. The Passport did issue probe requests containing network names, although its signal had already been captured before those requests were sent.

The result is not surprising, but it is eye-opening: it shows that even if you never connect to a hotspot, leaving Wi-Fi on brings security and privacy concerns. Using public Wi-Fi base station data, we could work out the phone users’ recent (and in some cases not so recent) range of movement: where they work, where they live, and even where they recently went shopping.

Wi-Fi data collection

Google’s use of cars to collect Wi-Fi data led to a wave of privacy complaints in many countries. Google was then taken to court, and the FCC fined it $25000 over the vehicle-based collection, on the grounds that Google had stored unencrypted Wi-Fi network information. In June the Supreme Court turned down Google’s case, and Google cannot collect the payload data.

Google’s data collection program is unlikely to pose a threat to privacy; however, Google is still collecting the MAC addresses and SSID names of Wi-Fi base stations (the SSID is the name the user assigns to the router, used when users authenticate). For owners of Wi-Fi hotspots, there is now a way to keep their Wi-Fi data out of Google’s database: they only need to add the suffix “_nomap” to the SSID name.

Apple is collecting Wi-Fi data too. Google and Apple no longer rely on mobile equipment such as cars to collect data; to them, each user’s mobile phone is a small mobile information platform. When the location function is on, the phone not only queries the base station database but also collects data and locates new base stations, and it can do so even floor by floor inside buildings.

Apple’s location services support page gives the following explanation: “If location services are on, your device will regularly send the location information of nearby Wi-Fi hotspots and base stations to Apple’s servers, in an anonymous and encrypted form, in order to expand Apple’s crowdsourced Wi-Fi hotspot and cell tower locations.”

Apple and Google are not the only ones collecting this data. There are now a variety of databases storing Wi-Fi geographic data, some private and some public. So if you live in a relatively densely populated area, your Wi-Fi has already been located by someone.

WIGLE, for one, is a public database of Wi-Fi access points and cellular base stations. The idea originally came from a group of “wireless eavesdroppers” who, while walking or riding the bus, used computers and mobile phones running applications that match Wi-Fi information to location in order to find networks. Skyhook Wireless provides a large number of commercial services based on its own Wi-Fi database. Skyhook was recently acquired by TruePosition, a Philadelphia company and a leading global provider of positioning and information solutions; it uses cellular location methods to serve E911 (the emergency service that American mobile operators provide to users) and national security personnel.


To analyze the data we captured, we used Wireshark to filter for probe requests. We sorted the captured requests by the requesting phone’s MAC address and looked for SSID names and other user data associated with the wireless networks the phone had accessed. We tested phones from different vendors, including Apple, Samsung, HTC and Motorola.
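The analysis step described above (filter for probe requests, group them by phone MAC address, list the SSIDs), as an added example that is not part of the original article; it is useful for checking what your own phone gives away, and it also tests the locally administered address bit that MAC randomization sets. It assumes bare 802.11 frames with no radiotap header, and all function names, MAC addresses and SSIDs are constructed for illustration.

```python
from collections import defaultdict

def parse_probe_request(frame: bytes):
    """Return (source_mac, ssid) for a probe request, else None.
    Assumes a bare 802.11 frame: no radiotap header, no trailing FCS."""
    if len(frame) < 24:
        return None
    fc = frame[0]  # bits 2-3: type (0 = management); bits 4-7: subtype (4 = probe request)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) != 4:
        return None
    src, pos = frame[10:16], 24  # addr2 is the sender; elements follow the 24-byte header
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break  # truncated element: stop parsing
        if tag == 0:  # SSID element; an empty value is a wildcard (broadcast) probe
            return src, value.decode("utf-8", "replace")
        pos += 2 + length
    return src, ""

def summarize(frames):
    """Group probe requests by sender MAC and list the network names each one gave away.
    randomized_mac is True when the locally administered bit of the address is set."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed:
            seen[parsed[0]].add(parsed[1])
    return {
        ":".join(f"{b:02x}" for b in mac): {
            "randomized_mac": bool(mac[0] & 0x02),
            "leaked_ssids": sorted(s for s in ssids if s),
        }
        for mac, ssids in seen.items()
    }

def build_probe(src: bytes, ssid: bytes) -> bytes:
    """Build a constructed sample probe request (broadcast destination and BSSID)."""
    header = b"\x40\x00\x00\x00" + b"\xff" * 6 + src + b"\xff" * 6 + b"\x00\x00"
    return header + bytes([0, len(ssid)]) + ssid + b"\x01\x04\x02\x04\x0b\x16"

# Constructed sample data: MACs and SSIDs are invented for this example.
PHONE_A = bytes.fromhex("001122334455")  # fixed address, names its saved networks
PHONE_B = bytes.fromhex("0200005e0001")  # locally administered address, wildcard probes only
SAMPLE = [
    build_probe(PHONE_A, b"example-home"), build_probe(PHONE_A, b"example-hotel"),
    build_probe(PHONE_A, b""), build_probe(PHONE_B, b""),
    b"\x80\x00" + bytes(22),  # a beacon frame, which must be ignored
]
```

Calling `summarize(SAMPLE)` returns one entry per sender MAC; a phone that only sends wildcard probes ends up with an empty `leaked_ssids` list.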

In all cases, the probe requests undid the protection that turning off SSID broadcast is supposed to provide, namely hiding the base station by name or by MAC address (BSSID). In fact, all of the phones revealed hidden SSID names in their requests. One user’s device revealed the following information:

the name of the network where I work, which can be found on WIGLE;

the name of the home network, which WIGLE can geolocate;

the SSID of a swimming club;

the SSIDs of two stores visited while shopping;

the SSID of a car dealership;

the SSIDs of a hotel and an airport;

SSIDs from overseas travel.

Under these conditions, an attacker who wades through the overload of wireless traffic can filter out a batch of smartphones to keep tracking. He can then try to impersonate a known network in order to launch a man-in-the-middle (MITM) attack against a target phone. In addition, this data can be used for social engineering attacks, or to identify and further track a user’s phone.

So positioning becomes more accurate, but that does not mean nothing can be done.

Android users can install a Wi-Fi tool that sets up fences around the places where Wi-Fi is turned on, so that the phone does not keep searching for a connection. Enterprises whose mobile policies allow Wi-Fi to be on in public places can also set up fences; they would not have to hide the names of internal networks, although the threat of man-in-the-middle attacks against some sensitive applications would still exist.

Apple has been actively trying, in iOS 8, to reduce the risk of phones being detected by randomizing the MAC address. But Bhupinder Misra of AirTight Networks said the method has not achieved good results. The problem is that the randomization is restricted by three conditions: first, the phone’s screen must be in sleep mode; second, location services must be turned off; third, Wi-Fi must be turned on.

For most people, simply turning Wi-Fi off is perhaps the best choice. When you come within range of open Wi-Fi, you cannot be tracked; but it also means that you will not be able to connect to any network along the way.

Source: Ars

