Smartphone location tracking

Another great talk at the mobile cyber security conference a few weeks ago was by Glenn Wilkinson who talked about his software called snoopy which is able to track and profile mobile devices based on their wifi. He has a very cool drone which he flies over areas to probe the mobile phones in the area below. Sadly no demo at the conference of the drone in action! When a wifi-enabled device looks to connect to a network there are two options:

  1. Scan for packets (called beacon frames) broadcasted by wifi routers to advertise their presence. The device will connect to a network when they receive a beacon from a network they have already connected to. This is used by laptops.
  2. Periodically broadcast packets (called probe requests) which contain the MAC address of the device to a specific or all wifi networks in the area. This can be compared to a message like “Hey! It’s xxx here, network xxx are you there?”

The difference is that by sending a probe request the device is actively scanning networks, where as simply listening for beacon frames is passive. Therefore probe requests are used by smartphones because it is faster. However, it also makes it possible to gather and track data from these requests, as the MAC address is unique to a device.

Attackers are able to monitor the requests and profile a person based on the networks that device has connected to in the past – what countries have they visited (airport lounges & foreign country wifi); favourite cafes; and where they live and work. Given a wifi network name, you can do a search for it for free at the Wireless Geographic Logging Engine: a publicly-accessible database (you just need to sign-up to search) of wifi and cellular station geo-location data, to build up a nice picture of that person’s lifestyle. Secondly, attackers are able to use this data as a presence detection method: you can monitor when people are within a certain area e.g. when your neighbour gets home from work. The data can be used non-maliciously to target advertising, or maliciously to create a very custom spear-phishing email for example.

Apple & Google already use other geo-locational data for advertising. According to Apple’s About privacy and Location Services for iOS 8 and iOS 9 page, “When you turn on Location Services…Your iOS device will periodically send locations of where you have purchased or used apps in an anonymous and encrypted form to Apple to improve a crowd-sourced database. This database may be used to offer geographically relevant apps and other products and services.” You can see what geo-locational data Google has on you here.

How do you monitor these requests? You need a wifi network card that supports monitoring mode and a piece of software that can capture the requests, such as wireshark or hoover to capture the probe requests. To see what your own (Windows) laptop has connected to, enter the following into a command line prompt: netsh wlan show profiles. To see the password for any of these, type: netsh wlan show profile name=”[NETWORK NAME]” key=clear

To prevent third parties from using the MAC address to track devices, several vendors have implemented MAC address randomization. For iDevices with iOS9 onwards and Android devices with 6.0 onwards, MAC randomization has been implemented for probe request frames. The iDevices also no longer show SSIDs in the probe frames, so it should be pretty tricky to track such a device.

Extra things you can do to minimise tracking is to tell your phone to ‘forget’ networks you no longer use and turn off locational services. Android users can download something like Kismet Smarter Wi-Fi Manager which makes it possible to only turn on wifi in geographical locations the user trusts.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s