When you turn your WiFi on, you can be tracked and attacked very easily. This has been known for a while, though not widely enough.
If at one time you connected to an open network, your device continues to scan for that network. I can spoof that network, you connect to it, and then I intercept all traffic. A full framework has been created for this, complete with the ability to fingerprint your browser/OS and send exploits to your device [1]. Even if you only connect to password protected networks, it's possible (without access to the real AP) to let your clients send parts of the EAPOL handshake, and then perform a bruteforce attack. Weak passwords are cracked, meaning I can again intercept all traffic and possibly exploit your device.
So you only connect to one single network, strong password. Good. I can still track your MAC address. Even with one single device I can estimate the distance and the angle of your signal [2]. Hence I know your location, at all times. So you prevent MAC address tracking by using an identifier-free link layer protocol [3] (this doesn't exist in practice, only researchers made a demo showing it's possible). Though a lot better, even with such a system it's possible to track the movement of devices purely based on the fingerprint of the physical WiFi signal [4]. Given sufficient location data it's likely to again (automatically) de-anonymize the dataset and track your movements (it's more complicated, yes, but still possible).
So you prevent MAC address tracking by using an identifier-free link layer protocol [3] (this doesn't exist in practice, only researchers made a demo showing it's possible).
Or you could just randomize your MAC occasionally. If you're not even connected to a network (which is the situation we're discussing), just scanning, there's no reason for keeping a static MAC.
As mentioned in the top answer, not only will the AP know the MAC address of your device, it will also know the SSID you are looking for.
There are exploits allowing an AP to dynamically switch SSID, in order to impersonate the "known AP" you were scanning for. (Looking for a reference...)
And it's even very easy to exploit. You connected your phone/whatever to an open wifi network once?
Well, now it'll probably go looking for that network wherever you go, since the device will basically go and broadcast "Where is SSID XYZ?". Making it easy for anyone to switch the SSID on their AP, turn off authentication, and your phone connects to it - and probably starts pulling updates from your services. Just hope that's done over SSL/HTTPS and that the app validates the certificates.
Not only that but also, as SSIDs are often unique, it's possible to completely passively track all the locations your device has been. More info in this talk: https://www.youtube.com/watch?v=03iEaKPRb9A
If you're trusting the network you've already lost. It's not like the open internet is safe.
If we assume all connections are over SSL/SSH with certificate checking, what can a malicious AP do to you? (Another comment points out your location can be tracked by your device's radio; anything else?)
So with this technique, would someone be able to change the SSID of their router to match that of another nearby router where devices are likely to be attempting to connect in an effort to intercept the passwords being supplied to establish the connection to the router originally using that SSID?
Yes, doesn't have to be a nearby router though. The point is: your device broadcasts the names of all routers it's connected to. You just need to listen, then spoof the name, then the device will connect to you.
If the target device is already connected, you just need to DoS the router it's connected to and the device will reset the connection and start looking again. There are probably more elegant ways to force a reconnect than a simple DoS attack too.
It normally is. I mentioned open wifi networks specifically - i.e. the ones with no authentication, one you consciously connected to last year at a party/conference/bus stop/... and forgot about. Your device is still looking for its SSID.
And here's a neat trick: as soon as you detect a device from overhearing its probe request, spam it with CTS messages. As per 802.11 spec, it will have to reply with an RTS as long as it's not associated.
You'll be able to track devices if you have multiple APs deployed, or just detect whether someone is within a ~100-meter radius.
It's called Wi-fi Indoor Positioning. Last I heard, the state of the art uses triangulation of signal strengths between multiple access points. This gives it 'aisle-level accuracy', or about 5-10m.
It's pseudo-anonymous in that they can get a unique identifier for your device (and thus know how often the device returns to the store) but can't tie it to your real identity without more information.
And given the mediocre accuracy of the technology it would be hard to correlate it with, for example, their point of sale system (e.g. 'device XYZ was near checkout 3 at the same time that John Smith's loyalty card was used there, therefore device XYZ is owned by John Smith').
I've been asked for an address when making a $5 cash purchase. I have the baseless impression that it is marketing seminar advice that small specialty businesses get (That is, collecting addresses).
It would be interesting to build something to detect an impersonating AP. You could just search for a random non-existent SSID and log when a connection is made.
This would be a good honeypot. Randomly generate a 32-character SSID and send out a probe request with that. To have greater confidence, you could randomly generate another SSID and send out another probe request. If both are accepted with a similar signal and noise level, perhaps it is one of these karma APs. (The process could be fine-tuned, generating N number of random SSIDs and specifying the range for signal noise levels)
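An added example, not code from the thread, of the honeypot check described in the comment above: send probe requests for SSIDs that cannot exist, then flag any BSSID that answers more than one of them with a similar signal-to-noise level. The response records are constructed sample data standing in for what a sniffer would log; the thresholds are assumptions.

```python
import secrets
from collections import defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def random_ssid(length=32):
    """Generate a random SSID that no legitimate AP should be advertising."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


# Constructed sample: two fixed "random" SSIDs we probed for, and the probe
# responses overheard afterwards (bssid, ssid, rssi and noise floor in dBm).
PROBE_SSIDS = ["x9q2v7kf3mzp8r0wl5tn1hgd6bc4ysje", "mc4lz0pq8wt2sv9ykn6jr3fh1gd7xbe5"]
RESPONSES = [
    # answers both nonexistent SSIDs at nearly the same SNR: Karma-style AP
    {"bssid": "02:00:00:00:00:01", "ssid": PROBE_SSIDS[0], "rssi": -52, "noise": -95},
    {"bssid": "02:00:00:00:00:01", "ssid": PROBE_SSIDS[1], "rssi": -54, "noise": -94},
    # ordinary AP advertising its own network; not one of our probes
    {"bssid": "02:00:00:00:00:02", "ssid": "CoffeeShop", "rssi": -60, "noise": -95},
    # answered only one of our SSIDs; below the confidence threshold
    {"bssid": "02:00:00:00:00:03", "ssid": PROBE_SSIDS[0], "rssi": -40, "noise": -95},
]


def suspected_karma_aps(responses, probe_ssids, min_matches=2, max_snr_spread=6):
    """Return BSSIDs that answered at least min_matches of our random SSIDs
    with SNR readings spread no more than max_snr_spread dB apart."""
    probes = set(probe_ssids)
    snr_by_bssid = defaultdict(dict)  # bssid -> {ssid: snr}
    for r in responses:
        if r["ssid"] in probes:
            snr_by_bssid[r["bssid"]][r["ssid"]] = r["rssi"] - r["noise"]
    flagged = []
    for bssid, seen in snr_by_bssid.items():
        if len(seen) < min_matches:
            continue
        levels = list(seen.values())
        if max(levels) - min(levels) <= max_snr_spread:
            flagged.append(bssid)
    return sorted(flagged)


if __name__ == "__main__":
    print("fresh probe SSID:", random_ssid())
    print("suspected karma APs:", suspected_karma_aps(RESPONSES, PROBE_SSIDS))
```

For live use, replace PROBE_SSIDS with fresh random_ssid() values each run and feed the sniffer's probe-response log into suspected_karma_aps.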
You could then war drive to amass a location of suspected karma APs.
At the driver level it's totally possible to do a purely passive scan that would be nearly impossible to detect, it's just not very practical so most OSes don't even allow you to force your radio to do that.
I think there's some theoretical possibility that you could "see" the absorption of the RF energy in the antenna of a purely passive device but I think that would be extremely hard unless you're in an RF shielded box.
I'd answer the question "it can be purely passive but it's not usually done that way", which the top SU answer also states.
Because you never know how often the AP will broadcast its SSID so the passive listener doesn't know how long to listen on any particular channel. In the case where the AP doesn't broadcast the SSID it's even worse, the passive listener relies on other clients actively scanning and the AP responding with its SSID.
Personally I think this is an excellent way to turn your WAP into a burglar alarm. Burglars are too stupid to put their phone in Airplane Mode before they break into your house, so your WAP says "Hey unknown phone is in da house!" and calls the cops.
Good question, how about a honey pot iPhone that you leave on the table and it calls the cops if that one stops being associated :-) Too bad you can't dial by IMEI, then you use a RasPi pretending to be a cell tower to pull the IMEI and if it didn't recognize it, call the phone and say "please identify."
Ah the joys of a friday afternoon waiting for the next meeting to start ...
Just a few years ago, this was different: devices would listen for the SSID broadcast every few seconds. But that's too power-intensive for phones, because they have to leave the wifi radio on for very long amounts of time.
Now instead they beacon on all the channels in order to connect faster (which gives you the included privacy issues.)
So for a secure WiFi connection that's saved in your phone: if you encounter one of these WiFi pineapples/rogue routers, what does your phone do once the router says "yes, that SSID is me, connect to me if you like!"? Does it try to authenticate to what it thinks is the secured WiFi router? Is this another vulnerability?
I was thinking it'd be a fun project to take my laptop with me as I commute to-and-from work and log the Probe Request and MAC address that it sees from cars around me. It would make for interesting data mining to see if I regularly travel with the same cars.
Does anyone know a simple way to log this information via Python?
I hadn't thought about this before until something came up about a British ad agency using this to target personalized ads for the MAC ids of devices. I think that got shut down.
But it did get me to thinking about why this isn't exploited more often or that more people don't know about it. I thought of the example of having a home break in, and having my router log all the MAC ids of the devices nearby. Couldn't I effectively pinpoint the subject if I had a novel MAC id being logged at the time of the crime? Even better, log the name of the network it's looking for (or better yet a Wifi Pineapple), and maybe I could even track the guy down myself.
[1] http://www.sensepost.com/blog/7557.html
[2] Avoiding Multipath to Revive Inbuilding WiFi Localization
[3] Improving Wireless Privacy with an Identifier-Free Link Layer Protocol Ben
[4] SecureArray: improving wifi security with fine-grained physical-layer information