The Perils of Probe Requests

All of the Wi-Fi devices you own are constantly broadcasting the name of every networks they’ve ever connected to. Turn them off.

You know how your phone automagically connects to any Wi-Fi network its seen before? Ever wondered how that works? It’s blatantly stupid. Whenever your phone’s Wi-Fi is turned on, but not connected to a network, it openly broadcasts the SSIDs (network names) of all previously-associated networks in an attempt to connect to one of them. These small packets, called probe requests, are publicly viewable by anyone in the area running trivially simple sniffing software, and you’d be surprised how unique your list of networks are.

Whats worse, probe requests include a unique device fingerprint called a MAC address that can be used to specifically identify each device. So we’ve got a situation where:

  1. Each device openly broadcasts incredibly identifiable network name history (names like “Jenny’s iPhone”, “UChicago”, “my favorite coffee shop”, etc…).
  2. Included in those messages is a unique fingerprint that can be collected and used to track you in public.
  3. Collecting these probe requests is easy from a consumer laptop.
Sniffing probe requests (time stamp, signal strength, MAC address, SSID)

The information gathered from probe requests can be combined with wardriving datasets, geo-tagged wireless networks databases, to map the physical location of these networks in a city. Popular community-driven wardriving website WiGLE provides publicly accessible data for over 350 million wireless access points collected by volunteers. This is an incredibly small subset of the wardriving data that Apple and Google have freely collected from your Android or iPhone. In fact, your smartphone is constantly scanning for Beacon frames broadcast by wireless access points and using your GPS to associate those network’s MAC addresses with your location. This information is then uploaded to GOOG or AAPL, amassing the two largest collections of wireless network maps in the world. Has your phone ever prompted you to “Turn on Wi-Fi for better location accuracy?” This feature uses your phone’s wireless card to scan and upload nearby access points to leverage these proprietary datasets, collected en masse (without payment), to offer highly-accurate geolocation information that can be derived from these network fingerprints.

WiGLE wardriving data from Chicago, IL, USA

Probe requests have been known to be collected at hotels, malls, airports and other public locations in order to track and identify unknowing passersby. Companies can sell this data or use it for their own market research. I’ve personally sniffed probes at O’Hare Int’l Airport, collecting fingerprints from thousands of devices and tens of thousands of network names; Enough probes to crash my Macbook Pro waiting for my flight to board.

WiGLE data showing the same location with and without geo-tagged wireless networks overlayed

So yeah… that’s where we are at with Wi-Fi these days. The Probe request problem is an example of what happens when a wireless protocol released in 1998 is implemented as the standard almost a decade later when smartphones hit the market. These solutions that worked for stationary personal computers don’t scale well when nearly a third of the world’s population now walks around with a Wi-Fi device on their person. Protecting personal information from blanket collection and exploitation is only going to become a more challenging problem as the number of internet-connected devices expect to reach 75 billion by 2025. That’s nearly 10 devices per human on earth.

Wi-Fi is fucked, everything is broken, Donald J. Trump is president, and the earth is dying. Ok, taking a step back, you might be wondering what you can do to protect yourself. The solution is not without flaws; turn your Wi-Fi off when you aren’t connected to a known network. Doing so will prevent your device from leaking your network names and device fingerprint to the open world. The solution is awkward, easy to forget, and sub-par. But its what we’ve got.

If you’ve got an Android device, the Smart WiFi Toggle app claims to enable/disable your Wi-Fi based on location rules. I’ve never used it, and I’m cautious to provide a random app the admin permission that it requires, but its very highly rated on the Google Play store. I haven’t come across anything like this for iOS, and as of 2014, the programmatic control over Wi-Fi needed to do this was only available if a device was jailbroken.

What follows are a few continued musings on about creative exploitations of probe requests in the wild, followed by a short tutorial that shows you how you can collect your own probe requests, or rather, everyone else’s.

ProbeKit and Beyond

ProbeKit in the wild

Back in 2015, I worked with Branger_Briz to create ProbeKit, a critical software art project that addressed the probe request problem through a metaphor of butterfly collection. We developed an application that captured probing devices as unique, one-of-a-kind, butterflies. The software allowed the user to collect MAC addresses and network information from nearby devices as they wandered around the city on a “network data safari.” Once captured, you could inspect each butterfly’s “migration patterns” inferring information about where the device owner works, lives, and plays.

ProbeKit map view
Probekit habitat view

Linger

Jasper van Loenen recently created a wonderful response to the probe requests phenomenon called Linger. This small networked device constantly rebroadcasts the probe requests its collected, creating a virtual wireless environment made up of the ghost signals of every device its encountered. As the device travels, its collection grows, and the fragments of identity extracted from stray probes become implicitly integrated into the artwork and the spaces it inhabits.

Shenanigans

In a similar vain, artist David Rueter created Shenanigans, an attempt to introduce “information entropy” into the bulk collection surveillance systems that are increasingly using probe requests to identify and track people throughout their daily life. Shenanigans is a community-powered network of small battery-powered wireless routers that broadcast the probe requests of device owners who wish to introduce noise into Wi-Fi based tracking systems. Participants submit their device’s MAC address to be rebroadcast by each node in the network, in multiple locations all over the world. Doing so provides the participant with an arguable disassociation from the MAC address assigned to them by their device’s manufacturer. They are presented with a Certificate of De-identification, allowing them to prove that their unique device fingerprint is shared with everyone participating in the network.

Certificate of De-identification

Capturing Probe Requests

Probe requests can be captured by anyone with a computer and a wireless card that supports monitor mode. However, this brief tutorial is not for the faint of heart. The following instructions assume general comfortability with the unix command-line. This code has been written to run on debian-based linux operating system. For more information, see the GitHub repository.

# clone the repository
git clone https://github.com/brannondorsey/sniff-probes
cd sniff-probes
# use iwconfig to list your wireless device names
iwconfig
# sniff probes, replacing wlan0 with your device name
CHANNEL_HOP=1 IFACE=wlan0 ./sniff-probes.sh

If all goes well, you should begin to capture probe requests from nearby devices.

00:00:19 -88dBm 00:0a:e2:1f:28:ab "cvteststation01"
00:00:19 -89dBm 00:0a:e2:1f:28:ab "cvteststation01"
00:00:22 -85dBm 5c:aa:fd:20:23:41 "Sonos_pZkIex0zatRvhdJTAifLzmatdh"
00:00:42 -86dBm f4:f5:d8:28:bc:26 "NETGEAR85-5G"
00:00:46 -89dBm f4:f5:d8:28:bc:26 "NETGEAR85-5G"
00:00:48 -84dBm f4:f5:d8:06:19:40 "Pamplona Running Club"
00:01:00 -92dBm 54:60:09:40:56:32 "seawhale"
00:01:13 -87dBm 38:63:bb:d1:6a:b7 "offline"
00:01:25 -83dBm 5c:aa:fd:20:23:41 "Sonos_pZkIex0zatRvhdJTAifLzmatdh"

Probe requests are saved as a space-delimeted “csv” to probes.txt by default. This can be changed using the OUTPUT environment variable. CHANNEL_HOPING cycles the wireless card’s channel settings in an attempt to capture more probe requests, but can be disabled by omitting the environment variable or setting its value to 0. If you have any questions or problems, please create an issue on the GitHub issues page.