Using a Raspberry Pi as a WiFi Access Point to Capture Amazon Echo Network Traffic.

In this article I will provide a tutorial on setting up a Raspberry Pi as a wireless access point in order to capture network traffic originating from or destined for wireless smart home devices, specifically the Amazon Echo smart speaker.

Sean Kennedy
Oct 8, 2018 · 6 min read

Recently, I have been interested in capturing and analyzing Amazon Echo traffic data. I struggled to capture the traffic data in my home WiFi environment due to a variety of complications I won’t elaborate on, but I did eventually find a solution that will work for anyone who is having similar problems capturing Amazon Echo traffic data. Before I get into specifics first let’s get the preliminaries out of the way.

Some things you will need:

  • An Amazon Echo device
  • A Raspberry Pi model 3 or newer, or an older model raspberry pi with a USB WiFi adapter.
  • A minimum 16 GB microSD card, recommended at least class 10.
  • A way to get a Raspbian OS image on the microSD card.
  • A 2.5A micro-USB power supply, keyboard, mouse, HDMI cable, and monitor for your Raspberry Pi
  • A wired ethernet connection to your Raspberry Pi.
  • A phone with the Amazon Alexa app installed.

Overview

The first step in this process is to set up your Raspberry Pi as a wireless access point. After that you need to install wireshark on the Raspberry Pi. Then, you will need to connect your phone and then the Amazon Echo to the Raspberry Pi wireless access point. Now that the Amazon Echo is successfully connected to the access point, you can start a wireshark or your preferred network traffic capture tool to start capturing the Amazon Echo traffic

Step 1: Set Up Rasberry Pi As Wireless Access Point .

Install Raspbian OS and Update it.

Use etcher (https://etcher.io/), or your preferred SD card flashing application, to flash a Rasbpian OS image on the microSD card. Insert the microSD card into the microSD card port on the Raspberry pi. Insert the HDMI cable, mouse, keyboard, power supply, ethernet cable, and the WiFi adapter (if you are using an older model Raspberry Pi) into their respective ports on the Raspberry Pi. Plug the HDMI cable into your monitor and the power supply into a power source to turn on the Raspberry Pi. Go through the startup process as instructed by Raspbian. Raspbian should perform an update, but just in case it fails, start up a terminal and enter in:

sudo apt-get update
sudo apt-get upgrade

Install the access point server program hostapd and the DHCP server program dnsmasq

Two programs we are going to need are hostapd and dnsmasq. To install them type these lines into a terminal session:

sudo apt-get install hostapd
sudo apt-get install dnsmasq

If prompted for a y/n continue with installation, type y and hit enter.

After the programs are installed stop the processes by entering:

sudo systemctl stop hostapd
sudo systemctl stop dnsmasq

Set up a static IP for the wireless interface

In order to set up a wireless access point we need to set a static IP address for the wireless interface on the Raspberry Pi. This interface should be labeled wlan0 (if not, see note below). Enter the following to edit the dhpcd config file to set a static IP address for the wlan0 interface:

sudo nano /etc/dhcpcd.conf

Once this opens the config file in the terminal edit the file by adding this text to the end:

interface wlan0
static ip_address=192.168.0.10/24
denyinterfaces eth0
denyinterfaces wlan0

Hit ctrl-x to exit and y and then enter to confirm the changes

  • Note: If you are using an older model Pi and a WiFi adapter, you can run a iwconfig command to check the name of the WiFi interface and continue with the tutorial, replacing wlan0 with whatever your WiFi interface is called

Use dnsmasq to configure a DHCP server

We need a DHCP server to dynamically configure our network, and we will use dnsmasq to do this. First edit the necessary config files by entering:

sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
sudo nano /etc/dnsmasq.conf

Add this to the empty file:

interface=wlan0
dhcp-range=192.168.0.11,192.168.0.30,255.255.255.0,24h

Now our access point will provide the IP addresses in this range to devices trying to connect to it.

Use hostapd to create a WiFi access point.

We need to set up the access point info in the hostapd config file by opening it:

sudo nano /etc/hostapd/hostapd.conf

…and editing it by adding:

interface=wlan0
bridge=br0
hw_mode=g
channel=7
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ssid=SSID_NAME
wpa_passphrase=PASSWORD123

Change the ssid and wpa_passphrase to your desired name and password values for your access point.

Enter the following to edit the hostapd file:

sudo nano /etc/default/hostapd

And replace the line that starts with #DAEMON_CONF=”” to:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

Forward the wlan0 traffic to the ethernet cable

In order to forward the wireless traffic to the ethernet cable enter:

sudo nano /etc/sysctl.conf

And replace the line starting with #net.ipv4.ip_forward=1 with:

net.ipv4.ip_forward=1

Alternatively, just uncomment the line.

Set up the correct iptables

The next thing to do is to add the iptables rules by entering:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

Next we need to make sure these rules load when booting by editing the rc.local file:

sudo nano /etc/rc.local

And adding the following above the line starting with exit 0:

iptables-restore < /etc/iptables.ipv4.nat

exit and save the changes.

Add a bridge between wlan0 and eth0

In order for the wireless traffic to access the internet we need to add a bridge that will transfer the traffic to the eth0 interface (the physical interface). We need to install a package called bridge-utils in order to accomplish this:

sudo apt-get install bridge-utils

Next, we add the bridge and connect eth0 to the bridge:

sudo brctl addbr br0
sudo brctl addif br0 eth0

Next we need to edit one last config file:

sudo nano /etc/network/interfaces

And add this text to the end of the file:

auto br0
iface br0 inet manual
bridge_ports eth0 wlan0

Now we are good to go. Go ahead an shutdown the Raspberry Pi for now, or you can reboot to confirm it is working by connecting your phone to the newly created WiFi access point and verifying it has internet connectivity.

Step 2: Set up wireshark.

On your newly created Raspberry Pi WiFi access point, open up a terminal and install wireshark:

sudo apt-get install wireshark

Enter y when prompted to finish installation.

Step 3: Connect your Amazon Echo to the Raspberry Pi WiFi access point.

In order to connect the Echo to the access point, connect your phone to the access point, open up the Alexa app and begin to setup the Amazon Echo device. When prompted connect to the newly created Raspberry Pi WiFi access point.

Step 4: Capture the Amazon Echo traffic.

Obtain the Echo’s MAC address.

Finally, we can accomplish the task we set out to do: capture Amazon Echo network traffic. Before we open up wireshark, let’s get the Echo’s MAC address. Once again, open up the Alexa app on your phone. Click the home icon in the bottom left-hand corner. You should see the your Amazon Echo device in the upper left-hand corner. Select the device to go into the device settings. The last option on this page is about. Tap on this, and you will see some information about your Echo device including the MAC address. Copy this down.

Start up wireshark and commence with capturing the traffic.

Open up wireshark as root on your Raspberry Pi by entering:

sudo wireshark

Start a capture without any capture filter on the br0 interface. Once the capture has started enter the following in the display filter:

mac.addr == 00:00:00:00:00:00

Replacing 00:00:00:00:00:00 with the MAC address you copied down in the last step. You should see the incoming and outgoing traffic for your Amazon Echo device now.

Now, you can capture and analyze all of the traffic related to your Amazon Echo, have at it!

This general process will also work for other wireless devices you wish to capture traffic from like the Google Home speaker, Apple HomePod, and all those other IoT devices you want to analyze.

Think Secure

Analysis of current trends in cybersecurity, machine…