Demonstration of Mobile Device WiFi Operational (In)Security

Author: Claude Emery Baker

1 Demonstration of Mobile Device WiFi Operational (In)Security, 11 September 2017

2 Anonymity loves Crowds – Spies are snooping on Mobile Phones: #Snowden doc – NSA Co-Traveller https://assets.documentcloud.org/documents/888734/cotraveler-tracking-redacted.pdf

3 Anonymity loves Crowds – Spies are snooping on Airport WiFi: #Snowden doc - Canada’s CSEC

4 Anonymity loves Crowds: Domestic or Foreign intelligence agencies usually do not spy on you directly; they use & abuse the massive Commercial / Private Sector / Domestic WiFi infrastructure. Provided you do not exceed the radio transmission power levels, there is no regulation of WiFi, i.e. snoopers have equal rights to use the same WiFi signals & protocols that you do.

5 2013 City of London WiFi bins: https://qz.com/112873/this-recycling-bin-is-following-you/

6-7 TfL Tube WiFi snooping pilot Nov – Dec 2016

8 There are lots of WiFi Access Points: On the previous slide, TfL snooped via 1070 APs. An idea of just how dense the UK WiFi space is:

9-15 wigle.net – WiFi Access Point SSID: wigle.net - 15 Hanbury Street

16 Anonymity loves Crowds – could be anywhere in UK: BTWiFi BTWi-fi BTWifi-with-FON BTWifi-X O2 Wifi Wifi Extra VodafoneWiFi _The Cloud X

17 Anonymity loves Crowds – could be anywhere in UK: EE WiFi-Auto Virgin Media WiFi Virgin Media

18 Anonymity loves Crowds – could be on the move: AddLee Wi-Fi National Express Coach megabus-wifi ABELLIO-BUS

19 Anonymity loves Crowds – could be tracked on the move: Audi_MMI_3944 Audi_MMI_4579 Porsche_WLAN_817e5f

20 Anonymity loves Crowds – I know where you have been: Gatwick FREE Wi-Fi _Heathrow Wi-Fi Nice Airport Free WiFi _Bentall Centre FREE WIFI The In and Out Club WiFi _Gunwharf Quays Free WIFI Free Kitzsteinhorn WiFi

21 Anonymity loves Crowds – several candidate locations: The Fox & Hounds The Riverside HP-Print-1C-Officejet Pro 8610 M&S Free WiFi BarclaysFreeWiFi McDonald's Free WiFi Sainsbury's WiFi

22 Anonymity loves Crowds – Tracking your Home Address? BTHub4-CNT4 BT Smart Hub 2465 BTHub5-R7KS TALKTALK8F32E4 TALKTALK-A63C9E VM G VM

23 Anonymity loves Crowds – only 3 data points to de-anonymise? virginmedia, humbleabode, Applebees, HOTEL BROADBAND, Avonpark 2, SKY33BBE, DoubleTree Wireless, BTHub5-XWMZ, BTHub6-MGSM, SKY64926, Surrey Libraries, GOODTASTE, Comfort-Suites-Epernay, The Brickmakers Arms Free Wifi, Theatre_Public, BTWiFi, Livebox-A744, VM G, BTHub5-XKRP, PrimalRoost

24 Anonymity loves Crowds – trying to hide with unique ID: Police Surveillance Van #34 Police surveillance van 2 HELP I'M TRAPPED IN A ROUTER_EXT Hanger_51_Guest OOOOOH Look A Bird! OneConnectionToRuleThem Not The Wi-Fi You're Looking For

25 Grabbing WiFi MAC & SSID & Probes: Hardware incl. cables
- Raspberry Pi Zero or Zero W - £20
- Raspberry Pi 2 B - £30 (no built in WiFi)
- Raspberry Pi 3 - £40
N.B. the built in Broadcom WiFi does not support the necessary WiFi Monitor mode, so:
- WiFi dongle e.g. RALink RT5270 chipset £5 - £10
- mobile device recharge USB battery pack £10 - £20

26 Grabbing WiFi MAC & SSID & Probes: Hardware
Maplin still stock a Raspberry Pi 2 B kit with Mouse, Keyboard, powered USB hub, Ethernet, HDMI cables, microUSB power supply, NOOBS microSD and a RTL5270 WiFi dongle for just under £50 https://www.maplin.co.uk/p/quad-core-raspberry-pi-v2-development-kit-n01ea (needs a case or tupperware box etc)
Battery pack

27 Grabbing WiFi MAC & SSID & Probes: Operating Systems for Raspberry Pi
Started off using the Raspi compatible version of Kali Linux, popular with Penetration Testers / hackers.
Now the latest Raspbian Stretch repositories have adequate versions of the Application software mentioned earlier.

28 Grabbing WiFi MAC & SSID & Probes: Application Software (open source)
sudo apt-get install
- kismet
- airodump-ng, part of aircrack-ng suite
- Python scripts using scapy and python-netaddr
- macchanger – script WiFi MAC address changes
- wireshark
- mdk3 – WiFi attack tool - can be used to fake SSID
- tmux - keeps your sessions running when disconnected from SSH

29 How to protect your privacy & security
- Disable WiFi (& Bluetooth) on your mobile device before you leave home or work (also saves battery)
- Do not enable Connect Automatically
- Check you have not enabled advanced persistent WiFi settings: WiFi on whilst in sleep mode; Automatically connect to Open Networks
- Use a common SSID at home or work without router serial number, i.e. change VM to Virgin Media
- Change your WiFi Router default admin password

30 How to protect your privacy & security
- Some devices, sort of, periodically randomise MAC addresses e.g. Apple iOS, but not if they are probing for an Out of Range SSID access point connection
- You can try to pollute e.g. TfL MAC address snooping with a macchanger script to create multiple legitimate looking but fake WiFi MAC address signals

31 How to protect your privacy & security
- It is easy for attackers to change the SSID of their own “Evil Twin” WiFi access points to something plausible e.g. McDonalds Free WiFi to try a Man-In-The-Middle attack on you.
- You can fake lots of SSIDs for propaganda slogans with an mdk3 script
- Only use encrypted https:// web connections if you are logging in, or using banking or e-commerce sites
- Use a commercial or private Virtual Private Network (VPN) if using public “Free” WiFi
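
An added example, not part of the original slides: a small Python audit of a device's saved WiFi network list, applying the points on slides 22-23 and 29-30 (SSIDs that identify a home router, and whether the device's MAC address is a randomised one). The router-suffix patterns are assumptions inferred from the SSIDs shown on the slides, the three-item threshold is an assumption taken from slide 23's question, and the MAC address is constructed.

```python
import re

# Widely deployed hotspot SSIDs from slide 16: probing for these blends in.
CROWD_SSIDS = {"BTWiFi", "BTWi-fi", "BTWifi-with-FON", "BTWifi-X",
               "VodafoneWiFi", "_The Cloud"}

# Router-default SSIDs with a per-unit suffix. Assumed patterns, inferred
# from the examples on slides 22-23; real vendor formats may differ.
SERIAL_PATTERNS = [re.compile(p) for p in (
    r"^BTHub\d-[A-Z0-9]{4}$", r"^TALKTALK-?[0-9A-F]{6}$",
    r"^SKY[0-9A-F]{5}$", r"^Livebox-[0-9A-F]{4}$")]

def classify_ssid(ssid):
    """Label a saved SSID by how much it narrows down its owner."""
    if ssid in CROWD_SSIDS:
        return "crowd"
    if any(p.match(ssid) for p in SERIAL_PATTERNS):
        return "router-serial"
    return "distinctive"

def is_randomised_mac(mac):
    """True if the locally administered bit (0x02 of octet 1) is set,
    as it is on randomised addresses; burned-in vendor MACs leave it clear."""
    return bool(int(re.split(r"[:-]", mac.strip())[0], 16) & 0x02)

def audit(saved_ssids, mac):
    """Report which saved networks would single the device out if probed."""
    labels = {s: classify_ssid(s) for s in saved_ssids}
    identifying = sorted(s for s, lab in labels.items() if lab != "crowd")
    return {
        "labels": labels,
        "identifying": identifying,
        # Assumed threshold, after slide 23's "only 3 data points" question.
        "fingerprint_risk": len(identifying) >= 3,
        "mac_randomised": is_randomised_mac(mac),
    }

# Constructed sample: SSIDs copied from the slides, MAC address invented.
SAMPLE_SSIDS = ["BTWiFi", "_The Cloud", "BTHub5-R7KS", "SKY33BBE",
                "The Brickmakers Arms Free Wifi"]
SAMPLE_MAC = "da:a1:19:00:00:01"

if __name__ == "__main__":
    report = audit(SAMPLE_SSIDS, SAMPLE_MAC)
    for ssid, label in report["labels"].items():
        print(f"{label:14} {ssid}")
    print("forget or rename:", report["identifying"])
    print("fingerprint risk:", report["fingerprint_risk"])
    print("randomised MAC:", report["mac_randomised"])
```

Networks reported under "forget or rename" are the ones to remove from the saved list or, for a home router, rename to a common SSID as slide 29 advises.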