Dailydave mailing list archives

Re: my idea of the day


From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Thu, 15 Mar 2007 23:02:41 +0100 (CET)

On Thu, 15 Mar 2007, Dave Aitel wrote:

 [ Repost; Dave, if you get a chance, reject my original post and
   approve this one instead, I hit Ctrl-X too early; or if it's too late,
   reject this repost. Thanks. ]

So here's my idea of the day: I want relational triangulation in
SILICA. I want to be able to click "Find this AP" and then have SILICA
say "stay still . . . . signal is 99. Now take 5 steps to the left....
signal is 91. Now take five steps forward....signal is 102" and then
interpolate in "steps" the distance and direction of the access point.

Moving several feet to the left or right when not standing next to the
device is almost guaranteed not to measure any appreciable signal
differences that would not be overpowered by random reflections, RF
interference, attenuation caused by walls, chairs, etc, or residual
directional characteristics of an antenna (you need to get one that is
almost perfectly omnidirectional, or else maintain a precise angle while
moving around).

Consider this: when standing 20 meters from the transmitter, facing it in
an open, unobstructed, reflection- and interference-free field, moving 2
meters to the left with a perfectly omnidirectional antenna would change
the actual distance the signal has to travel by about 0.1%. A precise RF
interferometer could work, but signal strength measurements alone are not a
useful indication of your location in this axis.

Doing it from 5 meters away will of course work better, but then you're
close enough to spot the transmitter by simply observing signal strength
while walking around. Circling the area of a suspected transmitter site
would yield great results, too, but without a GPS or a set of precise
accelerometers, registering or approximating your movements in an indoor
environment is unlikely to be easy.

If you're left with only one axis to take meaningful measurements, you
wouldn't be able to interpolate the actual distance, because you don't
know how powerful the signal would be were you standing next to the
transmitter - depends on chips, antenna, settings, terror alert level, and
how strong the initial attenuation is (be it caused by ceiling panels,
doors, rack mount or a printer it is sitting behind).

As such, standing up, making 5 steps to the right, 5 to the front, 5 to
the left, 5 to the back is almost guaranteed to give you no benefit over
simply walking around with a traditional meter.

We happen to hunt "pirate" APs in our office buildings from time to time,
and even with specialized, directional receivers and quality software,
it's still a mess.

That said, there are several tools that allow AP location triangulation in
corporate environments, but they usually rely on several fixed measurement
points that are 10-50 meters apart, and mounted in a controlled, carefully
measured way, and again, *around* the rogue access point, so that absolute
measurements can be made. AirMagnet sells something like this.

/mz
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
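Putting numbers on the reasoning in the message above, as an added example that is not part of the original post and not SILICA code: the log-distance path-loss model with a free-space exponent n = 2 and a 1 m reference distance are my assumptions, as are the constructed -70 dBm reading and the +/-10 dB uncertainty in reference power; the geometry (20 m from the transmitter, a 2 m sideways step, 5 m as the closer case) comes from the post. The block covers both points made there: how little a sideways step changes received power, and why one reading cannot be turned into a distance when the power you would see next to the transmitter is unknown.

```python
"""Log-distance path-loss arithmetic for the rogue-AP discussion.

Added example, not from the original post.  Assumptions (mine): path-loss
exponent n = 2 (free space), 1 m reference distance d0, and the sample
RSSI / reference-power values used in the demo at the bottom.
"""
import math


def path_loss_db(distance_m, n=2.0, d0_m=1.0):
    """Path loss in dB relative to the reference distance d0 (log-distance model)."""
    return 10.0 * n * math.log10(distance_m / d0_m)


def lateral_step_delta_db(range_m, step_m, n=2.0):
    """Change in received power (dB) from a step of step_m perpendicular to the
    line of sight, starting range_m from the transmitter.  Negative = weaker."""
    new_range = math.hypot(range_m, step_m)
    return path_loss_db(range_m, n) - path_loss_db(new_range, n)


def path_length_change_pct(range_m, step_m):
    """Relative increase in propagation distance for the same step, in percent."""
    return (math.hypot(range_m, step_m) / range_m - 1.0) * 100.0


def distance_from_rssi(rssi_dbm, p0_dbm, n=2.0, d0_m=1.0):
    """Invert the model: distance implied by one RSSI reading, given p0, the
    power you would see at d0.  p0 is exactly the unknown the post points at
    (radio chipset, antenna, transmit power, whatever the AP sits behind)."""
    return d0_m * 10.0 ** ((p0_dbm - rssi_dbm) / (10.0 * n))


def distance_bounds(rssi_dbm, p0_low_dbm, p0_high_dbm, n=2.0):
    """Range of distances consistent with one reading when p0 is only known
    to lie somewhere in [p0_low, p0_high]."""
    return (distance_from_rssi(rssi_dbm, p0_low_dbm, n),
            distance_from_rssi(rssi_dbm, p0_high_dbm, n))


if __name__ == "__main__":
    for rng in (20.0, 5.0):
        print(f"{rng:4.0f} m away, 2 m sideways: path +{path_length_change_pct(rng, 2.0):.2f} %,"
              f" signal {lateral_step_delta_db(rng, 2.0):+.3f} dB")
    # Constructed reading: -70 dBm, reference power uncertain by +/-10 dB around -40 dBm.
    lo, hi = distance_bounds(-70.0, -50.0, -30.0)
    print(f"-70 dBm reading, p0 between -50 and -30 dBm: {lo:.0f} m .. {hi:.0f} m")
```

Run as-is, the 2 m step at 20 m comes out at a few hundredths of a dB and the same step at 5 m at a bit over half a dB, both far below the swing of a few dB that an ordinary indoor RSSI reading shows from one second to the next; and a 20 dB window on the reference power turns a single -70 dBm reading into anything from 10 m to 100 m. Both results are the message's argument in numbers.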
