Your wi-fi will tell me where you live, where you work and where you travel

    Moscow Wi-Fi

    Not many people know that mobile devices broadcast information about the networks they have connected to before. Most have no idea about it.

    Wi-Fi probes

    To reconnect to known networks that do not announce their presence (hidden SSIDs), mobile devices send probe requests naming the networks they remember. These packets can be captured whenever the phone is switched on and not associated with a network, using the usual tools, airodump-ng and tcpdump (the interface must be in monitor mode; airodump-ng numbers its output files, so the capture lands in wifi-dump-01.cap). The grep keeps only probe requests that name a specific network and drops broadcast probes, whose SSID field is empty. Example:

    # airodump-ng -w wifi-dump wlan0
    # tcpdump -n -l -e -r wifi-dump-01.cap |
        grep 'Probe Request ([^)]'

    Each line of the output contains the time, the device's MAC address and the network name. Example:

    16:32:26.628209 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:50:ea:d6:aa:bb:cc
        Probe Request (SUBWAY) [1.0 2.0 5.5 11.0 Mbit]

    In other words, device 50:ea:d6:aa:bb:cc checked whether the SUBWAY network was within reach.

    So what's wrong with that?

    Well, they broadcast these packets with the network names inside them. Think about that.

    Note that most Wi-Fi networks have unique names. Common names like SUBWAY will of course turn up. But in many homes the network is named either with an automatically generated name of the form ProviderNameDEADBEEF or with whatever the user chose.

    So the list of probe requests contains roughly the following kinds of network names:

    home: ProviderNameXXXXX, StreetNameWifi, etc.
    work: Company, Company City, etc.
    hotels: various unique names, except for chain hotels

    So what if you capture a probe request for a network named FooProvider123456, BlahProviderABCDEF, ACME-Fooville or CafeAwesome? You can, of course, guess which provider the person uses and where he has lunch. But these are only names: no BSSIDs, no coordinates, nothing else. Good. Well, not really.

    Because WiGLE exists!

    WiGLE (Wireless Geographic Logging Engine) is a service with the motto "All the networks. Found by everyone." Most networks in a city really can be found there, and you can search for the networks you are interested in by name. That is how you turn a list of names into information about the networks themselves.

    Networks in the Kremlin area

    [Translator's note] Network locations at a large map scale are shown only to registered users.

    Some assumptions can be made. For example, if WiGLE returns more than 3-4 networks with the same name, they are most likely standard networks and can be ignored, unless one of them happens to be near the unique networks we have already found. Networks that have not been seen for more than a year can be filtered out, unless they are unique and have stayed in one place over time; otherwise it means the access point has been moved.
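    As an added example (not code from the original article), here is a small Python script that pulls the source MAC and SSID out of tcpdump output in the format shown above and applies the filtering rules from this paragraph to a constructed stand-in for WiGLE search results; the capture text, MAC addresses, coordinates and dates are all made up.

```python
import re
from collections import defaultdict
from datetime import date

# Matches the tcpdump format shown above, wrapped or not: MAC after "SA:", SSID in "Probe Request (...)".
PROBE_RE = re.compile(r"SA:([0-9a-f:]{17})\s+Probe Request \(([^)]+)\)")

# Constructed sample of tcpdump output (not a real capture); the MAC address is made up.
SAMPLE_DUMP = """\
16:32:26.628209 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:50:ea:d6:aa:bb:cc
    Probe Request (SUBWAY) [1.0 2.0 5.5 11.0 Mbit]
16:32:27.101000 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:50:ea:d6:aa:bb:cc
    Probe Request (FooProvider123456) [1.0 2.0 5.5 11.0 Mbit]
16:32:27.450000 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:50:ea:d6:aa:bb:cc
    Probe Request () [1.0 2.0 5.5 11.0 Mbit]
"""

def probed_ssids(dump_text):
    """Map each source MAC to the set of network names it asked for.
    Broadcast probes with an empty SSID are skipped, like the grep filter above."""
    found = defaultdict(set)
    for mac, ssid in PROBE_RE.findall(dump_text):
        found[mac].add(ssid)
    return dict(found)

# Constructed stand-in for WiGLE results: name -> [(last_seen, lat, lon), ...]; all values made up.
WIGLE_RESULTS = {
    "SUBWAY": [(date(2019, 5, 1), 40.75, -73.99), (date(2019, 5, 1), 34.05, -118.24),
               (date(2019, 4, 2), 41.88, -87.63), (date(2019, 3, 3), 29.76, -95.37),
               (date(2019, 2, 4), 33.75, -84.39)],              # common chain name
    "FooProvider123456": [(date(2019, 8, 3), 40.71, -74.01)],  # unique, recently seen
    "ACME-Fooville": [(date(2017, 1, 9), 42.36, -71.06)],      # unique but stale
}

def useful_locations(ssids, results, today, max_common=4, max_age_days=365, near=0.05):
    """Filtering rules from the text: a name with more than max_common hits is a standard
    network and only counts if one hit lies near a unique network; stale hits are dropped
    unless the name is unique (a single location that has not moved)."""
    unique, common = {}, {}
    for ssid in ssids:
        hits = results.get(ssid, [])
        if len(hits) > max_common:
            common[ssid] = hits
        elif hits:
            # One hit keeps its location even if stale; with several, a stale one likely moved.
            keep = hits if len(hits) == 1 else [h for h in hits if (today - h[0]).days <= max_age_days]
            if keep:
                unique[ssid] = keep
    anchors = [(lat, lon) for hs in unique.values() for _, lat, lon in hs]
    for ssid, hits in common.items():
        close = [h for h in hits
                 if any(abs(h[1] - la) < near and abs(h[2] - lo) < near for la, lo in anchors)]
        if close:
            unique[ssid] = close
    return unique
```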

    Collecting information

    What information can we collect from the list of networks? Let's look at a map generated automatically from the WiGLE search results. They were downloaded with the wiggle library and plotted on a map:


    I marked encrypted networks in green and open networks in red; the blue ones are unknown. Each marker actually points at a specific building. You can see at once that this person most likely lives and works on the east coast of the USA (several markers), flies to Japan (a marker for an encrypted corporate network), vacations in Thailand (networks with hotel names) and also travels to New Zealand (networks named after campsites). From the name of the corporate network you can work out the name of the company.

    Here you have social engineering, the search for a specific person, the search for employees of company X... And from the MAC address you can determine the device model, and so pick this person out of a crowd.

    So what can be done?

    On Linux you can configure your networks in wpa_supplicant and set scan_ssid=0. This is the default, and it stops the supplicant from sending probe requests that name the network. For other systems, I do not know.

    Of course, you can delete saved networks or turn Wi-Fi off when you do not need it, but that does not solve the problem. You can give your home network a common name, but that does nothing about the names of the other networks you use.

