Solomon-SonyaYour phone might be telling the world more than you think – and Solomon Sonya is listening. The US Air Force trainer, who speaks today at SecTor 2016, will be unveiling a tool that can find out where your phone has been. It can be put together using little more than a Raspberry Pi and his free software, but he promises some surprising results.

Sonya, an assistant professor at the US Air Force Academy, rose through the ranks of the US Air Force to become officer in charge at AFCERT, the organization responsible for securing the organization’s entire network. His job revolved around incident intrusion response, finding and analyzing malware to learn his adversary’s techniques, which means that he’s always thinking about the inner workings of systems. He also trains others at the academy in digital forensics.

Sonya found himself getting interested in WiFi while at an airport on the way to a conference. “I’m watching passengers walk by, and asking without any previous knowledge, is it possible to tell where these people had been before?”

He hit on an idea. “Everyone has their phone,” he remembers thinking. “It’s a common thing.” So he started there. He began experimenting with phones to find out what signals he could intercept without spending lots of money. He got a copy of BackTrack – the pen testing Linux distribution that eventually became Kali – connected a Wi-Fi card to it, and placed into promiscuous mode so that it would sniff all the traffic it could find. Then he used the packet analysis program T-Shark to monitor wireless signals looking for devices that were trying to ‘beacon’.

Beaconing in WiFi refers to a constant game of ‘marco polo’, in which a device will electronically broadcast the service set identifier (SSID) of a wireless access point that it has connected to in the past.

What does beaconing look like? Imagine that you’re a conservative type, and prefer to frequent coffee shops you’ve used before. You may walk around at an airport you haven’t visited before, blindly yelling ‘Starbucks!’. A Starbucks barrista might hear you, and yell ‘Hey! We’re a Starbucks! Over here!’

Mobile phones do the same thing. If they have connected to an access point called ‘Starbucks WiFi’ in the past then they’ll broadcast that name when looking for a connection, in the hope of finding it again. If an access point with that SSID answers back, then the device will try to connect with it.

Some SSIDs, such as ‘Starbucks WiFi’ or ‘DLink’ are pretty common. But others, such as ‘Telus-57803’ or ‘Apartment 209’ are unique. If Sonya could get a list of them all, along with where they were located, he figured that would be a good way to find out where people had been. If someone’s phone constantly beaconed “JoeBobsCoffee’ and he knew that SSID was in Winnipeg somewhere, then he’d know that the phone had been there.

WiGLE it. Just a little bit.

How could you get such a list, though? The likes of Apple, Google and Microsoft create their own. Those lists are fiercely protected, though.

Wardriving would be another option. “You could put a Wi-Fi Pineapple on a bus,” he said. The device could collect SSID information for you and map it out, but it would still take a long time and a lot of resources to build a big map.

Luckily for him, there was another option. WiGLE, a crowdsourced database of SSIDs. “I cannot say enough how wonderful this site is,” he says. “They are creating a large database that you can now access.”

Using the Wiggle API, he could intercept a device’s beaconing data and query the WiGLE database to find out where those SSIDs are. That would then enable him to determine where a person had been based on their beaconing.

Promiscuous phones

“I thought your phone wouldn’t send out many probes, but that’s not true,” said Sonya. Phones beacon this data all the time, but some send it more readily than others. “iPhones are my favourite because they’re constantly broadcasting that information,” explains Sonya. These phones will beacon even when connected, which he believes is an attempt to give users the best possible connectivity.

Conversely, an Android device will typically ask for SSID names in the area to see if they have a match, rather than immediately beaconing all of its past connections. Nevertheless, many of these phones will eventually beacon all of their secrets too, he says.

What can an attacker do with such beaconing data? We have already seen a project that collected data about people at airports, but it isn’t clear if it used exactly the same techniques. In 2014, Edward Snowden revealed that CSEC, Canada’s non-domestic signals intelligence agency, used Wi-Fi in airports to track travellers.

You can go beyond tracking individual devices across the world, though. One possible scenario is a man in the middle attack, in which a malicious access point listens for a phone’s beacon data and then changes its own SSID to create a match. At this point, the attacker could sniff that device’s traffic.

Sonya is soft-launching his tool today during his SecTor talk, and will make it available to everyone else on October 27th. The tool is written mostly in Java and works on both Linux and Windows.