June 27, 2022
How much open source data could we collect at InfoSecurity Europe 2022?
We set up a passive only signal collection demo at our stand. So, what were our findings?

Equipment used and purpose

• RTL-SDR – GSM Traffic

• Wi-Fi Range Extender – Wireless Traffic

Wi-Fi Analysis

Our collection targeted SSID’s (Service Set Identifier), MAC (Media Access Control) addresses that were categorised to random and non-random, as well as attempts to geolocate these. Here is what we found.

• 2132 unique SSID’s

• 845 unique non-random MAC addresses

• 7999 (7237 removed duplications) random MAC addresses

• 542 networks geolocated

• 25.4% networks could be geolocated

Due to constraints around API usage we geofenced our collection of SSID geolocation through WIGLE, an open-source Wi-Fi mapping platform. The results were still astounding with many of these networks belonging to home routers where we could narrow down the SSID location to the street level. We also noted during data processing that 762 random MAC addresses were removed after removal of duplications. The reason for this is that randomised MAC addresses were designed as a way of increasing privacy. Some devices will however reuse the same MAC address to connect to the same SSID. This obfuscates the device itself but not when it comes to understanding if the device is within a specific location. There was a notable similarity found during analysis between the country associated with SIM cards traced and SSID’s tracked during this demo.

GSM Analysis

A quick look over the data we collected during the surveillance of the Global System for Mobile (GSM) communications network revealed SIM cards belonging to a total of 30 different countries. A list of the top ten collated along with the count can be found on the right hand side. The scope of collection would have exceeded the limits of the ExCeL in London where the conference was held, however it was interesting to see that over 49% of SIM cards using the GSM network were from outside of the UK. The map above shows just how far travelled people were in within the area. Other data collected allowed us to drill down to the operators, brand and the exact International Mobile Subscriber Identity (IMSI) number. The ability to harvest this data is, as pointed out, open source but potentially incredibly dangerous in the wrong hands. An IMSI could be placed into software for tracking purposes, allowing a criminal to know when a mobile device is in the area or not. Similarly journeys could be mapped out via cell tower connections.

Why does this matter?

This blog post has highlighted a number of ways of identifying personal devices in time and space. The threat increases dependent on the perceived importance of the device by the threat actor. Advice relating to protection against IMSI tracking is limited. The risk to many people is low and the outcome could be potential surveillance of device. The greater risk lies with Wi-Fi and SSIDs.  The reason for this is simply that the data collected above relies on probe requests. After this if the probe request is successfully answered, authentication occurs and the connection is made. If a threat actor wished to use the data collected maliciously it would be very easy to do so and could result in an end user connecting to a fake SSID. This would act as a man-in-the-middle, forwarding and receiving data, harvesting all the information in flow that is unencrypted.

How can you protect your data?

Our best advice to prevent tracking device by MAC address is to ensure you have a random MAC address and where possible, that this is randomised every connection.

iPhone

Randomise MAC

  • Settings
  • Tap Information next to Network
  • Ensure Private Network Address is enabled

Managed Networks

  • Settings
  • Wi-Fi
  • Ask to Join Networks (Set to Notify or Off)

Android

Randomise MAC

  • Settings
  • Developer Tools
  • Enable Wi-Fi-enhanced MAC randomisation

Managed Networks

  • Settings
  • Connections / Wi-Fi
  • Click the three dots in the top right and choose Advanced
  • Manage Networks (Remove networks not in use)

Other top tips:

1. Turn off Wi-Fi when not in use – simple but effective.  

2. Prevent your device from connecting to networks automatically if already known or remove known networks if possible.

3. Ensure the networks you’re connecting to are using strong encryption.  

4. If using public Wi-Fi use a VPN.

If you are interested in learning more about this demo, please contact Mike Wallis. Our defensive team can work with you to secure your devices, perform digital forensics on those devices, and ensure that your business networks are set up correctly. We also specialise in open-source information gathering, and can work with you to provide actionable intelligence.

Sign up to our newsletter to receive the latest updates