Slashdot Mirror

> search of the facility by a bomb-sniffing dog.

They called in the wrong sniffers. https://wigle.net/

Do you really want someone to be able to easily determine your daily routines?

Remember that GPS is not the only source for location information. Geolocated Wifi SSIDs, geolocated IPs and geolocated cell tower locations make location tracking peanuts for sufficiently large companies.

Try finding your favorite WiFi-networks here: https://wigle.net/
Cell tower database: https://opencellid.org/

You can bet your ass that (semi-)static IPs are geolocated using that data as well.

Check your house on https://wigle.net/

If you live in a built-up area, chances are someone is currently advertising the fact that you have a wireless network, especially if it's only WEP or completely open.

And just wait until it's compromised and the firmware fault lets guests slip into your router and sniff all your traffic and/or enter your local network.

There's a reason that you put a router between your Internet connection and local network (and, no, the SuperHub / Home Hubs don't count because they are just waiting for a compromise).

IMSI-catchers, like the infamous Harris Stingray, operate in two different modes, passive and active.

In passive mode it just listens to the cellular frequencies and records the IMSI of any device in range. This is similar to WiFi war driving and listening passively for SSIDs. While there are some preventative measures you can take, at some point you just have to broadcast the ID in the clear for things to work. Not a lot can be done to securely protect against this.

However, in active mode the IMSI-catcher spoofs credentials and claims to be a valid cell tower, tricking the cell phone to actually connect to it. This allows everything from text messages, to DTMF tones to the contents of a voice call to be captured.

Here is where there is room for end-user security improvements. One step would be to whitelist the known towers in your area, refusing to let your phone connect to any tower not on your list -- such as claimed NEW towers.

Net stumbler applications like Wigle include lists of cellular networks in their scans and databases. A crowd-sourced or crowd-validated list of known, real towers could serve as an initial load or verification.

The trick is getting your phone to connect only to the whitelisted towers. I believe that function lies in the baseband processor and access to that is normally locked down tight.

This could be a nice addition to something like Silent Circle's Blackphone.

If nothing else, it should be possible to have your phone alert you when it connects to a non-whitelisted cell tower. After all, Android has the ability to display what tower you're connected to. Apps like Network Signal Info Pro certainly give enough details.

This could be a really good way to map wireless networks: https://wigle.net/

If you have a look at what sites like Wigle.net are reporting from wardriving the global total is somewhere over 147 million wifi locations. While this may be over reporting as the old wifi spots do not get aged out, this will be offset by areas that have not been covered yet. USA seems to be the most collected with over 53 million wireless hotspots. France strangely only reports a little over 3 million hotspots... nowhere near the 13 million suggested in the report

More stats can bee seen at https://wigle.net/gps/gps/main/stats/
Country stats at https://wigle.net/gps/gps/main/genslicestats
and the most interesting the maps https://wigle.net/gps/gps/Map/onlinemap2

MoeBalls is more unique. But if you have enough SSIDs, the intersection of them can give a unique location even if each individual one can be found in many locations.

openwlanmap.org uses it to display maps of wifi-war-drived-data when you submit any. I scanned wifi-access points while driving to France for a holiday; amazing how many access points you detect even in the middle of nowhere!

Pathetic pikers compared to https://wigle.net/

http://openwlanmap.org/northam...
https://wigle.net/images/rigle...

openwlanmap.org uses it to display maps of wifi-war-drived-data when you submit any. I scanned wifi-access points while driving to France for a holiday; amazing how many access points you detect even in the middle of nowhere!

Pathetic pikers compared to https://wigle.net/

http://openwlanmap.org/northam...
https://wigle.net/images/rigle...

You are right, of course, it merely follows people, it says nothing of signal paths, and can't distinguish no-signal areas from un-visited areas.

If trilateration signal in a given area is marginal, the data collection should mark the area as marginal. If marginal area surrounds unvisited area, one can be fairly confident that the border is between a visited area and a no-signal area.

For wifi mapping, this is redundant

Not if Mozilla plans to make the data available to the public under terms more permissive than the WiGLE EULA. It could be an example of what Google's Greg Stein called "license pressure".

You are right, of course, it merely follows people, it says nothing of signal paths, and can't distinguish no-signal areas from un-visited areas.

And showing a map when there are so few participants is pretty silly.

For cell reception, this is useless.
For wifi mapping, this is redundant.

I wonder if they found out what browser and OS are used at Apple and at Microsoft...

Exactly. When the answers to half of your questions are blindingly obvious without even asking them, you're really wasting your time. Start asking questions that are an actual threat to corporate secrets, though, and at most companies, the employees will clam up faster than a politician caught with a hooker behind a cheap Vegas strip club.

Take Apple for example. Let's see:

• Do you have a cafeteria? Uh, yeah. It's listed on Yelp.
• What operating system do you use? Three guesses and the first two don't count.
• What service pack are you running? What the **** is a service pack?
• What browser do you use? Three guesses and the first two don't count.
• What mail client do you use? Three guesses and the first two don't count.
• What antivirus system do you use? Um... dude, it's a Mac....
• What's your ESSID? Hmm. I wonder if it could be AppleWiFi?

And so on. These sorts of questions are so innocuous and the information is so easy to obtain by literally anyone in the general public that even the most paranoid person wouldn't try to keep them secret. They don't represent a real-world way to get any further information in anything but the most bizarre scenarios. The interesting question is whether they can then use that information to get something of value. Short of that, this is like screaming that the sky is falling when really a bird just dropped something on your shoulder.

The fundamental failing here is that these folks naïvely assume everything has to be secret, and that obtaining information at a very low level of trust allows you to take advantage of a slippery slope to obtain information that requires a high level of trust. The reality is quite the opposite when it comes to almost everything on this list. Companies want potential job seekers to know that they have one of the best corporate cafeterias in the area. They want visitors to their campus to be able to use the Wi-Fi network to check their email. They want people to apply on their public jobs website for positions in the cafeteria. And so on. Those needs are fundamentally incompatible with keeping that information secret, period.

Further, for information that does have to be public knowledge, competent companies take steps to mitigate the damage that the information can do. For example, most companies require you to use a badge to access the corporate cafeteria, vet their new hires carefully, put the Wi-Fi on a public network with no access to internal systems, require you to use a VPN for access to any internal systems, require that confidential information be disposed of in locked metal bins, etc. The fact that those mitigations exist is not a secret (yet the existence of a VPN was one of the "flags"); if your security depends on keeping the mechanism of that security a secret, then it is broken by design.

In short, if the company is doing security right, then basically nothing on that list of flags is actually of value to an attacker, making this a really silly study.

So you didn't read TFA ? (Of course not).

It is trying to build a public (or so it says) database of where there is cell towers and or wifi, all geolocated by GPS.

Skyhook already has their database, mostly of wifi addresses volunteered.
Google has their database, which they jump started with Street View cars, but now keep up to date with a bazillion android phones running around.
WiggleWIFI has their wifi only database, collected by volunteers, which is public and massive, but not all that usable, although you can probably zoom into your neighborhood and find Wifi routers by the dozen.

But this database is supposed to be available publicly, and will know that if you are connected to Cell Tower XYZ, and your phone can see tower RWC, then you must be located in this particular grid square. Nobody but the cell companies have that data.

This project aims at collecting those tower locations, and wifi locations.

If you don't want to participate, then don't install the app on your smartphone.

But be aware the maps exist already, in a number of disjoint databases. This one hopes to make it a joint one, and a public one. They are late to the party, but at least they claim it will be public. Its not clear just how public, but hinted at is the ability for your laptop, or phone, to pin point its location without a clear view of the sky (no GPS) simply by virtue of what router you are talking to. There isn't a hint about feeding advertisers.

Well which is it? Not too sophisticated, but the busted into his lame decoys easily enough.

Forcing a door open is not the same as sophisticated lock picking. But nonetheless, the point about sophistication seems to be what they did once they got access. Most did menial tasks while 4 meddled with a specific communication protocol.

He claims to have triangulated where the attacker was based on their wifi card. REALLY? How is that done? He knows where every wifi router in the world is does he? Triangulate!!! All Wifi cards use three routers? Who knew! Each of which has its position known?

I'm not sure your reading comprehension is up to speed here. The web interface that was hacked embedded an exploit framework called BeEF so the researcher could gain access to the attackers system through the browser. What he likely did was query the networks detected by the wifi cards then crossed them to data from sites like WiGLE or perhaps something even more specific.

This is more then enough to get a Geographical location of a person and narrow it down to not only country, but city and even neighborhoods within the city.

Oh, and the triangulation isn't on where the wifi car itself accesses a router, but with the names of the specific networks the wifi cards can see. If you see several distinctly different named networks, the odds of them being in more then one location is low so you know it has to be a location close enough to all of them to be seen at the same time. For instance, if I see the SSIDs duck_butter, shoreline, bbangsoon, and linksys, I can find that I am near the Chicago Water Commissioner's office at Pfc Milton Olive park, near the Chicago harbor. Go ahead and look it up.

Somewhere there are some people chuckling at this guy.

I think that happens to all of us every once in a while. I was laughing pretty good earlier at someone too.

Well which is it? Not too sophisticated, but the busted into his lame decoys easily enough.

Forcing a door open is not the same as sophisticated lock picking. But nonetheless, the point about sophistication seems to be what they did once they got access. Most did menial tasks while 4 meddled with a specific communication protocol.

He claims to have triangulated where the attacker was based on their wifi card. REALLY? How is that done? He knows where every wifi router in the world is does he? Triangulate!!! All Wifi cards use three routers? Who knew! Each of which has its position known?

I'm not sure your reading comprehension is up to speed here. The web interface that was hacked embedded an exploit framework called BeEF so the researcher could gain access to the attackers system through the browser. What he likely did was query the networks detected by the wifi cards then crossed them to data from sites like WiGLE or perhaps something even more specific.

This is more then enough to get a Geographical location of a person and narrow it down to not only country, but city and even neighborhoods within the city.

Oh, and the triangulation isn't on where the wifi car itself accesses a router, but with the names of the specific networks the wifi cards can see. If you see several distinctly different named networks, the odds of them being in more then one location is low so you know it has to be a location close enough to all of them to be seen at the same time. For instance, if I see the SSIDs duck_butter, shoreline, bbangsoon, and linksys, I can find that I am near the Chicago Water Commissioner's office at Pfc Milton Olive park, near the Chicago harbor. Go ahead and look it up.

Somewhere there are some people chuckling at this guy.

I think that happens to all of us every once in a while. I was laughing pretty good earlier at someone too.

For the average user, how many people are going to set it up like that. And obfuscating the SSID? Care to elaborate?

Certainly the average user does not take adequate precautions against attack. I was just mentioning a method to mitigate the effectiveness of rainbow tables against WPA. (obviously WEP is bad, and is no longer recommended for any use)

WPA hashes are seeded using the SSID. Rainbow tables are constructed using known SSID's so if you "obfuscate" the SSID by making it somewhat long with random characters then rainbow tables are not effective. Increasing the length and randomness of your PSK is also helpful, as rainbow-table attacks rely on a dictionary and are computed to a finite length (commonly 20 characters).

Using WPA2 with a gobledegook SSID and a PSK of 63 characters in length that contains no dictionary words is in practice not crackable.

Take your walk digitally. https://wigle.net/gps/gps//BMap/onlinemap2/

Where the hell do you live? Back woods of Kentucky or some place?

I use a War Driving app (WiGLE WIFI) on my android on my rides and walks around my area, and open WIFI is a rarity in residential areas.
I mean like one house in a hundred. In my subdivision of 75 houses there isn't even one unencrypted router. Not one.
(There are several routers with Guest accounts, but even these require a password after you get an IP).

There are some facts an figures about this gleaned from users of this app posted here: https://wigle.net/gps/gps/main/stats/
Unencrypted wifi is on a steady downward trend, now down to about 18% over all areas that WiGLE users visit.

When you allow for those that are open on purpose (coffee shops restaurants, libraries) you are probably down to 12% of residential
users leave their wifi open.

ugh. their eula is terrible... it's almost like contributing your data to google maps for free :)

http://wigle.net/eula.html

No, we know.

Out of the millions of SSIDs in the US alone, TFA writer could only confer with 400 of them for a sample

400 is what you can find in an afternoon of war driving in suburbia, or an hour walking around apartment complexes with a wardriving app on your smartphone.

But realistically, with WIFI being such a short range medium getting a significantly larger sample with a non-google scale budget is pretty problematic. You can't detect them very far away, and the more crowded the wifi space the smaller the detection distance due to unfavorable signal to noise ratio.

To the rescue: http://wigle.net/ a collection of 57 million crowd-sourced, geocoded access points gleaned via various means, but most of them with a smart phone application like Wigle Wifi Wardriving available free for android. Simply turn that on, put on your headphones and go for a walk and when you get back you will have very accurate maps of dozens of routers. Log into Wigle.com, upload, and contribute to the map which can also be searched and zoomed. (Their server is prone to slashdotting).

They could have worked a deal with Wigle.net to mine their SSID names, sorted in order by the first 6 letters, and discarded the first 98% and come up with a far more interesting collection.

Out of the millions of SSIDs in the US alone, TFA writer could only confer with 400 of them for a sample

400 is what you can find in an afternoon of war driving in suburbia, or an hour walking around apartment complexes with a wardriving app on your smartphone.

But realistically, with WIFI being such a short range medium getting a significantly larger sample with a non-google scale budget is pretty problematic. You can't detect them very far away, and the more crowded the wifi space the smaller the detection distance due to unfavorable signal to noise ratio.

To the rescue: http://wigle.net/ a collection of 57 million crowd-sourced, geocoded access points gleaned via various means, but most of them with a smart phone application like Wigle Wifi Wardriving available free for android. Simply turn that on, put on your headphones and go for a walk and when you get back you will have very accurate maps of dozens of routers. Log into Wigle.com, upload, and contribute to the map which can also be searched and zoomed. (Their server is prone to slashdotting).

They could have worked a deal with Wigle.net to mine their SSID names, sorted in order by the first 6 letters, and discarded the first 98% and come up with a far more interesting collection.

I am surprised to see that much ruckus about this "OpenSignalMaps" when Wigle http://wigle.net/ already existed for a while, and has more than 61 million networks recorded around the world. I do know they don't have the fancy Web2.0 website, but they have been doing this before that even got popular...

Why do you think people "name" their networks "linksys?"

All 4.7% of them? http://wigle.net/gps/gps/Stat

Google might not publish this, but others already do.

*sigh* Yes, yes, and obviously, because some unrelated companies are doing this, it clearly means Google will too by... um... osmosis. Yeah, let's go with that. Osmosis.

Google might not publish this, but others already do.

Skyhook is the service that my 1st-gen iPod Touch would use for location data. (I don't know about current Apple products, because I don't have any.)

It doesn't work on IP addresses at all, but rather by listening for nearby 802.11 beacons and triangulating your location using their signal strengths, using MAC addresses (or rather, BSSID) to uniquely identify each access point.

I was generally very impressed with its performance in rural Ohio. Pretty much within 100 yards, no matter what, as long as I had an open internet connection with which to query the database and at least one fixed Wifi signal. (I still think this is pretty awesome for a glorified MP3 player.)

Google uses a similar method for their Android devices when GPS is unavailable. It located me in a downtown Chicago hotel within a few feet, with no GPS fix, but so far hasn't been as generally accurate as what I experienced with Skyhook's service on the old iPod.

Wigle can be used for similar stuff, these days, and caters to those who enjoy wardriving.

And there are others...

Your ex girlfriend's access point's MAC address is not entirely unlikely to already be searchable on wigle.net.

(Her client devices' MAC addresses are another story, though -- you might find out where her Linksys box lives, but you won't discover which gym she goes to.)

In case MS does take theirs down, don't forget the biggest and oldest community-built database of wireless networks: Wigle.net

Long before MS, Google, or Skyhook wardrivers have been working in concert on their own time and dime to contribute over 40 million geolocated networks worldwide. A few thousand of those were first done by me in fact, though I haven't contributed in years.

Check out WiGLE: http://wigle.net/

I can break down some of the numbers for you: linky link

Unique wifi networks in DB: 31,592,538
Unique networks w/ location: 30,576,668
Unique wifi locations in DB: 1,211,718,307
Unique cell towers in DB: 25,696

Networks with crypto: 16,194,355 (51.2%)
Networks without crypto: 8,295,965 (26.2%)
Networks crypto unknown: 7,102,218 (22.4%)
Networks with default SSID: 3,181,785 (10.0%)
New unique networks today: 35,224
New today with location: 35,221
New yesterday with location: 38,447

By manufacturer:

Linksys 2846742 9.010%
D-Link 1365841 4.323%
Cisco 1225600 3.879%
Dell 909165 2.877%
Netgear 849644 2.689%
Belkin 486015 1.538%
2wire 458674 1.451%
Symbol 322504 1.020%
Apple Computer 243631 0.771%

I can break down some of the numbers for you: linky link

Unique wifi networks in DB: 31,592,538
Unique networks w/ location: 30,576,668
Unique wifi locations in DB: 1,211,718,307
Unique cell towers in DB: 25,696

Networks with crypto: 16,194,355 (51.2%)
Networks without crypto: 8,295,965 (26.2%)
Networks crypto unknown: 7,102,218 (22.4%)
Networks with default SSID: 3,181,785 (10.0%)
New unique networks today: 35,224
New today with location: 35,221
New yesterday with location: 38,447

By manufacturer:

Linksys 2846742 9.010%
D-Link 1365841 4.323%
Cisco 1225600 3.879%
Dell 909165 2.877%
Netgear 849644 2.689%
Belkin 486015 1.538%
2wire 458674 1.451%
Symbol 322504 1.020%
Apple Computer 243631 0.771%

Uh, what?

Even assuming the commercial providers (Skyhook et al.) are unwilling to contract a reasonable price for such access to their databases as the agencies need... Why in hell would they not grab the relevant mappacks from http://wigle.net/ like everyone else (i.e. me) does?

Must be some good weed, chum.

You can't realistically expect users to know how to configure this stuff and it doesn't actually cost the company anything extra.

Actually, I can expect that. And I can even show you a pretty graph that indicates folks are doing an increasingly better job with encrypting their wireless networks.

As an anecdote, my own experiences with wardriving in small-town Ohio have been interesting to me. Some towns and neighborhoods are full of wide-open networks. Some are almost completely locked-down. Some people will have two SSIDs for their house, like a WPA-protected network called "Jones" and a second non-encrypted "Jones Guest".

And there's plenty of savvy people out there who even give different family members their own encrypted WLANs, judging from the SSIDs that I see.

Generally speaking, I've seen folks make good progress over the past few years. Gone are the days when I could just open my laptop in any old neighborhood, pick one of several "linksys" APs, and get Internet access.

Isn't this just looking at wardriving data that was submitted to various wardriving geolocation databases?

1) You broadcast your wireless MAC to the universe via wireless.
2) Dude picks it up on a wardrive scan.
3) Dude uploads his logs to http://wigle.net/ or some other database.
4) Google gets data from these databases (how?) and puts it into their geolocation database

I know I've uploaded my own wireless MAC to wigle before, so no help there. Then again, I have an android phone that connects to my wireless router. Perhaps when your android device has a GPS lock and is connected to a wireless router, it uploads the wireless MAC and current lat/lon values to the Great Google Database in the Sky? That wouldn't surprise me at all.

I tried putting in my WIRED and LAN MAC addresses into the proof of concept website and it put them in locations a thousand miles away (Maryland and New York).

wigle.net

Don't mess with those johnnies-come-lately that those others have mentioned above, wigle.net is the oldest and largest open database of access points, and they too have an Android app as well as many other clients.

Over 22 MILLION access points and counting, biatch.

My nickname is personally identifiable to anybody willing to do a few minutes of work and has a few brain cells to rub together. I'm not hiding, but I'm not doing anybody's work for them. In fact, the SSID of my wireless at home is the address of my Slashdot profile page. (And at some point when I get back into volunteering time and points for Wigle, my Slashdot identity will be attached to the physical location of my house at least in one publicly accessible place.)

Dude, compared to Wigle, that site is pathetic with a capital 'P'.

I really hope no one tells Congress about WiGLE.

It's naive to think that only Google can collect your wifi info. People are probably doing so in your town already. Check out sites like this one. My ESSID appears listed there in each of the places I've rented over the last 4 years or so.

Is that a problem? I don't think so. Secure your network if you're concerned about it.

I approach the whole thing with a big "meh."

The common Slashdot mindsets of "teh Gubament shouldn't have that data!!" and "if they didn't want anyone to see it, folks should've encrypted it!!" are not mutually exclusive.

Fact is, if the government(s) really wanted to sniff cleartext data broadcast via Wifi, they'd be doing it. In fact, I'd be very surprised if they haven't been sniffing things for a long time.

So if someone else happens to gather up some cleartext data by accident, and the government(s) demand it to be delivered to them, all I can say is this: Gosh, folks. As far as we can tell, WPA2 with AES is plenty safe at the moment, and you're a fool if you're using neither that nor some other form of encryption. And while I don't think that the government(s) should be able to do demand that the data be turned over to them, it is rather in-keeping with the general rule of things: When the government learns that you have a pile of stuff that doesn't belong to you, do they simply ask you to destroy it? No! They take it away.

Meanwhile, I've been doing a lot of wardriving for a while, recording SSIDs, BSSIDs, and GPS coordinates on my Droid, just because it's interesting to me. Even in the short time (half a year, or so) that I've been doing this, I've seen a big increase in encryption usage in my area. This is a Good Thing, An important unintended side-effect of stories about this Google oops is that they will certainly help keep the trend toward encryption moving.

And now that you mention it, here's Wigle.net's map of linksys SSIDs.

WiGLE

How about some prior art ??

http://wigle.net/gps/gps/main/download/

This has been running for years

I'm not endorsing Google's collection, but aren't people who openly broadcast their data be at least *a little* at fault here?

No. I would be "a little at fault" if I use apps to willingly disclose my static IP and MAC on a forum. By default we expect the broadcast signal to cease to exist beyond reasonable ranges. The problem at hand is that at least 1 in 2 /. geeks doesn't even know about AP Geomapping sites like wigle. Suddenly my witty AP name is accessible to anyone who knows where I live. Lack of knowledge means potential for misuse, even if a name isn't particulary helpful to most people today. The stakes always change when your joke is visible at a global scale, as shown by public outcry over Facebook's recent default privacy blunders.

Remember how Windows 2000 users we not at fault for buying a system lacking a firewall out of the box. Microsoft itself was at fault, but only technically because they stood idle while Blaster and other worms took advantage of open ports in our baby internet days. John Q. Public cannot be "at fault" for the openness of access points. De-facto policies are at a sweet spot without hiding the AP name; not all people who use or buy a wireless router can grok the why or how "hidden wireless" works. They just want to pay for their new "phone/internet bundle service thing" and plug and play their equipment. The past 5 years have already brought us WAP encryption-on-first-run wizards.

Router makers will have a big problem with user feedback if their wizards hide AP names on the very same day of purchase. Brand new customers are savvy enough to use WPA keys. They aren't savvy to "find" and troubleshoot a "hidden by default" AP from their iPod, phone, PSP or laptop. Most buyers will return units that they can't connect to, ignoring how it would be "more secure." Blame the industry, because you can't solve social problems without more technology these days.

The I guess WiGle.net is doing something wrong. http://wigle.net/images/rigled-images/europe.png

I would so mod you up if I could. In addition to companies like Skyhook, private hobbyist groups like Wigle have been doing this for years. Wigle is up to 20 million logged and geolocated APs. And if you download their client and play with the request constraints enough, you could retrieve every one of those entries with a little patience.

There's a far better resource here anyway:
http://wigle.net/gps/gps/main/ssidstats

        1967466 9.481%
linksys 1767274 8.516%
default 543979 2.621%
NETGEAR 499542 2.407%
Belkin54g 230670 1.111%
no_ssid 215863 1.040%
Wireless 201520 0.971%
hpsetup 154749 0.745%
WLAN 99567 0.479%
DLINK 85869 0.413%
ACTIONTEC 82937 0.399%
home 80043 0.385%
        70417 0.339%
Free Public WiFi 56769 0.273%

http://wigle.net/gps/gps/Map/onlinemap2/

Combine it with a GPS and join the thousands of people already doing this and contribute to this site.