We’re all familiar with the tales of cyber stalking where victims are mercilessly pursued by trolls. But most of us are unaware that the mobile device in our pocket could expose us to stalker attacks in the real world.
Walk-and-stalk attacks use the signals emitted by a mobile device such as a smartphone or tablet to pinpoint a specific individual in a given location. Armed with the right equipment it’s possible not only to detect these signals but to capture the user’s online credentials, and determine his daily habits, where he goes to work, what time he clocks on and off, and even where he lives.
Devices that connect to wireless networks routinely emit probe requests to determine if a WiFi network is within the vicinity and to identify suitable hotspots for the user to connect to. This is a continuous process, with the device performing sweeps every few minutes, and it’s this process that can be circumvented and used to track the user and his movements.
Perhaps you want to determine which workers are in a particular office, for instance. By walking past the office with a software tool such as Airodump on a laptop or tablet it is possible to listen for the probe requests sent out by the smart device. This will, of course, collect all of the devices in the vicinity, including those from people walking past, in cars, or on buses, resulting in a mass of data.
How it works
We recently tried this during a five-minute walk down a busy London street in Whitehall and found more than a thousand clients making probe requests. On this particular exercise we narrowed down the data to individual probe requests by simply performing the scan again to deduce which devices were static, meaning there was a high probability they were working in offices nearby. This kind of information is liable to be highly valuable if you’re into subversive political activities, hacktivism, or even terrorism.
The multiple scan technique is surprisingly effective. By leaving it an hour or two before doing a second scan we identified the static devices, as opposed to those moving out of range as they walk/drive/bus off to somewhere else. An hour later and a third sample after office closing time revealed which devices were absent. All the wireless clients that were consistent between scans one and two were therefore likely to be inside the office we were interested in. If they disappeared in scan three, after the office was shut, there’s an even higher probability those wireless devices were owned by staff.
Once we had isolated the device and its probe requests, we were able to deduce information about the user. By looking at sites such as WIGLE.net, it’s possible to work out where the user lives and works (the home access points the clients were probing for are often mapped during scans, revealing their GPS coordinates). The end result gave us concrete evidence on who was working in the vicinity at that time and where they would be headed after work.
Now the good news
That said, this attack is by no means always effective, particularly if the network names (SSIDs) probed for aren’t unique, or aren’t on the WIGLE database of war drives. If the hacker’s efforts are thwarted by a lack of auxiliary information, there are other variations of the Walk-and-Stalk attack at their disposal, however. Having searched for and locked on to a probe request and MAC address, the hacker could simply follow that person, keeping within range so that the signal strength does not drop. An interesting variation on this would be for a drone to follow a wireless target, although this would almost certainly require triangulation to maintain contact.
Tailing a probe-emitting device does require a reliable connection or triangulation to maintain contact, however. This version of the attack works better if there are multiple receiving stations in the locality, say, one at the top of Whitehall and one at the bottom, enabling the hacker to track the MAC going past each. Directional antennae can help, although such equipment can be conspicuous.
The third and final method of performing a Walk-and-Stalk attack is to spoof the SSIDs being probed for. Using a tool such as SSLStrip, the hacker simply sits and waits to perform a Man In The Middle (MITM) attack, grabbing the credentials of passersby pertaining to email, social networks etc. This attack forces a victim's browser into communicating with an adversary in plain text over HTTP, and the adversary proxies the modified content from an HTTPS server. To do this, SSLStrip is "stripping" secure https:// web links, turning them into common or garden-variety http:// URLs. Simple but effective and highly illegal, and a complete violation of the Computer Misuse Act, we might add.
All of these attacks use the probe requests sent by the innocent-looking smartphone or tablet in your pocket, not only betraying our location at the point of capture but also potentially where we live and work. Aside from the political ramifications of our own Whitehall excursion, Walk-and-Stalk attacks pose a very real threat to business as they could be used to target high-status individuals or staff that work for companies holding valuable information, potentially resulting in harassment, kidnapping, assault, or theft.
Thankfully, this type of attack is simple to prevent. By turning off the WiFi on the mobile device when it is not in use, probe requests will not be sent, ensuring your device doesn’t act like a homing beacon and protecting your anonymity.