Dark Reading is part of the Informa Tech Division of Informa PLC


Ken Munro

‘Walk & Stalk’: A New Twist In Cyberstalking

How hackers can turn WiFi signals from smartphones and tablets into a homing beacon that captures users' online credentials and follows them, undetected, throughout the course of the day.

We’re all familiar with the tales of cyber stalking where victims are mercilessly pursued by trolls. But most of us are unaware that the mobile device in our pocket could expose us to stalker attacks in the real world.

Walk-and-stalk attacks use the signals emitted by a mobile device such as a smartphone or tablet to pinpoint a specific individual in a given location. Armed with the right equipment it’s possible not only to detect these signals but to capture the user’s online credentials, and determine his daily habits, where he goes to work, what time he clocks on and off, and even where he lives.

Devices that connect to wireless networks routinely emit probe requests to determine whether a WiFi network is in the vicinity and to identify suitable hotspots for the user to connect to. This is a continuous process, with the device performing sweeps every few minutes, and it’s this process that can be abused to track the user and his movements.

Perhaps you want to determine which workers are in a particular office, for instance. By walking past the office with a software tool such as Airodump on a laptop or tablet it is possible to listen for the probe requests sent out by the smart device. This will, of course, collect all of the devices in the vicinity, including those from people walking past, in cars, or on buses, resulting in a mass of data.

How it works
We recently tried this during a five-minute walk down a busy London street in Whitehall and found more than a thousand clients making probe requests. On this particular exercise we narrowed down the data to individual probe requests by simply performing the scan again to deduce which devices were static, meaning there was a high probability they were working in offices nearby. This kind of information is liable to be highly valuable if you’re into subversive political activities, hacktivism, or even terrorism.

The multiple scan technique is surprisingly effective. By leaving it an hour or two before doing a second scan we identified the static devices, as opposed to those moving out of range as they walk/drive/bus off to somewhere else. An hour later and a third sample after office closing time revealed which devices were absent. All the wireless clients that were consistent between scans one and two were therefore likely to be inside the office we were interested in. If they disappeared in scan three, after the office was shut, there’s an even higher probability those wireless devices were owned by staff.

Once we had isolated the device and its probe requests, we were able to deduce information about the user. By looking at sites such as WIGLE.net, it’s possible to work out where the user lives and works (the home access points the clients were probing for are often mapped during scans, revealing their GPS coordinates). The end result gave us concrete evidence on who was working in the vicinity at that time and where they would be headed after work.

Now the good news
That said, this attack is by no means always effective, particularly if the network names (SSIDs) probed for aren’t unique, or aren’t on the WIGLE database of war drives. If the hacker’s efforts are thwarted by a lack of auxiliary information, there are other variations of the Walk-and-Stalk attack at their disposal, however. Having searched for and locked on to a probe request and MAC address, the hacker could simply follow that person, keeping within range so that the signal strength does not drop. An interesting variation on this would be for a drone to follow a wireless target, although this would almost certainly require triangulation to maintain contact.

Tailing a probe-emitting device does require a reliable connection or triangulation to maintain contact, however. This version of the attack works better if there are multiple receiving stations in the locality, say, one at the top of Whitehall and one at the bottom, enabling the hacker to track the MAC going past each. Directional antennae can help, although such equipment can be conspicuous.

The third and final method of performing a Walk-and-Stalk attack is to spoof the SSIDs being probed for. Using a tool such as SSLStrip, the hacker simply sits and waits to perform a Man In The Middle (MITM) attack, grabbing the credentials of passersby pertaining to email, social networks etc. This attack forces a victim's browser into communicating with an adversary in plain text over HTTP, and the adversary proxies the modified content from an HTTPS server. To do this, SSLStrip is "stripping" secure https:// web links, turning them into common or garden-variety http:// URLs. Simple but effective and highly illegal, and a complete violation of the Computer Misuse Act, we might add.

All of these attacks use the probe requests sent by the innocent-looking smartphone or tablet in your pocket, not only betraying our location at the point of capture but also potentially where we live and work. Aside from the political ramifications of our own Whitehall excursion, Walk-and-Stalk attacks pose a very real threat to business as they could be used to target high-status individuals or staff that work for companies holding valuable information, potentially resulting in harassment, kidnapping, assault, or theft.

Thankfully, this type of attack is simple to prevent. By turning off the WiFi on the mobile device when it is not in use, probe requests will not be sent, ensuring your device doesn’t act like a homing beacon and protecting your anonymity.
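Before switching WiFi off wholesale, it helps to know which of your own devices are actually leaking. The script below is an added example (not the article's or Pen Test Partners' code): it reads an airodump-ng style client CSV captured from your own fleet and reports which stations send directed probes for identifiable SSIDs from a stable MAC address. The CSV column layout, the default-SSID pattern (built around the article's BT-ADSL-F534D example) and the sample rows are assumptions and constructed data.

```python
"""Self-audit of probe-request exposure from an airodump-ng style station CSV."""
import csv
import io
import re

# Constructed sample in airodump-ng's station-section layout; each probed ESSID
# appears as a further column after "Probed ESSIDs". Three stations, one of which
# uses a randomized (locally administered) MAC and probes for nothing.
SAMPLE_CSV = """Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2014-11-12 09:00:01, 2014-11-12 09:04:59, -61, 42, (not associated), BT-ADSL-F534D,Smith Family Wifi
DA:A1:19:00:12:34, 2014-11-12 09:01:10, 2014-11-12 09:03:30, -70, 7, (not associated), 
F0:99:BF:11:22:33, 2014-11-12 09:02:00, 2014-11-12 09:04:10, -55, 19, (not associated), CafeGuest
"""

# Assumed heuristic for ISP/router default names that map straight back to one
# household (the article's example is BT-ADSL-F534D); extend for your region.
DEFAULT_SSID_RE = re.compile(
    r"^(BT-?(ADSL|HUB|Home)|SKY|TALKTALK|VM|NETGEAR|TP-?LINK|Linksys)[-_ ]?[0-9A-F]{4,}$", re.I)
MAC_RE = re.compile(r"(?i)[0-9a-f]{2}(:[0-9a-f]{2}){5}")


def is_randomized_mac(mac: str) -> bool:
    """True when the locally-administered bit (bit 1 of the first octet) is set,
    which is what OS-level MAC randomization produces."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def audit_probes(csv_text: str) -> dict:
    """Map each station MAC to its randomization flag, probed SSIDs and default-looking SSIDs."""
    report = {}
    for row in csv.reader(io.StringIO(csv_text)):
        cells = [c.strip() for c in row]
        if len(cells) < 7 or not MAC_RE.fullmatch(cells[0]):
            continue  # header, blank or malformed line
        mac = cells[0].upper()
        ssids = [s for s in cells[6:] if s]
        report[mac] = {
            "randomized": is_randomized_mac(mac),
            "ssids": ssids,
            "default_ssids": [s for s in ssids if DEFAULT_SSID_RE.match(s)],
        }
    return report


def exposed_stations(report: dict) -> list:
    """Stations to fix first: stable MAC plus an ISP-default SSID, the combination
    that lets a war-driving database resolve the probe to a street address."""
    return sorted(m for m, r in report.items() if r["default_ssids"] and not r["randomized"])


if __name__ == "__main__":
    rep = audit_probes(SAMPLE_CSV)
    for mac, r in rep.items():
        print(mac, "randomized" if r["randomized"] else "stable", r["ssids"], r["default_ssids"])
    print("Fix first:", exposed_stations(rep))
```

For a flagged station, the fix is the one the article gives: rename the home access point to something generic and disable automatic connection so the device stops probing for it.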

Ken Munro is Partner and Founder of Pen Test Partners LLP, a firm of experienced penetration testers, all of whom have a stake in the business. He regularly blogs on everything from honeypots to hacking cars and also writes for various newspapers and industry magazines in an ...
User Rank: Apprentice
1/21/2015 | 5:19:39 AM
Thanks for this article, this might look simple but really everybody has to know about it.

Good job.
User Rank: Apprentice
11/12/2014 | 9:46:06 AM
Re: How prevalent?
Hi Marilyn, good question. There are a number of reasons to turn WiFi off when you're not using it:

1: your battery will usually last longer with Wi-Fi off

2: mobile data is sometimes faster than Wi-Fi, particularly 4G when compared to an overloaded ADSL connection in a coffee shop (because someone else is streaming!)

3: mobile data is almost always more secure than Wi-Fi. It's more to do with the way one connects to Wi-Fi though, rather than the encryption

4: Client probe requests do give away information about you and allow you to be tracked. The security services and phone companies can do this using GSM, but anyone can track you using Wi-Fi

5: you can mitigate the Wi-Fi tracking fairly easily, but hardly anyone does:

- set a generic SSID (name) for your access points. Not defaults like BT-ADSL-F534D or similar, as they facilitate tracking you back to your home or office

- don't allow your devices to send client probe requests - that can be done by switching off settings like 'look for access points automatically' or 'connect automatically' or similar in your wireless client config.

I was sat on a plane before take-off recently, before the door was closed, so fired up a listener quickly. I saw over 50 devices still sending probe requests. I could work out the home addresses in the UK for at least 10 of those. Who has an empty house because they're just leaving on a business trip... Who would be easiest to burgle...

What about firing up a listener whilst in a family holiday destination? Look for mobile devices sending probe requests, trace the home address using wigle.net or similar, pass to criminals back home, burgle empty house...

I for one think it's worth turning Wi-Fi off when not in use
Marilyn Cohodas,
User Rank: Strategist
11/12/2014 | 9:34:21 AM
Re: How prevalent?
LOL, Not likely (as far as I know!)
User Rank: Ninja
11/12/2014 | 9:32:47 AM
Re: How prevalent?
I don't think this is something the average person needs to be worried about unless you suspect you are being stalked by someone with significant tech savvy.
Marilyn Cohodas,
User Rank: Strategist
11/12/2014 | 8:09:33 AM
How prevalent?
Ken, Thanks for this great expose of the potential harm from the simple devices we use every day. But how concerned should the average person really be? Do I really need to turn off the Wifi when I'm out and about in public?