Dark Reading | Mobile | Commentary
11/11/2014 10:30 AM
Ken Munro

‘Walk & Stalk’: A New Twist In Cyberstalking

How hackers can turn the Wi-Fi signals from smartphones and tablets into a homing beacon that captures users' online credentials and follows them, undetected, throughout the course of the day.

We’re all familiar with the tales of cyber stalking where victims are mercilessly pursued by trolls. But most of us are unaware that the mobile device in our pocket could expose us to stalker attacks in the real world.

Walk-and-stalk attacks use the signals emitted by a mobile device such as a smartphone or tablet to pinpoint a specific individual in a given location. Armed with the right equipment it’s possible not only to detect these signals but to capture the user’s online credentials, and determine his daily habits, where he goes to work, what time he clocks on and off, and even where he lives.

Devices that connect to wireless networks routinely emit probe requests to discover whether a Wi-Fi network is within range and to identify suitable hotspots for the user to connect to. Each probe request carries the device's MAC address and, where the device is looking for a network it has saved, that network's name (SSID). This is a continuous process, with the device performing sweeps every few minutes, and it is this process that can be exploited to track the user and his movements.

Perhaps you want to determine which workers are in a particular office, for instance. By walking past the office with a laptop or tablet running a tool such as airodump-ng (from the Aircrack-ng suite) with a wireless card in monitor mode, it is possible to listen for the probe requests sent out by nearby smart devices. This will, of course, collect every device in the vicinity, including those belonging to people walking past, in cars, or on buses, resulting in a mass of data.

How it works
We recently tried this during a five-minute walk down Whitehall, a busy London street, and found more than a thousand clients making probe requests. On this particular exercise we narrowed the data down by simply performing the scan again and deducing which devices were static, meaning there was a high probability their owners were working in offices nearby. This kind of information is likely to be highly valuable to anyone engaged in subversive political activity, hacktivism, or even terrorism.

The multiple-scan technique is surprisingly effective. By leaving it an hour or two before doing a second scan, we separated the static devices from those that had moved out of range as their owners walked, drove or bussed off somewhere else. A third sample an hour later, after office closing time, revealed which devices were now absent. All the wireless clients seen in both scans one and two were therefore likely to be inside the office we were interested in; if they had disappeared by scan three, after the office had shut, there was an even higher probability that those devices belonged to staff.

Once we had isolated a device and its probe requests, we were able to deduce information about the user. Directed probe requests name the networks the device has saved, and a wardriving database such as WiGLE.net maps observed SSIDs to the GPS coordinates where they were recorded. If a device is probing for a distinctive SSID, say the default name of a home router, a lookup can reveal where that network, and hence the user's home, is. The end result gave us a strong indication of who was working in the vicinity at that time and where they would be headed after work.
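The three-scan differencing and the SSID shortlist for a WiGLE lookup, as an added worked example that is not the author's tooling or part of the original article. It runs on constructed probe-request observations rather than a live capture; in practice each scan would be the (client MAC, probed SSID) pairs pulled from a capture tool such as airodump-ng, and the WiGLE step is left as the list of names worth searching. The MAC addresses, the SSIDs and the generic-SSID list are all assumptions made up for the example.

```python
"""Three-scan differencing of Wi-Fi probe requests.

Added example for the article; not the author's tooling. The observations
below are constructed: in practice each scan would be the (client MAC,
probed SSID) pairs pulled from a capture tool such as airodump-ng, and an
empty SSID means a broadcast probe that names no network.
"""

# Network names shared by thousands of hotspots: a probe for one of these
# tells you nothing about where the user lives. The list is an assumption.
GENERIC_SSIDS = {"BTWiFi", "BTWifi-with-FON", "The Cloud", "O2 Wifi",
                 "attwifi", "xfinitywifi", "Free WiFi"}


def clients_in(scan):
    """Set of client MAC addresses seen at least once in a scan."""
    return {mac for mac, _ in scan}


def static_clients(scan_1, scan_2):
    """Present in both daytime scans an hour or two apart, so probably not
    just passing by on foot, in a car or on a bus."""
    return clients_in(scan_1) & clients_in(scan_2)


def likely_staff(scan_1, scan_2, scan_3_after_hours):
    """Static during the day and gone once the office has shut."""
    return static_clients(scan_1, scan_2) - clients_in(scan_3_after_hours)


def probed_ssids(scans, mac):
    """Every network name a client asked for across all scans."""
    return {ssid for scan in scans for m, ssid in scan if m == mac and ssid}


def lookup_candidates(scans, mac):
    """SSIDs worth searching in a wardriving database such as WiGLE: a
    distinctive name such as a router default. Generic hotspot names and
    broadcast probes are dropped."""
    return {s for s in probed_ssids(scans, mac) if s not in GENERIC_SSIDS}


def report(scan_1, scan_2, scan_3_after_hours):
    """Map each likely staff device to the SSIDs to look up; an empty set
    means the device only probed for generic networks or for none at all."""
    scans = (scan_1, scan_2, scan_3_after_hours)
    return {mac: lookup_candidates(scans, mac)
            for mac in sorted(likely_staff(scan_1, scan_2, scan_3_after_hours))}


# Constructed observations. A and B are office workers, C a passer-by,
# D a device that is static all day (a neighbouring shop, say) and E a
# device that arrives at midday and is still there in the evening.
A, B, C, D, E = ("02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c",
                 "02:00:00:00:00:0d", "02:00:00:00:00:0e")

SCAN_1_MORNING = [(A, "HomeHub-7F2A"), (A, ""), (B, "BTWiFi"), (C, "CafeGuest"), (D, "")]
SCAN_2_MIDDAY = [(A, "HomeHub-7F2A"), (B, "BTWiFi"), (B, ""), (D, ""), (E, "SKY1234A")]
SCAN_3_EVENING = [(D, ""), (E, "SKY1234A")]

if __name__ == "__main__":
    for mac, ssids in report(SCAN_1_MORNING, SCAN_2_MIDDAY, SCAN_3_EVENING).items():
        print(mac, "->", sorted(ssids) or "nothing distinctive to look up")
```

Device B ends up with an empty shortlist because it only ever asked for a generic hotspot name, which is exactly the case where the database lookup fails and the attacker has to fall back on following the device physically.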

Now the good news
That said, this attack is by no means always effective, particularly if the network names (SSIDs) probed for aren't unique, or aren't in the WiGLE database of war drives. If the hacker's efforts are thwarted by a lack of auxiliary information, however, there are other variations of the Walk-and-Stalk attack at their disposal. Having searched for and locked on to a probe request and MAC address, the hacker could simply follow that person, keeping within range so that the signal strength does not drop. An interesting variation on this would be for a drone to follow a wireless target, although this would almost certainly require triangulation to maintain contact.

Tailing a probe-emitting device does require a reliable signal or triangulation to maintain contact, however. This version of the attack works better if there are multiple receiving stations in the locality, say, one at the top of Whitehall and one at the bottom, enabling the hacker to log the MAC address as it passes each. Directional antennae can help, although such equipment can be conspicuous.

The third and final method of performing a Walk-and-Stalk attack is to spoof the SSIDs being probed for: a rogue access point answers to the network names it hears in probe requests, so the victim's device joins it automatically, believing it is at home or at work. With the victim's traffic flowing through the rogue access point, the hacker simply sits and waits to perform a Man In The Middle (MITM) attack using a tool such as SSLStrip, grabbing the credentials of passers-by for email, social networks and so on. SSLStrip keeps the victim's browser talking to the adversary in plain text over HTTP while the adversary talks HTTPS to the real server and proxies the content back, "stripping" the secure https:// links in the pages it relays and turning them into common or garden-variety http:// URLs. A key defence against this downgrade is HTTP Strict Transport Security (HSTS): a browser that has already recorded an HSTS policy for the site, or ships with the site on its preload list, will refuse to make the plaintext request at all, so the attack works best against sites that don't set the policy and against first-time visitors to sites that do. Simple but effective and highly illegal, and a complete violation of the Computer Misuse Act, we might add.
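An added model of the downgrade and of the HSTS defence, written for this article rather than taken from SSLStrip or from the author: the link-stripping step is a simplified version of what the proxy does to the pages it relays, and the HSTS store follows the RFC 6797 rules for max-age, includeSubDomains and preloaded hosts. The host names, header values and preload entry are constructed for the example.

```python
"""Model of an SSL-stripping downgrade versus an HSTS-aware browser.

Added example for the article; not SSLStrip's code. Host names, header
values and the preload entry below are constructed.
"""
import re

HTTPS_REF = re.compile(r"https://", re.IGNORECASE)


def strip_https(page_html):
    """What the stripping proxy does to a page before relaying it in plaintext:
    every https:// reference becomes http://, so the victim's next click is
    also plaintext and also flows through the proxy."""
    return HTTPS_REF.sub("http://", page_html)


class HstsStore:
    """Simplified browser HSTS store: host -> (expiry time, includeSubDomains).

    Preloaded hosts never expire and cover their subdomains, as on the real
    preload list (the entry used below is constructed)."""

    def __init__(self, preload=()):
        self.entries = {host.lower(): (float("inf"), True) for host in preload}

    def observe(self, host, headers, now):
        """Record a Strict-Transport-Security header. A browser only honours
        the header on a response that arrived over HTTPS, which is exactly the
        response a stripped victim never sees."""
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name = name.lower()
            if name == "max-age":
                max_age = int(arg.strip().strip('"'))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:          # no max-age: malformed, ignored per RFC 6797
            return
        host = host.lower()
        if max_age == 0:             # max-age=0 clears the policy
            self.entries.pop(host, None)
        else:
            self.entries[host] = (now + max_age, include_sub)

    def must_upgrade(self, host, now):
        """True if a known, unexpired policy forbids plaintext to this host."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry > now and (i == 0 or include_sub):
                return True
        return False


def navigate(store, url, now):
    """Scheme the browser actually uses for a navigation the page asked for."""
    scheme, _, rest = url.partition("://")
    host = rest.split("/", 1)[0]
    if scheme.lower() == "http" and store.must_upgrade(host, now):
        return "https://" + rest
    return url


if __name__ == "__main__":
    login_page = '<a href="https://mail.example.com/login">Sign in</a>'
    stripped = strip_https(login_page)
    print(stripped)
    fresh = HstsStore()
    # First visit through the proxy: no policy yet, the stripped link is followed as-is.
    print(navigate(fresh, "http://mail.example.com/login", now=0))
    # After one genuine HTTPS visit that carried the header, the same link is upgraded.
    fresh.observe("example.com",
                  {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                  now=0)
    print(navigate(fresh, "http://mail.example.com/login", now=60))
```

The two navigations in the usage block show the failure mode the article relies on: the stripped link is followed in plaintext only while the browser has no policy for the host, which is why the attack is most dangerous on a victim's first visit to a site and harmless once a policy (or a preload entry) is in place.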

All of these attacks use the probe requests sent by the innocent-looking smartphone or tablet in your pocket, not only betraying our location at the point of capture but also potentially where we live and work. Aside from the political ramifications of our own Whitehall excursion, Walk-and-Stalk attacks pose a very real threat to business as they could be used to target high-status individuals or staff that work for companies holding valuable information, potentially resulting in harassment, kidnapping, assault, or theft.

Thankfully, this type of attack is simple to prevent. By turning off the Wi-Fi on the mobile device when it is not in use, probe requests will not be sent, ensuring your device doesn't act like a homing beacon and protecting your anonymity. Forgetting saved networks you no longer use helps too, since a device only names a network in its probe requests if that network is still stored in its configuration.

Ken Munro is Partner and Founder of Pen Test Partners LLP, a firm of experienced penetration testers, all of whom have a stake in the business. He regularly blogs on everything from honeypots to hacking cars and also writes for various newspapers and industry magazines in an ...

Comments
Seza, User Rank: Apprentice, 1/21/2015 | 5:19:39 AM
Interesting!
Thanks for this article. This might look simple, but really everybody has to know about it.

Good job.
Ken_Munro, User Rank: Apprentice, 11/12/2014 | 9:46:06 AM
Re: How prevalent?
Hi Marilyn, good question. There are a number of reasons to turn WiFi off when you're not using it:

1: your battery will usually last longer with Wi-Fi off

2: mobile data is sometimes faster than Wi-Fi, particularly 4G when compared to an overloaded ADSL connection in a coffee shop (because someone else is streaming!)

3: mobile data is almost always more secure than Wi-Fi. It's more to do with the way one connects to Wi-Fi though, rather than the encryption

4: Client probe requests do give away information about you and allow you to be tracked. The security services and phone companies can do this using GSM, but anyone can track you using Wi-Fi

5: you can mitigate the Wi-Fi tracking fairly easily, but hardly anyone does:

- set a generic SSID (name) for your access points. Not defaults like BT-ADSL-F534D or similar, as they facilitate tracking you back to your home or office

- don't allow your devices to send client probe requests - that can be done by switching off settings like 'look for access points automatically' or 'connect automatically' or similar in your wireless client config.

I was sat on a plane before take-off recently, before the door was closed, so fired up a listener quickly. I saw over 50 devices still sending probe requests. I could work out the home addresses in the UK for at least 10 of those. Who has an empty house because they're just leaving on a business trip... Who would be easiest to burgle...

What about firing up a listener whilst in a family holiday destination? Look for mobile devices sending probe requests, trace the home address using wigle.net or similar, pass to criminals back home, burgle empty house...

I for one think it's worth turning Wi-Fi off when not in use
Marilyn Cohodas, User Rank: Strategist, 11/12/2014 | 9:34:21 AM
Re: How prevalent?
LOL, Not likely (as far as I know!)
Bprince, User Rank: Ninja, 11/12/2014 | 9:32:47 AM
Re: How prevalent?
I don't think this is something the average person needs to be worried about unless you suspect you are being stalked by someone with significant tech savvy.
Marilyn Cohodas, User Rank: Strategist, 11/12/2014 | 8:09:33 AM
How prevalent?
Ken, Thanks for this great expose of the potential harm from the simple devices we use every day. But how concerned should the average person really be? Do I really need to turn off the Wifi when I'm out and about in public?