This is how smartphones, tablets and other portable devices can give away information on your habits and movements that you would rather not see disclosed to the wrong people.
I think every one of us knows the feeling of insecurity when leaving property unattended, especially if it is our home. Even leaving a note for the delivery guys is generally avoided, as criminals might use it as a hint that nobody is home. But are you sure that the measures you are taking are really as effective as you think?
While you are taking extreme care not to make it too obvious that nobody is home, installing gadgets and timers to switch lights on and off dynamically, it might be the invisible hint in the air that gives away details on your presence or absence. Two decades ago only a few wireless devices existed, and these were usually built into stationary hardware such as home computers and routers. With the booming market for portable devices, however, exclusively stationary use has vanished. Today almost every smartphone user has a lightweight, portable, Wifi-enabled device, and to avoid data-transfer charges or exceeding flatrate limits, most users are more than happy to have the smartphone signed in to the home network instead of using the cellphone network (3G/4G, whatever).
This is where the issues start. Most people just use Wifi technology without knowing everything about it that they should be aware of. In particular, most people do not know that anyone within range can passively listen to the network traffic. Even if the attacker is not able to decrypt the traffic because the network owner has enabled encryption on the network, the attacker can still see which devices are present in the network at a given time.
For example:
I have about 6 Wifis in my neighborhood. Before writing this blog post I took a closer look at one of the networks. The house is in view from my office, therefore it is easy to get a visual impression of who is leaving or coming back. After just a few hours of monitoring the clients registered on the network I was able to determine which types of smartphone are used, who is using a smartphone with a certain MAC address, and who is in the house by their smartphone (usually in their trouser pocket) communicating with the local Wifi router.
How does all this work?
I will try to explain it in an easy way without getting too much into technical depth. Imagine you had 3 houses, each house has a specific color; let's say we use the following model:
House A – RED
House B – YELLOW
House C – GREEN
Just as seen on the image below.
The color essentially is the MAC address of the router, which is more or less unique and therefore a great item for gathering information. Each network device has a MAC address, which is its hardware identifier; it can be changed if needed, but the standard user won't touch it. This brings us to the next step… the portable devices.
Knowing that each device has a MAC address, devices can be identified based on that data. Instead of using MAC addresses, we will be using fruit names. This will make it easier to understand the model. Let's say we have 2 devices in each house:
House A – RED -> Peach and Orange
House B – YELLOW -> Apple and Banana
House C – GREEN -> Citron and Pear
Now when the users are in the house the mobile devices connect to the home network, meaning the fruits are put into a basket of the color of the house. For example “Peach and Orange” would be in the “RED basket”, as the smartphones of the users in House A are in the RED color network.
In our symbolic approach the image would change to look like the one below, once all client devices have connected to their home networks:
As I said before, the attackers can see who is signed in to the network, meaning that they can see whether the basket is empty or not. Knowing which property has devices signed in the whole time the owners are present, it gets rather easy to find a point of attack once they are gone.
In more technical terms, the MAC address of the client device is associated with the MAC address of the router/AP. These identifiers are unique and are transmitted without any sort of encryption, even on an encrypted network. For the RED house we could say that:
The network name is: WIFI-12345
The Router MAC Address is: 00:11:22:33:44:55
The Peach MAC Address is: AA:BB:CC:DD:EE:99
The Orange MAC Address is: 99:AA:BB:CC:DD:EE
In any case of doubt, a directional antenna with a narrow opening angle for the Wifi band will be helpful to determine specific station locations discreetly.
Getting back to our model, the image below shows you the 3 houses (networks, represented by color) with the devices (represented by fruits) being present. Only in one house (the red house on the left) are no fruits present. Hence no wireless devices are signed in to the red network.
From the perspective of a potential intruder, the indication that no devices are signed in to the wireless network is almost as clear, as the screenshots below will show you.
This first screenshot shows a Linux (Ubuntu 12.04) terminal running airodump-ng, one of my favorite tools for security and performance analysis on wireless networks.
I have marked several items on the screenshot and will try to give a brief description of what you see.
Red Box 1:
The BSSID is the “Basic Service Set Identifier”, one of the core parts of (wireless) network traffic routing. The BSSID usually equals the MAC address of your AP's / router's Wifi adapter. In some cases the BSSID and MAC can be modified, however the idea remains the same.
Red Box 2:
The ESSID is the name that was given to the network. This name is entirely up to the network administrator, and one router (BSSID) usually can host up to 32 SSIDs. Often the SSID is very useful for determining who the network belongs to, especially in the case of family names being used… imagine an SSID “Smith-Network” with only 1 family “Smith” living in the street.
On the screenshot shown above, no devices are communicating with the wireless network access point / router. Therefore they are not listed, and it looks like the empty windows of the red house in our last symbolic example.
This next screenshot shows you what it looks like once devices are communicating with the access point / router.
Items 1 and 2 are the same as seen before; however, by now 2 further stations are listed which communicate with the BSSID. Under “Station” you will find 2 red boxes, box 3 and 4. Each box contains the MAC address of the device that is signed in to the Wifi. Keep in mind that this MAC is unique and even permits the attacker to identify what sort of device you use, as the first 3 bytes (00:11:22:xx:xx:xx) contain a vendor-specific ID.
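To make the basket model and the vendor-prefix point concrete, here is an added example (my own code, not from the original post or the airodump-ng project). It takes a constructed log of station sightings in the shape airodump-ng shows on screen, groups them into presence intervals per network and station, answers the post's "is the basket empty?" question for a given time, and labels each station with its vendor via the first three bytes of the MAC (the OUI). The RED house addresses are the ones from the post; the second network, the timestamps, and the tiny OUI table are constructed for this example, and the vendor names are placeholders rather than entries from the real IEEE registry.

```python
"""Added example, not code from the original post: a small model of what a
passive observer can infer from 802.11 metadata alone, following the post's
house/basket/fruit model.

Assumptions: the observation log, the second network's addresses and the tiny
OUI table below are constructed for this example (the RED house addresses are
the ones given in the post). A real vendor lookup would use the IEEE OUI
registry, which is not embedded here.
"""
from collections import defaultdict
from datetime import datetime

# Constructed observation log in the shape airodump-ng conveys on screen:
# time a frame was seen, the BSSID it belongs to, and the station that sent it.
# Times are within one evening; all sightings are invented.
OBSERVATIONS = """
18:00 00:11:22:33:44:55 AA:BB:CC:DD:EE:99
18:00 00:11:22:33:44:55 99:AA:BB:CC:DD:EE
18:05 00:11:22:33:44:55 AA:BB:CC:DD:EE:99
18:10 00:11:22:33:44:55 99:AA:BB:CC:DD:EE
18:30 66:77:88:99:AA:BB 12:34:56:00:00:01
19:00 00:11:22:33:44:55 AA:BB:CC:DD:EE:99
20:00 66:77:88:99:AA:BB 12:34:56:00:00:01
"""

# Network names as broadcast in beacons: the post's RED house plus a constructed
# second network whose name leaks the family name, as the post describes.
ESSIDS = {"00:11:22:33:44:55": "WIFI-12345", "66:77:88:99:AA:BB": "Smith-Network"}

# Constructed OUI table: the first three bytes of a MAC (the OUI) identify the
# vendor. These vendor names are placeholders, not real registry entries.
OUI_TABLE = {"AA:BB:CC": "ExamplePhoneVendor", "99:AA:BB": "ExampleTabletVendor"}

GAP_MINUTES = 20  # a station silent longer than this is treated as absent


def parse_log(text):
    """Yield (time, bssid, station) tuples from the constructed log."""
    for line in text.strip().splitlines():
        ts, bssid, station = line.split()
        yield datetime.strptime(ts, "%H:%M"), bssid.upper(), station.upper()


def vendor_of(mac):
    """Map a station MAC to a vendor name via its OUI prefix (first 8 chars)."""
    return OUI_TABLE.get(mac.upper()[:8], "unknown")


def presence_intervals(text, gap_minutes=GAP_MINUTES):
    """Group sightings of each (bssid, station) pair into presence intervals.

    Returns {bssid: {station: [(first_seen, last_seen), ...]}} with 'HH:MM'
    strings; a silence longer than gap_minutes starts a new interval.
    """
    sightings = defaultdict(lambda: defaultdict(list))
    for ts, bssid, station in parse_log(text):
        sightings[bssid][station].append(ts)
    result = {}
    for bssid, stations in sightings.items():
        result[bssid] = {}
        for station, times in stations.items():
            times.sort()
            intervals, start, last = [], times[0], times[0]
            for t in times[1:]:
                if (t - last).total_seconds() > gap_minutes * 60:
                    intervals.append((start.strftime("%H:%M"), last.strftime("%H:%M")))
                    start = t
                last = t
            intervals.append((start.strftime("%H:%M"), last.strftime("%H:%M")))
            result[bssid][station] = intervals
    return result


def basket_is_empty(text, bssid, at):
    """The post's basket test: True if no station of this network was seen in
    an interval covering time `at` ('HH:MM'). Zero-padded 'HH:MM' strings sort
    in time order, so plain string comparison is enough here."""
    for intervals in presence_intervals(text).get(bssid.upper(), {}).values():
        if any(first <= at <= last for first, last in intervals):
            return False
    return True


def report(text):
    """Human-readable summary: which stations were on which network, and when."""
    lines = []
    for bssid, stations in presence_intervals(text).items():
        lines.append(f"{ESSIDS.get(bssid, '?')} ({bssid})")
        for station, intervals in stations.items():
            spans = ", ".join(f"{a}-{b}" for a, b in intervals)
            lines.append(f"  {station} [{vendor_of(station)}]: {spans}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(OBSERVATIONS)))
    print("RED basket empty at 18:40:",
          basket_is_empty(OBSERVATIONS, "00:11:22:33:44:55", "18:40"))
```

Run as a script it prints one line per network and one per station, with the vendor label and the times each station was seen. The gap threshold is the only tuning knob: the smaller it is, the more a device that merely sleeps looks like an absence, which is exactly the ambiguity the post's "cold phone call" correlation step is meant to resolve. Running this against your own network's sightings is a quick way to see how much of your daily pattern the metadata alone gives away.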
Does it take a long time of monitoring to find out your Wifi-Motion-Profile?
I would assume that you would notice if a car were parked near your house with somebody using a notebook all the time and not moving much, potentially with bigger antennas attached to it than strictly needed. Therefore I can understand if, until now, you were thinking that you would notice such activity.
However, the entire monitoring of your Wifi client devices can be done discreetly, either by running automated equipment in a parked vehicle or just by sporadically checking in on your property and Wifi devices by stopping for a minute. Correlating the parked cars and active lights with a cold phone call would soon reveal at what times devices are present that can be assigned to a user in your house. There is no urgent need to monitor for a long time, and if you leave your smartphone connected to the Wifi overnight, you give the attacker a great way of checking at times when you would not even notice someone present in the street.
If you are worried by now, you may want to rethink how you handle the connections to your Wifi, and whether it is really required to leave this invisible presence marker connected to the Wifi whenever you are home. The final decision is up to you.