May 10, 2013 at 1:02 pm

Thanks for the writeup.

The ARPs which sometimes contain the BSSID information disclosure are actually targeting the MAC address of the DHCP server on a previously joined network. On most home/soho WiFi routers, the DHCP server MAC address is the same as the router’s WiFi BSSID (sometimes it’s the same except for the last octet).

This is often not the case on bigger corporate WiFi networks with multiple APs and separate DHCP servers, so the MAC address picked up may sometimes not be a WiFi BSSID at all and can’t be used for geolocation.

I’ve found that the best way to reproduce the BSSID disclosure is to broadcast a WiFi network (using airbase-ng or similar) with no DHCP server enabled, while sniffing on the same interface when an iDevice is joining the network. It seems to help if the network is broadcasting on the same WiFi channel as the network the device has previously joined (hat tip to Mark Wuergler for this). Passively sniffing on the same 802.11 channel that a nearby router is broadcasting on also works.

In addition to ARPs, the sniffer will also pick up standard SSID probes that all devices send out when sniffing at the 802.11 layer (i.e. WiFi interface set to monitor mode or reading a PCAP recorded from the same).

As to the question of why some router BSSIDs are in the database and others aren’t - in my limited experience, it seems to take about 2 weeks for a new router in an urban area to show up (see page 20 of my SyScan slides). It doesn’t seem to matter if the network is hidden (SSID broadcast disabled) or not.

Darth Null

May 11, 2013 at 12:21 am

They target the DHCP server? Interesting, I must’ve missed that in past writeups. :( My home net has its own DHCP server, so that’s why I didn’t see my home AP disclosed by devices. I’ll have to compare the MACs I collected with the servers’ MACs. If I still have that data (I just edited the DB directly to obfuscate the image….looked prettier than a bunch of black bars).

I definitely need to re-install this on a cleaner machine, maybe a vmware image or separate box, because I was getting odd sniffing/driver errors that was probably also preventing me from seeing SSID probes. Also interesting note about WiFi channels, too.

I still don’t know about my home and work APs not being in the DB, though. They’ve been there for a lot longer than 2 weeks (1 year for work, and 6 for the home AP). Both are WPA2, neither is hidden… I wonder if there might be some threshold of devices that “notice” it (even without association)? That is, until 50 or 100 devices detect and report the AP, it won’t appear?

That might be easy enough to test, come to think of it, by spoofing a bunch of wloc reports over a few week period. Hm. I’ll have to think about that – might take some careful planning and execution, but I bet we could easily simulate “new” APs in quiet, busy, and super-busy environments….

Thanks for the detailed comment, you’ve given me even more to think about!