11-11-2022 | By Robin Mitchell
Recently, researchers demonstrated a drone with multiple Wi-Fi SoCs that can locate Wi-Fi devices precisely, even through walls, which introduces numerous security challenges. What exactly did the researchers design, how can it be used for nefarious practices, and how can an attack like this be mitigated?
Recently, researchers from the University of Waterloo, Ontario demonstrated a drone that utilises off-the-shelf hardware to map Wi-Fi devices and identify their location relative to the drone. If used in a domestic environment, the drone is capable of mapping all Wi-Fi-enabled devices, even if those devices are in other rooms, and this allowed the researchers to create an accurate map of a network.
The drone, which has been named Wi-Peep, was demonstrated at the 28th Annual International Conference on Mobile Computing and Networking, and the main focus of the device was to demonstrate the current weaknesses in commonly used internet protocols. Furthermore, the researchers described how such a device can be used for criminal activities, including tracking and monitoring.
To make the system work, the researchers turned to an exploit that is somewhat difficult to fix without making major changes to existing hardware. Simply put, the vast majority of Wi-Fi devices will respond when an external device attempts to make a connection, regardless of whether the credentials provided are wrong. The researchers dubbed this mechanism "Polite Wi-Fi" as Wi-Fi devices will always politely respond when receiving a connection attempt.
As these connection attempts are timestamped, the researchers then use time-of-flight to determine the distance between the Wi-Fi device and the drone. The researchers have claimed to be able to position devices accurately to one meter, which is more than enough for enabling other exploits.
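To put the one-metre claim in perspective, the following added example (not code from the researchers or the original article) works through the time-of-flight arithmetic and shows how small the timing margin is. The responder turnaround delay and the timestamp samples are constructed assumptions, not figures from the paper.

```python
from statistics import median

C = 299_792_458.0  # speed of light in m/s

def distance_m(t_sent_ns, t_reply_ns, turnaround_ns):
    """One-way distance from one timestamped request/response pair.

    The measured round trip contains two flights plus the time the
    responding device takes to answer (turnaround_ns, an assumption here).
    """
    flight_ns = (t_reply_ns - t_sent_ns) - turnaround_ns
    if flight_ns < 0:
        raise ValueError("turnaround exceeds measured round trip")
    return C * flight_ns * 1e-9 / 2

def estimate_distance_m(samples, turnaround_ns):
    """Median over repeated exchanges, so one noisy timestamp
    does not dominate the estimate."""
    return median(distance_m(s, r, turnaround_ns) for s, r in samples)

def timing_error_budget_ns(accuracy_m):
    """Round-trip timing error equivalent to a given distance error."""
    return 2 * accuracy_m / C * 1e9

# Constructed values for illustration only.
TURNAROUND_NS = 10_000          # assumed fixed reply delay of the device
SAMPLES = [                     # (sent, reply received) in nanoseconds
    (0, 10_066),
    (1_000_000, 1_010_068),
    (2_000_000, 2_010_067),
    (3_000_000, 3_010_140),     # outlier: 73 ns of extra delay
    (4_000_000, 4_010_067),
]

if __name__ == "__main__":
    print(f"estimate: {estimate_distance_m(SAMPLES, TURNAROUND_NS):.2f} m")
    print(f"outlier alone: {distance_m(*SAMPLES[3], TURNAROUND_NS):.2f} m")
    print(f"1 m accuracy allows {timing_error_budget_ns(1.0):.2f} ns of error")
```

A single reading that is 73 ns late lands about 11 m off, which is why the reply delay of the responding device matters as much as the timestamps themselves.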
Finally, devices that respond to connection attempts, even if those attempts do not contain the correct credentials, will also transmit their MAC address. As MAC addresses are assigned to manufacturers, a considerable amount of information can be obtained about the responding device.
If an attacker has the technological capability to launch the attack described by the researchers, then it could be used for numerous malicious purposes. The first, and most obvious use for such an attack, is to identify and track users in homes. Considering that most people have smartphones near their persons at all times, it is a highly effective method for determining the position of people throughout a home and thus can provide valuable intel to those looking to burgle.
Tracking and identifying individuals can also be beneficial when trying to identify key staff members, such as security. The use of Wi-Fi tracking allows someone to map the path of security staff and identify areas that are not adequately patrolled.
Another potential use for the technology is to allow a burglar to quickly identify where valuables are and the nature of those valuables. As MAC addresses are linked to manufacturers, it is relatively easy to determine if a device is a smart TV, a smartphone, or a computer. Thus, a scan of a property from the outside can show the most valuable areas to hit first and thus reduce the time needed to successfully burgle a property.
Fortunately, most criminals are thick idiots who wouldn't understand the first thing about Wi-Fi traffic sniffing, but that isn't to say that all criminals are. In fact, some criminals can be exceptionally intelligent, especially hackers, and it is this intelligence that often makes them successful. However, the technology demonstrated by the researchers is unlikely to be exploited in the near future due to the complexity involved, but it is possible that future criminals will turn to such exploits.
With such attacks becoming increasingly likely, what can people do to protect against them? What options are there when dealing with Wi-Fi-enabled devices?
While not exactly an ideal solution, it is possible for devices with internet capabilities to use a wired LAN connection instead. By using LAN, an attacker cannot utilise the vulnerabilities found in Wi-Fi, and even though this is not possible for some devices (such as phones and laptops), it can definitely protect some devices, such as security cameras.
Another potential solution against Wi-Fi attacks is to shift towards Li-Fi, which requires a line of sight. Devices inside a room can all communicate with an access point, but those on the other side of a wall would not be able to detect anything. However, this requires changing a network's infrastructure, which is costly, and not all devices support Li-Fi (in fact, almost none do).
Besides the use of LAN cables, there is very little that can be done. If those responsible for developing Wi-Fi standards can prevent devices from responding to every connection request, then this attack would be rendered impossible. However, even if current Wi-Fi standards are changed, many millions of devices would not be able to receive updates for this (especially if they implement key Wi-Fi protocols at the hardware level) and thus remain vulnerable.
Overall, the attack demonstrated by the researchers could pose a major threat in the future when the price of electronics falls even lower, and the complexity of developing such a device becomes trivialised.