
Patched wpa_supplicant to scan for APs passively

OP steadyeddy

16th March 2014, 10:28 PM   |  #1  
Junior Member
Thanks Meter: 4
3 posts
Join Date: Mar 2014
I patched wpa_supplicant to do wildcard access point scans passively, because **** tracking. (Wildcard means you're not looking for a particular access point, especially not one with a hidden SSID.) Seems to work perfectly, except it takes a few seconds longer to list all the access points around you. And it's a very simple patch too.

Just apply inside all the ~/android/system/external/wpa_supplicant* folders and build. Then look at the air traffic before and after installing the new binary (and resetting Wifi) with this Wireshark filter expression: wlan.addr == ph:on:em:ac:ad:dr

https://gist.github.com/anonymous/9589807
Attached Files
File Type: patch wpa_supplicant.passive-wildcard.patch (424 Bytes, 143 views)
Last edited by steadyeddy; 16th March 2014 at 10:39 PM.
20th March 2014, 03:39 PM   |  #2  
ryanbg
Senior Member
Minnesota
Thanks Meter: 937
407 posts
Join Date: Jan 2008
Quote:
Originally Posted by steadyeddy

I patched wpa_supplicant to do wildcard access point scans passively, because **** tracking. (Wildcard means you're not looking for a particular access point, especially not one with a hidden SSID.) Seems to work perfectly, except it takes a few seconds longer to list all the access points around you. And it's a very simple patch too.

Just apply inside all the ~/android/system/external/wpa_supplicant* folders and build. Then look at the air traffic before and after installing the new binary (and resetting Wifi) with this Wireshark filter expression: wlan.addr == ph:on:em:ac:ad:dr

https://gist.github.com/anonymous/9589807

Is this a true monitor mode (rfmon) patch? Either way, very nice work!
20th March 2014, 04:04 PM   |  #3  
h4waii
Senior Member
Toronto
Thanks Meter: 5
607 posts
Join Date: Nov 2007
Quote:
Originally Posted by ryanbg

Is this a true monitor mode (rfmon) patch? Either way, very nice work!

No. It removes directed probes to stop leaking stored network SSIDs. This is not for on-device RFMON.
21st March 2014, 08:25 PM   |  #4  
Junior Member
Thanks Meter: 4
3 posts
Join Date: Mar 2014
Quote:
Originally Posted by h4waii

It removes directed probes to stop leaking stored network SSIDs.

Actually it's the opposite, probe requests looking for specific SSIDs still go through, but with or without this patch they only happen when your Android system remembers APs with a hidden SSID (check your wpa_supplicant.conf). And they need to happen, because it's the only way to connect to those APs. If you don't want to send out such probe requests, just don't connect to APs with hidden SSIDs, or at least "forget" them after you're done.

What the patch really does is remove nonspecific (=wildcard) probe requests. They do not leak SSIDs, but they do leak your device's current MAC address. (And more broadly, the radio characteristics of your device.)
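An added audit helper for the before/after capture comparison described in this thread (example code, not part of the thread or of the patch): it parses raw 802.11 management frames, separates wildcard probe requests (empty SSID element, the kind the patch suppresses) from directed probe requests (SSID of a remembered hidden network, which the patch leaves alone), and lists the transmitter MAC each one exposes. The frame bytes and the phone MAC are constructed samples.

```python
HDR_LEN = 24            # FC(2) + Duration(2) + Addr1..3(18) + SeqCtl(2)
SUBTYPE_PROBE_REQ = 4   # management type 0, subtype 4
IE_SSID = 0             # information element id of the SSID element

def parse_probe_request(frame: bytes):
    """Return {'src': mac, 'ssid': str|None} for a probe request, else None.
    ssid is None for a wildcard probe (SSID element of length 0)."""
    if len(frame) < HDR_LEN:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype != SUBTYPE_PROBE_REQ:
        return None                     # not a probe request (e.g. a beacon)
    src = ":".join(f"{b:02x}" for b in frame[10:16])  # Addr2 = transmitter
    body, pos = frame[HDR_LEN:], 0
    while pos + 2 <= len(body):         # walk the tagged information elements
        ie_id, ie_len = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + ie_len]
        if ie_id == IE_SSID:
            return {"src": src, "ssid": data.decode("utf-8", "replace") or None}
        pos += 2 + ie_len
    return {"src": src, "ssid": None}   # no SSID element: treat as wildcard

def audit(frames):
    """Count wildcard vs directed probes and collect the MACs/SSIDs exposed."""
    out = {"wildcard": 0, "directed": 0, "macs": set(), "ssids": set()}
    for p in filter(None, map(parse_probe_request, frames)):
        out["macs"].add(p["src"])
        if p["ssid"] is None:
            out["wildcard"] += 1
        else:
            out["directed"] += 1
            out["ssids"].add(p["ssid"])
    return out

def _mgmt(subtype, src, body):
    """Build a minimal management frame (constructed sample, not a capture)."""
    bcast = b"\xff" * 6
    return bytes([subtype << 4, 0]) + b"\x00\x00" + bcast + src + bcast + b"\x10\x00" + body

# Constructed frames standing in for a "before the patch" capture.
PHONE = bytes.fromhex("020000000001")   # placeholder locally-administered MAC
RATES = b"\x01\x04\x02\x04\x0b\x16"     # supported-rates element
SAMPLE = [
    _mgmt(4, PHONE, b"\x00\x00" + RATES),           # wildcard probe request
    _mgmt(4, PHONE, b"\x00\x09HiddenNet" + RATES),  # directed probe request
    _mgmt(8, b"\x00\x11\x22\x33\x44\x55", b"\x00" * 12 + b"\x00\x04Cafe"),  # beacon
]
```

On a capture taken after the patch, filtered to the phone's MAC as above, the expected result is `wildcard == 0` with directed probes present only while a hidden-SSID network is remembered.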
9th October 2014, 05:01 AM   |  #5  
Junior Member
Thanks Meter: 0
1 posts
Join Date: Oct 2014
Any progress?
This work is a good idea; my development machine is down but I will test it out asap.

A patch like this, that could emulate iOS 8's new wireless behavior, could solve one part of the SSID probe problem, but having an option to not immediately trigger a bunch of wireless actions as soon as a network connection is established would fix the other half.

Has there been any progress or tests to see if this will make our machines more secure?

Thanks for the code, I'm going to begin asking questions on the hostapd mailing list.