Patched wpa_supplicant to scan for APs passively


steadyeddy

New member
Mar 16, 2014
I patched wpa_supplicant to do wildcard access point scans passively, because **** tracking. (Wildcard means you're not looking for a particular access point, especially not one with a hidden SSID.) Seems to work perfectly, except it takes a few seconds longer to list all the access points around you. And it's a very simple patch too.

Just apply inside all the ~/android/system/external/wpa_supplicant* folders and build. Then look at the air traffic before and after installing the new binary (and resetting Wifi) with this Wireshark filter expression: wlan.addr == ph:on:em:ac:ad:dr

https://gist.github.com/anonymous/9589807
 

Attachments

  • wpa_supplicant.passive-wildcard.patch
    424 bytes

ryanbg

Inactive Recognized Developer
Jan 3, 2008
I patched wpa_supplicant to do wildcard access point scans passively, because **** tracking. (Wildcard means you're not looking for a particular access point, especially not one with a hidden SSID.) Seems to work perfectly, except it takes a few seconds longer to list all the access points around you. And it's a very simple patch too.

Just apply inside all the ~/android/system/external/wpa_supplicant* folders and build. Then look at the air traffic before and after installing the new binary (and resetting Wifi) with this Wireshark filter expression: wlan.addr == ph:on:em:ac:ad:dr

https://gist.github.com/anonymous/9589807

Is this a true monitor mode (rfmon) patch? Either way, very nice work!
 

steadyeddy

New member
Mar 16, 2014
It removes directed probes to stop leaking stored network SSIDs.

Actually it's the opposite, probe requests looking for specific SSIDs still go through, but with or without this patch they only happen when your Android system remembers APs with a hidden SSID (check your wpa_supplicant.conf). And they need to happen, because it's the only way to connect to those APs. If you don't want to send out such probe requests, just don't connect to APs with hidden SSIDs, or at least "forget" them after you're done.

What the patch really does is remove nonspecific (=wildcard) probe requests. They do not leak SSIDs, but they do leak your device's current MAC address. (And more broadly, the radio characteristics of your device.)
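
Added example, not part of the thread or the patch: a small parser that sorts probe requests from one device into wildcard (zero-length SSID element) and directed (SSID named in the frame), which is the before/after check described above. It assumes raw 802.11 frames with the radiotap header and FCS already stripped and no HT Control field; the MAC addresses, SSID and frames are constructed sample data.

```python
PROBE_REQ = 0x40   # frame control byte 0: version 0, type management, subtype 4
HEADER_LEN = 24    # frame control, duration, addr1-3, sequence control
TAG_SSID = 0       # information element id of the SSID


def build_probe(src_mac, ssid=b"", fc0=PROBE_REQ):
    """Construct a minimal broadcast management frame for the sample data below."""
    header = (bytes([fc0, 0, 0, 0]) + b"\xff" * 6
              + bytes.fromhex(src_mac.replace(":", "")) + b"\xff" * 6 + b"\x00\x00")
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported-rates element
    return header + bytes([TAG_SSID, len(ssid)]) + ssid + rates


def classify_probe(frame):
    """Return (source_mac, kind, ssid) for a probe request, or None for other frames."""
    if len(frame) < HEADER_LEN or frame[0] != PROBE_REQ:
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])  # addr2 is the transmitter
    pos = HEADER_LEN
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break  # truncated element, stop parsing
        if tag == TAG_SSID:
            if length == 0:
                return src, "wildcard", ""
            return src, "directed", value.decode("utf-8", "replace")
        pos += 2 + length
    return src, "malformed", ""  # no complete SSID element found


def summarize(frames, device_mac):
    """Count wildcard probes and list SSIDs named in directed probes from device_mac."""
    hits = [r for r in map(classify_probe, frames) if r and r[0] == device_mac.lower()]
    wildcard = sum(1 for _, kind, _ in hits if kind == "wildcard")
    ssids = sorted({ssid for _, kind, ssid in hits if kind == "directed"})
    return wildcard, ssids


DEVICE = "02:00:00:aa:bb:cc"  # constructed, locally administered address
SAMPLE_FRAMES = [             # constructed frames, not a real capture
    build_probe(DEVICE),                       # wildcard probe from the device
    build_probe(DEVICE, b"HiddenHome"),        # directed probe for a remembered hidden SSID
    build_probe("02:00:00:11:22:33"),          # wildcard probe from another device
    build_probe(DEVICE, b"SomeAP", fc0=0x80),  # beacon subtype, must be ignored
]
print(summarize(SAMPLE_FRAMES, DEVICE))
```

On a capture taken after the patched binary is installed, the wildcard count for the phone's address should be zero, while directed probes for remembered hidden SSIDs would still appear.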
 

terbospeed

New member
Oct 8, 2014
Any progress?

This work is a good idea; my development machine is down but I will test it out asap.

A patch like this, that could emulate iOS 8's new wireless behavior, could solve one part of the SSID probe problem, but having an option to not immediately trigger a bunch of wireless actions as soon as a network connection is established would fix the other half.

Has there been any progress or tests to see if this will make our machines more secure?

Thanks for the code, I'm going to begin asking questions on the hostapd mailing list.
 
