Patched wpa_supplicant to scan for APs passively

[steadyeddy]

I patched wpa_supplicant to do wildcard access point scans passively, because **** tracking. (Wildcard means you're not looking for a particular access point, especially not one with a hidden SSID.) Seems to work perfectly, except it takes a few seconds longer to list all the access points around you. And it's a very simple patch too.

Just apply inside all the ~/android/system/external/wpa_supplicant* folders and build. Then look at the air traffic before and after installing the new binary (and resetting Wifi) with this Wireshark filter expression: wlan.addr == phn:em:ac:ad:dr

https://gist.github.com/anonymous/9589807

 

[ryanbg]

I patched wpa_supplicant to do wildcard access point scans passively, because **** tracking. (Wildcard means you're not looking for a particular access point, especially not one with a hidden SSID.) Seems to work perfectly, except it takes a few seconds longer to list all the access points around you. And it's a very simple patch too.

Just apply inside all the ~/android/system/external/wpa_supplicant* folders and build. Then look at the air traffic before and after installing the new binary (and resetting Wifi) with this Wireshark filter expression: wlan.addr == phn:em:ac:ad:dr

https://gist.github.com/anonymous/9589807

Is this a true monitor mode (rfmon) patch? Either way, very nice work!

 

[h4waii]

Is this a true monitor mode (rfmon) patch? Either way, very nice work!

No. It removes directed probes to stop leaking stored network SSIDs. This is not for on-device RFMON.

 

[steadyeddy]

It removes directed probes to stop leaking stored network SSIDs.

Actually it's the opposite, probe requests looking for specific SSIDs still go through, but with or without this patch they only happen when your Android system remembers APs with a hidden SSID (check your wpa_supplicant.conf). And they need to happen, because it's the only way to connect to those APs. If you don't want to send out such probe requests, just don't connect to APs with hidden SSIDs, or at least "forget" them after you're done.

What the patch really does is remove nonspecific (=wildcard) probe requests. They do not leak SSIDs, but they do leak your device's current MAC address. (And more broadly, the radio characteristics of your device.)

 

[terbospeed]

Any progress?

This work is a good idea; my development machine is down but I will test it out asap.

A patch like this, that could emulate IOS 8's new wireless behavior, could solve one part of the SSID probe problem, but having an option to not immediately trigger a bunch of wireless actions as soon as a network connection is established would be fix the other half.

Has there been any progress or tests to see if this will make our machines more secure?

Thanks for the code, I'm going to begin asking questions on the hostapd mailing list.