{"id":46611,"date":"2022-12-16T09:12:58","date_gmt":"2022-12-16T14:12:58","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=46611"},"modified":"2022-12-16T09:12:58","modified_gmt":"2022-12-16T14:12:58","slug":"wi-peep-wireless-localization","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/wi-peep-wireless-localization\/46611\/","title":{"rendered":"Wi-Peep: features of wireless peeping"},"content":{"rendered":"<p>In November 2022, researchers at universities in the U.S. and Canada <a href=\"https:\/\/deepakv.web.illinois.edu\/assets\/papers\/WiPeep_Mobicom2022.pdf\" target=\"_blank\" rel=\"nofollow noopener\">demonstrated<\/a> a method of Wi-Fi device localization using inexpensive and easy-to-find equipment. The attack proof-of-concept was dubbed Wi-Peep, as it can be used to peep on devices communicating with each other via Wi-Fi. The research offers new insight into certain features of Wi-Fi networks, and the potential risks of device-localization. We should start by saying that the risks aren\u2019t too high \u2014 an attack looks like something out of a Bond movie. But that doesn\u2019t make the research any less interesting.<\/p>\n<h2>Wi-Peep attack features<\/h2>\n<p>Before looking at the report in detail, let\u2019s consider a real-life attack. Attackers fly a mini-quadcopter with the most inexpensive microcomputer on board around a target building, collecting data to obtain a map of wireless devices inside with reasonable accuracy (\u00b11.5 meters under ideal conditions). But why would they? Well, let\u2019s imagine it\u2019s a bank or a top-secret laboratory whose security systems are equipped with Wi-Fi modules. 
And there\u2019s your \u201cwhy\u201d: their location could be of huge practical interest to attackers planning physical penetration.<\/p>\n<div id=\"attachment_46612\" style=\"width: 999px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/12\/16090807\/wi-peep-wireless-localization-scheme.jpg\"><img decoding=\"async\" aria-describedby=\"caption-attachment-46612\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2022\/12\/16090807\/wi-peep-wireless-localization-scheme.jpg\" alt=\"Simplified Wi-Peep attack scheme.\" width=\"989\" height=\"499\" class=\"size-full wp-image-46612\"><\/a><p id=\"caption-attachment-46612\" class=\"wp-caption-text\">Simplified Wi-Peep attack scheme. <a href=\"https:\/\/deepakv.web.illinois.edu\/assets\/papers\/WiPeep_Mobicom2022.pdf\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a>.<\/p><\/div>\n<p>So how do researchers imitate something like that?\u2026<\/p>\n<p>The Wi-Peep attack exploits two important features of absolutely any Wi-Fi device, from ancient wireless modules from 20 years ago to the most modern. The first is the power-saving mechanism in Wi-Fi devices. The Wi-Fi module, say, in a smartphone can preserve battery by shutting down the wireless receiver for short periods of time. A wireless access point needs to consider this mode of operation: your router can accumulate data packets for a specific device, then transmit them all at once when it signals it\u2019s ready again to receive a transmission.<\/p>\n<p>For a successful attack, a potential spy would need to obtain a list of MAC addresses \u2014 unique device IDs whose locations would be determined later. Devices in the same home, office, or hotel are usually connected to a shared Wi-Fi network, the name of which is no secret. 
It turned out that it\u2019s possible to send a fake data packet, ostensibly from this shared wireless network, informing all connected devices that the access-point buffer has accumulated some data destined for them. In reply to this signal, the devices send responses which, when analyzed, reveal the unique MAC addresses of all network devices almost instantly. There\u2019s also a simpler way: eavesdrop on wireless radio traffic. However, this takes more time: according to the researchers, you need to accumulate data in passive mode for 12 hours.<\/p>\n<p>The second exploitable feature of wireless data exchange was provisionally named Wi-Fi Polite. That name was assigned by the authors of an earlier 2020 <a href=\"https:\/\/dl.acm.org\/doi\/10.1145\/3422604.3425951\" target=\"_blank\" rel=\"nofollow noopener\">study<\/a>. In a nutshell, the essence of the feature is this: a wireless device always responds to an address request from another device, even if they\u2019re not connected to a shared Wi-Fi network, and even if the request isn\u2019t encrypted or is malformed. In response, the Wi-Fi module sends a simple confirmation (\u201cData from you received\u201d), but that turns out to be sufficient to determine the distance to the responding device. The response time for receipt of such a packet is strictly regulated, and is 10 microseconds. A potential attacker can measure the time between sending a request and receiving a response, subtract those 10 microseconds, and get the time taken for the radio signal to reach the device.<\/p>\n<p>What does that give us? Moving around a stationary wireless device, we can determine its coordinates with a fairly high degree of accuracy, knowing our own location and the distance to the object of interest. Much of the research is devoted to overcoming the many difficulties of this method. The signal from the Wi-Fi radio transmitter is constantly reflected by walls and other obstacles, making it difficult to calculate the distance. 
In fact, that standardized response time <em>should<\/em> be 10 microseconds, but it actually varies from device to device \u2014 ranging from 8 to 13 microseconds. The geolocation accuracy of the attackers\u2019 Wi-Fi module itself also has an effect: it turns out that even the precision of geopositioning systems (GPS, GLONASS, etc.) isn\u2019t always enough. Although the resulting data contains a lot of noise, if enough measurements are made, relatively high accuracy can be achieved. That means if you make tens of thousands of readings, you get a positioning error in the range of 1.26 to 2.30 meters on the horizontal plane. On the vertical, the researchers were able to determine the exact floor in 91% of cases, but nothing more.<\/p>\n<h2>Low-cost sophisticated attack<\/h2>\n<p>Although the system for determining the coordinates of wireless devices turned out to be not very accurate, it\u2019s still of interest \u2014 not least because the equipment used by the researchers is dirt-cheap. Theoretically, an attack can be carried out by a potential spy in person, simply by slowly walking around the target object. For added convenience, the researchers used a cheap quadcopter fitted with a microcomputer based on the ESP32 chipset and a wireless module. The total cost of this reconnaissance kit (excluding the cost of the quadcopter) is less than US$20! What\u2019s more, the attack is virtually impossible to trace on the victim\u2019s device. It uses the standard capabilities of Wi-Fi modules, which cannot be disabled or even have their behavior modified. If communication between the victim\u2019s device and the attackers\u2019 microcomputer is possible in principle, the attack will work. The practical range of data transmission over Wi-Fi is tens of meters, which in most cases will suffice.<\/p>\n<h2>Fuzzy implications<\/h2>\n<p>If we assume the attack is doable in real life, is the data obtained of any use? 
The researchers propose several scenarios. First and most obviously, if we know the MAC address of the smartphone of a specific individual, we can roughly track their movements in public places. This is possible even if their smartphone is not connected to any wireless networks at the time of the attack. Second, creating a map of wireless devices in a secure building (a competitor\u2019s office, bank premises) for a subsequent physical attack is an entirely realistic scenario. For example, attackers can determine the approximate location of surveillance cameras if these use Wi-Fi for data transmission.<\/p>\n<p>There are also less obvious benefits from collecting such data. You could, for instance, collect information about the number of Wi-Fi devices in a hotel to estimate how many guests there are. Such data may be of interest to competitors. Or, knowing the number of wireless devices could help determine if potential victims are at home. Even the MAC addresses themselves \u2014 without coordinates \u2014 are of some use for collecting statistics about smartphone usage in a public place. In addition to spying and burglary, such methods are a threat to people\u2019s privacy.<\/p>\n<p>However, the immediate risk of such a method being deployed in practice is still quite low. This applies to all potential attacks and data collection methods for which you have to get close to the target object. For one thing, it\u2019s quite labor-intensive, meaning that few would do it on a mass scale; and for targeted attacks, other methods may be more effective. At the same time, scientific research helps us understand how minor features of complex technologies can be harnessed for malicious purposes. 
The researchers themselves note that the real benefit of their work will be if this small security and privacy risk is eliminated in future versions of wireless data transmission technologies.<\/p>\n<p>For the time being, all we can recommend is to use an <a href=\"https:\/\/antidrone.kaspersky.com\/en\/?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____\" target=\"_blank\" rel=\"noopener nofollow\">anti-drone system<\/a>. It won\u2019t help against Wi-Peep, but it will at least guard against being spied on from the air.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kesb-top3\">\n","protected":false},"excerpt":{"rendered":"<p>Researchers find a new reliable way to track the location of wireless Wi-Fi devices. <\/p>\n","protected":false},"author":665,"featured_media":46613,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051,3052],"tags":[729,174],"class_list":{"0":"post-46611","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-espionage","11":"tag-wi-fi"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/wi-peep-wireless-localization\/46611\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/wi-peep-wireless-localization\/24996\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/wi-peep-wireless-localization\/20491\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/wi-peep-wireless-localization\/27563\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/wi-peep-wireless-localization\/25325\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/wi-peep-wireless-localization\/25657\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/wi-peep-wireless-localization\/28220\/"},{"hr
eflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/wi-peep-wireless-localization\/34417\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/wi-peep-wireless-localization\/19909\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/wi-peep-wireless-localization\/20504\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/wi-peep-wireless-localization\/29619\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/wi-peep-wireless-localization\/33108\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/wi-peep-wireless-localization\/25683\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/wi-peep-wireless-localization\/31371\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/wi-peep-wireless-localization\/31080\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/espionage\/","name":"espionage"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/46611","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/665"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=46611"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/46611\/revisions"}],"predecessor-version":[{"id":46614,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/46611\/revisions\/46614"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/46613"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=46611"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v
2\/categories?post=46611"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=46611"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}