Beware of Flying Dones: Here’s Wi-Peep

An interesting paper [1] outlines Wi-Peep, a location-revealing system that aims to locate devices. It uses a flaw in the 802.11 protocol to force Wi-Fi devices to reveal themselves, even on a network that the intruder does not have access to:

Figure 1: Research paper [1]

Overall, there is no need to install any software on the target device, and the system can be mounted on a drone or carried into a physical space. The device costs less than $20 and weighs less than 10 g (so it could easily be carried by a small drone):

Figure 2: Wi-Peep [1]

The research work investigates the usage of Wi-Peep mounted on a drone. Overall, the first part of the attack involves discovering the MAC address of the target device. This involves transmitting a fake beacon, to which devices respond with their MAC address (even though they are not connected to the same Wi-Fi access point):

Figure 3: Discovered devices from a beacon request [1]

In order to locate devices, it uses a ToF (Time of Flight) method. With this, the attacker measures the time taken for acknowledgements to be received and then multiplies this by the speed of light. These acknowledgements contain timestamps from the target device, and the attacker can compute the delay between them. This then gives the round-trip time-of-flight and the SIFS (the delay between packet reception and ACK transmission). With these, the device can be located within a reasonably accurate radius.
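To make the ToF arithmetic concrete, here is an added example (my own code, not the Wi-Peep authors'): it turns a measured round-trip time into a distance by subtracting SIFS and halving, shows why a median over repeated readings is needed when a target occasionally delays its ACK, and combines ranges from several known vantage points into a 2-D position with a textbook least-squares solve. The nominal SIFS values (10 µs at 2.4 GHz, 16 µs at 5 GHz), the waypoint positions and the sample readings are assumptions or constructed data, not figures from the paper.

```python
"""Time-of-flight ranging as outlined above, reduced to its arithmetic.

Added example, not code from the Wi-Peep paper. Assumptions (not in the post):
  - rtt_us is the interval measured at the ranging device from the end of its
    own frame to the start of the target's ACK, in microseconds; it contains
    two one-way flights plus the target's SIFS.
  - SIFS is the nominal 802.11 value (10 us at 2.4 GHz, 16 us at 5 GHz); real
    radios deviate by tens of nanoseconds, which bounds the achievable accuracy.
  - "anchors" are known 2-D positions from which ranges were taken (e.g. drone
    waypoints); the least-squares solve below is a generic textbook method.
"""
import math
from statistics import mean, median

C = 299_792_458.0                          # speed of light, m/s
SIFS_US = {"2.4GHz": 10.0, "5GHz": 16.0}   # nominal 802.11 SIFS, microseconds


def rtt_to_distance(rtt_us: float, sifs_us: float) -> float:
    """Strip the responder's SIFS, halve the remaining round trip, scale by c."""
    one_way_us = (rtt_us - sifs_us) / 2.0
    return C * one_way_us * 1e-6


def estimate_range(rtt_samples_us, sifs_us: float) -> float:
    """Range from repeated measurements. The median suppresses late ACKs
    (e.g. a target that deferred to other traffic), which a mean would not."""
    return rtt_to_distance(median(rtt_samples_us), sifs_us)


def naive_mean_range(rtt_samples_us, sifs_us: float) -> float:
    """Same estimate with a plain mean, kept only to show the outlier effect."""
    return rtt_to_distance(mean(rtt_samples_us), sifs_us)


def synthetic_rtt(distance_m: float, sifs_us: float) -> float:
    """Constructed noise-free measurement for a device distance_m away."""
    return sifs_us + 2.0 * distance_m / C * 1e6


def trilaterate(anchors, ranges):
    """Least-squares 2-D position from >= 3 (anchor, range) pairs.

    Subtracting the first circle equation from the others removes the
    quadratic terms, leaving a linear system A p = b that is solved via the
    normal equations (A^T A) p = A^T b, which is only 2x2 here.
    """
    (x1, y1), r1 = anchors[0], ranges[0]
    a11 = a12 = a22 = b1 = b2 = 0.0
    for (xi, yi), ri in zip(anchors[1:], ranges[1:]):
        ax, ay = 2.0 * (xi - x1), 2.0 * (yi - y1)
        b = r1**2 - ri**2 + xi**2 - x1**2 + yi**2 - y1**2
        a11 += ax * ax
        a12 += ax * ay
        a22 += ay * ay
        b1 += ax * b
        b2 += ay * b
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("anchors are collinear or too few; position is ambiguous")
    return ((b1 * a22 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)


if __name__ == "__main__":
    sifs = SIFS_US["2.4GHz"]
    # Constructed: five readings of a device 5 m away, one delayed by 0.5 us.
    samples = [synthetic_rtt(5.0, sifs) + d for d in (-0.002, 0.0, 0.0, 0.002, 0.5)]
    print(f"median estimate: {estimate_range(samples, sifs):.2f} m")
    print(f"mean estimate:   {naive_mean_range(samples, sifs):.2f} m")
    # Constructed: a device at (3, 4) ranged from four waypoints.
    anchors = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0), (10.0, 10.0)]
    ranges = [math.hypot(3.0 - x, 4.0 - y) for x, y in anchors]
    print("position:", trilaterate(anchors, ranges))
```

The numbers show where the accuracy budget goes: one nanosecond of timing error moves the one-way estimate by about 0.15 m, and a single ACK delayed by half a microsecond shifts a plain mean by roughly 15 m while the median is untouched. Sub-metre results of the kind reported in the paper therefore depend on nanosecond-level timestamps and on robust statistics over many readings, not on any single measurement.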

After this, the attacker sends fake Wi-Fi packets which are not related to the network that the target connects to. For this, the paper builds on the Polite Wi-Fi technique [2]:

Figure 4: Polite Wi-Fi [2]

Using this method, the researchers previously found that many devices respond to the Polite Wi-Fi request, and that the MAC addresses often revealed the device manufacturer:

Figure 5: Vendor discovery [2]

Using the Polite Wi-Fi requests, the researchers found that they could even reveal how the device was being used by the target. In the following, we see the activity of the device lying on the ground, then being picked up, followed by some typing, and then the device being laid back on the ground:

Figure: Activity monitoring of a device [2]

Overall, the research team set up an experiment to locate 11 devices in a house with a basement, a main floor, and a second floor:

The results show that the errors for a table on the second floor were fairly low (less than 0.5 m), but the errors increased when the devices were placed on the main floor (up to 2 m of error). Surprisingly, the basement devices generally produced a lower error than the devices on the floor above:

Conclusions

The use of beacons has always been a problem, especially in capturing the four-way handshake. Here is my little demo on cracking this:

References

[1] Abedi, A., & Vasisht, D. (2022, October). Non-cooperative wi-fi localization & its privacy implications. In Proceedings of the 28th Annual International Conference on Mobile Computing And Networking (pp. 570–582).

[2] Abedi, A., & Abari, O. (2020, November). WiFi Says "Hi!" Back to Strangers! In Proceedings of the 19th ACM Workshop on Hot Topics in Networks (pp. 132–138).