RECHERCHE N O Y L E D S E ´ E U Q I L P P A S E C N E I C S S E D L A N O Device-to-Identity linking attack using targeted I T A N Wi-Fi geolocation spoofing T U T I T S N I C´ elestin Matte - Jagdish Achara - Mathieu Cunche ACM WiSec 2015
Outline of the talk 1 Introduction 2 Background 3 Description of the attack 4 Tests and results 5 Conclusion 2 / 20 Matte C´ elestin - APVP 2014 - 2014.12.05
Introduction ◮ Mobile devices are trackable because they emit probe requests [2] ◮ But only through an “anonymous” identifier: the MAC address ◮ Is it really anonymous? ◮ Problem: given a mobile device identified by a Wi-Fi MAC address, find the identity of the owner of this device. ◮ Solution: attack on Wi-Fi-based Positioning Systems (WPS) ◮ Outcome: get personal information: identity of the device’s owner → account on geotagged services (example with Twitter) 3 / 20 Matte C´ elestin - APVP 2014 - 2014.12.05
Background ◮ Wi-Fi service discovery ◮ Wi-Fi based geolocation ◮ Spoofing geolocation 4 / 20 Matte C´ elestin - APVP 2014 - 2014.12.05
Background - Wi-Fi service discovery ◮ How do devices know which Wi-Fi access points (APs) are present? ◮ Two methods: ◮ passive discovery: APs broadcast beacons ◮ active discovery: devices send probe requests (with or without SSIDs), APs respond with probe responses 5 / 20 Matte C´ elestin - APVP 2014 - 2014.12.05
Background - Wi-Fi based geolocation ◮ One geolocation method uses visible access points to locate devices ◮ Mainly used when GPS is not available or not available yet (i.e., inside building), or to save battery Figure: Geolocation via trilateration based on visible Wi-Fi access points. 6 / 20 Matte C´ elestin - APVP 2014 - 2014.12.05
Background - spoofing geolocation Based on a previous work [3] 7 / 20 Matte C´ elestin - APVP 2014 - 2014.12.05
Description of the attack ◮ Targeted spoofing ◮ Description ◮ Testing WPS ◮ Implementation 8 / 20 Matte C´ elestin - APVP 2014 - 2014.12.05
Targeted spoofing ◮ Problem: original attack supposes that there is only one device in range. What if we want to target only one device among other ones? ◮ Passive discovery: ◮ Beacons are broadcast (destination address = ff:ff:ff:ff:ff:ff) ◮ Can it simply work without broadcast? (targeted destination address) ◮ Active discovery: ◮ simply reply to broadcast probe requests from only one device 9 / 20 Matte C´ elestin - APVP 2014 - 2014.12.05
Targeted spoofing ◮ Problem: original attack supposes that there is only one device in range. What if we want to target only one device among other ones? ◮ Passive discovery: ◮ Beacons are broadcast (destination address = ff:ff:ff:ff:ff:ff) ◮ Can it simply work without broadcast? (targeted destination address) ◮ Yes. ◮ Active discovery: ◮ simply reply to broadcast probe requests from only one device 10 / 20 Matte C´ elestin - APVP 2014 - 2014.12.05
Attacker model ◮ Two kind attackers: ◮ simple: physically close to the target, can only access public information ◮ powerful: also close to the target, but can access private information (no need to be “friend” with the target) 11 / 20 Matte C´ elestin - APVP 2014 - 2014.12.05
Description of the attack 7 WPS 8 3 2 6 4 victim 1 9 5 attacker 10 Figure: Description of the attack (dotted lines: optional) 12 / 20 Matte C´ elestin - APVP 2014 - 2014.12.05
Tests and results ◮ Testing geolocation spoofing on WPS ◮ Implementation ◮ Results - Example ◮ Results - discussion ◮ Testing the attack on different Android apps 13 / 20 Matte C´ elestin - APVP 2014 - 2014.12.05
Testing geolocation spoofing on WPS ◮ Can we avoid jamming? How do WPS react if we send AP from different locations? ◮ Evaluation on multiple WPS: GoogleGeoloc, Navizon, Skyhook ◮ Navizon takes history into account Fraction of successful attacks locations (%) Fraction of successful attacks locations (%) 100 100 80 80 60 60 40 40 20 20 0 0 0.0 0.5 1.0 1.5 2.0 2.5 0.0 0.5 1.0 1.5 2.0 Fake AP ratio R Fake AP ratio R Figure: Fraction of successful attacks: number of AP from original location over number of AP from destination location (left: Google geolocation API; right: Skyhook) 14 / 20 Matte C´ elestin - APVP 2014 - 2014.12.05
Implementation ◮ Some bash + perl + php scripts ◮ Does everything automatically ◮ Available on github [1] 15 / 20 Matte C´ elestin - APVP 2014 - 2014.12.05
Results - example Figure: The Twitter application, before and during the attack. 16 / 20 Matte C´ elestin - APVP 2014 - 2014.12.05
Results - discussion ◮ Tested on Android and iOS ◮ Never worked on iOS ◮ No need to jam legitimate APs ◮ ...But: does not always work, mainly depending on the number of real access points, and the distance of the fake location 17 / 20 Matte C´ elestin - APVP 2014 - 2014.12.05
Testing the attack on different Android apps Figure: Result of the Wi-Fi geolocation spoofing on selected Android applications 18 / 20 Matte C´ elestin - APVP 2014 - 2014.12.05
Conclusion ◮ Attack on Wi-Fi-based positioning systems ◮ Contributions: jamming not necessary, targeted attack → allow full attack ◮ Generate a fake Wi-Fi environment ◮ Get user information: account name on applications publishing location ◮ Evaluated the attack on various WPS and Android apps 19 / 20 Matte C´ elestin - APVP 2014 - 2014.12.05
Bibliography Public repository of the test script. https://github.com/Perdu/geoloc_attack , consulted on 2014.04.07. M. Cunche, M. A. Kaafar, and R. Boreli. I know who you will meet this evening! linking wireless devices using wi-fi probe requests. In World of Wireless, Mobile and Multimedia Networks (WoWMoM), 2012 IEEE International Symposium on a , pages 1–9. IEEE, 2012. N. O. Tippenhauer, K. B. Rasmussen, C. P¨ opper, and S. ˇ Capkun. Attacks on public wlan-based positioning systems. In Proceedings of the 7th international conference on Mobile systems, applications, and services , pages 29–40. ACM, 2009. 20 / 20 Matte C´ elestin - APVP 2014 - 2014.12.05
Recommend
More recommend
