Creepy Wireless Stalking Made Easy

In a slight twist on the august pursuit of warwalking, [Mehdi] took a Raspberry Pi armed with a GPS, WiFi, and a Bluetooth sniffer around Bordeaux with him for six months and logged all the data he could find. The result isn’t entirely surprising, but it’s still a little bit creepy.

If your WiFi sends out probe requests for its home access points, [Mehdi] logged it. If your Bluetooth devices leak information about what they are, [Mehdi] logged it. In the end, he got nearly 30,000 WiFis logged, including 120,000 probes. Each reading is timestamped and geolocated, and [Mehdi] presents a few of the results from querying the resulting database.

Continue reading “Creepy Wireless Stalking Made Easy”

WarWalking With The ESP8266

[Steve] needed a tool to diagnose and fix his friend’s and family’s WiFi. A laptop would do, but WiFi modules and tiny OLED displays are cheap now. His solution was to build a War Walker, a tiny handheld device that would listen in WiFi access points, return the signal strength, and monitor the 2.4GHz environment around him.

The War Walker didn’t appear out of a vacuum. It’s based on the WarCollar Dope Scope, a tiny, portable device consisting of an off-the-shelf Chinese OLED display, an ESP8266 module, and a PCB that can charge batteries, provide a serial port, and ties the whole thing together with jellybean glue. The Dope Scope is a capable device, but it’s marketed towards the 1337 utilikilt-wearing, The Prodigy-blasting pentesters of the world. It is, therefore, a ripoff. [Steve] can build his version for $6 in materials.

The core of the build is an ESP-based carrier board built for NodeMCU. This board is available for $3.77 in quantity one, with free shipping. A $2 SPI OLED display is the user interface, and the rest of the circuit is just some perfboard and a few wires.

The software is based on platformio, and dumps all the WiFi info you could want over the serial port or displays it right on the OLED. It’s a brilliantly simple device for War Walking, and the addition of a small LiPo makes this a much better value than the same circuit with a larger pricetag.

A Lot Of WiFi Power, A Yagi, And A Sniper’s ‘Scope

Do you remember the early days of consumer wireless networking, a time of open access points with default SSIDs, manufacturer default passwords, Pringle can antennas, and wardriving? Fortunately out-of-the-box device security has moved on in the last couple of decades, but there was a time when most WiFi networks were an open book to any passer-by with a WiFi-equipped laptop or PDA.

The more sophisticated wardrivers used directional antennas, the simplest of which was the abovementioned Pringle can, in which the snack container was repurposed as a resonant horn antenna with a single radiator mounted on an N socket poking through its side. If you were more sophisticated you might have used a Yagi array (a higher-frequency version of the antenna you would use to receive TV signals). But these were high-precision items that were expensive, or rather tricky to build if you made one yourself.

In recent years the price of commercial WiFi Yagi arrays has dropped, and they have become a common sight used for stretching WiFi range. [TacticalNinja] has other ideas, and has used a particularly long one paired with a high-power WiFi card and amplifier as a wardriver’s kit par excellence, complete with a sniper’s ‘scope for aiming.

The antenna was a cheap Chinese item, which arrived with very poor performance indeed. It turned out that its driven element was misaligned and shorted by a too-long screw, and its cable was rather long with a suspect balun. Modifying it for element alignment and a balun-less short feeder improved its performance no end. He quotes the figures for his set-up as 4000mW of RF output power into a 25dBi Yagi, or 61dBm effective radiated power. This equates to the definitely-illegal equivalent of an over 1250W point source, which sounds very impressive but somehow we doubt that the quoted figures will be achieved in reality. Claimed manufacturer antenna gain figures are rarely trustworthy.

This is something of an exercise in how much you can push into a WiFi antenna, and his comparison with a rifle is very apt. Imagine it as the equivalent of an AR-15 modified with every bell and whistle the gun store can sell its owner, it may look impressively tricked-out but does it shoot any better than the stock rifle in the hands of an expert? As any radio amateur will tell you: a contact can only be made if communication can be heard in both directions, and we’re left wondering whether some of that extra power is wasted as even with the Yagi the WiFi receiver will be unlikely to hear the reply from a network responding at great distance using the stock legal antenna and power. Still, it does have an air of wardriver chic about it, and we’re certain it has the potential for a lot of long-distance WiFi fun within its receiving range.

This isn’t the first wardriving rifle we’ve featured, but unlike this one you could probably carry it past a policeman without attracting attention.

Nexmon Turns Nexus 5 (and RPi3!) Into WiFi Toolkit

Back in the day, when wardriving was still useful (read: before WPA2 was widespread), we used to wander around with a Zaurus in our pocket running Kismet. Today, every cellphone has WiFi and a significantly more powerful processor inside. But alas, the firmware is locked down.

mrmcd16-7748-deu-nexmon_-_make_wi-fi_hacking_on_smartphones_great_again_sdmp4-shot0005_thumbnailEnter the NexMon project. If you’ve got a Nexus 5 phone with the Broadcom BCM4339 WiFi chipset, you’ve now got a monitor-mode, packet-injecting workhorse in your pocket, and it looks a lot less creepy than that old Zaurus. But more to the point, NexMon is open. If you’d like to get inside what it took to reverse-engineer a hole into the phone’s WiFi, or make your own patches, here’s a great starting place.

But wait, there’s more! The recently released Raspberry Pi 3 has a similar Broadcom WiFi chipset, and has been given the same treatment, turning your RPi 3 into a wireless-sniffing powerhouse. How many Raspberry Pi “hacks” actually hack the Raspberry Pi? Well, here’s one.

We first learned of this project from a talk given at the MetaRhein-Main Chaos Days conference which took place last weekend. The NexMon talk (in German, but with slides in English) is just one of the many talks, all of which are available online.

The NexMon project is a standout, however. Not only do they reverse the WiFi firmware in the Nexus 5, but they show you how, and then apply the same methods to the RPi3. Kudos times three to [Matthias Schulz], [Daniel Wegemer], and [Matthias Hollick]!

WiFi Fob Acquaints OLED with ESP

When you think of WiFi in projects it’s easy to get into the rut of assuming the goal is to add WiFi to something. This particular build actually brings WiFi awareness to you, in terms of sniffing what’s going on with the signals around you and displaying them for instant feedback.

[0miker0] is working on the project as his entry in the Square Inch Project. It’s an adapter board that has a footprint for the 2×4 pin header of an ESP8266-01 module, and hosts the components and solder pads for a 128×64 OLED display. These are becoming rather ubiquitous and it’s not hard to figure out why. They’re relatively inexpensive, low-power, high-contrast, and require very few support components. From the schematic in the GitHub Repo it looks like 5 resistors and 7 caps.

The video below shows off two firmware modes so far. The first is an AP scan that reads out some information, the second is a weather-display program. Anyone who’s worked with the ESP modules knows that they have the potential to gather all kinds of data about WiFi signals — one of our favorite demos of this is when [cnlohr] used it to create a 3d light painted map of his WiFi signal strength. Chuck a rechargeable LiPo on this thing, tweak the example code for your needs, and you have a new gadget for wardriving-nouveau.

Continue reading “WiFi Fob Acquaints OLED with ESP”

NSA Technology Goes Open Hardware

When [Edward Snowden] smeared the internet with classified NSA documents, it brought to light the many spying capabilities our government has at its disposal. One the most interesting of these documents is known as the ANT catalog. This 50 page catalog, now available to the public, reads like a mail order form where agents can simply select the technology they want and order it. One of these technologies is called the Sparrow II, and a group of hackers at Hyperion Bristol has attempted to create their own version.

The Sparrow II is an aerial surveillance platform designed to map and catalog WiFi access points. Think wardriving from a UAV. Now, if you were an NSA agent, you could just order yourself one of these nifty devices from the ANT catalog for a measly 6 grand.  However, if you’re like most of us, you can use the guidance from Hyperion Bristol to make your own.

They start off with a Raspi, a run-of-the-mill USB WiFi adapter, a Ublox GY-NEO6MV2 GPS Module, and a 1200 mAh battery to power it all. Be sure to check out the link for full details.

Thanks to [Joe] for the tip!

Modified E-ZPass detects reads far from toll booths

Def Con speaker [pukingmonkey] has spent quite a bit of time studying methods government and law enforcement use to track private citizens’ vehicles on the roads. One of the major tracking methods is E-ZPass, an electronic toll collection system used in several states around the country. [pukingmonkey] cracked open his E-ZPass tag to find a relatively basic circuit. In his DEF CON presentation (PDF), he notes you shouldn’t do this to your own tag, as tags are legally not the property of the user.

The tag uses a 3.6 volt long life battery to operate. When idle, the tag only draws 8 microamps. During reads, current draw jumps to 0.3 mA. Armed with this information, it was relatively simple to add a current detecting circuit that outputs a pulse on tag reads. Pulses are then fed into a toy cow, which lights up and “Moos” on each read.

Continue reading “Modified E-ZPass detects reads far from toll booths”