Computer Security: I know where you have been… since forever!

OK, the “forever” has to be taken with a pinch of salt. But generally speaking, if you were to pass near my office carrying your smartphone, I would be able to find out. It’s all thanks to the wireless communication capabilities of your phone…

 

So how is it done? Every wireless network has a name (SSID: Service Set Identifier). At CERN, for example, you can find “eduroam”, “CERN” or “CERNn” (any other SSIDs are rogue and should not be used). Whenever you connect to a wireless network, your phone keeps a record of the SSID it has connected to for future use. If your phone detects a wireless network, it tries every SSID it has in its list until a wireless access point answers positively, in order to establish a connection. And the longer you have your smartphone, the more SSIDs it has connected to around the world and the more it “knows” about where it has been. This is the information I can tap into.

A specialised rogue wireless access point, like the HAK5 “PineApple”, can pretend to be any wireless network*. It just sends out a wireless beacon that your smartphone picks up and answers. The rogue wireless access point then records any SSID request your phone tries out from its internal list: “CERN”, “StefanWLAN”, “GVAairport”, “Swisscom”, “SBB-FREE”, “HyattAtlantaGuest”, “AmsterdamRoaming”, “ITUwifi”… And, obviously, very often, the SSID name provides sufficient information about where you or I have been. Voilà.

So, how should you protect yourself? First, disable the option to join wireless networks automatically. If you do this, you will see the SSIDs you can connect to and confirm as required. Alternatively, you can disable your smartphone’s wireless capabilities completely and just enable them in places you know and trust. Resetting the network settings would be an even harsher step, but you would need to reconfigure those networks you regularly use… Finally, you could delete the SSID from your iCloud or Google account and reinstall the phone’s operating system to get rid of it once and for all. But you would have to be really paranoid to do that, don’t you think?

*Of course, the deployment of such a rogue wireless access point at CERN would violate the CERN Computing Rules.


For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report.


Access the entire collection of Computer Security articles here.

by Stefan Lueders, Computer Security Team