Episode Transcript
0:00
Hello and welcome to the Thursday, May 23rd, 2024 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida.

0:14
Another Nmap diary from Rob today. This time, he's talking about how to connect Nmap to IPinfo. So, what this is all really about, including the Shodan diary from earlier this week, is that Nmap, well, Nmap really has evolved into more of a vulnerability scanner than just a simple port scanner by being very extensible via these NSE scripts. And yes, you can reach out to arbitrary HTTP APIs with these scripts and use this data to enrich the results that you're getting back from Nmap. A real useful trick if you're sort of trying to build your own little vulnerability scanning scripts, because you get way more than just "hey, there is a port open" and maybe a banner and such, but you can actually then interrogate these services and, like in this case, also collect other data from external services.

1:16
And a few listeners have asked about an article that was published by Brian Krebs about Wi-Fi location services. This is based on work done by researchers from the University of Maryland. So, given that this article got quite a bit of requests and interest, I figured I'll spend a little bit more time talking about what these Wi-Fi location services or Wi-Fi positioning services are and, well, how they work.

1:48
So, very basic: when you're connecting to a wireless access point, you're not just connecting to a wireless network with a particular SSID, that's usually the string that identifies the network to you, like, you know, often "netgear" or whatever, but you're also connecting to a specific access point with a BSSID, and that's really the MAC address of that access point. So if you have a network with multiple access points, they may all have the same SSID or network name, but each one of these access points has a different BSSID or MAC address. Now these days, of course, everybody has a mobile device, and mobile devices often do have very precise GPS chips built in, and these devices don't really need to use a Wi-Fi network to actually do geolocation. However, they can help vendors to create databases with the different wireless networks, and typically the BSSID here is cataloged. And the way this works is that your wireless device may report back to the vendor, and that's typically Google or Apple: "hey, I'm currently located in this particular location based on my GPS, and these are the wireless access points that I'm seeing, and this is the signal strength of these wireless access points." So if you now have a device without a GPS, like a laptop or a desktop computer, the operating system does take advantage of these databases. So it will report back to Google, Apple: "hey, I'm seeing these particular access points, help me figure out where I'm located based on the locations reported earlier by various devices with GPS." And the end result is that even without a GPS you get rather accurate location services, even in devices like laptops and desktops.

3:54
Now that's where Google and Apple differ a little bit. With Google, the device will report back "these are the BSSIDs I'm seeing and that's the signal strength," and basically Google returns the location of the user. With Apple, well, Apple tries to balance privacy a little bit, at least privacy of the Apple customer running the Apple laptop. And in that case, the device will just report back a couple of BSSIDs it's seeing, and then Apple will actually return a large number, turns out around 400 different BSSIDs, that they have seen in the area. And then it's up to the device to figure out the location based on that data. And the tricky part here is that this of course puts at risk the privacy of all of these operators that are running these different wireless networks, because with one simple API call you get back the BSSIDs and the locations of up to 400 different access points. And these researchers in Maryland, they did actually use this to do some interesting sort of data mining. Because the BSSID is the MAC address and MAC addresses are assigned to vendors, they, for example, looked at MAC addresses associated with Starlink terminals and then looked, for example, at areas like Ukraine, Crimea and such and tried to figure out where Starlink terminals are located, and well, they found quite a few of them. Now these researchers did notify Starlink about these issues; in particular, you know, in a conflict zone like Ukraine there are of course life and safety issues involved with this, and Starlink did publish an update to its firmware that will randomize the BSSID, and since then there has been a notable drop in locatable Starlink terminals.

5:53
Apple and Google at least did agree on sort of an opt-out mechanism that can be used in order to not have your particular BSSID tracked. This requires that you're adding "_nomap" to the SSID of your wireless network. Now, this discussion wouldn't be complete without also noting that this is far from a new thing. The earliest articles I sort of found about this were from 2011. So about 13 years ago, back then, it already mentioned Google using the "_nomap" suffix in order to opt out of this. In the past, Google, for example, sometimes also has used its Google Street View camera cars to collect BSSIDs. I don't think they do that anymore; they've gotten some trouble over that. Microsoft had a similar system. Not sure if that's still active. The problem with Microsoft was they had a different suffix that you needed to use in order to opt out. For them, it was just "_optout", if I remember correctly. And then, of course, you have the problem as a user: well, are you going to add "_nomap" or "_optout"? I'm not sure if you can do both, like "_optout_nomap", what that will do. At least now Apple agreed to use the same suffix that Google already is using for the last 10 plus years. And that at least makes it a bit easier to opt out.

7:26
Then there's the question, does it actually help to set your Wi-Fi network to hidden? Well, what hidden does is it doesn't send any beacons to actually advertise the network. But if the network is in use, you can still actually see the traffic and still see the SSID. And remember that these BSSIDs are being reported, at least in part, by systems connected to the network. So this is not like what happened 10 plus years ago, where you had these Google camera cars that would passively collect that data. So your best bet at this point, if you don't want to contribute to the database, is to add "_nomap" to your SSID, or use a very generic SSID, maybe randomize the MAC address of your access points, if you can do that, it depends on the access point, to make it basically more difficult to locate a particular access point that may be associated with you. Only the BSSID is reported by these APIs, not the SSID, as far as I know. So let's say you're using your last name or your address as your SSID: an attacker wouldn't necessarily be able to pinpoint your particular network using this. If they only know the SSID, they have to know the actual BSSID.

8:56
So sorry for spending all the podcast talking about this one topic, but I figured it was of sufficient interest to actually do so. Thanks for listening, and I'll add a couple of links also to the older articles in the show notes. Thanks and talk to you again tomorrow. Bye.