ISC StormCast for Thursday, May 23rd, 2024

Released Thursday, 23rd May 2024

Episode Transcript

0:00

Hello and welcome to the Thursday, May 23rd, 2024 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. Another Nmap diary from Rob today. This time, he's talking about how to connect Nmap to IPinfo. So, what this is all really about, including the Shodan diary from earlier this week, is that Nmap, well, Nmap really has evolved into more of a vulnerability scanner than just a simple port scanner by really being very extensible via these NSE scripts. And yes, you can reach out to arbitrary HTTP APIs with these scripts and use this data to enrich the results that you're getting back from Nmap. A real useful trick if you're sort of trying to build your own little vulnerability scanning scripts, because you get way more than just whether a port is open and maybe a banner and such, but you can actually then interrogate these services and, like in this case, also then collect other data from external services.

1:16

And a few listeners have asked about an article that was published by Brian Krebs about Wi-Fi location services. This is based on work done by researchers from the University of Maryland. So, given that this article got quite a bit of requests and interest, I figured I'll spend a little bit more time talking about what these Wi-Fi location services, or Wi-Fi positioning services, are and, well, how they work.

1:48

So, very basic: when you're connecting to a wireless access point, you're not just connecting to a wireless network with a particular SSID. That's usually the string that identifies the network to you, like, you know, often "netgear" or whatever. But you're also connecting to a specific access point with a BSSID, and that's really the MAC address of that access point. So if you have a network with multiple access points, they may all have the same SSID, or network name, but each one of these access points has a different BSSID, or MAC address.

2:32

Now these days, of course, everybody has a mobile device, and mobile devices often do have very precise GPS chips built in, and these devices don't really need to use a Wi-Fi network to actually do geolocation. However, they can help vendors to create databases with the different wireless networks, and typically the BSSID here is cataloged. And the way this works is that your wireless device may report back to the vendor, and that's now typically Google or Apple, that "hey, I'm currently located in this particular location based on my GPS, and these are the wireless access points that I'm seeing, and this is the signal strength of these wireless access points." So if you now have a device without a GPS, like a laptop or a desktop computer, the operating system does take advantage of these databases, so it will report back to Google, Apple: "hey, I'm seeing these particular access points, help me figure out where I'm located based on the locations reported earlier by various devices with GPS." And the end result is that even without a GPS you get rather accurate location services, even in devices like laptops and desktops.

3:56

Now, that's where Google and Apple differ a little bit. With Google, the device will report back, "these are the BSSIDs I'm seeing and that's the signal strength," and basically Google returns the location of the user. With Apple, well, Apple tries to balance privacy a little bit, at least privacy of the Apple customer running the Apple laptop. And in that case, the device will just report back a couple of BSSIDs it's seeing, and then Apple will actually return a large number, turns out around 400 different BSSIDs, that they have seen in the area. And then it's up to the device to figure out the location based on that data. And the tricky part here is that this, of course, puts at risk the privacy of all of these operators that are running these different wireless networks, because with one simple API call you get back the BSSIDs and the locations of up to 400 different access points.

5:02

And these researchers in Maryland, they did actually use this to do some interesting sort of data mining. Because the BSSID is the MAC address, and MAC addresses are assigned to vendors, they, for example, looked at MAC addresses associated with Starlink terminals and then looked, for example, at areas like Ukraine, Crimea and such, and tried to figure out where Starlink terminals are located, and, well, they found quite a few of them. Now, these researchers did notify Starlink about these issues. In particular, you know, in a conflict zone like Ukraine, there are, of course, life and safety issues involved with this, and Starlink did publish an update to its firmware that will randomize the BSSID, and since then there has been a notable drop in locatable Starlink terminals.

5:55

Apple and Google at least did agree on sort of an opt-out mechanism that can be used in order to not have your particular BSSID tracked. This requires that you're adding "_nomap" to the SSID of your wireless network.

6:14

Now, this discussion wouldn't be complete without also noting that this is far from a new thing. The earliest articles I sort of found about this were from 2011. So about 13 years ago, back then, it already mentioned Google using the "_nomap" suffix in order to opt out of this. In the past, Google, for example, sometimes also has used its Google Street View camera cars to collect BSSIDs. I don't think they do that anymore. They've gotten some trouble over that. Microsoft had a similar system. Not sure if that's still active. The problem with Microsoft was they had a different suffix that you needed to use in order to opt out. For them, it was just "_optout", if I remember correctly. And then, of course, you have the problem as a user: well, are you going to add "_nomap" or "_optout"? I'm not sure if you can do both, like "_optout_nomap". What that will do, at least now Apple agreed to use the same suffix that Google already is using for the last 10 plus years, and that at least makes it a bit easier to opt out.

7:28

Then there's the question: does it actually help to set your Wi-Fi network to hidden? Well, what hidden does is it doesn't send any beacons to actually advertise the network. But if the network is in use, you can still actually see the traffic and still see the SSID. And remember that these BSSIDs are being reported, at least in part, by systems connected to the network. So this is not like what happened 10 plus years ago, where you had these Google camera cars that would passively collect that data.

8:05

So your best bet at this point, if you don't want to contribute to the database, is to add "_nomap" to your SSID, or use a very generic SSID, maybe randomize the MAC address of your access points, if you can do that (it depends on the access point), to make it basically more difficult to locate a particular access point that may be associated with you. Only the BSSID is reported by these APIs, not the SSID, as far as I know. So let's say you're using your last name or your address as your SSID; an attacker wouldn't necessarily be able to pinpoint your particular network using this. If they only know the SSID, they have to know the actual BSSID.

8:56

So sorry for spending the whole podcast talking about this one topic, but I figured it was of sufficient interest to actually do so. Thanks for listening, and I'll add a couple of links also to the older articles in the show notes. Thanks and talk to you again tomorrow. Bye.
