Wireless access point spoofing and mobile devices geolocation using swarms of flying robots


Master optional semester project, spring 2014

Jonathan CHESEAUX (cheseauxjonathan@gmail.com)

Supervisors: Prof. Bixio Rimoldi, Stefano Rosati, PhD, Karol Kruzelecki


Contents

1 Introduction
2 Material
  2.1 Hardware
    2.1.1 Flying robot
    2.1.2 Gumstix Board
    2.1.3 Wifi dongle
  2.2 Software
    2.2.1 Yocto Project
    2.2.2 Scapy
    2.2.3 Wireshark
3 Wireless Access Point Spoofing
  3.1 Probe requests
  3.2 Directed Probe Requests
  3.3 Hidden SSID
  3.4 DeAuth attack
  3.5 Experiment
  3.6 Conclusion
4 RSSI Based Geolocalization
  4.1 Previous work
  4.2 RSSI as a metric
  4.3 GPS Trilateration
  4.4 GPS coordinates weighted average
  4.5 Results
5 Visualization tools
  5.1 Live tracking
  5.2 Replay a flight
6 Conclusion

1 Introduction

This project is split in two main parts. The first task is to spoof an existing wireless network in order to communicate with users on the ground via their mobile phones. A real-life application could be a natural disaster after which the rescue team needs to establish a communication channel with a victim, without requiring any user intervention. Due to the potential complexity of the terrain and the weather conditions, flying robots could be highly relevant for providing such a network.

The second part of this work focuses on localizing victims by analysing the beacon frames periodically sent by their smartphones when Wifi is switched on. Provided that we can accurately localize smartphones on the ground, we assume that there is a high probability that a victim is situated next to one. It also helps to move the plane into a smaller zone, thus increasing the communication channel's reliability.

A user interface is also provided in order to operate the planes and follow the localization estimates in real time. It provides simple tools for routing the planes into smaller search areas and allows the operator to have a quick overview of the operations in progress or of previous operations.

2 Material

2.1 Hardware

2.1.1 Flying robot

The flying robots used for this project are developed by SenseFly, a spin-off of EPFL (1). The model chosen for the experiments is the eBee, which has an autonomy of 30 minutes at full speed (12 m/s).

[Figure 1: Flying robot, model eBee]

2.1.2 Gumstix Board

The operating system of the robots is implemented on a Gumstix computer-on-module. Data is stored on a micro-SD card and an expansion board provides USB, Ethernet and power supply for the development phase.

[Figure 2: Gumstix board used in the flying robots]

(1) https://www.sensefly.com/

2.1.3 Wifi dongle

Flying robots are equipped with two Wifi radio interfaces: the first one is responsible for creating the network between the drones and the second one communicates with mobile devices located on the ground. For the latter, we use the FRITZ!WLAN USB Stick N dongle, which is fully compatible with the latest WLAN standards and allows packet monitoring.

2.2 Software

2.2.1 Yocto Project

Yocto Project is a tool that facilitates the creation of custom Linux kernels for embedded software. It was used in the project to build a lightweight Linux distribution with just the needed packages. The building process makes use of so-called recipes. A recipe is a .bb file that contains information about the software license, source location and compiling parameters, and is used by bitbake (2) to build the system for a specific architecture. The main advantage of using Yocto Project to create the embedded operating system is that packages can be easily added and the compiling process is automated. On the other hand, it can take significant time to master this tool, and dealing with dependency errors can be a real nightmare.

2.2.2 Scapy

Scapy is a very powerful Python library that allows the developer to manipulate network packets. It is used in this project to detect the presence of mobile devices and to communicate with them.

2.2.3 Wireshark

Wireshark is a well-known open-source packet analyser. It was a good support for the research part of the project, especially for analysing the information contained in probe requests, as explained in more detail in Section 4 of this report.

(2) Bitbake is a building tool provided by Yocto Project

3 Wireless Access Point Spoofing

Wireless access point spoofing is a network attack based on the impersonation of a genuine Wifi router. A Wifi network is identified by its SSID, thus it is possible to set up a fake access point by copying an existing SSID. By sniffing packets with a powerful antenna we can learn a lot about users and access points: for example, probe requests and responses are sent unencrypted and allow us to learn which APs are in range, along with the users connected to them.

3.1 Probe requests

Devices that want to connect to a wireless network first need to discover which access points are in range. They send Probe Request packets whose SSID field is set to null. Each AP periodically broadcasts its SSID and can also answer Probe Requests by sending Probe Responses. If the device knows one of the advertised SSIDs, it will then try to associate with it.

3.2 Directed Probe Requests

Directed Probe Requests differ from simple Probe Requests in that the SSID field of the packet is set to one of the registered WLANs. In that manner, we can listen to directed probe requests from a mobile node and learn which APs it was connected to before.

3.3 Hidden SSID

It is possible for an AP to hide its name by not broadcasting it. The only way to connect to such an AP is then to know its SSID in advance. Experiment has shown that devices that were once connected to a hidden AP will send a directed probe request when in presence of an arbitrary hidden AP. This can be of great help to force the user to connect to the rogue AP.

3.4 DeAuth attack

Even if we are able to impersonate an existing access point, we still need the user to be disconnected from the genuine AP. Deauthentication between an AP and a station can be easily performed by sending appropriate DeAuth packets, defined by the 802.11 standard. Aireplay-ng (3) is an open-source tool that can inject and forge packets and provides simple commands for sending repeated DeAuth packets to the targets.

3.5 Experiment

For this experiment, we used a TP-Link Nano router N to set up a fake AP. The test also involved an iPhone 4 that had the epfl WLAN registered in its access points list and acted as the victim. This experiment was first conducted outside the EPFL campus, where its wireless network wasn't accessible. The rogue AP was connected to the Internet and set up to broadcast the SSID epfl. The iPhone successfully connected to the rogue AP without asking the user for an intervention. Another similar experiment was conducted in EPFL's premises but failed. This is certainly due to some wireless intrusion prevention system implemented by EPFL IT administrators, as is often the case for company wifi.

3.6 Conclusion

We have shown that it is indeed possible to impersonate an access point, provided that the spoofed network doesn't implement intrusion detection mechanisms. In our experiment we knew which SSID was in the device's preference list, but in real situations it is more difficult to guess which SSID to choose for the rogue AP. As we have seen, setting up a hidden AP can reveal some of these choices, or we could also use some common network names, such as linksys, NETGEAR, default, home, etc. (4)

(3) http://www.aircrack-ng.org/doku.php?id=aireplay-ng
(4) A list of the top 1000 commonly used Wifi network names can be found at this webpage: https://wigle.net/gps/gps/main/ssidstats
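The probe request analysis of Sections 3.1 to 3.3 (null SSID versus directed probe), as an added example that is not part of the original report: a small parser for raw 802.11 probe request frames that records, per station, which SSIDs it discloses. This is exactly the information a monitoring station or wireless IDS sees in clear. It assumes the standard 24-byte management header followed by tagged parameters (SSID tag 0, DS Parameter Set tag 3); the sample frames are constructed inline and nothing is transmitted.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

PROBE_REQUEST = (0, 4)          # 802.11 frame-control (type, subtype) of a probe request
TAG_SSID, TAG_DS_PARAMS = 0, 3  # tagged-parameter ids used below

@dataclass
class ProbeRequest:
    source: str            # station MAC (Address 2 of the management header)
    ssid: Optional[str]    # None for a null (wildcard) SSID, i.e. a broadcast probe
    channel: Optional[int]

def parse_tagged_params(payload: bytes) -> Dict[int, bytes]:
    """Walk the (id, length, value) list that follows the 24-byte management header."""
    tags: Dict[int, bytes] = {}
    i = 0
    while i + 2 <= len(payload):
        tag_id, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            raise ValueError("truncated tagged parameter")
        tags[tag_id] = value
        i += 2 + length
    return tags

def parse_probe_request(frame: bytes) -> Optional[ProbeRequest]:
    """Decode a raw 802.11 probe request; return None for any other frame type."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 management header")
    fc = frame[0]
    if ((fc >> 2) & 0x3, fc >> 4) != PROBE_REQUEST:
        return None
    tags = parse_tagged_params(frame[24:])
    ssid_raw = tags.get(TAG_SSID, b"")
    return ProbeRequest(
        source=":".join(f"{b:02x}" for b in frame[10:16]),
        ssid=ssid_raw.decode("utf-8", "replace") if ssid_raw else None,
        channel=tags[TAG_DS_PARAMS][0] if TAG_DS_PARAMS in tags else None,
    )

def probe_inventory(frames) -> Tuple[Dict[str, Set[str]], Dict[str, int]]:
    """Per station: the SSIDs disclosed in directed probes, and its broadcast probe count."""
    directed: Dict[str, Set[str]] = {}
    broadcast: Dict[str, int] = {}
    for req in filter(None, map(parse_probe_request, frames)):
        if req.ssid is None:
            broadcast[req.source] = broadcast.get(req.source, 0) + 1
        else:
            directed.setdefault(req.source, set()).add(req.ssid)
    return directed, broadcast

def build_probe_request(sa: bytes, ssid: bytes, channel: int = 1) -> bytes:
    """Constructed test frame: FC 0x40 (mgmt/probe req), broadcast DA and BSSID, then tags."""
    header = b"\x40\x00\x00\x00" + b"\xff" * 6 + sa + b"\xff" * 6 + b"\x00\x00"
    tags = bytes([TAG_SSID, len(ssid)]) + ssid
    return header + tags + bytes([TAG_DS_PARAMS, 1, channel])

# Constructed sample capture: station 1 probes broadcast, then for "epfl"; station 2
# probes for "home" on channel 6; the last entry is a beacon-type header to be ignored.
SAMPLE_FRAMES = [
    build_probe_request(bytes.fromhex("02aabbcc0001"), b""),
    build_probe_request(bytes.fromhex("02aabbcc0001"), b"epfl"),
    build_probe_request(bytes.fromhex("02aabbcc0002"), b"home", channel=6),
    b"\x80\x00" + b"\x00" * 22,
]
```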

4 RSSI Based Geolocalization

The goal of this project is to estimate the location of a user (potentially the victim of a natural disaster) on the ground using flying robots. The location algorithm is based on the probe request frames periodically sent by the user's mobile phone if the wifi is switched on.

4.1 Previous work

A lot of literature can be found on the subject, some stating that RSSI can't be reliably used to estimate a distance [5], others stating the opposite [4] [1] [2]. None of them used flying robots as sensor nodes and all were operating at smaller distances.

4.2 RSSI as a metric

The Received Signal Strength Indication is a measurement indicating the power level received by the antenna and can be extracted from the probe requests/responses sent in clear in a wireless network. There aren't any standards regarding the units used for this quantity; each chipset vendor uses its own scale. The radio interface used in this project is the AVM FRITZ!WLAN USB Stick N and contains an Atheros AR9001U-2NX chipset. For this hardware, the RSSI value is defined as a percentage of RSSI_MAX (60). The formula to convert the given RSSI to dBm is [5]

$$P_{\mathrm{dBm}} = \frac{\mathrm{RSSI} \cdot 60}{100} - 95$$

which gives a range of -35 dBm at 100% and -95 dBm at 0%. In order to localize people using this metric, it would be convenient to convert these dBm powers into meters, but as shown in Figure 3, there is no noticeable correlation between the RSSI value and the real distance, which affects the localization's accuracy.

[Figure 3: Absence of correlation between the RSSI value (in percentage) and the distance in meters.]

4.3 GPS Trilateration

The first implemented model makes use of the so-called Trilateration algorithm. Basically, this algorithm uses three GPS coordinates and three distances to compute an estimate of the real position. We can represent each GPS coordinate as the center of a sphere, and the distance as the radius of this sphere. The point of interest should then lie on the intersection of the three spheres. Since RSSI can't be accurately translated to a distance, we used the normalized power and iteratively increased the radius of the spheres until they intersected. The accuracy of this method wasn't good enough for the purpose of the project (up to 100 meters in the worst-case scenarios), thus we decided not to use it and to find a better model.

4.4 GPS coordinates weighted average

Another model was implemented in order to accurately find a user on the ground, which makes use of a simple weighted average. Let x be the vector formed by the coordinates (latitude and longitude) of the plane when it received a beacon frame and p be the vector of the corresponding RSSI values. These vectors are sorted in descending order of RSSI, and the weighted average is then applied as follows:

$$(x_0, y_0) = \frac{\sum_{i=1}^{N} p_i \, x_i}{\sum_{i=1}^{N} p_i}$$

where N is the number of beacon frames that we consider. We can either choose to discard every beacon frame whose power is lower than a desired threshold or simply take the N most powerful beacon frames, depending on the quantity of beacon frames we receive during a flight.

4.5 Results

Three outdoor experiments were conducted during the project in order to test the accuracy of the models and the tools developed to visualize and interact with the planes. These tests have shown that RSSI values aren't stable at all and that it is possible to measure values from a large interval even if the target device was at the same distance each time the beacon was received. Accuracy was significantly improved by the weighted average model. On average the error was a bit less than 50 meters, and by tuning the parameters of the model appropriately we were able to localize users with an error smaller than 10 meters. These results are encouraging and further outdoor experiments will be conducted to find the best parameters for this model.
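The conversion of Section 4.2 and the weighted-average estimator of Section 4.4, carried through on a constructed flight log, as an added example that is not part of the original report. It assumes that the weights p_i are the vendor percentages of Section 4.2 (so they are positive), exposes both selection options the text mentions (the N strongest frames, or a power threshold), and adds a haversine distance, not in the report, only to measure the estimate's error against a known ground truth.

```python
import math
from typing import List, Optional, Tuple

RSSI_MAX = 60  # Atheros AR9001U-2NX scale of the FRITZ!WLAN dongle (Section 4.2)

# (latitude, longitude, rssi_percent) recorded by the plane when a probe request arrived
Observation = Tuple[float, float, float]

def rssi_percent_to_dbm(rssi_percent: float) -> float:
    """Section 4.2 conversion: 100% maps to -35 dBm and 0% to -95 dBm."""
    if not 0 <= rssi_percent <= 100:
        raise ValueError("RSSI percentage out of range")
    return rssi_percent * RSSI_MAX / 100 - 95

def weighted_position(observations: List[Observation], top_n: Optional[int] = None,
                      min_rssi: Optional[float] = None) -> Tuple[float, float]:
    """Section 4.4 estimator: sort by descending RSSI, keep the N strongest and/or those
    above a threshold, then average the plane positions weighted by the RSSI percentage."""
    ranked = sorted(observations, key=lambda o: o[2], reverse=True)
    if min_rssi is not None:
        ranked = [o for o in ranked if o[2] >= min_rssi]
    if top_n is not None:
        ranked = ranked[:top_n]
    total = sum(o[2] for o in ranked)
    if total <= 0:
        raise ValueError("no usable observations (empty selection or all-zero RSSI)")
    lat = sum(o[0] * o[2] for o in ranked) / total
    lon = sum(o[1] * o[2] for o in ranked) / total
    return lat, lon

def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres, to report an estimate's error against ground truth."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

# Constructed flight log: the phone sits at (46.5200, 6.5660); the plane records strong
# RSSI overhead, weaker values further away, and one weak reading from a distant point.
TRUE_POSITION = (46.5200, 6.5660)
SAMPLE_OBSERVATIONS: List[Observation] = [
    (46.5200, 6.5660, 60),
    (46.5210, 6.5660, 40),
    (46.5190, 6.5660, 40),
    (46.5200, 6.5680, 20),
    (46.5200, 6.5640, 20),
    (46.5230, 6.5700, 5),
]

if __name__ == "__main__":
    for label, kwargs in [("all frames", {}), ("5 strongest", {"top_n": 5})]:
        lat, lon = weighted_position(SAMPLE_OBSERVATIONS, **kwargs)
        err = haversine_m(*TRUE_POSITION, lat, lon)
        print(f"{label}: ({lat:.5f}, {lon:.5f}) error {err:.1f} m")
```

On this log the single distant weak reading pulls the all-frames estimate about a dozen metres off, and dropping it (top_n=5 or min_rssi=10) lands on the true position, which is the tuning the report describes in 4.5.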

5 Visualization tools

5.1 Live tracking

A Python framework has been developed for displaying the live position of the planes along with the users' estimated positions. It also allows the operator to change the route of the planes by clicking on them and drawing a new rectangular search area. The base station receives data from the planes using a standard TCP connection and passes it to the web frontend using WebSockets. The Google Maps API (5) was used in order to display the map and add markers on it.

5.2 Replay a flight

Another framework built on top of the previous one allows users to replay a previously conducted outdoor experiment, using the logs generated by the planes.

[Figure 4: Application allowing to replay a flight from log files]

(5) https://developers.google.com/maps/

6 Conclusion

In this document, we have shown that wireless access point spoofing is possible, even though there are a lot of obstacles, such as guessing a valid SSID, disconnecting the user from the genuine router and wireless intrusion detection mechanisms. We have also proved that a relatively accurate geolocation based on RSSI analysis is possible, with an error lower than 10 meters, which is quite good given that the planes were flying at an altitude of 60 to 70 meters above the ground during the tests. We also encountered many problems with RSSI values; for example, the conversion formula from percentage to dBm was hard to find. Moreover, this power indicator is also really sensitive to noise, weather conditions, interference, etc. Nevertheless, the results are encouraging and the localization accuracy could certainly be improved by further testing.

References

[1] Karl Benkic, Marko Malajner, P. Planinsic, and Z. Cucej. Using RSSI value for distance estimation in wireless sensor networks based on ZigBee. In Systems, Signals and Image Processing, 2008. IWSSIP 2008. 15th International Conference on, pages 303-306. IEEE, 2008.
[2] Wan-Young Chung et al. Enhanced RSSI-based real-time user location tracking system for indoor and outdoor environments. In Convergence Information Technology, 2007. International Conference on, pages 1213-1218. IEEE, 2007.
[3] IEEE-SA. IEEE 802.11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications. 2012.
[4] Zhang Jianwu and Zhang Lu. Research on distance measurement based on RSSI of ZigBee. In Computing, Communication, Control, and Management, 2009. CCCM 2009. ISECS International Colloquium on, volume 3, pages 210-212. IEEE, 2009.
[5] Ambili Thottam Parameswaran, M. I. Husain, and S. Upadhyaya. Is RSSI a reliable parameter in sensor localization algorithms - an experimental study. 28th International Symposium on Reliable Distributed Systems, 2013.
[6] Madwifi Project. Converting signal strength percentage to dBm values. https://madwifi-project.org/attachment/wiki/userdocs/rssi/converting_Signal_Strength.pdf?format=raw
[7] Yocto Project. Yocto Project documentation. https://www.yoctoproject.org/documentation