Wireless access point spoofing and mobile devices geolocation using swarms of flying robots

Master optional semester project, spring 2014

Jonathan CHESEAUX (cheseauxjonathan@gmail.com)

Supervisors: Prof. Bixio Rimoldi, Stefano Rosati, PhD, Karol Kruzelecki
Contents

1 Introduction
2 Material
  2.1 Hardware
    2.1.1 Flying robot
    2.1.2 Gumstix Board
    2.1.3 Wifi dongle
  2.2 Software
    2.2.1 Yocto Project
    2.2.2 Scapy
    2.2.3 Wireshark
3 Wireless Access Point Spoofing
  3.1 Probe requests
  3.2 Directed Probe Requests
  3.3 Hidden SSID
  3.4 DeAuth attack
  3.5 Experiment
  3.6 Conclusion
4 RSSI Based Geolocalization
  4.1 Previous work
  4.2 RSSI as a metric
  4.3 GPS Trilateration
  4.4 GPS coordinates weighted average
  4.5 Results
5 Visualization tools
  5.1 Live tracking
  5.2 Replay a flight
6 Conclusion
1 Introduction

This project is split into two main parts. The first task is to spoof an existing wireless network in order to communicate with users on the ground via their mobile phones. A real-life application would be a natural disaster after which the rescue team needs to establish a communication channel with a victim, without requiring any user intervention. Due to the potential complexity of the terrain and weather conditions, flying robots could be highly relevant to provide such a network.

The second part of this work focuses on localizing victims by analysing the beacon frames periodically sent by their smartphone if Wifi is switched on. Provided that we can accurately localize smartphones on the ground, we assume that there is a high probability that a victim is also situated next to them. This also helps to move the plane into a smaller zone, thus increasing the communication channel's reliability.

A user interface is also provided in order to operate the planes and follow the localization estimates in real time. It provides simple tools for routing the planes to smaller search areas and allows the operator to have a quick overview of the operations in progress or of previous operations.
2 Material

2.1 Hardware

2.1.1 Flying robot

The flying robots used for this project are developed by SenseFly (https://www.sensefly.com/), a spin-off of EPFL. The model chosen for the experiments is the eBee, which has an autonomy of 30 minutes at full speed (12 m/s).

Figure 1: Flying robot, model eBee

2.1.2 Gumstix Board

The operating system of the robots runs on a Gumstix computer-on-module. Data is stored on a micro-SD card and an expansion board provides USB, Ethernet and power supply for the development phase.

Figure 2: Gumstix board used in the flying robots
2.1.3 Wifi dongle

Flying robots are equipped with two Wifi radio interfaces: the first one is responsible for creating the network between the drones and the second one communicates with mobile devices located on the ground. For the latter, we use the FRITZ!WLAN USB Stick N dongle, which is fully compatible with the latest WLAN standards and allows packet monitoring.

2.2 Software

2.2.1 Yocto Project

Yocto Project is a tool that facilitates the creation of custom Linux kernels for embedded software. It was used in the project to build a lightweight Linux distribution with just the needed packages. The build process makes use of so-called recipes. A recipe is a .bb file that contains information about the software license, source location and compilation parameters, and is used by bitbake (a build tool provided by Yocto Project) to build the system for a specific architecture. The main advantage of using Yocto Project to create the embedded operating system is that packages can be easily added and the compilation process is automated. On the other hand, it can take significant time to master this tool and dealing with dependency errors can be a real nightmare.

2.2.2 Scapy

Scapy is a very powerful Python library allowing the developer to manipulate network packets. It is used in this project to detect the presence of mobile devices and communicate with them.

2.2.3 Wireshark

Wireshark is a well-known open-source packet analyser. It was a good support for the research part of the project, especially for analysing the information contained in probe requests, as explained in more detail in Section 4 of this report.
3 Wireless Access Point Spoofing

Wireless access point spoofing is a network attack based on the impersonation of a genuine Wifi router. A Wifi network is identified by its SSID, thus it is possible to set up a fake access point by copying an existing SSID. By sniffing packets with a powerful antenna we can learn a lot about users and access points; for example, probe requests and responses are sent unencrypted and allow us to learn which APs are in range along with the users connected to them.

3.1 Probe requests

Devices that want to connect to a wireless network first need to discover which access points are in range. They send Probe Request packets containing an SSID field set to null. Each AP periodically broadcasts its SSID and can also answer Probe Requests by sending Probe Responses. If the device knows one of the advertised SSIDs, it will then try to associate with it.

3.2 Directed Probe Requests

Directed Probe Requests differ from simple Probe Requests in that the SSID field of the packet is set to one of the registered WLANs. In that manner, we can listen to directed probe requests from a mobile node and learn which APs it was connected to before.

3.3 Hidden SSID

It is possible for an AP to hide its name by not broadcasting it. The only way to connect to such an AP is then to know its SSID in advance. Experiment has shown that devices that were once connected to a hidden AP will send a directed probe request in the presence of an arbitrary hidden AP. This can be of great help to force the user to connect to the rogue AP.

3.4 DeAuth attack

Even if we are able to impersonate an existing access point, we still need the user to be disconnected from the genuine AP. Deauthentication between an AP and a station can easily be performed by sending appropriate DeAuth packets, defined by the 802.11 standard.
Aireplay-ng (http://www.aircrack-ng.org/doku.php?id=aireplay-ng) is an open-source tool that can inject and forge packets and provides simple commands for sending repeated DeAuth packets to the targets.

3.5 Experiment

For this experiment, we used a TP-Link Nano Router N to set up a fake AP. The test also involved an iPhone 4 that had the epfl WLAN registered in its access point list and acted as the victim. This experiment was first conducted outside the EPFL campus, where its wireless network wasn't accessible. The rogue AP was connected to the Internet and set up to broadcast the SSID epfl. The iPhone successfully connected to the rogue AP without asking the user for any intervention. Another similar experiment was conducted on EPFL's premises but failed. This is certainly due to wireless intrusion prevention systems deployed by EPFL IT administrators, as is often the case for company wifi.

3.6 Conclusion

We have shown that it is indeed possible to impersonate an access point, provided that the spoofed network doesn't implement intrusion detection mechanisms. In our experiment we knew which SSID was in the device's preference list, but in real situations it is more difficult to guess which SSID to choose for the rogue AP. As we have seen, setting up a hidden AP can reveal some of these choices, or we could also use some common network names, such as linksys, NETGEAR, default, home, etc. (a list of the 1000 most commonly used Wifi network names can be found at https://wigle.net/gps/gps/main/ssidstats).
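The broadcast and directed probe requests of Sections 3.1 and 3.2 can be told apart by parsing the SSID information element of the management frame, which is what a monitoring station on the plane (or an administrator checking which network names their own devices advertise) has to do before any of the analysis in Section 4. The parser below is an added example, not code from the project; it works on raw 802.11 frames without a radiotap header, and the frames it parses are constructed inline rather than captured.

```python
import struct

# Frame control byte 0 for a probe request: type=management (00), subtype=0100 (Section 3.1).
PROBE_REQUEST = 0x40


def parse_probe_request(frame):
    """Parse a raw 802.11 probe request (no radiotap header) into source MAC and SSID.

    Returns None if the frame is not a probe request. The SSID is '' for a
    broadcast probe (Section 3.1) and the remembered network name for a
    directed probe (Section 3.2); a device that remembers a hidden network
    (Section 3.3) shows up here as a directed probe too.
    """
    if len(frame) < 24 or frame[0] & 0xFC != PROBE_REQUEST:
        return None
    src = ':'.join('%02x' % b for b in frame[10:16])  # addr2 = transmitter (the phone)
    ssid = ''
    pos = 24  # information elements follow the 24-byte MAC header
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:  # truncated element: stop instead of over-reading
            break
        if tag == 0:  # element ID 0 is the SSID
            ssid = body.decode('utf-8', errors='replace')
            break
        pos += 2 + length
    return {'src': src, 'ssid': ssid, 'directed': ssid != ''}


def build_probe_request(src, ssid):
    """Construct a probe request frame for offline testing (constructed, not captured)."""
    # DA and BSSID are broadcast, SA is the sending device; duration and sequence are 0.
    header = struct.pack('<HH6s6s6sH', PROBE_REQUEST, 0, b'\xff' * 6, src, b'\xff' * 6, 0)
    raw_ssid = ssid.encode()
    ssid_ie = bytes([0, len(raw_ssid)]) + raw_ssid
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8b, 0x96])  # supported rates, present in real probes
    return header + ssid_ie + rates_ie


if __name__ == '__main__':
    # Constructed sample: one broadcast probe and one directed probe for the 'epfl' SSID.
    for frame in (build_probe_request(b'\x00\x11\x22\x33\x44\x55', ''),
                  build_probe_request(b'\x00\x11\x22\x33\x44\x55', 'epfl')):
        print(parse_probe_request(frame))
```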
4 RSSI Based Geolocalization

The goal of this project is to estimate the location of a user (potentially a victim of a natural disaster) on the ground using flying robots. The location algorithm is based on the probe request frames periodically sent by the user's mobile phone if wifi is switched on.

4.1 Previous work

A lot of literature can be found on the subject, some stating that RSSI can't be reliably used to estimate a distance [5], others stating the opposite [4] [1] [2]. None of them used flying robots as sensor nodes and all were operating at smaller distances.

4.2 RSSI as a metric

The Received Signal Strength Indication is a measurement of the power level received by the antenna and can be extracted from probe requests/responses, which are sent in clear in a wireless network. There is no standard regarding the units used for this quantity; each chipset vendor uses its own scale. The radio interface used in this project is the AVM FRITZ!WLAN USB Stick N, which contains an Atheros AR9001U-2NX chipset. For this hardware, the RSSI value is defined as a percentage of RSSI_MAX (60). The formula to convert the given RSSI to dBm is [5]

$$P_{\mathrm{dBm}} = \frac{RSSI \cdot 60}{100} - 95$$

which gives a range of -35 dBm at 100% and -95 dBm at 0%. In order to localize people using this metric, it would be convenient to convert these dBm powers into meters, but as shown in Figure 3, there is no noticeable correlation between the RSSI value and the real distance, which affects the localization's accuracy.

4.3 GPS Trilateration

The first implemented model makes use of the so-called trilateration algorithm. Basically, this algorithm uses three GPS coordinates and three distances to compute an estimate of the real position. We can represent each GPS coordinate as the center of a sphere, with the distance being the radius of this sphere. The point of interest should then lie on the intersection of the three spheres.
Since RSSI can't be accurately translated to a distance, we used the normalized power and iteratively increased the radius of the spheres until they intersected. The accuracy of this method wasn't good enough for the purpose of the project (up to 100 meters in the worst-case scenarios), thus we decided not to use it and to find a better model.

Figure 3: Absence of correlation between the RSSI value (in percentage) and the distance in meters.

4.4 GPS coordinates weighted average

Another model was implemented in order to find a user on the ground accurately, which makes use of a simple weighted average. Let x be the vector formed by the coordinates (latitude and longitude) of the plane when it received a beacon frame and p be the vector of the corresponding RSSI values. These vectors are sorted in descending order of RSSI value, and the weighted average is then applied as follows:

$$(x_0, y_0) = \frac{\sum_{i=1}^{N} p_i x_i}{\sum_{i=1}^{N} p_i}$$

where N is the number of beacon frames that we consider. We can either choose to discard every beacon frame whose power is lower than a desired threshold or simply take the N most powerful beacon frames, depending on the quantity of beacon frames we receive during a flight.

4.5 Results

Three outdoor experiments were conducted during the project in order to test the accuracy of the models and the tools developed to visualize and interact with the planes. These tests have shown that RSSI values aren't stable at all and that it is possible to measure values from a large interval even if the target device was at the same distance each time the beacon was received. Accuracy was significantly improved by the weighted average model. On average the error was a bit less than 50 meters, and by tuning the parameters of the model appropriately we were able to localize users with an error smaller than 10 meters. These results are encouraging and further outdoor experiments will be conducted to find the best parameters for this model.
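The weighted-average model of Section 4.4, together with the RSSI-to-dBm conversion of Section 4.2, as an added example that is not the project's own code: it implements both frame-selection strategies the section mentions (the N strongest frames, or a power threshold) and reports the error against a constructed ground-truth position. The coordinates and RSSI values are invented, and the haversine error metric is this example's addition, not something the report specifies.

```python
import math

RSSI_MAX = 60  # the Atheros AR9001U-2NX reports RSSI as a percentage of this maximum (Section 4.2)


def rssi_to_dbm(rssi_percent):
    """Convert the chipset's percentage RSSI to dBm using the formula of Section 4.2."""
    return rssi_percent * RSSI_MAX / 100 - 95


def weighted_position(samples, top_n=None, min_rssi=None):
    """RSSI-weighted average of the plane's GPS fixes (Section 4.4).

    samples: list of (lat, lon, rssi_percent), one per beacon frame heard. Frames are
    sorted by descending RSSI; those below min_rssi are discarded and/or only the
    top_n strongest are kept, the two selection strategies the section describes.
    """
    kept = sorted(samples, key=lambda s: s[2], reverse=True)
    if min_rssi is not None:
        kept = [s for s in kept if s[2] >= min_rssi]
    if top_n is not None:
        kept = kept[:top_n]
    total = sum(s[2] for s in kept)
    if total == 0:
        raise ValueError('no usable beacon frames after filtering')
    return (sum(s[0] * s[2] for s in kept) / total,
            sum(s[1] * s[2] for s in kept) / total)


def haversine_m(a, b):
    """Great-circle distance in meters between two (lat, lon) pairs, used to report the error."""
    phi1, phi2 = math.radians(a[0]), math.radians(b[0])
    dphi, dlam = math.radians(b[0] - a[0]), math.radians(b[1] - a[1])
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(h))


# Constructed flight (hypothetical values, not the report's measurements): the phone sits at
# TARGET, four strong frames were heard close around it and two weak ones far to the north-east.
TARGET = (46.5190, 6.5668)
SAMPLES = [(46.5192, 6.5668, 80), (46.5188, 6.5668, 80), (46.5190, 6.5670, 70),
           (46.5190, 6.5666, 70), (46.5210, 6.5700, 15), (46.5215, 6.5705, 10)]


def localization_error_m(top_n=None, min_rssi=None):
    """Distance in meters between the model's estimate and the constructed true position."""
    return haversine_m(TARGET, weighted_position(SAMPLES, top_n, min_rssi))


if __name__ == '__main__':
    print('all frames: %.1f m, 4 strongest: %.1f m, RSSI >= 30%%: %.1f m'
          % (localization_error_m(), localization_error_m(top_n=4), localization_error_m(min_rssi=30)))
```

The weak far-away frames pull the unfiltered estimate tens of meters off, while either selection strategy recovers the constructed position, which is the tuning effect Section 4.5 reports.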
5 Visualization tools

5.1 Live tracking

A Python framework has been developed for displaying the live position of the planes along with the users' estimated positions. It also allows the operator to change the route of the planes by clicking on them and drawing a new rectangular search area. The base station receives data from the planes over a standard TCP connection and passes it to the web frontend using WebSockets. The Google Maps API (https://developers.google.com/maps/) was used in order to display the map and add markers on it.

5.2 Replay a flight

Another framework built on top of the previous one allows users to replay a previously conducted outdoor experiment using the logs generated by the planes.

Figure 4: Application allowing to replay a flight from log files
6 Conclusion

In this document, we have shown that wireless access point spoofing is possible, even though there are many obstacles, such as guessing a valid SSID, disconnecting the user from the genuine router and wireless intrusion detection mechanisms. We have also proved that a relatively accurate geolocation based on RSSI analysis is possible, with an error lower than 10 meters, which is quite good given that the planes were flying at an altitude of 60 to 70 meters above the ground during the tests. We also encountered many problems with RSSI values; for example, the conversion formula from percentage to dBm was hard to find. Moreover, this power indicator is also really sensitive to noise, weather conditions, interference, etc. Nevertheless, the results are encouraging and the localization accuracy could certainly be improved by further testing.
References

[1] Karl Benkic, Marko Malajner, P. Planinsic, and Z. Cucej. Using RSSI value for distance estimation in wireless sensor networks based on ZigBee. In Systems, Signals and Image Processing, 2008. IWSSIP 2008. 15th International Conference on, pages 303-306. IEEE, 2008.
[2] Wan-Young Chung et al. Enhanced RSSI-based real-time user location tracking system for indoor and outdoor environments. In Convergence Information Technology, 2007. International Conference on, pages 1213-1218. IEEE, 2007.
[3] IEEE-SA. IEEE 802.11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications. 2012.
[4] Zhang Jianwu and Zhang Lu. Research on distance measurement based on RSSI of ZigBee. In Computing, Communication, Control, and Management, 2009. CCCM 2009. ISECS International Colloquium on, volume 3, pages 210-212. IEEE, 2009.
[5] Ambili Thottam Parameswaran, M. I. Husain, and S. Upadhyaya. Is RSSI a reliable parameter in sensor localization algorithms - an experimental study. 28th International Symposium on Reliable Distributed Systems, 2013.
[6] Madwifi Project. Converting signal strength percentage to dBm values. https://madwifi-project.org/attachment/wiki/userdocs/rssi/converting_Signal_Strength.pdf?format=raw.
[7] Yocto Project. Yocto Project documentation. https://www.yoctoproject.org/documentation.