How a Wi-Fi loophole enables device detection through walls

The hack exposes a vulnerability in welcoming Wi-Fi protocols.

Computer scientist Ali Abedi thinks Wi-Fi is too polite, and like your small-town friend visiting New York, says hi to too many strangers.

Combining two tactics, Abedi and researchers at the University of Waterloo in Ontario exposed Wi-Fi’s too-friendly feature: connected devices that receive an initial packet reply with an acknowledgment, and that reply can reveal a gadget’s exact location if a drone gets involved.

By equipping an unmanned aircraft with a radio, the team located the electronics within a building, without having to go inside. The feat does not demonstrate an immediate threat, according to some network-security professionals, but it may signal a new opening for attackers.

“It used to be that you had to have physical access to areas to be able to exploit these kinds of vulnerabilities...I think the prominence of drones in modern society almost obviates that to a certain extent,” Justin Klein Keane, director of security operations for the MorganFranklin Consulting advisory, told IT Brew. The drone market is expected to double by 2026.

Wake up, take off. With a wireless-transmitter beacon, the team blasted a signal to nearby smart machines, shaking the devices from their sleep mode.

“We exploit that technique to wake up all of the devices and force them to send some packet, and as soon as they send the packet, their MAC address is revealed,” said Abedi, an adjunct professor during his time at Waterloo who is now a postdoctoral researcher at Stanford University.

With target destinations found, the drone takes off and sends introductory packets to the addresses. By calculating the time required to receive and return an acknowledgment, the researchers determined device coordinates.

The risk. With connection locations, an intruder could potentially track a guard by their smartwatch or a security camera by its MAC address. To avoid detection, Abedi recommends a randomized response time—one that would have to be installed in future chipsets.
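As an added illustration (not code from the researchers or from IT Brew), this Python sketch models why a randomized response time spoils the timing calculation described above. The fixed 10-microsecond turnaround, the 20-meter true distance and the jitter ranges are assumptions chosen for the example.

```python
import random
import statistics

C = 299_792_458.0       # speed of light in m/s
TURNAROUND_S = 10e-6    # assumed fixed delay before the acknowledgment is sent


def distance_from_rtt(rtt_s, turnaround_s=TURNAROUND_S):
    """Distance implied by a round-trip time if the responder's delay is known."""
    return C * (rtt_s - turnaround_s) / 2.0


def ranging_errors(true_distance_m, max_jitter_s, samples, rng):
    """Per-measurement distance error when the responder adds a uniformly
    random extra delay in [0, max_jitter_s] before acknowledging."""
    errors = []
    for _ in range(samples):
        extra = rng.uniform(0.0, max_jitter_s)
        rtt = 2.0 * true_distance_m / C + TURNAROUND_S + extra
        errors.append(distance_from_rtt(rtt) - true_distance_m)
    return errors


def error_profile(true_distance_m, max_jitter_s, samples=2000, seed=1):
    """Mean and worst-case absolute error (meters) for one jitter setting."""
    rng = random.Random(seed)
    errors = ranging_errors(true_distance_m, max_jitter_s, samples, rng)
    return statistics.mean(errors), max(abs(e) for e in errors)


if __name__ == "__main__":
    # Constructed settings: no jitter, up to 50 ns, up to 1 microsecond.
    for jitter in (0.0, 50e-9, 1e-6):
        mean_err, worst = error_profile(20.0, jitter)
        print(f"jitter up to {jitter * 1e9:6.0f} ns -> "
              f"mean error {mean_err:7.2f} m, worst {worst:7.2f} m")
```

With no added delay the estimate matches the true distance; once the responder's delay varies, each single measurement is off by a distance proportional to the extra delay.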


“Even 0.1-microsecond is translated to something like 300 meters. So, a small variation in the response time messes up the calculation of the attacker completely,” Abedi told IT Brew.

To Andy Richter, senior solutions architect at the digital-services provider Presidio, the threats are not near-term, because there’s no money in the idea and no clear attack pattern.

“We want people to be aware of it. And…the industry needs to be thoughtful about it in the long term. But there’s nothing to do about it in the medium term, mostly due to the financial motivation of our opponents,” said Richter.

Zoom in. While the risks to the everyday end-user may be slim, Keane recognizes that clients with highly sensitive data may have to disconnect to avoid this kind of attack—or turn to a set of defenses not usually found in the IT shop.

“If I was talking to, say, a client that had particularly sensitive intellectual property they might be worried about, or a nation-state attacker trying to infiltrate their organization, I would make them aware of this and say, ‘Hey, if your facilities are that sensitive, you need anti-drone technology of some sort, because outside of that, there really is no good current defense against this particular attack,’” said Keane.—BH
