[Dailydave] Wireless Disclosures

Robert Graham robert_david_graham at yahoo.com
Thu Mar 22 18:30:57 EDT 2012

>In our experience, this is not exactly the case. What Robert describes does 
>happen but, after a couple of minutes, if a connection has not yet
>been established, the iPhone will indeed broadcast probes for all recently
>connected SSIDs. How recent is recent? In our experiments, _all_ SSIDs
>stored in the device were being disclosed.
>We've seen this behavior with IOS 3, 4 and 5. This is obvious in
>the attached packet capture screenshot, where one can see the initial
>broadcasts to ANY as described by Robert but then comes the disclosure
>with all stored SSIDs being broadcasted.

That's interesting.

My experience is that while sitting in the front lobby as employees walk by, I get more SSIDs from other devices than Apple's. What you are saying is that I need to be more patient.

>The second disclosure that came up in the Ars comments has to do with
>the MAC addresses of previously seen DHCP servers
>This behavior is documented in RFC 4436 [4]:

I thought it ARPed the router, not the DHCP server, but either is allowed by the RFC.

It discloses these 3 MAC addresses after it "associates" to the access-point, but before it gets a DHCP address. It's very reliable. You can sit at an airport with a fake access-point broadcasting "attwifi" and "Apple Store" and get a ton of this info, even without giving them a DHCP assignment.

This also discloses the previously assigned IP address of the device, as well as the IP address of the router/DHCP server. These days, these addresses are almost always "local" addresses, but sometimes you can get routable addresses, and thus find the "home" organization of the device.

In theory, you can use these MAC addresses with the Google, SkyHook, Microsoft, Apple, and Wigle.net databases to find their home address. Unfortunately, these databases now require two MAC addresses to work, in order to guard against this sort of abuse. The Wigle.net database allows this, but it's not very complete. But, if you have certain targets in mind, you can do your own GPS mapping of an area.

In theory, once you get these MAC addresses, you can send beacons from them with empty SSID fields, and otherwise silent devices will give up their SSIDs. Sadly, I haven't tested this yet, because my own home network separates the router and DHCP server from the access-points, so it can't work for my devices this way.
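As an added example (my own, not code from the thread or from any of the participants): a small parser that pulls out the two disclosures discussed above from raw frames, so you can see exactly which fields leak. The first is the 802.11 probe request naming a stored SSID (as opposed to the wildcard "ANY" probe). The second is the RFC 4436 (DNAv4) ARP probe: a unicast ARP Request whose target hardware address is already filled in with a remembered router's MAC, whose target IP is that router's IP, and whose sender IP is the address the device last held on that network. The sample frames, MACs, SSIDs and IP addresses are constructed here; the code assumes 802.11 management frames handed over without a radiotap header or FCS, and ARP carried in plain Ethernet framing (e.g. taken from the fake AP's bridge interface rather than decoded from 802.11 data frames).

```python
"""Pick out SSID probe and RFC 4436 ARP-probe disclosures from constructed frames."""
import struct

BROADCAST = b"\xff" * 6
ETH_P_ARP = 0x0806


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip(b):
    return ".".join(str(x) for x in b)


def build_probe_request(sa, ssid):
    """802.11 probe request (type=mgmt, subtype=4) from sa. Empty ssid = wildcard ("ANY")."""
    fc = bytes([0x40, 0x00])  # subtype 4 << 4 | type 0 << 2 | version 0, no flags
    header = fc + b"\x00\x00" + BROADCAST + sa + BROADCAST + b"\x00\x00"
    ssid_ie = bytes([0, len(ssid)]) + ssid
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported rates 1/2/5.5/11 Mbps
    return header + ssid_ie + rates_ie


def parse_probe_request(frame):
    """Return (source MAC, SSID) for a probe request, else None. SSID is "" for wildcard."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 & 0x0C) != 0 or (fc0 >> 4) != 4:  # not a management frame / not subtype 4
        return None
    sa = frame[10:16]  # Addr2 = transmitter
    i = 24  # tagged parameters start after the fixed management header
    while i + 2 <= len(frame):
        eid, elen = frame[i], frame[i + 1]
        val = frame[i + 2:i + 2 + elen]
        if len(val) != elen:
            return None  # truncated information element
        if eid == 0:  # SSID element
            return mac(sa), val.decode("utf-8", errors="replace")
        i += 2 + elen
    return None


def build_dnav4_probe(host_mac, candidate_ip, router_mac, router_ip):
    """Unicast ARP Request as in RFC 4436 section 2.1: THA/TPA name the remembered
    router, SPA is the IP the host previously held there."""
    eth = router_mac + host_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + host_mac + candidate_ip + router_mac + router_ip
    return eth + arp


def build_plain_arp_request(host_mac, host_ip, target_ip):
    """Ordinary broadcast ARP Request (THA all-zero), for contrast."""
    eth = BROADCAST + host_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + host_mac + host_ip + b"\x00" * 6 + target_ip
    return eth + arp


def parse_dnav4_probe(frame):
    """Return the leaked tuple for a DNAv4-style ARP probe, else None.
    The tell: an ARP *request* that is unicast and already carries a non-zero THA."""
    if len(frame) < 14 + 28:
        return None
    dst, ethertype = frame[0:6], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 1):
        return None
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    if tha == b"\x00" * 6 or dst == BROADCAST:
        return None  # a normal ARP request, not a DNAv4 probe
    return {"host_mac": mac(sha), "previous_ip": ip(spa), "router_mac": mac(tha), "router_ip": ip(tpa)}


def disclosures(wifi_frames, eth_frames):
    """Per device MAC: stored SSIDs seen in directed probes and remembered
    (router MAC, router IP, previous host IP) tuples from DNAv4 probes."""
    out = {}
    for f in wifi_frames:
        p = parse_probe_request(f)
        if p and p[1]:  # wildcard probes disclose nothing, skip them
            out.setdefault(p[0], {"ssids": set(), "networks": set()})["ssids"].add(p[1])
    for f in eth_frames:
        d = parse_dnav4_probe(f)
        if d:
            out.setdefault(d["host_mac"], {"ssids": set(), "networks": set()})["networks"].add(
                (d["router_mac"], d["router_ip"], d["previous_ip"]))
    return out


# Constructed sample: one phone, two stored networks, one plain ARP for contrast.
PHONE = bytes([0x02, 0x00, 0x5E, 0x00, 0x53, 0x01])
ROUTER_A, ROUTER_B = bytes([0x02, 0x00, 0x5E, 0x00, 0x53, 0xFE]), bytes([0x02, 0x00, 0x5E, 0x00, 0x53, 0xFD])
SAMPLE_WIFI = [build_probe_request(PHONE, b""), build_probe_request(PHONE, b"attwifi"),
               build_probe_request(PHONE, b"Apple Store")]
SAMPLE_ETH = [build_dnav4_probe(PHONE, bytes([192, 168, 1, 23]), ROUTER_A, bytes([192, 168, 1, 1])),
              build_dnav4_probe(PHONE, bytes([10, 0, 0, 42]), ROUTER_B, bytes([10, 0, 0, 1])),
              build_plain_arp_request(PHONE, bytes([192, 168, 1, 23]), bytes([192, 168, 1, 50]))]


def example():
    return disclosures(SAMPLE_WIFI, SAMPLE_ETH)


if __name__ == "__main__":
    for dev, info in example().items():
        print(dev, "SSIDs:", sorted(info["ssids"]), "networks:", sorted(info["networks"]))
```

The `networks` tuples are what a fake access-point would collect before ever handing out a DHCP lease; the router MACs in them are the ones that could be looked up against a wardriving database, and a plain ARP request for an unknown host is deliberately filtered out because its target hardware address is zero.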
