Wireless access point spoofing and mobile devices geolocation using swarms of flying robots

Master optional semester project, spring 2014

Jonathan CHESEAUX ([email protected])

Supervisors: Prof. Bixio Rimoldi, Stefano Rosati, PhD, Karol Kruzelecki

Source: smavnet.epfl.ch › pdfs › CheseauxJonathan_SemesterProject.pdf



Contents

1 Introduction

2 Material
  2.1 Hardware
    2.1.1 Flying robot
    2.1.2 Gumstix Board
    2.1.3 Wifi dongle
  2.2 Software
    2.2.1 Yocto Project
    2.2.2 Scapy
    2.2.3 Wireshark

3 Wireless Access Point Spoofing
  3.1 Probe requests
  3.2 Directed Probe Requests
  3.3 Hidden SSID
  3.4 DeAuth attack
  3.5 Experiment
  3.6 Conclusion

4 RSSI Based Geolocalization
  4.1 Previous work
  4.2 RSSI as a metric
  4.3 GPS Trilateration
  4.4 GPS coordinates weighted average
  4.5 Results

5 Visualization tools
  5.1 Live tracking
  5.2 Replay a flight

6 Conclusion


1 Introduction

This project is split into two main parts. The first task is to spoof an existing wireless network in order to communicate with users on the ground via their mobile phones. A real-life application could be a natural disaster after which the rescue team needs to establish a communication channel with a victim, without requiring any user intervention. Due to the potential complexity of the terrain and weather conditions, flying robots could be highly relevant to provide such a network.

The second part of this work focuses on localizing victims by analysing the beacon frames periodically sent by their smartphone, if the Wifi mode is switched on. Provided that we can accurately localize smartphones on the ground, we assume that there is a high probability that a victim is also situated next to one. It will also help to move the plane into a smaller zone, thus increasing the communication channel's reliability.

A user interface is also provided in order to operate the planes and follow the localization estimates in real time. It provides simple tools for routing the planes into smaller search areas and allows the operator to have a quick overview of the operations in progress or of previous operations.


2 Material

2.1 Hardware

2.1.1 Flying robot

The flying robots used for this project are developed by SenseFly, a spin-off of EPFL¹. The model chosen for the experiments is the eBee, which has an autonomy of 30 minutes at full speed (12 m/s).

Figure 1: Flying robot, model eBee

2.1.2 Gumstix Board

The operating system of the robots is implemented on a Gumstix computer-on-module. Data is stored on a micro-SD card and an expansion board provides USB, Ethernet and power supply for the development phase.

Figure 2: Gumstix board used in the flying robots

¹ https://www.sensefly.com/


2.1.3 Wifi dongle

Flying robots are equipped with two Wifi radio interfaces: the first one is responsible for creating the network between the drones and the second one communicates with mobile devices located on the ground. For the latter, we use the FRITZ!WLAN USB Stick N dongle, which is fully compatible with the latest WLAN standards and allows packet monitoring.

2.2 Software

2.2.1 Yocto Project

Yocto Project is a tool that facilitates the creation of custom Linux kernels for embedded software. It was used in the project to build a lightweight Linux distribution with just the needed packages.

The build process makes use of so-called recipes. A recipe is a .bb file that contains information about the software license, source location and compile parameters, and is used by bitbake² to build the system for a specific architecture.

The main advantage of using Yocto Project to create the embedded operating system is that packages can be easily added and the compilation process is automated. On the other hand, it can take significant time to master this tool, and dealing with dependency errors can be a real nightmare.

2.2.2 Scapy

Scapy is a very powerful Python library allowing the developer to manipulate network packets. It is used in this project to detect the presence of mobile devices and communicate with them.

2.2.3 Wireshark

Wireshark is a well-known open-source packet analyser. It was a good support for the research part of the project, especially for analysing the information contained in probe requests, as explained in more detail in Section 4 of this report.

² Bitbake is a build tool provided by Yocto Project.


3 Wireless Access Point Spoofing

Wireless access point spoofing is a network attack based on the impersonation of a genuine Wifi router. A Wifi network is identified by its SSID, thus it is possible to set up a fake access point by copying an existing SSID. By sniffing packets with a powerful antenna we can learn a lot about users and access points: for example, probe requests and responses are sent unencrypted and allow us to learn which APs are in range along with the users connected to them.

3.1 Probe requests

Devices that want to connect to a wireless network first need to discover which access points are in range. They send Probe Request packets containing an SSID field set to null. Each AP periodically broadcasts its SSID and can also answer Probe Requests by sending Probe Responses. If the device knows one of the advertised SSIDs, it will then try to associate with it.

3.2 Directed Probe Requests

Directed Probe Requests differ from simple Probe Requests in that the SSID field of the packet is set to one of the registered WLANs. In that manner, we can listen to directed probe requests from a mobile node and learn which APs it was connected to before.

3.3 Hidden SSID

It is possible for an AP to hide its name by not broadcasting it. The only way to connect to such an AP is then to know its SSID in advance. Experiments have shown that devices that were once connected to a hidden AP will send a directed probe request in the presence of an arbitrary hidden AP. This can be of great help to force the user to connect to the rogue AP.
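The point of Sections 3.1 to 3.3 is that probe requests travel in the clear and directed ones name the networks a device remembers. As an added example (not code from the report), the Python below parses raw 802.11 probe request frames, separates wildcard (null-SSID) probes from directed ones, and reports per station which network names it is leaking, which is what a wireless audit of one's own fleet of devices would collect; the frames and MAC addresses are constructed sample data.

```python
import struct
from collections import defaultdict

PROBE_REQ_FC0 = 0x40   # frame control byte 0: type=management, subtype=probe request
BROADCAST = "ff:ff:ff:ff:ff:ff"
SSID_IE = 0            # element ID of the SSID information element

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_probe_request(sa, ssid, seq=0):
    """Constructed sample frame: 24-byte management header, SSID element, Supported Rates."""
    header = struct.pack("<BBH", PROBE_REQ_FC0, 0, 0)  # FC byte 0, flags, duration
    header += mac_bytes(BROADCAST) + mac_bytes(sa) + mac_bytes(BROADCAST)  # DA, SA, BSSID
    header += struct.pack("<H", seq << 4)  # sequence control: fragment 0, sequence number
    body = bytes([SSID_IE, len(ssid)]) + ssid.encode()  # empty SSID = wildcard probe
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # rates 1/2/5.5/11 Mbit/s (basic)
    return header + body

def parse_ies(body):
    """Walk the tag/length/value elements of a management frame body."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        ies[eid] = body[i + 2:i + 2 + length]
        i += 2 + length
    return ies

def parse_probe_request(frame):
    """(source MAC, SSID or None for a wildcard probe) for a probe request, else None."""
    if len(frame) < 24 or (frame[0] & 0xFC) != PROBE_REQ_FC0:
        return None
    sa = frame[10:16].hex(":")  # address 2 of the management header is the sender
    ssid = parse_ies(frame[24:]).get(SSID_IE, b"")
    return sa, (ssid.decode("utf-8", errors="replace") if ssid else None)

def leaked_ssids(frames):
    """Per station: SSIDs named in directed probes plus the wildcard probe count."""
    report = defaultdict(lambda: {"directed": set(), "wildcard": 0})
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        sa, ssid = parsed
        if ssid is None:
            report[sa]["wildcard"] += 1
        else:
            report[sa]["directed"].add(ssid)
    return {sa: {"directed": sorted(v["directed"]), "wildcard": v["wildcard"]}
            for sa, v in report.items()}

# Constructed sample capture: one station leaks two network names, the other probes only by wildcard.
SAMPLE_FRAMES = [
    build_probe_request("02:00:00:00:00:01", "", seq=1),
    build_probe_request("02:00:00:00:00:01", "epfl", seq=2),
    build_probe_request("02:00:00:00:00:01", "home", seq=3),
    build_probe_request("02:00:00:00:00:02", "", seq=1),
]
```

A station that shows up with a non-empty "directed" list is advertising its preferred network list to anyone listening, which is the exposure the hidden-SSID trick above relies on.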

3.4 DeAuth attack

Even if we are able to impersonate an existing access point, we still need the user to be disconnected from the genuine AP. Deauthentication between an AP and a station can be easily performed by sending appropriate DeAuth packets, defined by the 802.11 standard. Aireplay-ng³ is an open source tool that can inject and forge packets and provides simple commands for sending repeated DeAuth packets to the targets.
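From the defender's side, a burst of repeated DeAuth frames is exactly what the wireless intrusion prevention system mentioned in Section 3.5 looks for. As an added example (not from the report), this Python sliding-window detector flags any source address that emits a threshold number of deauthentication frames within one second while leaving an isolated, legitimate deauthentication alone; the capture lines are constructed sample data in an assumed text format.

```python
from collections import defaultdict

# Constructed sample capture, one frame per line, assumed format:
# "<epoch seconds> <subtype> <source MAC> <destination MAC> <reason code or ->"
SAMPLE_CAPTURE = """\
1401100000.000 BEACON 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff -
1401100000.050 DEAUTH 00:11:22:33:44:55 02:00:00:00:00:01 7
1401100000.110 DEAUTH 00:11:22:33:44:55 02:00:00:00:00:01 7
1401100000.170 DEAUTH 00:11:22:33:44:55 02:00:00:00:00:01 7
1401100000.230 DEAUTH 00:11:22:33:44:55 02:00:00:00:00:01 7
1401100000.290 DEAUTH 00:11:22:33:44:55 02:00:00:00:00:01 7
1401100000.350 DEAUTH 00:11:22:33:44:55 02:00:00:00:00:01 7
1401100003.000 DEAUTH 00:aa:bb:cc:dd:ee 02:00:00:00:00:09 3
1401100003.500 BEACON 00:aa:bb:cc:dd:ee ff:ff:ff:ff:ff:ff -
"""

def parse_line(line):
    ts, subtype, src, dst, reason = line.split()
    return float(ts), subtype, src, dst, (None if reason == "-" else int(reason))

def detect_deauth_floods(capture, window=1.0, threshold=5):
    """One alert per (source, burst): a source that sends `threshold` or more
    DEAUTH frames inside `window` seconds is reported once, and the alert's
    count keeps growing while the burst continues."""
    recent = defaultdict(list)   # source MAC -> timestamps of its recent deauths
    active = {}                  # source MAC -> alert dict for the burst in progress
    alerts = []
    for line in capture.strip().splitlines():
        ts, subtype, src, dst, reason = parse_line(line)
        if subtype != "DEAUTH":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # forget frames older than the window
            q.pop(0)
        if len(q) >= threshold:
            if src in active:
                active[src]["count"] += 1
            else:
                active[src] = {"source": src, "target": dst, "first_seen": q[0],
                               "count": len(q), "reason": reason}
                alerts.append(active[src])
        else:
            active.pop(src, None)    # burst is over; re-arm for this source
    return alerts
```

The single reason-code-3 deauthentication (station leaving) from the second access point never reaches the threshold, so only the six-frame burst is reported.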

3.5 Experiment

For this experiment, we used a TP-Link Nano router N to set up a fake AP. The test also involved an iPhone 4 that had the epfl WLAN registered in its access point list and acted as the victim. This experiment was first conducted outside the EPFL campus, where its wireless network wasn't accessible. The rogue AP was connected to the Internet and set up to broadcast the SSID "epfl". The iPhone device successfully connected to the rogue AP without asking the user for an intervention. Another similar experiment was conducted on EPFL's premises but failed. This is certainly due to some wireless intrusion prevention system implemented by EPFL IT administrators, as is often the case for company wifi.

³ http://www.aircrack-ng.org/doku.php?id=aireplay-ng

3.6 Conclusion

We have shown that it is indeed possible to impersonate an access point, provided that the spoofed network doesn't implement intrusion detection mechanisms. In our experiment we knew which SSID was in the device's preference list, but in real situations it is more difficult to guess which SSID to choose for the rogue AP. As we have seen, setting up a hidden AP can reveal some of these choices, or we could also use some common network names, such as linksys, NETGEAR, default, home, etc.⁴

⁴ A list of the top 1000 commonly used Wifi network names can be found at this webpage: https://wigle.net/gps/gps/main/ssidstats


4 RSSI Based Geolocalization

The goal of this project is to estimate the location of a user (potentially the victim of a natural disaster) on the ground using flying robots. The location algorithm is based on the probe request frames periodically sent by the user's mobile phone if the wifi is switched on.

4.1 Previous work

A lot of literature can be found on the subject, some stating that RSSI can't be reliably used to estimate a distance [5], others stating the opposite [4] [1] [2]. None of them used flying robots as sensor nodes and all were operating at smaller distances.

4.2 RSSI as a metric

The Received Signal Strength Indication is a measurement indicating the power level received by the antenna and can be extracted from probe requests/responses sent in clear in a wireless network. There isn't any standard regarding the units used for this quantity; each chipset vendor uses its own scale. The radio interface used in this project is the AVM FRITZ!WLAN USB Stick N and contains an Atheros AR9001U-2NX chipset. For this hardware, the RSSI value is defined as a percentage of RSSI_MAX (60). The formula to convert the given RSSI to dBm is [5]

$$P_{\mathrm{dBm}} = \frac{\mathrm{RSSI} \cdot 60}{100} - 95$$

which gives a range of -35 dBm at 100% and -95 dBm at 0%.

In order to localize people using this metric, it would be convenient to convert these dBm powers into meters, but as shown in Figure 3, there is no noticeable correlation between the RSSI value and the real distance, which will affect the localization's accuracy.

4.3 GPS Trilateration

The first implemented model makes use of the so-called trilateration algorithm. Basically, this algorithm uses three GPS coordinates and three distances to compute an estimate of the real position. We can represent each GPS coordinate as the center of a sphere, with the distance being the radius of this sphere. The point of interest should then lie on the intersection of the three spheres. Since RSSI can't be accurately translated to a distance, we used the normalized power and iteratively increased the radius of the spheres until they intersected. The accuracy of this method wasn't good enough for the purpose of the project (up to 100 meters in the worst case scenarios), thus we decided not to use it and to find a better model.

4.4 GPS coordinates weighted average

Figure 3: Absence of correlation between the RSSI value (in percentage) and the distance in meters.

Another model was implemented in order to accurately find a user on the ground, which makes use of a simple weighted average. Let x be the vector formed by the coordinates (latitude and longitude) of the plane when it received a beacon frame and p be the vector of the corresponding RSSI values. These vectors are sorted in descending order of RSSI, and the weighted average is then applied as follows:

$$(x_0, y_0) = \frac{\sum_{i=1}^{N} p_i\, x_i}{\sum_{i=1}^{N} p_i}$$

where N is the number of beacon frames that we consider. We can either choose to discard every beacon frame whose power is lower than a desired threshold or simply take the N most powerful beacon frames, depending on the quantity of beacon frames we receive during a flight.
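The conversion of Section 4.2 and the weighted average of Section 4.4, as one added Python example (not the report's own code) that also scores an estimate against a known ground position so the two selection rules (N strongest frames, or a power threshold) can be compared. It assumes the RSSI percentage is used directly as the weight p_i, since the dBm values are negative, and the flight log below is constructed sample data.

```python
import math

RSSI_SCALE = 60       # the Atheros percentage scale spans 60 dB ...
NOISE_FLOOR_DBM = -95 # ... starting at -95 dBm (0 %) up to -35 dBm (100 %)
EARTH_RADIUS_M = 6371000.0

def rssi_percent_to_dbm(rssi_percent):
    """The report's conversion for the AR9001U-2NX: P_dBm = RSSI * 60 / 100 - 95."""
    return rssi_percent * RSSI_SCALE / 100 + NOISE_FLOOR_DBM

def select_samples(samples, n_best=None, min_rssi=None):
    """Sort (lat, lon, rssi_percent) samples by descending RSSI, then keep either
    the N strongest, every sample above a power threshold, or both."""
    ordered = sorted(samples, key=lambda s: s[2], reverse=True)
    if min_rssi is not None:
        ordered = [s for s in ordered if s[2] >= min_rssi]
    if n_best is not None:
        ordered = ordered[:n_best]
    return ordered

def weighted_position(samples, n_best=None, min_rssi=None):
    """(x0, y0) = sum(p_i * x_i) / sum(p_i) over the selected frames, with the
    RSSI percentage as weight p_i (positive, unlike the dBm value)."""
    chosen = select_samples(samples, n_best, min_rssi)
    total = sum(s[2] for s in chosen)
    if total <= 0:
        raise ValueError("no usable beacon frames after filtering")
    lat = sum(s[0] * s[2] for s in chosen) / total
    lon = sum(s[1] * s[2] for s in chosen) / total
    return lat, lon

def distance_m(a, b):
    """Haversine ground distance in meters between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

# Constructed flight log: (plane latitude, plane longitude, RSSI %) for each received frame.
# The "victim" is assumed to sit at TRUE_POSITION; the strongest readings are nearest to it.
TRUE_POSITION = (46.5200, 6.5650)
SAMPLE_LOG = [
    (46.5201, 6.5652, 80),
    (46.5199, 6.5648, 75),
    (46.5205, 6.5660, 40),
    (46.5215, 6.5630, 20),
    (46.5180, 6.5700, 10),
]

def evaluate(samples, true_position, **selection):
    """Return the estimate and its error in meters for one choice of model parameters."""
    est = weighted_position(samples, **selection)
    return est, distance_m(est, true_position)
```

On this constructed log, keeping only the two strongest frames lands within a meter of the true position while averaging all five frames drifts by tens of meters, which is the kind of parameter tuning Section 4.5 describes.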

4.5 Results

Three outdoor experiments were conducted during the project in order to test the accuracy of the models and the tools developed to visualize and interact with the planes. These tests have shown that RSSI values aren't stable at all and that it is possible to measure values from a large interval even if the target device was at the same distance each time the beacon was received. Accuracy was significantly improved by the weighted average model. On average the error was a bit less than 50 meters, and by tuning the parameters of the model appropriately we were able to localize users with an error smaller than 10 meters. These results are encouraging and further outdoor experiments will be conducted to find the best parameters for this model.


5 Visualization tools

5.1 Live tracking

A Python framework has been developed for displaying the live position of the planes along with the users' estimated positions. It also allows changing the route of the planes by clicking on them and drawing a new rectangular search area. The base station receives data from the planes using a standard TCP connection and passes it to the web front-end using WebSockets. The Google Maps API⁵ was used in order to display the map and add markers on it.

5.2 Replay a flight

Another framework built on top of the previous one allows users to replay an outdoor experiment previously conducted, using the logs generated by the planes.

Figure 4: Application allowing to replay a flight from log files

⁵ https://developers.google.com/maps/


6 Conclusion

In this document, we have shown that wireless access point spoofing is possible, even though there are a lot of obstacles, such as guessing a valid SSID, disconnecting the user from the genuine router and wireless intrusion detection mechanisms.

We have also proved that a relatively accurate geolocation based on RSSI analysis is possible, with an error lower than 10 meters, which is quite good given that the planes were flying at an altitude of 60 to 70 meters above the ground during the tests. We also encountered many problems with RSSI values; for example, the conversion formula from percentage to dBm was hard to find. Moreover, this power indicator is also really sensitive to noise, weather conditions, interference, etc.

Nevertheless, the results are encouraging and the localization accuracy could certainly beimproved by further testing.


References

[1] Karl Benkic, Marko Malajner, P. Planinsic, and Z. Cucej. Using RSSI value for distance estimation in wireless sensor networks based on ZigBee. In Systems, Signals and Image Processing, 2008. IWSSIP 2008. 15th International Conference on, pages 303–306. IEEE, 2008.

[2] Wan-Young Chung et al. Enhanced RSSI-based real-time user location tracking system for indoor and outdoor environments. In Convergence Information Technology, 2007. International Conference on, pages 1213–1218. IEEE, 2007.

[3] IEEE-SA. IEEE 802.11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications. 2012.

[4] Zhang Jianwu and Zhang Lu. Research on distance measurement based on RSSI of ZigBee. In Computing, Communication, Control, and Management, 2009. CCCM 2009. ISECS International Colloquium on, volume 3, pages 210–212. IEEE, 2009.

[5] Ambili Thottam Parameswaran, M. I. Husain, and S. Upadhyaya. Is RSSI a reliable parameter in sensor localization algorithms - an experimental study. 28th International Symposium on Reliable Distributed Systems, 2013.

[6] Madwifi Project. Converting signal strength percentage to dBm values. https://madwifi-project.org/attachment/wiki/UserDocs/RSSI/Converting_Signal_Strength.pdf?format=raw

[7] Yocto Project. Yocto Project documentation. https://www.yoctoproject.org/documentation
