Malware Uses WiFi BSSID for Victim Identification

An anonymous reader shares a report: Malware operators who want to know the location of the victims they infect usually rely on a simple technique where they grab the victim's IP address and check it against an IP-to-geo database like MaxMind's GeoIP to get a victim's approximate geographical location. While the technique isn't very accurate, it is still the most reliable method of determining a user's actual physical location based on data found on their computer. However, in a blog post last month, Xavier Mertens, a security researcher with the SANS Internet Storm Center, said he discovered a new malware strain that is using a second technique on top of the first. This second technique relies on grabbing the infected user's BSSID. Known as a "Basic Service Set Identifier," the BSSID is basically the MAC physical address of the wireless router or access point the user is using to connect via WiFi. You can see the BSSID on Windows systems by running the command: netsh wlan show interfaces | find "BSSID" Mertens said the malware he discovered was collecting the BSSID and then checking it against a free BSSID-to-geo database maintained by Alexander Mylnikov.

Resolved

[Archangel Michael]

Rotate MAC address regularly.

Re:

[jrumney]

The BSSID is not your MAC address. Rotating MAC address will not help What will help is to keep your router out of the database by limiting which apps have location permission on your phone and educating those you live with. This may be practical for your home wifi, but becomes harder if you are managing a hotspot for a larger group of users.

Re:

[jrumney]

Mine is different than the router's Wi-Fi MAC address, I think it depends on the software in your router, some may reuse the MAC address for simplicity (though technically this is a violation of IETF standards, as these identifiers are supposed to be globally unique, and I have been advised by an IETF expert when inquiring for my own product designs to use separate identifiers, even where technically the mediums and network layers were separate and they could never conflict in actual usage).

Re:

[arglebargle_xiv]

In any case it doesn't do much good, with your typical 32-bit MIPS- or ARM-powered router after 32 rotations you're back where you started, so all an attacker has to do is get 32 samples. Still, better than shifting your MAC address where you just end up with all zeroes after awhile.

Re:

[pjt33]

"Rotate" in this context just means "change on a schedule", not bitwise rotation.

Re:

[dskoll]

How do you stop someone with a phone from walking along your street scanning for WiFi networks and submitting data? Even hiding your ESSID is not enough to prevent this type of attack.

Re:

[dskoll]

To clarify, I mean that you can't really prevent someone from submitting your BSSID to the geolocation database. This doesn't otherwise open you up to attacks, but if one of your wireless devices is successfully compromised, it means you will be able to be geolocated.

Re:

[quonset]

How do you stop someone with a phone from walking along your street scanning for WiFi networks and submitting data?

You can't, but what you can do is not use wifi at home. Plug one end of a cable into your router and the other end into your machine. Voila. No wifi issues and a more stable, and faster, connection.

Problem solved. However, as usual, this is too simple so it won't be implemented.

Re:

[Anonymous Coward]

You can't, but what you can do is not use wifi at home. Plug one end of a cable into your router and the other end into your machine. Voila. No wifi issues and a more stable, and faster, connection.

Riiight. I'm going to plug a wire into my mobile phone.

Problem solved. However, as usual, this is too simple so it won't be implemented.

You are either simple or pretending to be. All my stationary devices are wired.

Re:

[nightflameauto]

Do they even make a wired ethernet adapter for tablets or phones? That's about 75% of home usage these days in my house, and likely a far higher percentage in my less tech oriented relatives houses.

I'm also trying to imagine how convenient it would be trying to fight a charging cable AND an ethernet cable when holding a tablet. Especially with the number of tablets available that have only one port.

Re:

[Rockoon]

oh I'm sure apple will combine the charging port with an ethernet port soon, but currently they are still integrating the charging port with the headphone port, so you are going to have to wait.

Re:

[EvilSS]

You can do it on the iPad. Or you could. Been a couple years since I needed to do that. It is a little convoluted, using the USB dongle, a powered USB hub, and a USB ethernet dongle. But it did work for me when I needed it.

Re:

[jrumney]

You can probably use an OTG adapter with a USB ethernet adapter in most Android phones.

Re:Resolved

[mccrew]

Plug one end of a cable into your router and the other end into your machine. Voila. No wifi issues and a more stable, and faster, connection.

Problem "solved".

Ladies and gentlemen, may I present today's winner for Most Typical Slashdot Solution-To-A-Problem Award! This one is:

* technically "correct"
* blames the user for others' technology failings
* and completely unworkable in the real world

All delivered in a patronizing, condescending tone. Well done, and thanks for playing!

Re:

[Mononymous]

Ethernet is "competely uworkable in the real world"?
About half of the devices on my home network are wired. I have about 250Mbps fiber, but it's pretty annoying when I have to access it by wifi, which is so much slooower and less reliable.

Re:

[dskoll]

I use a wired network for my machines that support it. My phone, alas, does not.

Re:

[jrumney]

You can't, but most of the apps that collect data for these databases only submit when actually connected to Wi-Fi, only a few of the older ones do actual wardriving.

Re:

[chispito]

Rotate MAC address regularly.

How about don't get infected with the malware in the first place?

No way to stop this. PERIOD

[ck42]

This is simply the next evolution in war driving.
As long as someone can walk the streets and sidewalks...drive their cars down a street...walk through a building...all while collecting BSSIDs and geo locations, they can submit that info to the database.
None of it is illegal. And having your BSSIDs collected doesn't constitute an attack on your network.

Sounds cool

[rduke15]

(Not the malware of course). This alternative BSSID/location database sounds like a cool complement to the Maxmind databases. Where/how can it be used?

Re:

[rduke15]

Found and tried it. Looked really cool, but apparently, my neighborhood is not interesting enough to be listed in that database.

Anyway, for others who would like to check it out, the site is https://www.mylnikov.org/ [mylnikov.org] and to query the database, the URL is "https://api.mylnikov.org/geolocation/wifi?v=1.1&data=open&bssid=YOUR_BSSID"

On Linux you can use iwlist to show the BSSIDs of APs around you, so you can do this to query the DB for all the APs you see:

sudo iwlist wlp3s0 scan \
| perl -nle '/ Address:

Re:

[dskoll]

Judging by the download page [mylnikov.org], the database hasn't been updated in about a year. Maybe the person running it got tired of maintaining it.

Don't even need BSSID from the computer

[Anonymous Coward]

BSSID can often be deduced by just incrementing the gateway's MAC by 1, which can be retrieved from the ARP table.

Re:

[jrumney]

If you have access to the arp table, you probably have access to the actual BSSID as well.

Grabbing the infected user's BSSID

[minorityreport]

How does this BSSID WiFi malware get onto the victims computer?