[HN Gopher] What is RF monitor-mode and why does it matter?
___________________________________________________________________
What is RF monitor-mode and why does it matter?
Author : punnerud
Score : 40 points
Date : 2021-12-22 12:06 UTC (10 hours ago)
(HTM) web link (badfi.com)
(TXT) w3m dump (badfi.com)
| throwaway743 wrote:
| Not sure if it's a thing of the past, but not too long ago you
| could use monitor mode to pick up iPhones within range and see
| their AP connection history including, iirc, MAC addresses. You
| could then use wigle to map out paths. Creepy shit.
|
| It's also used for indoor positioning software and pretty sure
| it's enabled (or at least possible according to vendor patents)
| on MTA's subway routers/aps. Which again is very creepy if
| they're using it to track devices with wifi on but not connected.
| ArchOversight wrote:
| It's not just iPhones, it's any wireless device that is
| actively scanning for a previously associated access point.
|
| These days iPhones will change the MAC address while doing wifi
| scans to a random one so you can't track individual iPhones
| anymore.
| iszomer wrote:
| Some Android phones allow you to toggle this feature though
| it wrecks with MAC filtering at home and elsewhere if
| required.
| MayeulC wrote:
| Usually devices will randomize their MAC when scanning, and
| pick a MAC associated with the SSID:
| https://android.stackexchange.com/questions/225839/android-1...
| fullstop wrote:
| I found this by accident once, and promptly deleted all of my
| unused connections. I had stuff from hotels, airports, Disney
| World, and other locations.
| blitzar wrote:
| It was also a pretty good way to do man-in-the-middle
| attacks, if the phone is looking for Starbucks wifi or other
| known open wifi you could jump right in there.
| fullstop wrote:
| Yes, I joked that I could create one called attwifi and
| hang out next to Home Depot. If you made fake bank
| websites or PayPal you could likely capture some
| credentials.
| d136o wrote:
| Would love to know if anyone monitors their home or office RF
| spectrum for unexpected guests, or just for fun.
|
| I've played around with HackRF and it seems like that type of
| scanning is something you might do in highly sensitive
| environments.
| dpifke wrote:
| I use https://github.com/merbanan/rtl_433 on the tire pressure
| monitoring system (TPMS) band used by my car (315 MHz) to
| trigger home automation like turning on the lights as we're
| pulling up. (rtl_433 publishes to MQTT, which triggers actions
| in Home Assistant for certain serial numbers.)
|
| Side effect is that it also logs the tire serial numbers of
| most (but not all) cars pulling into my driveway.
| fortran77 wrote:
| In order to get the TPMS to transmit on demand--at least on
| cars sold here in the United States--you have to send a 125
| kHz signal out. The car does this periodically when it takes
| a reading, but unless you send this signal yourself, you
| won't reliably get a read as you're pulling up.
|
| https://www.brakeandfrontend.com/decoding-tpms-wireless-sign...
| dpifke wrote:
| The car is a Volvo, and it seems to ping the sensors at
| least once per minute when in motion, meaning there's
| pretty much always at least one ping once we're within
| range of home. Thus it works perfectly for the home
| automation use case.
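The filtering step dpifke describes (rtl_433 decodes TPMS packets, and only a few known serial numbers are allowed to trigger an action) is small enough to show end to end. The block below is an added example written for this thread, not code from rtl_433 or Home Assistant. It reads rtl_433-style JSON event lines, keeps only TPMS events whose sensor ID is on an allowlist, and applies a cooldown so a car that keeps pinging its sensors once a minute in the driveway fires the automation once rather than every minute. The field names mirror rtl_433's JSON output, but every value, timestamp and sensor ID in it is constructed for the example, and the allowlist is hypothetical. Unknown sensors are counted but deliberately not stored, which addresses the "side effect" of logging every visitor's tire serials.

```python
"""Decide when rtl_433 TPMS readings should trigger a home-automation action.

Example code written for this thread, not part of rtl_433 or Home Assistant.
The message shape mirrors rtl_433's JSON output ("model", "type", "id", ...),
but every value below is constructed and the sensor IDs are hypothetical.
"""
import json
from datetime import datetime, timedelta

# Constructed sample of event lines as rtl_433 would publish them (one JSON
# object per decoded transmission; the MQTT payload has the same shape).
SAMPLE_LINES = [
    '{"time":"2021-12-22 17:58:01","model":"Schrader","type":"TPMS","id":"1A2B3C4D","pressure_kPa":230.0,"temperature_C":12.0}',
    '{"time":"2021-12-22 17:58:02","model":"Schrader","type":"TPMS","id":"DEADBEEF","pressure_kPa":225.0}',
    '{"time":"2021-12-22 17:58:20","model":"Schrader","type":"TPMS","id":"1A2B3C4D","pressure_kPa":231.0}',
    '{"time":"2021-12-22 17:59:30","model":"Acurite-Tower","id":1234,"temperature_C":3.1}',
    'this line is not JSON and must be skipped',
    '{"time":"2021-12-22 18:10:00","model":"Schrader","type":"TPMS","id":"1a2b3c4d","pressure_kPa":229.0}',
]

# Hypothetical allowlist: the sensor IDs of the household car's four wheels.
KNOWN_TPMS_IDS = {"1A2B3C4D", "5E6F7A8B", "9C0D1E2F", "3A4B5C6D"}


def parse_line(line):
    """Return the decoded TPMS event dict, or None for malformed or
    non-TPMS lines (other rtl_433 decoders share the same output stream)."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or event.get("type") != "TPMS":
        return None
    if "id" not in event or "time" not in event:
        return None
    return event


def process(lines, known_ids=KNOWN_TPMS_IDS, cooldown=timedelta(minutes=5)):
    """Walk the lines in order and return (triggers, unknown_count).

    triggers: list of (timestamp, sensor id) at which the automation fires.
    A sensor re-triggers only after `cooldown` has elapsed, so a car whose
    sensors keep answering in the driveway does not flap the lights.
    Unknown sensors are only counted, never stored: there is no reason to
    keep a log of every visitor's tire serial numbers."""
    last_fired = {}
    triggers = []
    unknown = 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        sensor_id = str(event["id"]).upper()  # rtl_433 prints hex IDs; normalise case
        if sensor_id not in known_ids:
            unknown += 1
            continue
        ts = datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")
        previous = last_fired.get(sensor_id)
        if previous is not None and ts - previous < cooldown:
            continue
        last_fired[sensor_id] = ts
        triggers.append((event["time"], sensor_id))
    return triggers, unknown


if __name__ == "__main__":
    fired, unknown_count = process(SAMPLE_LINES)
    for when, sensor in fired:
        print(f"{when}: sensor {sensor} seen, turn on the lights")
    print(f"{unknown_count} reading(s) from sensors not on the allowlist (not stored)")
```

On a live system the lines would come from `rtl_433 -F json` on stdout or from an MQTT subscription, and `process` would be fed one line at a time while keeping `last_fired` between calls; the logic is otherwise the same.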
| blitzar wrote:
| London underground does this with wifi,
| https://www.wired.co.uk/article/london-underground-wifi-trac...
| ctoth wrote:
| Isn't this traditionally called promiscuous mode?
| kayodelycaon wrote:
| No.
|
| > Unlike promiscuous mode, which is also used for packet
| sniffing, monitor mode allows packets to be captured without
| having to associate with an access point or ad hoc network
| first. Monitor mode only applies to wireless networks, while
| promiscuous mode can be used on both wired and wireless
| networks.
|
| https://en.wikipedia.org/wiki/Monitor_mode
|
| https://en.wikipedia.org/wiki/Promiscuous_mode
| caylus wrote:
| No. Promiscuous mode, like normal mode, is still connected to a
| specific SSID. It just instructs the network adapter to not
| drop IP packets not addressed to it.
|
| Monitor mode is a level higher, and allows for capturing all
| wireless frames regardless of what SSID they are for, and
| regardless of whether they contain IP packets or are just
| signaling like beacon and connection requests.
| ctoth wrote:
| Thank you for the explanation!
___________________________________________________________________
(page generated 2021-12-22 23:01 UTC)