The Astonishing Power of Probe Response Packets

Wi-Fi enabled devices like mobile phones and tablets send out probe request packets in regular intervals. These probe requests have received a lot of attention recently, because they can be used for all sorts of legitimate but also nefarious purposes.

Presence detection systems for example, can pick up probe requests and monitor mobile devices without the device owner’s cooperation.
Many are aware of this problem in principle (and know about the solution) but underestimate the reach of probe requests.
Screen Shot 2017-03-28 at 18.11.58.png
In the above secenario, the mobile device sends probe requests, but is still too far from the monitoring station to be picked up. So, the monitoring station is still unaware of the nearby presence of the mobile device.
So far, that’s all as expected. No surprise here.
When I analyzed data captures I made, I realized that in the real world, things are more complex. In the real world people have neighbors.
Let’s look at the above scenario again with a neighbor who is not monitoring traffic and who is not cooperating with the monitor, but who has a Wi-Fi router to provide internet access for the family.
The target device is still too far from the monitoring station, but look what happens.
Screen Shot 2017-03-28 at 18.19.06.png
Now the neighbor’s router picks up the probe request from the target device and responds with a probe response. The neighbor’s router is within reach of the monitoring station and so not only the target device but also the monitoring station can pick up the probe response. Bingo. The probe response contains the mac address of the target device as the destination address.

The monitoring station knows that the neighbor’s router only sends a probe response to the target device after it has picked up a probe request. Clearly, the target device must be within reach of the neighbor’s Wi-Fi router.

Now the monitoring system also knows the direction from which the target device is approaching, because it knows from which neighbor the probe response came. It also knows that it has not yet picked up a probe request, so the target device is within the neighbor’s reach, but outside the monitor’s reach. Not enough information for an exact location yet, but good data points.
If there is not only one neighbor but many, it’s easy to see how a monitoring system can cover an area considerably larger than what it could cover alone. I found that quite astonishing. Probe requests have gotten a lot of bad press in the last few years, but probe responses have to take some blame too. And neighbors of course.

One thought on “The Astonishing Power of Probe Response Packets

Comments are closed.