Recording wireless MAC addresses

There are a lot of phones, tablets, laptops and other devices that transmit data on wireless networks. Most of them use an “active” scan technique and periodically send out packets.

Since all packets have a “source MAC address” field, I tried to record all MAC addresses that send packets around when my device is in range.

I used a Raspberry Pi 2 device with a WiFi antenna to capture network packets, my phone with a simple app to record the GPS route and my bike to move around the city :). Here are the results:

My path:

[Image: My path]

I managed to capture 10000 unique source MAC addresses in a few hours. Here is a plot (each red pixel is around where I first spotted a unique MAC address):

[Image: Unique MACs]

The line with very few red dots is where I took the subway in each direction, so that explains it. On the left of the map, I met a friend and went for a beer. And by looking at the data afterwards, I managed to easily extract my friend’s MAC address: I searched for a source address that was in my range most of the time when we met. And there was only one result. Here are all the positions where I spotted packets from this exact MAC address:

[Image: Targeting]

I wanted to do more digging into this data, but I’m not sure what I can do with it.

What’s clear is that smartphones can easily be tracked and that there are a LOT of devices out there 🙂

Generating Bucharest roads

As in a previous post, I’ve used the GPS coordinates of the taxi cars to create interesting visuals.

I’ve recorded the coordinates of all the cars over a few days and I’ve put them all on a single map. Here is the most detailed picture of Bucharest, obtained this way:

[Image: Bucharest roads]

Here is a short video that varies some parameters and creates the above picture:
Hint: Select highest video quality (HD 1440p) to view all the details

Bucharest taxi – Timelapse

In another blog post I mentioned a public API to get coordinates of taxi cars in Bucharest (only the cars that run a specific taxi mobile app).

Since I am planning to learn Processing, I made a timelapse of the taxi cars’ movement on a Saturday night. Here it is:

About 10 real seconds in a frame, 30 FPS.
So a video second represents about 5 minutes of real time.

UPDATE: More timelapses:
Same night, but zoomed out to cover the entire city:

With some color (the taxi companies are color-coded):

The Processing sketch files can be found on my GitHub repository.

Overriding annoyances – vplay.ro

There is a great site (vplay.ro) that lets you view TV Shows online.

Recently they added a 5 minute wait timer before watching each episode, so that you may want to buy their Premium package:

[Image: screenshot_vplay]

I looked into it and the timer is only a client-side check. Even the user account is optional. You just have to post

key=[video_id]

to

vplus.ro/play/dinosaur.do

and you get back the (temporary?) URL for the video on a file server.

You can then watch the movie in VLC or even download it.

Security research – Android applications

Android applications are awesome. Especially the ones that talk to a service provider over the network.

I like to reverse engineer communication protocols / APIs between various client applications and their servers, since anything that my phone does, I could technically automate it or have access to the same functionality from my PC.

Today I looked into CleverTaxi, the largest solution to call a cab from your smartphone in Bucharest. I’ve noticed two problems:

– They talk to their server via HTTPS, but they don’t properly validate the certificate. So I could easily sniff all the API calls from my MITM network PC.

– The server API that makes the app work doesn’t require any authentication. For example, the app displays all the cab positions on top of the city map. For that functionality to work, the app makes a GET request to the server and gets a JSON response with the coordinates of all the cabs connected to the app. That API call is basically public and anyone can get the coordinates of all the cars, along with the company that owns each car. The positions are updated about every second, so I believe one could implement an algorithm that follows the feed of coordinates and tracks each car based on its position. I believe this is a privacy issue for the drivers.

Here I hooked the coordinate feed to Google Maps API (the icons were slightly changing position at 2-second intervals):
[Images: Screenshot 1, Screenshot 2]
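
One way a server could narrow the exposure described in the second point, as an added example (not CleverTaxi's code or API): require a session token, return only cabs near the rider, round the coordinates, and replace the car identifier with a per-session alias while leaving the company out. All function names, field names, tokens, keys and sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import math

EARTH_RADIUS_M = 6371000.0
COORD_DECIMALS = 3  # 0.001 degree is roughly 100 m; hides exact positions

def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def session_alias(session_key, cab_id):
    """Pseudonym that is stable inside one session and differs between sessions."""
    return hmac.new(session_key, cab_id.encode(), hashlib.sha256).hexdigest()[:12]

def nearby_cabs(cabs, sessions, token, user_lat, user_lon, radius_m=1500, limit=10):
    """Response for one authenticated rider: close cabs only, minimal fields."""
    session_key = sessions.get(token)
    if session_key is None:
        raise PermissionError("authentication required")
    hits = []
    for cab in cabs:
        d = distance_m(user_lat, user_lon, cab["lat"], cab["lon"])
        if d <= radius_m:
            hits.append((d, {
                "alias": session_alias(session_key, cab["id"]),
                "lat": round(cab["lat"], COORD_DECIMALS),
                "lon": round(cab["lon"], COORD_DECIMALS),
            }))  # company and real id are deliberately left out
    hits.sort(key=lambda h: h[0])
    return [entry for _, entry in hits[:limit]]

# Constructed sample data: not real cabs, tokens or keys.
CABS = [
    {"id": "cab-17", "company": "A", "lat": 44.43271, "lon": 26.10389},
    {"id": "cab-42", "company": "B", "lat": 44.43951, "lon": 26.09632},
    {"id": "cab-99", "company": "A", "lat": 44.48012, "lon": 26.15007},
]
SESSIONS = {"tok-alice": b"key-1-constructed", "tok-bob": b"key-2-constructed"}

if __name__ == "__main__":
    for entry in nearby_cabs(CABS, SESSIONS, "tok-alice", 44.4330, 26.1040):
        print(entry)
```

This reduces what a single client can collect rather than eliminating it; per-token rate limiting would still be needed against a client that polls from many locations.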