jschall
join:2013-10-04
Canada

jschall

Member

CSEC and WiFi hotspots - How do they do it?

I am wondering and speculating on the technical aspects of how Communications Security Establishment Canada was able to track WiFi users from airport hotspots to various other hotspots in Canada and the US.

The CBC got hold of a leaked CSEC PowerPoint presentation:
»www.cbc.ca/news/politics ··· .2517881

I suppose all that the spies needed was a list of all the MAC addresses logged in at the airport, and then check for those MACs at all of the other hotspots.

From any WiFi-enabled phone or tablet, once logged in to a hotspot (usually through a captive portal), it's straightforward to list all the MAC addresses simultaneously logged in. The list could then be transmitted to a central CSEC database.

I am guessing that CSEC would have to then log in at hundreds of other hotspots at cafés and airports across Canada and the US, and check for the same MAC addresses to show up. How could they do that? Or is there an easier way I haven't thought of?

Does anybody have any insight into the technical aspects of this CSEC exploit?

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav

Premium Member

Wrong question. Why is spying on Canadians suddenly lawful? Why did we have to hear it from a foreigner? What does this tell us about the organization involved and the oversight?
HELLFIRE
MVM
join:2009-11-25

2 recommendations

HELLFIRE to jschall

MVM

to jschall
said by jschall:

I suppose all that the spies needed was a list of all the MAC addresses logged in at the airport, and then check for those MACs at all of the other hotspots.

Speaking as a person with over 7 years experience in networking, whoever said / believes this about the
MAC addresses doesn't know what they're talking about. MAC addresses are LOCALLY SIGNIFICANT to the
network they're on. Once it goes off the local network, the MAC address is no longer relevant.

2ndly, it's child's play to spoof a MAC address, so this is on the level as an IP address being
a legal standard as "proof of identity."

Otherwise, considering how many other 3-letter governmental agencies worldwide are into this business of
"tracking their own citizens," doesn't surprise me Canada'd do this as well. If so, this shenanigan needs to be
dismantled PRONTO!

Regards

jschall
join:2013-10-04
Canada

jschall

Member

@HELLFIRE: With all due respect for your "7 years experience in networking", I think the MAC address of my WiFi tablet that is recorded at Toronto Pearson would be VERY SIGNIFICANT to the spies if it was later recorded at Chicago O'Hare. N'est-ce pas?

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

1 recommendation

Anav

Premium Member

Wrong, jschall. IP address tracking makes sense or at least patterns of behaviour on internet usage by IP. MAC address would never stand up in court, it's easily spoofed. Of course I have no IT training and very little experience but even my cat knows that.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to jschall

MVM

to jschall
...and all due respect back jschall

- you're handing over ALL personal information recorded in your passport and boarding passes at either airport,
most of which IS uniquely identifiable to YOU personally, and DOES stand up in a court of law.

- considering the "digital footprint" a grid-connected person leaves around these days, a MAC address of
your wifi tablet in the grand scheme of things is VERY low hanging fruit.

From a technical aspect, the two wireless networks at Toronto Pearson and Chicago O'Hare are two distinct
and separate entities. UNLESS they were accessible by / managed by the same group / company, cross-referencing
a MAC address is next to impossible, never mind a pain in the derriere -- I should know as I've had a couple people
who didn't know better ask me "please find where I am on the network, the MAC is xxxx.xxxx.xxxx." Even if this
was on the 192.168.x.x address space, that's 2^64 possible IP addresses to check. Sorry, but I've got better
things to do with my time.

To take this out of the "speculation" realm and bring some actual hard data to it, dollars to donuts there's
likely equipment plugged in with the capability of deep packet inspection and/or lawful intercept built into
it -- feel free to google these terms jschall, but be forewarned to bring your tinfoil hat as you may not like what you come across.

As for SSL encrypted traffic, try this link to see how child's play it can be to decrypt / read this traffic transparently these days if one was so inclined.

My 00000010bits

Regards