The Raspberry Pi-powered device can scan for phones around you. If it keeps spotting the same one, it’ll send you an alert.

Matt Edmondson, a federal agent with the Department of Homeland Security for the last 21 years, got a call for help last year. A friend working in another part of government—he won’t say which one—was worried that someone might have been tailing them when they were meeting a confidential informant who had links to a terrorist organization. If they were being followed, their source’s cover may have been blown. “It was literally a matter of life and death,” Edmondson says.

“If you’re trying to tell whether you’re being followed, there are surveillance detection routes,” Edmondson says. If you’re driving, you can change lanes on a freeway, perform a U-turn, or change your route. Each can help determine whether a car is following you. But it didn’t feel like enough, Edmondson says. “He had those skills, but he was just looking for an electronic supplement,” Edmondson explains. “He was worried about the safety of the confidential informant.”

After not finding any existing tools that could help, Edmondson, a hacker and digital forensics expert, decided to build his own anti-tracking tool. The Raspberry Pi-powered system, which can be carried around or sit in a car, scans for nearby devices and alerts you if the same phone is detected multiple times within the past 20 minutes. In theory it can alert you if a car is tailing you. Edmondson built the system using parts that cost around $200 in total, and will present the research project at the Black Hat security conference in Las Vegas this week. He’s also open-sourced its underlying code.

The anti-tracking tool is made up of a Raspberry Pi, wireless signal detectors, and a battery pack.

Photograph: Matt Edmondson

In recent years there’s been an explosion in the number of ways people can be tracked by domestic abusers, stalkers, or those in the murky world of government-backed espionage. Tracking can either be software- or hardware-based. Stalkerware and spyware that can be installed directly on people’s phones can give attackers access to all your location data, messages, photos, videos, and more, while physical trackers—such as Apple’s AirTags—have been used to track where people are in real time. (In response to criticism, Apple has added some anti-tracking tools to AirTags.)

A quick search online reveals plenty of tracking tools, which are easy to buy. “There’s so much out there to spy on people, and so little to help people who are wondering whether they're being spied on,” Edmondson says.

The homemade system works by scanning for wireless devices around it and then checking its logs to see whether they also were present within the past 20 minutes. It was designed to be used while people are on the move rather than sitting in, say, a coffee shop, where it would pick up too many false readings.

The anti-tracking tool, which can sit inside a shoebox-sized case, is made up of a few components. A Raspberry Pi 3 runs its software, a Wi-Fi card looks for nearby devices, a small waterproof case protects it, and a portable charger powers the system. A touchscreen shows the alerts the device produces. Each alert may be a sign that you are being tailed.

The device runs Kismet, which is a wireless network detector, and is able to detect smartphones and tablets around it that are looking for Wi-Fi or Bluetooth connections. The phones we use are constantly looking for wireless networks around them, including networks they’ve connected to before as well as new networks.

Edmondson says Kismet makes a record of the first time it sees a device and then the most recent time it was detected. But to make the anti-tracking system work, he had to write code in Python to create lists of what Kismet detects over time. There are lists for devices spotted in the past five to 10 minutes, 10 to 15 minutes, and 15 to 20 minutes. If a device appears twice, an alert flashes up on the screen. The system can show a phone’s MAC address, although this is not much use if it’s been randomized. It can also record the names of Wi-Fi networks that devices around it are looking for—a phone that’s trying to connect to a Wi-Fi network called Langley may give some clues about its owner. “If you have a device on you, I should see it,” he says. In an example, he showed WIRED that a device was looking for a network called SAMSUNGSMART.

To stop the system from detecting your own phone or those of other people traveling with you, it has an “ignore” list. By tapping one of the device’s onscreen buttons, it’s possible to “ignore everything that it has already seen.” Edmondson says that in the future, the device could be modified to send a text alert instead of showing them on the screen. He is also interested in adding the capability to detect tire-pressure monitoring systems that could show recurring nearby vehicles. A GPS unit could also be added so you can see where you were when you were being tracked, he says.

“It’s purely designed to try to tell you that you’re seeing something now that you were also seeing a few minutes ago,” Edmondson says. “This isn’t designed to follow people in any way, shape, or form.” The hacker says he lives near the desert, so he tested the system in his car while driving around places where nobody else was, carrying multiple phones with him that could be detected by the tool. Edmondson says he believes the tool can be effective, since even spies working for a government still carry devices.“You still have your phone in your pocket,” he says. “You still have your phone on the seat sitting next to you, or in the center console.”

Edmondson has no plans to make the device into a commercial product, but he says the design could easily be copied and reused by anyone with some technical knowledge. Many of the parts involved are easy to obtain or may be lying around the homes of people in tech communities.

Ultimately, he says, the tech community needs to take tech-enabled tracking and surveillance more seriously. “It was really kind of disheartening and depressing to look at the ratio of tools to spy on people versus tools to help you not get spied on,” he says, adding that a person close to him has been the victim of a stalker in the past. In the case of his clandestine friend in another government department, the anti-tracking device was useful. “It was really designed to help someone who came to me asking for help,” he says. Fortunately for Edmondson’s friend (and his source), they used it in the real world, and the device didn’t find anyone following them.

This Anti-Tracking Tool Checks If You’re Being Followed

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has no filtering on parameters: delete_list, delete_al_mac, b_delete_list and b_delete_al_mac, which leads to command injection in page /wifi_mesh.shtml.

**WAVLINK Router AC1200 page /wizard\_router\_mesh.shtml Command Injection in adm.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 adm.cgi has no filtering on parameters: web_pskValue, wl_Method, wlan_ssid, EncrypType, rwan_ip, rwan_mask, rwan_gateway, ppp_username, ppp_passwd and ppp_setver, which leads to command injection in page /wizard\_router\_mesh.shtml.

   

**Poc:**

Login is needed.

Visit /wizard\_router\_mesh.shtml.

When setting ""Router Mode" it redirects to /cgi-bin/adm.cgi with POST parameters: web_pskValue, wl_Method, wlan_ssid, EncrypType, rwan_ip, rwan_mask, rwan_gateway, ppp_username, ppp_passwd and ppp_setver. Use "xxx;command" for command injection.

**WAVLINK Router AC1200 page /ledonoff.shtml Command Injection in adm.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 adm.cgi has no filtering on parameter led_switch, which leads to command injection in page /ledonoff.shtml.

**Poc:**

Login is needed.

Visit /ledonoff.shtml.

When switching LED, it redirects to /cgi-bin/adm.cgi with POST parameter led_switch. Use "xxx;command" for command injection.

**WAVLINK Router AC1200 page /wan.shtml Command Injection in adm.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 adm.cgi has no filtering on parameters: ppp_username, ppp_passwd, rwan_gateway, rwan_mask and rwan_ip, which leads to command injection in page /wan.shtml.

 

**Poc:**

Login is needed.

Visit /wan.shtml.

When setting "WAN" it redirects to /cgi-bin/adm.cgi with POST parameters: ppp_username, ppp_passwd, rwan_gateway, rwan_mask and rwan_ip. Use "xxx;command" for command injection.

**WAVLINK Router AC1200 page /wizard\_rep.shtml Command Injection in adm.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 adm.cgi has no filtering on parameters: wlan_signal, web_pskValue, sel_EncrypTyp, sel_Automode, wlan_bssid, wlan_ssid and wlan_channel, which leads to command injection in page /wizard\_rep.shtml.

  

**Poc:**

Login is needed.

Visit /wizard\_rep.shtml.

When setting "Repeater Mode" it redirects to /cgi-bin/adm.cgi with POST parameters: wlan_signal, web_pskValue, sel_EncrypTyp, sel_Automode, wlan_bssid, wlan_ssid and wlan_channel. Use "xxx;command" for command injection.

 

**WAVLINK Router AC1200 page /ledonoff.shtml hidden parameter "ufconf" Command Injection in api.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 api.cgi has no filtering on parameter ufconf, and this is a hidden parameter which doesn't appear in POST body, but exist in cgi binary. This leads to command injection in page /ledonoff.shtml.

**Poc:**

Login is needed.

Visit /ledonoff.shtml.

When switching LED, it redirects to /cgi-bin/adm.cgi. Change url as /cgi-bin/api.cgi and add ufconf in POST body as a parameter. Use "xxx;command" for command injection.

**Command Injection occurs when deleting blacklist in WAVLINK Router AC1200 page /cli\_black\_list.shtml in firewall.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 firewall.cgi has no filtering on parameter add_mac, which leads to command injection in page /cli\_black\_list.shtml.

**Poc:**

Login is needed.

Visit /cli\_black\_list.shtml.

When adding WIFI blacklist, it redirects to /cgi-bin/firewall.cgi with POST parameter add_mac. Use "xxx;command" for command injection.

**Command Injection occurs when adding blacklist in WAVLINK Router AC1200 page /cli\_black\_list.shtml in firewall.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 firewall.cgi has no filtering on parameter del_mac and parameter flag, which leads to command injection in page /cli\_black\_list.shtml.

**Poc:**

Login is needed.

Visit /cli\_black\_list.shtml.

When deleting WIFI blacklist, it redirects to /cgi-bin/firewall.cgi with POST parameters: del_mac and flag. Use "xxx;command" for command injection.

**WAVLINK Router AC1200 page /man\_security.shtml Command Injection in firewall.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 firewall.cgi has no filtering on parameters: remoteManagementEnabled, blockPortScanEnabled, pingFrmWANFilterEnabled and blockSynFloodEnabled, which leads to command injection in page /man\_security.shtml.

**Poc:**

Login is needed.

Visit /man\_security.shtml.

When setting system firewall, it redirects to /cgi-bin/firewall.cgi with POST parameters: remoteManagementEnabled, blockPortScanEnabled, pingFrmWANFilterEnabled and blockSynFloodEnabled. Use "xxx;command" for command injection.

**WAVLINK Router AC1200 page /login.shtml Command Injection in login.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 login.cgi has no filtering on parameter key, which leads to command injection in page /login.shtml.

 

**Poc:**

Visit /login.shtml.

When clicking login, it redirects to /cgi-bin/login.cgi with POST parameter key. Use "xxx;command" for command injection.

**WAVLINK Router AC1200 page /nas\_disk.shtml Command Injection in nas.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 nas.cgi has no filtering on parameters: User1Passwd and User1, which leads to command injection in page /nas\_disk.shtml.

**Poc:**

Login is needed.

Visit /nas\_disk.shtml.

When clicking the button, it redirects to /cgi-bin/nas.cgi with POST parameters: User1Passwd and User1. Use "xxx;command" for command injection.

**WAVLINK Router AC1200 page /qos.shtml hidden parameters Command Injection in qos.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 qos.cgi has no filtering on parameters: cli_list and cli_num, which leads to command injection in page /qos.shtml.

**Poc:**

Login is needed.

Visit /qos.shtml.

 

When clicking the button, it redirects to /cgi-bin/qos.cgi. Modify POST packet and add parameters: cli_list and cli_num. Use "xxx;command" for command injection.

**WAVLINK Router AC1200 page /qos.shtml Command Injection in qos.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 qos.cgi has no filtering on parameters: qos_bandwith and qos_dat, which leads to command injection in page /qos.shtml.

**Poc:**

Login is needed.

Visit /qos.shtml.

 

When clicking the button, it redirects to /cgi-bin/qos.cgi with POST parameters: qos_bandwith and qos_dat. Use "xxx;command" for command injection.

**WAVLINK Router AC1200 page /wifi\_multi\_ssid.shtml Command Injection in wireless.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has no filtering on parameter hiddenSSID32g and SSID2G2, which leads to command injection in page /wifi\_multi\_ssid.shtml.

  

**Poc:**

Login is needed.

Visit /wifi\_multi\_ssid.shtml

When setting WIFI SSID to extend, it redirects to /cgi-bin/wireless.cgi with POST parameter hiddenSSID32g and SSID2G2. Use "xxx;command" for command injection.

 

**WAVLINK Router AC1200 page /wifi\_mesh.shtml hidden parameter Command Injection in wireless.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has no filtering on parameters: mac_5g and Newname, which leads to command injection in page /wifi\_mesh.shtml.

**Poc:**

Login is needed.

Visit /wifi\_mesh.shtml

When clicking the button, it redirects to /cgi-bin/wireless.cgi. Modify the POST packet and add parameter mac_5g and Newname. Use "xxx;command" for command injection.

**Command Injection occurs when adding extender in WAVLINK Router AC1200 page /wifi\_mesh.shtml in wireless.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has no filtering on parameter macAddr, which leads to command injection in page /wifi\_mesh.shtml.

**Poc:**

Login is needed.

Visit /wifi\_mesh.shtml

When adding the extender, it redirects to /cgi-bin/wireless.cgi with POST parameter macAddr. Use "xxx;command" for command injection.

**Command Injection occurs when clicking the button in WAVLINK Router AC1200 page /wifi\_mesh.shtml in wireless.cgi****Description:**

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has no filtering on parameters: delete_list, delete_al_mac, b_delete_list and b_delete_al_mac, which leads to command injection in page /wifi\_mesh.shtml.

**Poc:**

Login is needed.

Visit /wifi\_mesh.shtml  When clicking the button, it redirects to /cgi-bin/wireless.cgi with POST parameters: delete_list, delete_al_mac, b_delete_list and b_delete_al_mac. Use "xxx;command" for command injection.

CVE-2022-35538: othercveinfo/wavlink at main · TyeYeah/othercveinfo

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has no filtering on parameters: mac_5g and Newname, which leads to command injection in page /wifi_mesh.shtml.

CVE-2022-35537: othercveinfo/wavlink at main · TyeYeah/othercveinfo

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 nas.cgi has no filtering on parameters: User1Passwd and User1, which leads to command injection in page /nas_disk.shtml.

CVE-2022-35518: othercveinfo/README.md at main · TyeYeah/othercveinfo

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 firewall.cgi has no filtering on parameters: remoteManagementEnabled, blockPortScanEnabled, pingFrmWANFilterEnabled and blockSynFloodEnabled, which leads to command injection in page /man_security.shtml.

CVE-2022-35521: othercveinfo/README.md at main · TyeYeah/othercveinfo

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 api.cgi has no filtering on parameter ufconf, and this is a hidden parameter which doesn't appear in POST body, but exist in cgi binary. This leads to command injection in page /ledonoff.shtml.

CVE-2022-35520: othercveinfo/README.md at main · TyeYeah/othercveinfo

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 adm.cgi has no filtering on parameters: web_pskValue, wl_Method, wlan_ssid, EncrypType, rwan_ip, rwan_mask, rwan_gateway, ppp_username, ppp_passwd and ppp_setver, which leads to command injection in page /wizard_router_mesh.shtml.

CVE-2022-35517: othercveinfo/README.md at main · TyeYeah/othercveinfo

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has no filtering on parameter hiddenSSID32g and SSID2G2, which leads to command injection in page /wifi_multi_ssid.shtml.

CVE-2022-35534: othercveinfo/wavlink at main · TyeYeah/othercveinfo

WAVLINK WN572HP3, WN533A8, WN530H4, WN535G3, WN531P3 wireless.cgi has no filtering on parameter macAddr, which leads to command injection in page /wifi_mesh.shtml.

CVE-2022-35535: othercveinfo/wavlink at main · TyeYeah/othercveinfo

New research found troubling vulnerabilities in the 5G platforms carriers offer to wrangle embedded device data.

True 5G wireless data, with its ultrafast speeds and enhanced security protections, has been slow to roll out around the world. As the mobile technology proliferates—combining expanded speed and bandwidth with low latency connections—one of its most touted features is starting to come into focus. But the upgrade comes with its own raft of potential security exposures.

A massive new population of 5G-capable devices, from smart city sensors to agriculture robots and beyond, are gaining the ability to connect to the internet in places where Wi-Fi isn't practical or available. Individuals may even elect to trade their fiber optic internet connection for a home 5G receiver. New research that will be presented on Wednesday at the Black Hat security conference in Las Vegas, though, warns that the interfaces carriers have set up to manage internet of things data are riddled with security vulnerabilities they fear will dog the industry long term.

After years of examining potential security and privacy issues in mobile data radio frequency standards, Technical University of Berlin researcher Altaf Shaik says he was curious to investigate the application programming interfaces (APIs) carriers are offering to make IoT data accessible to developers. These are the conduits applications can use to pull, say, real-time bus tracking data or information about stock in a warehouse. Such APIs are ubiquitous in web services, but Shaik points out that they haven't been widely used in core telecommunications offerings. Looking at the 5G IoT APIs of 10 mobile carriers around the world, Shaik and his colleague Shinjo Park found common, widely-known API vulnerabilities in all of them, and some could be exploited to gain authorized access to data or even direct access to IoT devices on the network.

“There's a big knowledge gap, this is the beginning of a new type of attack in telecom,” Shaik told WIRED ahead of his presentation. “There's a whole platform where you get access to the APIs, there’s documentation, everything, and it's called something like ‘IoT service platform.’ Every operator in every country is going to be selling them if they're not already, and there are virtual operators and subcontracts, too, so there will be a ton of companies offering this kind of platform.”

The designs of IoT service platforms aren’t specified in the 5G standard and are up to each carrier and company to create and deploy. That means there's widespread variation in their quality and implementation. In addition to 5G, upgraded 4G networks can also support some IoT expansion, widening the number of carriers that may offer IoT service platforms and the APIs that feed them.

The researchers bought IoT plans on the 10 carriers they analyzed and got special data-only SIM cards for their networks of IoT devices. This way they had the same access to the platforms as any other customer in the ecosystem. They found that basic flaws in how the APIs were set up, like weak authentication or missing access controls, could reveal SIM card identifiers, SIM card secret keys, the identity of who purchased which SIM card, and their billing information. And in some cases, the researchers could even access large streams of other users' data or even identify and access their IoT devices by sending or replaying commands that they shouldn’t have been able to control.

The researchers went through disclosure processes with the 10 carriers they tested and said that the majority of vulnerabilities they found so far are being fixed. Shaik notes that the quality of security protections on the IoT service platforms varied widely, with some appearing more mature while others were “still sticking to the same old, bad security policies and principles.” He adds that the group isn't publicly naming the carriers they looked at in this work because of concerns about how widespread the issues might be. Seven of the carriers are based in Europe, two are in the United States, and one is in Asia.

“We found vulnerabilities that could be exploited to access other devices even though they don’t belong to us, just by being on the platform,” Shaik says. “Or we could talk to other IoT devices and send messages, extract information. It’s a big issue.”

Shaik emphasizes that he and his colleagues didn’t hack any other customers or do anything improper once they discovered the different flaws. But he points out that none of the carriers detected the researchers’ probing, which in itself indicates a lack of monitoring and safeguards, he says.

The findings are just a first step, but they underscore the challenges of securing massive new ecosystems as the full breadth and scale of 5G starts to appear on the horizon.

Tag

#wifi