My Atheros AR9271 USB device arrived! Now I’m back into my courses as originally planned. I now keep my course in one workspace and a Kali VM in another. I have used Kali before, but never under guidance – just fiddling around with a Live USB.
Step 1 today was changing the MAC address of my wi-fi adapter. Reminds me of the first time I lived in shared housing, back at Oxford University. To get ethernet access for my new PC after the old one packed it in, I had to submit my new computer’s ethernet MAC address for approval by the sysadmin. I couldn’t be bothered, so I changed the MAC address to match the old one instead.
Step 2 was setting up monitor mode on my wi-fi adapter. Even without manipulating any of the outputs of airodump-ng wlan0, the potential power here is obvious. I’m not in a high-tech location. Everyone’s routers are broadcasting freely, and everyone has at least a smartphone turned on and typically connected to publicly visible wi-fi. Since Viber is more popular than actual phone minutes or SMS, and virtually nobody takes steps towards anonymising themselves, there are privacy implications right off the bat – and I reckon almost nobody here is aware of it. The data itself is encrypted, of course, but the fact of the data traffic being visible at all is noteworthy – and pretty cool.
Step 3 was my first ever deauthentication signal with aireplay-ng –deauth. Or, in other words: with $23 of hardware incl. shipping, I booted my phone off my wi-fi, without touching it, and could keep it offline as long as I wanted, after 15 minutes of video lectures. Only ethics stops me from keeping my neighbours off the internet. This made it sink in just how easy it actually would be to cause general havoc with vulnerability hacking.
I wonder why societies or the media in general don’t seem to take security vulnerabilities very seriously? Many moons ago when I lived in –redacted–, there were rumours and mutterings followed by a full-blown scandal when it was discovered that the NSA’s Echelon program had a partner station there. In fairly short order, cries about national sovereignty and privacy violations were silenced with statements like “the data is all encrypted anyway”. Even if encryption in general use by the general public at the time was effective and reliable (spoiler: nope), data flow itself is useful information – such as if your spouse’s phone regularly connects to the router of the attractive neighbour.
That is what struck me most about Edward Snowden’s revelations – enormous outcries for a short period, followed by… essentially nothing. Despite the revelations that some of our online service providers, probably even chipset and OS manufacturers, are cooperating with foreign intelligence agencies to be able to manipulate or even access our personal data, most people don’t seem to take the slightest measures to protect their own data.
I look forward to learning a lot more about protecting data systems beyond the obvious steps I take already. Although I now also have to fight the impulse to boot the harbourmaster off his wi-fi.