VanguardLH wrote on 10.05.2021 22:51
> There are apps that will toggle wifi on/off based on your phone's
> connection with a particular cell tower, its GPS location, time of day,
> and so on.
Thanks for that j4velin WiFiAutoOff app as it seems to do what I want which
is turn off the phone's WiFi when I leave the house (so that the phone
doesn't constantly shout out that it's looking for my unique hidden SSID).
https://play.google.com/store/apps/details?id=de.j4velin.wifiAutoOf
There seemed to be a similar app I saw next to it of the name AutoWifi
https://play.google.com/store/apps/details?id=tech.edie.autowifi
But that kicked off a Google Play Protect warning so I didn't install it.
"Blocked by Play Protect... AutoWiFI... This app may be harmful"
While I was looking at that app I also saw this one which is different:
https://play.google.com/store/apps/details?id=com.alivezoned.autowifi
(It turns off the wifi when the screen blanks out - or based on a data
limit, or time limit configurable by the user.)
There were also apps that turned off the wifi on a schedule such as
https://play.google.com/store/apps/details?id=com.vlab.tools.wifiauto
I think the best idea is for the WiFi to be turned off when a given cellular
tower is no longer visible as that wouldn't require the GPS always to be on.
>> Is there an app which will turn off the WiFi based on no connection to
>> the AP SSID for a given period of time (perhaps for a quarter of an hour)?
>
> The numbers nailed to your house do not affect your security or privacy
> whether you are home or not. An SSID is just a string of characters,
> but often are memorable to the owner of the wifi router, like to show
> the SSIDs are for their wifi router, and which one is for 2.4 GHz and
> 5.0 GHz bands.
I appreciate the further details about what an SSID is but the unique part
is the BSSID and the location itself of your home which is part of the data
that is uploaded by almost every Android phone to many public servers (not
just Google servers).
Control access point inclusion in Google's Location services
https://support.google.com/maps/answer/1725632
The AP BSSID is unique as are your GPS coordinates, both of which are
uploaded by most Android phones to Mozilla, Google, Wigle, Kismet,
& other servers if you broadcast your SSID.
https://wigle.net/
https://play.google.com/store/apps/details?id=net.wigle.wigleandroid
https://play.google.com/store/apps/details?id=org.prowl.wifiscanner
> You don't operate an open (non-passworded) wifi router, do you?
The AP is passphrase protected. WPA2-PSK. Standard stuff.
> Even with a phone scanning for and reporting what SSIDs it
> found within its range, that won't provide access to those that are
> locked (passworded). Do you use short and weak wifi passkeys?
Long and unique (as much as I can make them long & unique anyway).
> In addition, devices that connect to your router are still going to
> present their MAC address. So, configure your wifi router to accept
> connects only from MAC addresses for *your* devices. Change MAC
> filtering mode from Allow-All to Allow, and specify the MAC addresses
> you allow connects to your router.
I'm not trying to prevent access to my home router by others because hiding
the broadcast doesn't really hide it from anyone determined to connect.
https://www.accessagility.com/blog/why-ssid-hiding-is-not-secure
I hide my SSID broadcast because I'm trying to stop people from uploading my
BSSID & GPS coordinates to Wigle, Google, Mozilla and other public servers.
https://www.zdnet.com/article/how-google-and-everyone-else-gets-wi-fi-location-data/
Even adding _nomap does NOT stop that from happening (Google says they'll
delete it but there are more public servers than just Google out there).
https://www.tomshardware.com/news/Google-Maps-Wi-Fi-Location-SSID,14000.html
> Presumably you already disabled WAN-side remote access to your router,
> and changed the login password to something other than the default, like
> a long strong password.
I can't make the router admin password longer than 8 characters though.
At least not on my router I can't.
It will accept a longer password but it stops checking at 8 characters.
> Don't know which phone you use. Mine doesn't broadcast any SSIDs that
> it found before nor those that are configured for auto-reconnect.
AFAIK, all phones with WiFi do this query for "hidden" SSIDs AFAIK (at least
if you don't want to type in the long SSID every time you connect).
So do all Windows PCs.
It's how WiFi works when your SSID broadcast from the AP is disabled.
> My phone scans for SSIDs, not broadcast them.
If you connected to a hidden SSID (that was set to be remembered) then the
phone would have to ask "are you there" which is a different kind of
broadcast.
https://www.alphr.com/should-broadcast-wifi-ssid/
You don't do this for security; you do it for privacy.
And even then it's a catch 22 (as I mentioned in the opening post).
https://apple.stackexchange.com/questions/244171/ios-10-warning-using-a-hidden-network-can-expose-personally-identifiable-inform
> The only reason I attempt to
> use unique SSIDs for the 2.4 and 5.0 bands of my wifi router is so that
> *I* recognize they are for my router.
A unique AP SSID helps keep you out of public butterfly hash tables.
https://www.ethicalhackx.com/wpa-psk-rainbow-tables-download/
The idiots who designed WPA-PSK screwed up the salting process by making it
based on the SSID itself.
https://www.tomshardware.com/reviews/wireless-security-hack,2981-5.html
> My phone sees all the SSIDs in the nearby neighborhood homes.
No it doesn't. Not by default anyway.
Your Android phone doesn't normally display the hidden AP SSIDs by default
(although there are plenty of 3rd party Android WiFi utilities which will
show the BSSID & signal strength for those hidden AP SSIDs).
https://play.google.com/store/apps/details?id=de.teamusec.ssidsnooper
> I don't know their passkeys nor would I be in the MAC filtering lists.
You could hack into WPA2-PSK if you knew how to use the butterfly hash
tables which are published on the net.
> Uploading of your SSID would be worthless. Whoever got it, like Google,
> won't be within range of connecting to that SSID.
It's a public database. Just like Wigle and Mozilla and God knows how many
others are out there. Do you trust all of them?
And why should they have your AP SSID/BSSID/GPS/SignalStrength anyway in a
public database without your express consent?
The only way to stop it is to hide the AP SSID broadcast as there is no
filtering on the phones that prevents your AP SSID from being uploaded even
if it ends with _nomap.
> Only those driving
> around your home will find your SSID *and* could possible use your wifi
> router if you didn't specify a long strong passkey *and* you allowed
> every MAC to connect to your wifi router.
You don't do it for security; you do it for privacy.
On principle alone if for no other reason.
Why should your AP SSID be in a public database on the Internet without
anyone ever asking for your permission to do that?
> Unclear if your concern is about an attack vector through your router,
> or if you are worried about someone tracking your location under the 100
> meter range of wifi by your phone by looking for your home's SSID and
> the phone announcing its MAC address.
It's a privacy issue on principle.
Why should your AP SSID be in a public database when nobody asked for your
permission to put it there?
BTW, you can also be tracked but let's not go there because most people
don't understand how these public lookups work and I don't feel like
explaining it because being tracked isn't my concern for this purpose.
https://developers.google.com/maps/documentation/geolocation/overview
Just know that it can be done (and if you want to argue about it, look it up
first because it can be done - but you have to know some bits of data about
the phone to do it).
> To eliminate someone from tailing you by keeping close enough to monitor
> your phone's wifi transmission means you have some nefarious reason for
> not wanting someone to know where you are.
You don't have any idea how these public databases can be abused to track
someone but that's not my main issue so when you educate yourself on how
they can be abused then tell me about tracking. (I don't want to go there.)
> So, change your home
> router's SSID to some random character string that has nothing to
> identify you, and change its SSID everytime you leave home. There are
> costs to hiding and being paranoid.
Of course there are costs to privacy.
Nobody said there wasn't.
And changing your SSID every time you leave home is more work than just
automatically shutting off the WiFi on the phone every time you leave home.
> Of course, if you are that paranoid or nefarious and want to eliminate
> anyone trailing you, just turn off wifi on your phone.
Of course. And bluetooth. And NFC. And probably a whole host of other
radios. But that wasn't the purpose nor intent.
> Also of course,
> you better configure your phone to NOT auto-reconnect to previously
> found wifi hotspots when your wifi is on, because scammers can use SSIDs
> of anyplace, like the Starbucks you visited before whos SSID is all of
> "starbucks".
Yup. The phone usually defaults to remembering all the WiFi connections
you've had in the past (but this can be changed).
> As for tracking your without having someone trail you
> physically by monitoring your wifi broadcasts, a gov't would have deep
> enough pockets to place thousands of "snoopy" devices that are within
> wifi range of each other to catch your phone's wifi transmissions,
> report what they caught in their range back to a database, and track you
> as you move around with your phone ... *if* you leave wifi on even when
> you have no intent of connecting to any hotspot while travelling.
Tracking is easier than that.
You need to educate yourself on how you can be tracked by the information in
these public databases. Google tries to limit the amount of abuse by
requiring a key and a limited number of queries - but under some
circumstances you _can_ be tracked quite easily from afar.
That is someone in Russia (for just an example) can track you in the United
States if they know a bit of data about you and your phone (technically
they're tracking your phone). Again you need to educate yourself because you
don't know this is possible and I'm not saying it's likely nor am I saying
that it's what I'm worried about - but you can't go on saying people can't
track you when they can (under certain circumstances) using this database.
https://developers.google.com/maps/documentation/geolocation/overview
Again, I'm not saying that is what I'm trying to prevent (because it's not).
I'm just saying it's possible under certain circumstances to track you.
>
https://www.youtube.com/watch?v=GvrB6S_O0BE
> (dated 2014)
The Machines That Betrayed Their Masters by Glenn Wilkinson
https://www.youtube.com/watch?v=GvrB6S_O0BE
I'll watch that hour long presentation soon.
> All about tracking you using wifi (and MAC) on your cell phone, not
> about invading your home network through your router.
The only thing I'm trying to do is not have people upload my MAC address and
SSID and GPS location to public servers on the Internet.
There is no reason for my data to be on the Internet without people asking
my permission but I can't stop their phone from uploading this information
unless I turn off the SSID broadcast (it doesn't matter that _nomap is in
the SSID for this purpose).
Also it helps to keep the SSID out of the hash tables (but like all
security, it can be defeated too).
Thanks for the suggestion of the j4velin wifiAutoOf app.
It's installed and I will be testing it soon.