Visitors of Music Festivals Sharing Their SSIDs!

WiFi ZoneIn January, I developed a tool to sniff Wi-Fi SSIDs. I decided to call it ‘hoover‘ (based on the vacuum cleaner brand). The original post is here. I’m often running this tool in my area to detect the presence of some people in the neighborhood or when I’m staying at hotels. But usually, the scan scope is very limited.

A friend had the wonderful idea to run hoover during a major Belgian event: The Rock Wechter music festival! Belgium is a wonderful country for music lovers. Plenty of festivals are organized across the country during the summer. They are covering all music styles! Such public events are great places to find good samples of citizens. During four days, 139.000 unique people attended the festival (source). And guess what people are always carying with them? Their smart phones of course!

The high number of visitors attending festivals represents a very good sample of “common users“. We have:

  • Belgian, foreigners
  • Young, old people
  • Male,female
  • Students, workers
  • French, Dutch speaking people (Yes, that’s Belgium!)
  • etc…

My friend had a chance to stay at a good location. This was an excellent opportunity to keep his laptop safely running hoover to collect broadcasted SSIDs. What can we discover from the (huge) log file? Here are some of my findings…

First numbers:

  • 29194 unique SSIDs were detected!
  • 6475 unique MAC addresses (devices)
No big surprise about the distribution across the manufacturers. Apple is the winner!
Manufacturers

(Click to enlarge)

 

Among the detected SSIDs, here is the top-20 (based on the seen requests):

Requests SSID
807891 Hotspot-Corelio
18853 trofanaroyal
13984 RWIFI
10693 FON_BELGACOM
9807 Groezrock
7775 free-hotspot.com
7042 default
7010 linksys
6899 RKVL-COMCAR
4891 TELENETHOTSPOT
4890 Wifi Ranst NIV0
4653 UZLeuven-gast
4584 zampass
4485 dlink
4055 shithappens
3735 Netwerk van Geert Delbaere
3729 St4rt
3713 wifi@home
3712 aspbs
3685 telenet-38C64

This top-20 is very interesting to conduct WiFi attacks later. We can see that SSIDs like “dlink” or “default” are commonly used. From an attacker’s point of view, this list is interesting to wisely choose the SSIDs which will increase your chances to attract devices to your rogue access point. I’m wondering what’s the first SSID (“Hotspot-Corelio“)? Corelio is a big Belgian media company which edits lot of newspapers. Maybe they were the sponsor of the official Wi-Fi access?

A fact: many people disclose their name via their SSIDs. There was plenty of networks with names. 169 SSIDs based on “Network of xxx” were detected. Some examples:

  • “Netwerk van Geert Van Assche”
  • “Beernaert-Geusens”
  • “Netwerk van Alex Van Hoydonck”
  • “Netwerk van Joost MUYLLE”
  • “Netwerk Dennis De Smaele”
  • “Netwerk van Dimitri De Schryver”
  • “Famille Moies-Delval”

Lof of SSIDs contained geographic details (airports, city names). This helps us to build a list of countries from where the festival visitors came:

  • France
  • Morocco
  • Italia
  • Germany
  • Holland
  • UK
  • Canada
  • Burma (Myanmar)
  • Luxembourg

What about the hardware used to build wireless networks? Lot of Wi-Fi access point owners do not change the default SSID or just add extensions like a number or a name. Below is the repartition of hardware based on common strings:

Wi-Fi Access Points Repartition

(Click to enlarge)

 

Where people do use Wi-Fi connectivity? Mostly in hotels:

Access Points Locations

(Click to enlarge)

They also use free networks:

Guest/Public Access Points

(Click to enlarge)

Of course, there are always some funny SSIDs:

  • Hide yo kids, hide yo wi-fi
  • LA TAVERNE with Big Boobs
  • ( . )( . )
  • Network of Darkness
  • true-story_W64_trojan.exe
  • 1heinekenplease
  • HP-Print-c1-LaserJet 400 MFP
  • Fort Knox-guest
  • www.lloretwifi.es +34672530193
  • boutrosboutrosgali
  • pretty fly for a WiFi
  • megavirus
  • FUCKOFF58bis
  • louloute qui boit le sperme ! ! (No comment – I won’t translate it)
  • Anonymous
  • trojan.exe

More events will be covered by my friend. He will try to perform the same operation. This will be a good opportunity to compare results.

Final disclaimer, no intrusion or attack of any kind was performed. The tool just listen passively for information broadcasted from Wi-Fi enabled devices.

The complete list of SSIDs is available here.

Post Navigation