Project Warwalk: PII, Social Engineering, and OSINT

Welcome back to the sixth entry of our research project, Project Warwalk. If this is your first time here, hello! To read the other entries related to this series and check out the glossary, click here.

This entry marks a distinct shift in how we talk about WiFi, and specifically SSIDs. The articles up to this point described issues with WiFi access points on a more technical level, such as objects and materials that degrade signal strength and infected devices connecting to a wireless network. Today’s article starts this shift by talking about things that affect the security of someone’s home or business network indirectly.

To begin, let’s define PII, Social Engineering, and OSINT.

PII, or Personally Identifiable Information, is anything that can accurately identify who you are. Some examples of PII are:

  • Street address
  • Email address
  • Phone number
  • Social Security Number
  • Date of Birth
  • Driver’s license
  • Passport
  • Full name

Tied to this, there are other indicators that can help identify someone such as family and friends, hobbies, sports teams, jobs, or places they frequent.

In our glossary in the very first post of this series, we also gave a brief definition of what Social Engineering is. We defined it as framing someone’s reality in order to get them to achieve an outcome you’ve already predetermined. In the malicious sense, this is framing someone’s reality with a couple of optimal outcomes: 1) to get a victim to give up sensitive information such as a username and password, and/or 2) to get the victim to commit to an action that is out of character for them, such as entering commands into a command prompt/terminal without understanding what they will do.

Social Engineering can take many forms, whether it’s in person, over the phone, or using other electronic communication media (email, text, social media). This use of electronic communications is phishing, which is a subset of Social Engineering.

The Social Engineering campaigns that are most effective rely on research to find PII and other indicators that give someone insight into a person’s likes, dislikes, hobbies, beliefs, religion, and/or political affiliation. Some of this research is done using Open Source Intelligence (OSINT).

OSINT is using publicly available resources to collect information, analyze it, and make use of the findings.

In the second post in the series, we briefly touched on the overall statistics of this project and talked about SSIDs that reveal PII, which you can find here.

To recap, out of the 2565 SSIDs that we discovered, 353 were named using PII or information that gives insight into things the owners like. Out of the 353 SSIDs, the two most common types that reveal PII are those that use full or partial names (e.g. JaneDoe, JohnDoe, JaneAndJohnDoe) or full or partial physical addresses/locations (e.g. 123MainStreet, thequad). The number of SSIDs using these naming conventions are 270 and 31 respectively. Five SSIDs use contact information (email address) of the owner. The remaining SSIDs reveal potential usernames for their devices or online accounts, like jdoe1982, hobbies, pet names, sports teams, and TV/movie characters. These findings can also be used for password guessing attempts.

What can this disclosure of PII be used for?

In the case of someone using an email address for their SSID name, instead of attempting to crack the password for a protected wireless access point to get into the home/business network, a malicious actor could simply phish their victim. The email address itself can lead to clues as to what platforms the target uses, groups they’re associated with, and a slew of other information that can go beyond a spear-phishing campaign. The email address SSIDs, as well as the network names that could be a username, are something a bad actor will attempt to find a password for if it’s worth the time and effort. Based on the behavior of people we’ve observed over the years, some fall into the pattern of using the same username and password for all accounts. If a bad actor finds that John or Jane Doe have all their usernames as jdoe1982 and a password is discovered, more likely than not, that password is used for multiple accounts. While laziness isn’t the appropriate word, having to deal with security requirements for passwords is exhausting at times. That’s where we feel that people take the easy way and make it simple for themselves to access their accounts and devices. Having to keep track of dozens of usernames and passwords is mentally taxing. We get it. That behavior creates a single point of failure, however, and there are better ways to manage your passwords.

These SSIDs can lead to the construction of a profile of the person operating the wireless access point. If it’s a physical address, you can find out how much the house is worth, the full name(s) of the owner(s), and then expand from that. Political affiliation, family members, likes/dislikes, vices, events they attend, are just a smattering of what this profile might contain. This is all publicly available information.

The point we want to make in this writing is to severely limit what you use as an SSID for your wireless access point. By using something tied specifically to you, such as a physical address, you are giving away so much information about yourself to an adversary who has nothing but time on their hands.
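One way to check an SSID you are about to set against the categories described above, as an added example that is not part of the original project's tooling. The patterns, category labels, function names, and sample SSIDs are assumptions made for illustration; the heuristics are deliberately broad and will over-flag some harmless names.

```python
import re

# Heuristic patterns for the SSID categories described in the article.
EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}", re.I)
# House number, street name, then a common suffix, with or without separators.
ADDRESS_RE = re.compile(
    r"\d{1,5}[\s_-]*[a-z]+[\s_-]*"
    r"(street|st|avenue|ave|road|rd|drive|dr|lane|ln|court|ct|blvd|way)(?![a-z])",
    re.I,
)
# Handle ending in a plausible four-digit year, e.g. jdoe1982.
USERNAME_RE = re.compile(r"^[a-z]{2,}[._-]?(19|20)\d{2}$", re.I)


def normalize(text):
    """Lower-case and drop separators so 'Jane_Doe' and 'janedoe' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def audit_ssid(ssid, personal_terms=()):
    """Return the sorted PII categories a proposed SSID appears to reveal.

    personal_terms are words the owner supplies about themselves (names,
    pets, teams); they are matched after normalization.
    """
    findings = set()
    if EMAIL_RE.search(ssid):
        findings.add("contact")
    if ADDRESS_RE.search(ssid):
        findings.add("address")
    if USERNAME_RE.match(ssid):
        findings.add("username")
    flat = normalize(ssid)
    for term in personal_terms:
        key = normalize(term)
        if len(key) >= 3 and key in flat:  # skip terms too short to be meaningful
            findings.add("personal-term")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample SSIDs and owner terms, not data from the survey.
    terms = ("Jane", "Doe", "Rex")
    for name in ("123MainStreet", "jdoe1982", "TheDoeFamily", "blue-lantern-42"):
        print(name, audit_ssid(name, terms))
```

An empty result only means none of these heuristics fired; hobbies, teams, and places need to be listed in `personal_terms` to be caught.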

Out of curiosity, for those reading, drop us a message if you’ve received spam, phishing attempts, phone calls, or in-person visits where you know for sure, or suspect, these communications are directly related to the SSID name of your WiFi. Access our contact form here.

This is a good point to stop, as we’ll be talking more about this in the next article in the series which focuses on the marketing side of these SSIDs, among other things.

We’ll see you next time.