I first became interested in the potential of Wigle (Wireless Geographic Logging Engine) and Wardriving for the purpose of OSINT just short of 3 years ago after reading Micah’s (@WebBreacher) excellent blog on it, which you can read here, https://osintcurio.us/2019/01/15/tracking-all-the-wifi-things/. Since then it has become one of my go to tools for OSINT.
I would encourage you to read Micah’s blog as my blog does not aim to replace it. It will also help you understand how Wigle works, which means I don’t need to do as much writing. What I want to do is share my experience of how Wigle has helped me with my OSINT research.
At the same time I was writing this Blog one of OSINT’s unsung heroes GONZO (@GONZOs_int) released a thread on Twitter, https://twitter.com/GONZOs_int/status/1466872414470651917 add this to your Wigle arsenal too.
You can use Wigle without an account but I would recommend creating one as you will then have more options available, such as being able to use the advanced search options. No need to provide anything other than, an email address, username and password to create your account.
I have never received another email from Wigle since I authenticated my account, which we like, I don’t see much activity from my uBlock Origin extension, which we also like. Wigle will ask permission to access you location, which you can block and the site will still work fine.
From an OPSEC perspective you should not have your browser set up, so websites can automatically access your webcams, microphones or location etc. Remember I tweeted a Top Tip about how a VPN may not be enough to hide your location due to what websites can access on your computer, check here to see if you are protected, z0ccc.github.io/LocateJS/
I do not usually use Wigle as my first port of call when I am carrying out an OSINT investigation. I like to build up as much information as I can about a subject as this can make searching Wigle more productive but I have had times where I have struggled with my research so have turned to Wigle.
There are three main search tools I feel you need to remember when using Wigle:-
BSSID – Device / Network Name
SSID – MAC Address
Location – Country, City, Street or even a postcode (ZIP)
Below is a screenshot of the advanced search options. The highlighted red boxes are what I use the most.
Micah demonstrated in his blog how easy it is to search for Apple iPhones because of the way Apple names the phone using your own name after you have set up your profile.
What if we only had a first name and a town or city where our subject lived. Can we search Wigle and find a physical address?
In the below image I know my subject is called David and that he lives in Derby in the UK. I have used the % wildcard after the name so that Wigle will return everything it has saved with the name David in it, in Derby.
Wigle has returned 35 results, which I do not think is an amount that we cannot research further.
In the next image below I picked an SSID that I am interested in. What you have to remember is how the coordinates are recorded on Wigle is subject to different variants and as you can see from Wigle’s own map, the location of the SSID we are interested in may not be plotted 100% accurately. The grey area is where Wigle has plotted the device / network location. The locations shown will be of the person who is doing the Wardriving at the time the device / network was recorded.
From a privacy perspective I have tried to anonymize the results without spoiling the methodology or result.
I am not a massive fan of Wigle’s own interactive map but we have to appreciate that Wigle is a community and they do not have infinite resources. For continuity purposes I have used the mapping site that Micah recommended https://www.mapcustomizer.com/ and I have plotted all the longitude and latitude coordinates that Wigle has provided.
It appears from the above map that our subject may live in or around the above area of Derby. In the UK we have a very useful data aggregation website called 192.com. It will give you a taster of the information it holds. You would need to create an account and pay for full access.
For our purposes the partial details it provides will suffice as we can use what it does give us to pivot into other areas, social media etc. I can tell you DE1 is the postcode of the above area. I initially searched on the above location, which gave me a list of people who lived on the Road of interest.
I then clicked through the results until I found one called David, which then brought up the full name, as below.
I used David%, don’t forget though that David could be david, Davy, davy, Dave or dave, etc, so you may need to do more than one search.
The example I have done above is purely fictitious however using the above methodology and plenty of tenacity has brought me good results. I have turned a first name and city into potential a home address as well as obtaining a last name and partner’s name. This opens up other avenues for us to explore.
It is by no way a forgone conclusion that you will find what you are looking for but Wigle is a powerful OSINT tool that cannot be ignored.
In this second scenario I only know my subject’s name and where they work and I know very little else. If you remember from a previous blog that myself and Ritu Gill (@OSINTtechniques) did, which you can read here, https://www.cqcore.uk/are-you-linked-in/ how easy it is to search LinkedIn for your subject. Well work places are subject to Wardriving too.
In this example we will say that our subject works at Television Centre, London. All the purple spots represent a device / network. By zooming in you can see the individual BSSID & SSID or you could scroll down the list of devices in the table of results.
(The different colours on the right image relate to the density and quality of service of the devices / network.)
I am not going to demonstrate the methodology again as you will now know what that is. In this case it is a matter of zooming in and looking at the BSSID device / network names, to see if you can find one of interest that will allow you to pivot onto a home address or other significant places.
Remember what I said earlier about how the network / devices are geolocated, with that in mind don’t discount all the dots that are on the roads / areas outside the building as you may find your subject’s device there too.
With the advent and popularity of internet connected vehicles, I have used Wigle to identify a make of vehicle and also locations visited by the subject in the vehicle, which then provided me with other pivot points to enhance my research.
We can search for Mercedes Benz infotainment models. Some models start with MB, so we can search Wigle for the MB, MB Hotspot or we could search for MBUX (Mercede Benz User Experience), Mercedes Benz of simply Mercedes and see which vehicles are broadcasting their SSID & BSSID.
In the below image I have searched for MB% as previous experience tells me that the SSID starts with MB on Mercedes infotainment systems. There is a caveat, internet connected cars have not been around as long as Wi-Fi so the data available on vehicles is still in its infancy however I did find a vehicle of interest at a place of work and Wigle showed me other significant locations it had been too
Another way to search for a vehicle, is by the MAC address, by obtaining the first 3 hex characters of the BSSID from http://standards-oui.ieee.org/oui/oui.txt and then by searching for Mercedes. Bear in mind though there maybe network cards from other manufacturers in Mercedes infotainment systems.
I obtained 3C:CE:15 which is for Mercedes Benz, USA and searched Wigle. Admittedly there were not many results but this one tickled me. (Who hasn’t done something similar)
Don’t forget you can search for Bluetooth devices in exactly the same way. Bluetooth has been around since about 1999 as a consumer product. With the rise in recent years of wearables and connected vehicles, Bluetooth has got a new lease of life. We can search Wigle in a similar fashion for Bluetooth devices as we can Wi-Fi.
I will do a quick example searching for device / network names beginning with Andy in the UK.
Similar to searching vehicles the dataset is not as in-depth as for Wi-Fi but it will surely only grow as the popularity of wearable technology increases and they are captured by people who are Wardriving.
And don’t forget we can search for a vehicle’s Bluetooth too.
Wigle can also be used to carry out reconnaissance as Wi-F- and Bluetooth can both be hacked. Wigle will show you the type of encryption being used on a device. This is beyond the scope of this Blog, but I encourage individuals and organisation’s to check Wigle to see if they are potentially vulnerable to an attack.
Lets do some privacy house keeping, turn off your Bluetooth and Wireless Hotspot when you do not need to use it, better still try and never use them. For those of you with Apple devices consider changing the default first name that Apple uses when you create your account on the phone. For those of you with Android phones don’t be tempted to use your first name to name your device. Keep it bland. If you find that you are on Wigle they will remove your device details from the website if you ask them at WiGLE-admin[at]WiGLE.net.
Copyright 2021 © cqcore All Rights Reserved