Wi-Fi Network Analysis Using the WiGLE Power-Up

by: reign | 2025-01-10

---

The Wireless Geographic Logging Engine (WiGLE) is a crowd-sourced platform that aggregates and curates geolocated Wi-Fi, Bluetooth, and cellular network observation data. As one of the largest open wireless network telemetry databases, WiGLE is an invaluable resource for wireless enthusiasts and security researchers, who commonly leverage it for wireless network discovery, wireless security assessments, cyber threat actor tracking, and several other wireless research efforts.

In this blog, we will explore three wireless access point (WAP) research use cases to illustrate how Synapse and the WiGLE Power-Up can be used to discover, analyze, and track wireless networks of interest.

The WiGLE Power-Up

The Synapse WiGLE Power-Up enables users to ingest Wi-Fi network data from WiGLE. It provides a set of commands and Node Actions for users to query and ingest WAP and observation data from the network search and details WiGLE API endpoints.

WiGLE identifies access points from the beacon frames that wireless access points broadcast, and trilaterates their locations from the observers' geolocation and signal strength data. The WiGLE Power-Up models these access points and their associated observations as Wi-Fi access point (inet:wifi:ap) and telemetry (geo:telem) nodes respectively.

By analyzing this data in concert with wireless network enrichment data, such as Media Access Control (MAC) address vendor information and business data, researchers can obtain valuable insights about the WAPs, their geographic locations, and the entities that own or control the network.

To demonstrate the power of Synapse and the WiGLE Power-Up, let’s explore some wireless analysis use cases.

Use Case 1: Tracking Law Enforcement Vehicles

In Alan Meekings’ 2023 DEFCON 31 talk "Snoop On To Them, As They Snoop On To Us", he used WiGLE to discover and track Axon Enterprise Bluetooth-enabled body-worn cameras (BWC). Meekings discussed the historical challenges surrounding proving the presence of law enforcement body cameras at the scene of an incident, particularly in cases involving no-knock warrants and police misconduct. As a proof of concept, Meekings used WiGLE to identify Bluetooth-enabled devices with an Axon MAC Address, and juxtaposed them with known police stations to prove their likely connection with law enforcement officers.

As a Wi-Fi researcher, you want to extend Meekings’ use case to law enforcement vehicles. According to Axon product documentation, vehicles equipped with Axon devices use Wi-Fi technology to enable connectivity and communication. Let’s see how you can use WiGLE to identify and to track Wi-Fi networks associated with law enforcement vehicles.

Axon’s Network Technology

Axon is a leading provider of public safety solutions for law enforcement and other safety professionals. Their products include devices and technology like body-worn cameras, TASERs, and Evidence.com. These products are designed to integrate and communicate within local, in-vehicle wireless networks, and the broader Axon enterprise network, to facilitate situational awareness and rapid incident response. For instance, Axon Signal can wirelessly trigger a nearby body camera to start recording when a police vehicle light bar activates.

_images/Wigle_blog-post-Large.webp

Axon’s MAC Address Block Large (MA-L)

MAC addresses are globally unique identifiers assigned to a network interface card (NIC) to facilitate device identification and local area network communication. The first 3 octets of a MAC address represent the MAC Address Block Large (MA-L), previously known as the Organizationally Unique Identifier (OUI), which is a unique vendor identifier used to create an organization-specific MAC address.

Axon (formerly TASER International) is assigned the MA-L “00:25:DF”. Therefore, MAC addresses prefixed with this MA-L (e.g., 00:25:df:00:72:47) likely represent an Axon network device.

_images/taser_oui.png

Searching for Axon Wi-Fi Networks by BSSID prefix

The WiGLE API allows you to search for WAPs using various network attributes. One such attribute is the Basic Service Set Identifier (BSSID), which represents the 48-bit MAC address assigned to a wireless access point. You can query the database either using the full MAC address of a device, or its 24-bit MAC address prefix.

You can search for Axon Wi-Fi networks that have been submitted to WiGLE using the wigle.network.search command with the “--netid” parameter. Let’s search for wireless networks with the Axon BSSID prefix “00:25:DF”.

wigle.network.search --netid "00:25:DF" --yield

This query returns approximately 3,000 networks. (Note: WiGLE imposes daily rate limits on a per-user basis, so query results may vary). The Power-Up creates a Wi-Fi access point node (inet:wifi:ap) to represent each discovered network.

_images/search1.png

The wireless access points’ properties provide key information about each network:

  • :ssid - the service set ID (SSID) / name assigned to the wireless network.

  • :bssid - the network’s assigned MAC address.

  • :loc - WiGLE’s assessed primary location for the network.

  • :latlong - global positioning system (GPS) coordinates derived via trilateration.

  • :encryption - encryption protocol used to secure network communications.

  • :channel - frequency range used to transmit and receive data.

  • .seen - first and last time the network was observed.

When you sort the inet:wifi:ap table by :ssid, you notice that some SSIDs resemble Axon serial numbers (e.g., X81001683), as noted in the Axon Signal Sidearm and Axon Signal Vehicle documentation. This suggests that some Wi-Fi access points use the serial number as the SSID, further aiding in the identification of Axon devices.

Switching to Geospatial View, you can visualize the geographical distribution of Axon networks and identify which areas have a high concentration of Axon devices.

_images/geoview1.png

Zooming in on the networks detected in the United States you see that several networks precisely align with Interstate 40 (I-40) in Arizona. This alignment suggests that these networks are likely in-vehicle Wi-Fi networks observed by wardrivers traveling along the highway.

_images/highway.png

Tracking Axon In-Vehicle Wi-Fi Networks

In addition to recording a Wi-Fi network’s existence, WiGLE also logs each instance of the network being observed by a WiGLE user. These observations include details about the network, and the observer’s Global Positioning System (GPS) information. With sufficient data and an adequate observation period, you can use this information to establish a pattern of life for the network.

To demonstrate this, let’s enrich the access point inet:wifi:ap=(AXON-X6032638M, 00:25:df:28:0a:04), located in Dallas, TX, near two Dallas police stations that we have modeled as geo:place nodes.

_images/dpd1.png

Note: The police departments are indicated in red, and the WAP is indicated in green.

To ingest Wi-Fi network observation data, you use the WiGLE Power-Up wigle.network.detail command, and provide the BSSID of the target network.

wigle.network.detail --netid 00:25:df:28:0a:04 --yield

This query returns 48 network detail records collected between June 2021 and April 2022. The Power-Up creates 48 unique geo:telem nodes to represent each observation, linking them to the associated inet:wifi:ap node via the geo:telem:node property. By lifting the telemetry nodes for the WAP (shown in green), and the nearby Dallas police stations (shown in red), you can see that the WAP was observed at the Dallas Police Department (Southwest Patrol Division), and traveling along several roadways.

_images/dpd2.png

Between June 2021 and March 2022, there were 12 observations within 200 meters of the Dallas Police Department (DPD). The presence of the Axon Wi-Fi network at the police station over a 9-month period, combined with its movement along roadways, indicates that this is likely a law enforcement vehicle.

_images/dpd3.png

The access point inet:wifi:ap=(AXON-X6033842L, 00:25:df:29:f1:16) was observed near another Dallas police station, the Dallas Police Department Jack Evans Police Headquarters.

_images/dpd4.png

By enriching this WAP with the wigle.network.detail command, we obtain 17 observation records collected between October 2022 and September 2023.

_images/dpd5.png

Juxtaposing this telemetry with the AXON-X6032638M WAP telemetry, however, does not yield any observations recorded along roadways. Therefore you are not able to confidently identify this as a law enforcement vehicle Wi-Fi network.

Use Case 2: Wireless Security Audit

As a Wireless Security Engineer for Through the Wire Inc., you’ve been tasked with conducting a Wireless Security Audit for the Dallas Police Department's Jack Evans Headquarters. Your specific assignment is to conduct the discovery phase of the audit, which involves canvassing the target environment to identify present access points and their configuration settings.

Wi-Fi Network Discovery Using WiGLE

In addition to actively wardriving to discover wireless networks, you can leverage WiGLE to identify wireless networks previously detected by other wardrivers. The WiGLE Power-Up’s wigle.network.search command allows you to specify the GPS coordinates of a target environment and enumerate the wireless networks observed within a defined radius.

According to Google Maps, the Jack Evans Headquarters’ GPS coordinates are approximately 32.7678,-96.79455. Let’s search for APs identified within a 100 meter radius of the building by running the following Storm query:

wigle.network.search --latlong (32.7678,-96.79455) --radius 100m --yield

_images/audit1.png

The query identifies over 5,000 wireless access points. Although many of these networks may not be associated with the DPD, let’s apply the tag #audit.dpd to facilitate easier lifting in subsequent queries.

_images/audit2.png

Profiling the Access Points

By examining the access points’ .seen timestamps, we see that some of the wireless networks were initially detected as early as January 1, 1970, and observed as recently as July 22, 2024. Given that January 1, 1970 is the Unix Epoch, some of these first-seen timestamps are likely incorrect. However, to leverage all of the current and historical DPD wireless data for the audit, let’s include all of the returned results in our analysis.

_images/audit3_sample.png

SSID Analysis

Assuming the SSIDs are not spoofed or intentionally misleading, several appear to be indicative of the network’s device type, function, associated department, or owner/user.

Searching for the SSID strings “DPD” and “Police” reveals approximately 300 networks likely associated with the Dallas Police Department. For instance, several SSIDs contain the string “Caruth Police Institute”, indicating a probable connection to the Caruth Police Institute, a Dallas Police Department training institute located in the Jack Evans Headquarters.

#audit.dpd +(:ssid~=dpd or :ssid~=police)

_images/audit4_dpd_police.png

Several SSIDs are also indicative of the network’s device type. For instance, over 40 access point SSIDs contain the string “HP”, indicating a Hewlett Packard (HP) network printer.

_images/audit5_hp.png

We even see SSIDs related to Axon Enterprise, indicating that the department has Axon wireless networks on the premises.

_images/audit6_axon.png

The SSID “BWCViewer” potentially indicates a body-worn camera wireless network, while networks with names starting with “IBR*” likely represent Cradlepoint routers, which facilitate network connectivity in law enforcement vehicles.

Some SSIDs suggest the network’s department or unit. For example, multiple SSIDs contain or start with strings like “Narcotics”, “NSA”, “Surveil” or “DEA”, which could indicate the Narcotics Division, the National Sheriffs Association, a DPD surveillance function, or a unit working with the Drug Enforcement Administration.

_images/audit7_narc.png

We even appear to have evidence of wireless networks linked to DPD leadership. For example, two SSIDs reference Kimberly Owens, the current Dallas Police Lieutenant.

_images/audit8_kim.png

BSSID Analysis

The first 3 octets of the BSSID (the MA-L, formerly known as the OUI) can be used to determine the vendor or manufacturer of the network’s NIC. This information is useful for identifying the network device, and searching for potential vulnerabilities.

To represent the MAC address vendor information in Synapse, we can write a simple Storm macro that queries the MACVendorLookup API for OUI information.

// Query macvendorlookup.com API for MAC address OUI information
// Run against inet:mac nodes (e.g. the :bssid values of the audited access points)
if ($node.form() = 'inet:mac') {
    $resp = $lib.inet.http.get(`https://www.macvendorlookup.com/api/v2/{$node.repr()}`)
    if ($resp.code != 200) {
        $lib.warn(`Failed to lookup mac {$node.repr()} - {$resp.code} {$resp.body}`)
    } else {
        // The API returns a list of matches; record the first company name as :vendor
        [ :vendor ?= $resp.json().0.company ]
    }
}

By enriching the MAC addresses with the macro, and using Synapse’s embedded column feature, we can easily see the vendor of each device’s NIC.

_images/audit9_vendor.png
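The MA-L extraction described in the “Axon’s MAC Address Block Large (MA-L)” and “BSSID Analysis” sections can be done offline, with one caveat the macro above does not handle: a BSSID whose first octet has the locally administered (U/L) bit set, such as the kenshoto access point 3e:99:b5:e4:45:4e later in this post, carries no vendor prefix at all. This is an added example, not Power-Up code; the vendor table is constructed from the one prefix the page documents, and the function names are the author’s own.

```python
import re

# MA-L (OUI) table constructed for this example from the one prefix the page
# documents; a real lookup would consult the IEEE registry or an API such as
# the one the Storm macro above queries.
MAL_TABLE = {
    "00:25:DF": "Axon Enterprise (formerly TASER International)",
}

def normalize_bssid(raw: str) -> str:
    """Canonicalise the common MAC notations (00:25:df:00:72:47,
    00-25-DF-00-72-47, 0025.df00.7247, 0025DF007247) to colon-separated
    upper-case form, rejecting anything that is not 48 bits of hex."""
    digits = re.sub(r"[:\-.\s]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def mal_prefix(bssid: str) -> str:
    """The first three octets: the MA-L (formerly OUI) of the NIC vendor."""
    return normalize_bssid(bssid)[:8]

def is_locally_administered(bssid: str) -> bool:
    """Bit 1 of the first octet (the U/L bit) is set on locally administered
    addresses, i.e. randomised or software-assigned ones; the prefix of such
    an address is not a vendor identifier."""
    return bool(int(normalize_bssid(bssid)[:2], 16) & 0x02)

def is_group_address(bssid: str) -> bool:
    """Bit 0 of the first octet (the I/G bit) marks multicast/broadcast; a
    unicast BSSID never has it set, so treat it as a data-quality flag."""
    return bool(int(normalize_bssid(bssid)[:2], 16) & 0x01)

def lookup_vendor(bssid: str, table=MAL_TABLE):
    """Return (vendor_or_None, note_or_None) for a BSSID."""
    if is_group_address(bssid):
        return None, "group (multicast) address; not a valid BSSID"
    if is_locally_administered(bssid):
        return None, "locally administered address; MA-L lookup not meaningful"
    vendor = table.get(mal_prefix(bssid))
    return vendor, (None if vendor else "prefix not in table")

if __name__ == "__main__":
    # BSSIDs of access points discussed on the page
    for b in ("00:25:df:28:0a:04", "34:68:95:2e:df:af", "3e:99:b5:e4:45:4e"):
        print(normalize_bssid(b), mal_prefix(b), lookup_vendor(b))
```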

Wireless Network Encryption Analysis

We can obtain wireless encryption protocol statistics for the networks using Synapse’s built-in stats.countby command. This command allows you to count the number of occurrences of a specific property value for a set of nodes, and visualize the results in a bar chart.

To generate the network encryption statistics, we can specify :encryption as the command line value for the stats.countby command.

#audit.dpd | stats.countby :encryption --char "*" --reverse

The results indicate that nearly a dozen networks either have weak (WEP) or no encryption (None) configured.

_images/audit10_stats.png

Distinguishing Mobile and Fixed Devices

The WiGLE Power-Up’s wigle.network.detail command can be used to ingest observation telemetry and determine whether a wireless network is associated with a fixed or a mobile device. This information is crucial for evaluating risks and prioritizing network security controls.

For example, the SSID and BSSID of the access point inet:wifi:ap=(HP-Print-af-LaserJet Pro M201dw, 34:68:95:2e:df:af) suggest that this is a Hewlett Packard wireless network printer. Enriching the WAP with WiGLE network detail data allows us to confirm whether it's a fixed component of the department’s network.

wigle.network.detail --netid "34:68:95:2e:df:af" --yield

Running the command above reveals that the access point has only been observed 5 times at the DPD Headquarters building between 2019 and 2024, indicating that it’s a fixed device. This is a significant finding given the prevalence of HP printer vulnerabilities, and the unknown encryption status of the network.

_images/audit11_hp.png

Conversely, you can use the WiGLE Power-Up command below to obtain observation data for a suspected mobile network, like the Cradlepoint wireless network inet:wifi:ap=(IBR1700-036, 00:30:44:46:90:37).

wigle.network.detail --netid "00:30:44:46:90:37" --yield

The results from the command above reveal that this network was observed more than 100 times between 2022 and 2024. It was observed at key police locations such as the Jack Evans Headquarters, Dallas County - North Tower Detention Center, and Dallas Police Shooting Range, in addition to along various Dallas roadways.

_images/audit12_cradle.png

The network’s presence in various locations over a two year time period suggests that this is a Dallas Police Department mobile wireless network.
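The fixed-versus-mobile assessment used in this section, and the count of observations within 200 meters of a police station used in the Axon vehicle section, can be reproduced outside Synapse once the geo:telem records are exported. This is an added example, not Power-Up code: the observations are constructed, the headquarters coordinates are the ones given on the page, and the 500 m spread threshold and minimum of three observations are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/long points."""
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))

@dataclass(frozen=True)
class Observation:
    """One geo:telem-style record: when and where a BSSID was reported."""
    seen: date
    lat: float
    lon: float

def observations_near(obs, lat, lon, radius_m=200.0):
    """Observations within radius_m of a place (the page uses 200 m)."""
    return [o for o in obs if haversine_m(o.lat, o.lon, lat, lon) <= radius_m]

def max_spread_m(obs):
    """Largest distance between any two observation points (0 if fewer than two)."""
    return max((haversine_m(a.lat, a.lon, b.lat, b.lon) for a in obs for b in obs), default=0.0)

def classify(obs, spread_threshold_m=500.0, min_obs=3):
    """'fixed' when every sighting lies inside a small area, 'mobile' when the
    sightings are spread out. Both thresholds are assumptions for this example."""
    if len(obs) < min_obs:
        return "insufficient"
    return "mobile" if max_spread_m(obs) > spread_threshold_m else "fixed"

def profile(obs, place_lat, place_lon, radius_m=200.0):
    """The per-access-point summary an auditor would record."""
    seen = sorted(o.seen for o in obs)
    return {
        "observations": len(obs),
        "near_place": len(observations_near(obs, place_lat, place_lon, radius_m)),
        "first_seen": seen[0] if seen else None,
        "last_seen": seen[-1] if seen else None,
        "spread_m": round(max_spread_m(obs)),
        "assessment": classify(obs),
    }

# Jack Evans Headquarters coordinates as given on the page
HQ_LAT, HQ_LON = 32.7678, -96.79455

# Constructed sample telemetry: dates and coordinates are invented for the example
PRINTER_OBS = [  # every sighting within a few dozen metres of the building
    Observation(date(2019, 3, 2), 32.7678, -96.79455),
    Observation(date(2020, 8, 15), 32.7680, -96.7944),
    Observation(date(2022, 1, 9), 32.7676, -96.7947),
    Observation(date(2023, 6, 30), 32.7679, -96.7945),
    Observation(date(2024, 7, 22), 32.7677, -96.7946),
]
ROUTER_OBS = [  # two sightings at the building, the rest kilometres away
    Observation(date(2022, 4, 1), 32.7679, -96.7946),
    Observation(date(2022, 9, 12), 32.7900, -96.8100),
    Observation(date(2023, 2, 3), 32.7677, -96.7944),
    Observation(date(2023, 11, 20), 32.8200, -96.8500),
    Observation(date(2024, 5, 5), 32.7500, -96.7700),
]
```

Calling profile(PRINTER_OBS, HQ_LAT, HQ_LON) and profile(ROUTER_OBS, HQ_LAT, HQ_LON) gives the two assessments the section reaches by inspection: a spread of a few tens of metres classed fixed, and a spread of kilometres classed mobile.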

Use Case 3: Tracking Persons of Interest

Kenshoto, a renowned hacker collective, gained prominence for their legendary DEFCON Capture the Flag contests. Kenshoto served as the official DEFCON CTF organizers from 2005 to 2008 for DEFCON 13 through DEFCON 16. After stepping down as DEFCON CTF organizer in 2008, they have not been observed on the CTF scene.

As a long-time CTF enthusiast, you are interested in the group's current activities and whereabouts. Let’s see how you can use the WiGLE Power-Up to locate Kenshoto’s WAPs and track their movements.

Locating Kenshoto by SSID

The WiGLE Power-Up allows you to search for Wi-Fi networks by SSID. To hunt for Kenshoto wireless networks, you want to search for networks that have a “Kenshoto” SSID or contain “Kenshoto” in the name. To do this you can use the wigle.network.search command with the --ssid or --ssid-like options.

To identify wireless networks with a “Kenshoto” SSID you run the command below.

wigle.network.search --ssid "Kenshoto" --yield

This yields 4 access points located in Minnesota and the Washington, D.C. metro area. This location information is consistent with the known travel, work, and home locations of some of the Kenshoto members.

_images/kenshoto1_waps.png

Next, you search for WAP SSIDs containing the group’s name. However, this query doesn’t yield any results.

wigle.network.search --ssid-like "%Kenshoto%" --yield

Tracking Kenshoto’s Network Activity

To obtain the observation telemetry for the suspected Kenshoto networks, you use the WiGLE Power-Up’s network.detail Node Action.

_images/kenshoto2_enrich.png

The Power-Up returned a total of 28 telemetry nodes for two of the networks. The access point inet:wifi:ap=(kenshoto, 00:c0:ca:66:9a:ba) was observed in St. Peter, MN between 2014 and 2016.

_images/kenshoto3_mn.png

The clustering of observations in the same area over a 2 year time period suggests that this access point belongs to a Kenshoto member who either lives, works, or visits family/friends in this area.

The inet:wifi:ap=(kenshoto, 3e:99:b5:e4:45:4e) was observed 8 times on 11/9/2022 at the Hyatt Regency Crystal City Hotel At Reagan National Airport in Arlington, VA.

_images/kenshoto4_va.png

Hotels in Crystal City, VA are commonly used to host various events and conferences due to their proximity to Washington, D.C., and large capacities. Since you use Synapse to track cybersecurity events (e.g., conferences, training events, Capture the Flag contests), you can use Synapse to search for events held at the Hyatt Regency Crystal City around the time of the Kenshoto WAP sighting.

To search for conferences and contests that took place within 2 days of the November 9, 2022 Kenshoto WAP observation, you can run the query below.

ou:conference ou:contest +.seen@=(20221109, "+-2 days")

This command returns a conference node for the CYBERWARCON 2022 conference held at the Hyatt Regency Crystal City on November 10, 2022. CYBERWARCON is a one-day conference where experts highlight and exchange information regarding key cybersecurity threats, challenges, and solutions.

_images/kenshoto5_conf.png

Given CYBERWARCON’s focus on cybersecurity topics, and Kenshoto’s commitment to advancing the cybersecurity discipline, it is reasonable to assume that a Kenshoto group member would attend the conference.

Linking an Access Point to a Person

Now that you have established that CYBERWARCON 2022 was held at Hyatt Regency Crystal City Hotel during the same time period as the Kenshoto WAP observations, you want to use Synapse to identify a potential link between the WAP observations and a Kenshoto member.

While reviewing social media posts, you discover that on November 9, 2022 at 08:36 UTC Vertex Project Co-founder and Kenshoto founder Visi Stark tweeted that he was “heading down” to prepare for CYBERWARCON. This suggests that Mr. Stark was getting ready to travel to the CYBERWARCON conference location.

_images/kenshoto6_visi.png

Upon further review of posts made by Visi leading up to the conference, you discover that the Vertex Project was a CYBERWARCON 2022 sponsor. By running the query below, you identify several tweets made by Visi between September and November 2022 referencing a Vertex CYBERWARCON sponsorship.

inet:web:post:acct:user=invisig0th +:time@=(20220901, 20221201) +:text~=sponsor

This sponsorship increases the likelihood of Visi attending the conference.

_images/kenshoto7_sponsor.png

You also notice that on the morning of November 10, 2022, Visi tweeted a photo of conference attendees in CYBERWARCON’s main conference room at Hyatt Regency Crystal City Hotel. This tweet indicates that Visi was likely at the conference.

_images/kenshoto8_conf.png

WiGLE’s network data shows that the access point inet:wifi:ap=(kenshoto, 3e:99:b5:e4:45:4e) was first observed at the Hyatt Regency Crystal City Hotel on November 9, 2022, and last observed on November 10, 2022.

Comparing the timestamps of Visi’s tweets with WiGLE’s Kenshoto access point telemetry suggests that this access point either belongs to or was being used by Kenshoto founder Visi Stark.

Summary

The WiGLE Power-Up enables wireless researchers and analysts to efficiently identify, track and examine wireless networks of interest. This blog explores several key WiGLE Power-Up use cases, such as detecting in-vehicle Axon wireless networks, enumerating and profiling access points near points of interest, and linking networks to specific individuals. Combining WiGLE’s extensive dataset with Synapse’s analytically rich features, like Geospatial View for mapping geographical data and the Storm query language for inspecting wireless network data, opens up limitless wireless network analysis possibilities.