Open ProGamerGov opened 8 years ago
Hi @ProGamerGov! Thanks for being vigilant, and for checking the behavior of PrivacyPolice! :-)
I'm guessing that the carrier-installed networks were installed as 'Manually added' (thus, not added based on availability) networks. These networks are considered 'hidden' by the Android system, and are allowed by PrivacyPolice to broadcast probe requests. Indeed, because hidden networks do not send out beacons, the system would have no way of determining whether these networks are in range if probe requests weren't broadcast.
Could you check via an app to see whether these networks are programmatically deemed to be 'hidden'/'manually added' networks? Thanks!
@BramBonne What app would you suggest I use to determine this?
Doing some more digging, I found this blog post: https://www.skycure.com/blog/wifigate-how-mobile-carriers-expose-us-to-wi-fi-attacks/
It claims that the kind of attacks these hardcoded WiFi networks allow have been caught in the wild.
I don't know of an app that will tell you which networks are installed as 'manually added'. However, if you have basic Android programming experience, you can try this out yourself by writing a small app which calls WifiManager's getConfiguredNetworks() method to see which networks are considered to be hidden by the Android system.
@BramBonne
The cause of the WiFi network is located in /system/etc/wifi/default_ap.conf
This file contains the following code:
network={
ssid="BELL_WIFI"
scan_ssid=1
key_mgmt=WPA-EAP IEEE8021X
eap=AKA
pcsc=""
priority=1
vendor_spec_ssid=1
}
network={
ssid="5099251212"
scan_ssid=1
key_mgmt=WPA-EAP IEEE8021X
eap=AKA
pcsc=""
vendor_spec_ssid=1
}
It seems to broadcast these two networks every time the phone is turned on, and periodically during normal smartphone use.
I am not sure if modifying the file, deleting it, etc... will have any effect.
It also seems like a file called generalinfo_nw.conf may also be associated with the two problematic saved WiFi access points. Some users have reported that both the generalinfo_nw.conf and the default_ap.conf are "repaired" by the phone's firmware if you try to modify them. This may complicate attempts to resolve this issue.
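An added example, not part of the original thread or of PrivacyPolice's code: a Python audit of wpa_supplicant-style network blocks like the default_ap.conf quoted above, listing the SSIDs configured with scan_ssid=1, the setting that makes wpa_supplicant send SSID-specific probe requests. The sample config is constructed (the HomeAP entry is hypothetical), and the parser tolerates a block that is missing its closing brace.

```python
import re

# Constructed sample modelled on the default_ap.conf quoted in this thread.
SAMPLE_CONF = """
network={
    ssid="BELL_WIFI"
    scan_ssid=1
    key_mgmt=WPA-EAP IEEE8021X
}
# constructed (hypothetical) entry: no scan_ssid, so the default of 0 applies
network={
    ssid="HomeAP"
}
network={
    ssid="5099251212"
    scan_ssid=1
    key_mgmt=WPA-EAP IEEE8021X
"""

def parse_networks(text):
    """Return one dict per network={...} block; tolerates a missing final '}'."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.fullmatch(r"network\s*=\s*\{", line):
            if current is not None:      # previous block was never closed
                networks.append(current)
            current = {}
        elif line == "}":
            if current is not None:
                networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    if current is not None:              # file ended inside a block
        networks.append(current)
    return networks

def directed_probe_ssids(text):
    """SSIDs that will be named in probe requests because scan_ssid=1 is set."""
    return [n.get("ssid", "<no ssid>") for n in parse_networks(text)
            if n.get("scan_ssid", "0") == "1"]

if __name__ == "__main__":
    for ssid in directed_probe_ssids(SAMPLE_CONF):
        print(f"directed probe requests will expose SSID: {ssid}")
```

Run against a copy of the device's own file to see which preinstalled entries will be probed for by name.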
Using Kali Linux and a 2GHz USB wifi dongle with monitor mode, I observed that wifi networks which were installed by the carrier broadcast whenever I turn my phone on. When I unlock my phone, turn it on, etc... these networks always broadcast, and the WiFi Privacy Police app cannot seem to stop these networks.
Not sure if it's possible to fix this. Testing on a Bell Canada Android phone, "BELL_WIFI" and "509251212" always broadcast probe requests when turning on/unlocking the phone, and are impossible to forget/remove.
This issue completely undermines the effectiveness of the app.