
What is the correct way of comparing the signature against the DB? #2

Open
braintweak opened this issue May 26, 2018 · 2 comments

@braintweak

Hello.
Sorry if I'm missing something, but I wasn't able to correctly use the tool.
I've compiled hostapd with the taxonomy option to get the device string, but wasn't able to get the device names.
Since there is no manual - what is the correct way of comparing the string + mac with the gperf database (or the wifi.py itself)? I guess there should be a tool exactly for this?
Looks like the compiled wifi_signature only accepts .pcap files as a source.

Comparing just the string from hostapd_cli via a simple manual search did not succeed, sadly. I've tried it on 2 Xiaomi Mi5 phones (they had different signatures, I guess because of different firmwares) and 1 Nexus 5 phone.
Maybe I need to set up hostapd with certain parameters to capture all the needed frames?

Thank you in advance for this amazing idea and database!

@DentonGentry
Contributor

#1: How to lookup a signature
The wifi_signature tool extracts a text signature from a pcap file, as you noted. It is used in a unit test in tests/pcap_test.py, which walks through each pcap in testdata/pcaps and checks that the identification matches the expected ID.

The lookup of the text signature to find the type of device happens in the Python code. This bash function is a snippet showing a minimal implementation:

```bash
# Minimal glue: look up a signature string plus client MAC in the taxonomy DB.
# Values are passed as argv rather than interpolated into the Python source,
# so a signature containing quotes or shell metacharacters cannot break (or
# alter) the command. print() works under both Python 2 and 3.
taxonomize() {
  sig="$1"
  mac="$2"
  python -c "import sys, taxonomy; print(';'.join(taxonomy.identify_wifi_device(sys.argv[1], sys.argv[2])))" "$sig" "$mac"
}
```

This is where history gets in the way: the taxonomy feature as published here was extracted from a larger Wi-Fi AP project which I worked on. Back then we had modified hostapd to export signatures to files in the filesystem, and the Python code was written to work in this environment.

The hostapd maintainers noted that nothing else in hostapd exports information to files, and asked that we add a hostapd_cli command instead. They are quite correct, but the result right now is that the signature database needs some glue code to get signatures from the rest of the system. The bash function shown above is one possible way to glue it together.

What I'd like to do, if the taxonomy idea gets traction, is to integrate it more naturally into systems using hostapd_cli.

#2: Xiaomi Mi5
It is definitely interesting that the signatures from your devices don't match the signatures collected in the database. There are a couple things which might be going on:

  • devices often vary what they send based on environmental conditions, like signal strength or their battery level. We make an effort to collect signatures multiple times to try to catch these, but I'm sure we don't catch them all. Maybe yours differ in this way.
  • as you note, it may be that later firmware updates changed the signature compared with what we collected in the DB. The Xiaomi Mi 5 I worked with was borrowed from a mobile device lab; I only had it for a day.
  • clients do vary what they send based on what they saw in the AP's Beacon. We collect traces using multiple APs for that reason, but we might not have collected a signature which matches what you see when joining your AP.

If you'd like to pursue this, I'd ask you to capture a pcap while your Xiaomi devices are joining the Wi-Fi network. We'd trim the pcap to the essential packets for the signature, add the signatures to the DB, and add the pcap to testdata/pcaps as a unit test to make sure we don't break it in the future.

@braintweak
Author

To capture those two Mi5 phones I'd like to request the sample hostapd config you've used for your captures (or in your DEF CON video?); I think the issue lies here.
Like you've said in your paper, the more complex the AP standard used, the more info is collected as an identifying string.
The signatures were indeed different with the default hostapd setup, which has hw_mode=b set, and different again if I set hw_mode=g (adding some info at the end).
I did not set up a WPA password, is it required?
Maybe I did something else wrong which I am not aware of, but I guess the same configs would eliminate that possibility.
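An illustrative hostapd.conf for collecting richer client signatures, added here as an example; it is not the configuration the maintainer used, and the interface, SSID, channel and ht_capab values are assumptions that depend on the radio hardware:

```ini
# Added example, not the project's own config. The comment above notes that a
# bare hw_mode=b AP yields a shorter signature than hw_mode=g; enabling 802.11n
# on top of that advertises more capabilities in the Beacon, so clients answer
# with more of the elements the taxonomy signature is built from.
interface=wlan0          # assumption: your AP interface name
driver=nl80211
ssid=taxonomy-capture    # assumption: any SSID you control
channel=6                # assumption: pick a clear 2.4 GHz channel

# Weak setting for signature collection (what the issue reporter saw):
# hw_mode=b

# Richer setting: 802.11g base rates plus 802.11n/HT capabilities and WMM.
hw_mode=g
ieee80211n=1
wmm_enabled=1
ht_capab=[SHORT-GI-20]   # assumption: only list flags your card supports

# Open network (wpa=0 is the default): authentication is not needed for the
# client to send the Probe Request / Association Request frames being signed.
```

Run hostapd with this file and capture on the interface (or on a monitor interface on the same channel) while the phone joins, so the resulting pcap can be fed to wifi_signature and compared with the DB.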
