What is a station probe

Surf SOHO firmware 8.1.2. On the AP tab, there is a Nearby Device section that displays Station Probes. I checked the Surf SOHO manual for 8.1.3 from July 2021. It says nothing about Station Probes and nothing about Nearby Devices.

So, what is a station probe?

And, if memory serves there is a secret handshake you need to know before you can see AP entries. It was an option on another page, somewhere. Is this true? Thanks in advance.

I just upgraded to 8.1.3 and all of the mac addresses under nearby devices disappeared. I suspect they will return when they probe again. The list of mac addresses was up to 20 this morning.

I think this is when devices are scanning for wifi access points.

The router captures the "ping".

What we do with this info I don’t know, to be honest, but perhaps it gives us a peek into what kind of devices we have within our range at some point or another.

I checked mine and there’s a Sonos device probing my main router with an RSSI of -70. So most likely a neighbor close by.

Maybe this info could be used to sniff out hacking devices assuming of course the MAC address of the device entry is accurate enough.

I live in a very rural area of Iowa. Nearest neighbor is 1/4 of a mile away. All my computers have wifi turned off or have no wifi capability and are cabled with cat6. We have two android cell phones that are the only wifi users. The only other device I am suspicious of is a Samsung TV that has not been turned on in months.

So you should see your own devices in the device list.

I do believe people who drive by on the street may generate some probes on your router as well if wifi is turned on on their personal devices.

I saw one entry in my list which was tagged as an Alpine nav system. So either a parked vehicle nearby or someone driving by.

The majority, if not all, of these entries aren’t nefarious. But there’s something called war driving whereby attackers will drive around with a laptop and wireless capture card scanning for networks to hack into.

Not sure how you’d pinpoint this kind of device in your nearby device list unless your list is short and you see some sketchy devices.

I’m sure there might be a way for these hackers to perhaps masquerade their MAC address as something else so it doesn’t raise any red flags.

I don’t know of any defense though for this kind of threat other than ensuring wifi is secured with WPA2 or WPA3 with a very strong random password or passphrase. At least 16 characters I think.

Edit: other defenses: turn off wifi on router and APs when not in use. Not practical if you have IoT devices that may require 24/7 connections like thermostats and security cameras, but in my case I disable my guest network as per a schedule. One less SSID to hack into.

According to this article, Apple has used a random MAC address while probing for nearby networks for quite a while. It did so, before adding the random MAC for after association with an SSID. Not sure if their random MAC for probes will still map back to Apple or not.

https://www.extremenetworks.com/extreme-networks-blog/wi-fi-mac-randomization-privacy-and-collateral-damage/

Collateral damage of randomized MAC addresses: any static IP assignment and firewall rules etc. around them are irrelevant if using a random MAC address.

Yup. Every coin has two sides.

This morning there are 36 different MAC addresses in “nearby devices”. 3 are APs with SSIDs like “myBuick”, or “myChevrolet 5966”. The rest are all “Station Probe” with a wide variety of manufacturers associated with the MAC address. Everything from Rand McNally, Motorola, Garmin, Ampak, etc. All, including APs, are marked as “Known Device”. I took that to mean that the router had associated the MAC address with a device that is in my “Client List”. Because I have wifi turned off in all the devices except the two Android phones this does not make any sense to me.

6 of the computers are older Dells w/Mint Linux running Einstein@home and none have wifi hardware, 2 are iMacs, 1 is an older mac-mini, and 1 is a new M1 mac-mini. All the Apple computers have wifi turned off.

The “probe” is the first step in the 802.11 communication process. Mobile clients send probe requests to discover networks within their proximity. These messages also include the data rates supported by the client. All APs that receive these requests will respond.

Accordingly, I don’t think these probes are an issue at all. They’ll certainly give you an idea of the clients that are/were in the vicinity but they certainly don’t suggest anything nefarious.

2 Likes

They must be cars going by then as I have no other houses near me. The closest one is 1/4 of a mile away, the next is 3/4 of a mile away. That they are all marked as “known device” I still find puzzling.

My (very limited) understanding is that there are two types of probes.

–One can be summarized as “anyone doing Wifi ac on this channel” that is sent to all channels.
–The other type is “is the Starbucks SSID here?”. Not sure if this is also sent to all channels.

Seeing the 2nd type is a good reminder that you should tell the OS to “forget” public wifi networks after you have stopped using them.

Checking “Nearby Device” this morning I have 43 mac addresses in there. All different making me feel like they have to be phones in cars going by. I think a lot of new cars have cell phones built in. The computer that runs the car may have one. I think some GPS units may have one. What I don’t understand is why my surf soho records them all as “known device”.
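
Added illustration, not part of any post in this thread: a minimal parser for the probe request frames discussed above. It extracts the fields the thread mentions: the sender MAC, whether its locally administered bit is set (the usual sign of a randomized address), wildcard versus directed SSID, and the supported data rates. The frames are constructed samples, the function names are hypothetical, and any capture header (such as radiotap) is assumed to be already stripped.

```python
import struct

def build_probe(src_mac, ssid):
    """Build a constructed probe request (sample data, not a capture)."""
    sa = bytes.fromhex(src_mac.replace(":", ""))
    bcast = b"\xff" * 6
    # Frame control 0x0040 = management frame (type 0), subtype 4 (probe request)
    header = struct.pack("<HH6s6s6sH", 0x0040, 0, bcast, sa, bcast, 0)
    rates = bytes([0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbps in 500 kbps units
    return header + bytes([0, len(ssid)]) + ssid + bytes([1, len(rates)]) + rates

def parse_probe(frame):
    """Return the fields of a probe request, or None for any other frame."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 4:
        return None
    sa = frame[10:16]  # address 2 = transmitter (the probing station)
    info = {"mac": sa.hex(":"),
            # Bit 0x02 of the first octet marks a locally administered address
            "locally_administered": bool(sa[0] & 0x02),
            "ssid": "", "rates_mbps": []}
    pos = 24  # a probe request body consists of tagged elements only
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break  # truncated element: stop rather than misread
        if tag == 0:    # SSID element; empty means "any network"
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag == 1:  # supported rates; top bit only flags a basic rate
            info["rates_mbps"] = [(b & 0x7F) * 0.5 for b in value]
        pos += 2 + length
    info["kind"] = "directed" if info["ssid"] else "wildcard"
    return info

# Constructed MAC addresses and SSID, chosen only to exercise both cases
SAMPLES = [build_probe("da:a1:19:00:00:01", b""),
           build_probe("00:11:22:33:44:55", b"CoffeeShopWiFi")]

if __name__ == "__main__":
    for frame in SAMPLES:
        print(parse_probe(frame))
```

A directed probe exposes a network name the client has saved, which is why forgetting public networks reduces what a device announces.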