In this article I will provide a tutorial on setting up a Raspberry Pi as a wireless access point in order to capture network traffic originating from or destined for wireless smart home devices, specifically the Amazon Echo smart speaker.
Recently, I have been interested in capturing and analyzing Amazon Echo traffic data. I struggled to capture the traffic data in my home WiFi environment due to a variety of complications I won't elaborate on, but I did eventually find a solution that will work for anyone who is having similar problems capturing Amazon Echo traffic data. Before I get into specifics first let's get the preliminaries out of the way.
Some things you will need:
- An Amazon Echo device
- A Raspberry Pi model 3 or newer, or an older model Raspberry Pi with a USB WiFi adapter.
- A minimum 16 GB microSD card, recommended at least class 10.
- A way to get a Raspbian OS image on the microSD card.
- A 2.5A micro-USB power supply, keyboard, mouse, HDMI cable, and monitor for your Raspberry Pi
- A wired ethernet connection to your Raspberry Pi.
- A phone with the Amazon Alexa app installed.
The first step in this process is to set up your Raspberry Pi as a wireless access point. After that you need to install Wireshark on the Raspberry Pi. Then you connect your phone, and then the Amazon Echo, to the Raspberry Pi wireless access point. Once the Amazon Echo is connected to the access point, you can start Wireshark (or your preferred network traffic capture tool) and begin capturing the Amazon Echo's traffic.
-
Use Etcher (https://etcher.io/), or your preferred SD card flashing application, to flash a Raspbian OS image onto the microSD card. Insert the microSD card into the microSD card slot on the Raspberry Pi. Insert the HDMI cable, mouse, keyboard, power supply, ethernet cable, and the WiFi adapter (if you are using an older model Raspberry Pi) into their respective ports on the Raspberry Pi. Plug the HDMI cable into your monitor and the power supply into a power source to turn on the Raspberry Pi. Go through the startup process as instructed by Raspbian. Raspbian should perform an update, but in case it fails, open a terminal and enter:
sudo apt-get update
sudo apt-get upgrade
-
Two programs we are going to need are hostapd and dnsmasq. To install them type these lines into a terminal session:
sudo apt-get install hostapd
sudo apt-get install dnsmasq
If prompted for a y/n continue with installation, type y and hit enter.
After the programs are installed stop the processes by entering:
sudo systemctl stop hostapd
sudo systemctl stop dnsmasq
-
In order to set up a wireless access point we need to set a static IP address for the wireless interface on the Raspberry Pi. This interface should be labeled wlan0 (if not, see the note below). Enter the following to edit the dhcpcd config file and set a static IP address for the wlan0 interface:
sudo nano /etc/dhcpcd.conf
Once this opens the config file in the terminal edit the file by adding this text to the end:
interface wlan0
static ip_address=192.168.0.10/24
denyinterfaces eth0
denyinterfaces wlan0
Hit ctrl-x to exit, then y and enter to confirm the changes.
- Note: If you are using an older model Pi and a USB WiFi adapter, run iwconfig (or ip link) to check the name of the WiFi interface, then continue with the tutorial, replacing wlan0 with whatever your WiFi interface is called.
-
We need a DHCP server to dynamically configure our network, and we will use dnsmasq to do this. First edit the necessary config files by entering:
sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
sudo nano /etc/dnsmasq.conf
Add this to the empty file:
interface=wlan0
dhcp-range=192.168.0.11,192.168.0.30,255.255.255.0,24h
Now our access point will hand out IP addresses in this range (192.168.0.11 to 192.168.0.30, with a 24-hour lease) to devices that connect to it.
-
We need to edit the hostapd config file by opening it:
sudo nano /etc/hostapd/hostapd.conf
...and editing it by adding:
interface=wlan0
bridge=br0
hw_mode=g
channel=7
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ssid=SSID_NAME
wpa_passphrase=PASSWORD123
Change the ssid and wpa_passphrase to your desired name and password values for your access point. hostapd requires a WPA-PSK passphrase of 8 to 63 characters, so pick something longer than the placeholder. Note that because wpa=2 selects WPA2 only, rsn_pairwise=CCMP is the cipher actually used; the wpa_pairwise=TKIP line only applies to WPA (version 1) and can be dropped.
Enter the following to edit the hostapd file:
sudo nano /etc/default/hostapd
and replace the line that starts with #DAEMON_CONF="" with:
DAEMON_CONF="/etc/hostapd/hostapd.conf"
-
In order to forward traffic from the wireless interface out over the ethernet interface, IP forwarding has to be enabled in the kernel. Enter:
sudo nano /etc/sysctl.conf
and replace the line starting with #net.ipv4.ip_forward=1 with:
net.ipv4.ip_forward=1
Alternatively, just uncomment the line.
-
The next thing to do is to add the iptables rules by entering:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
Next we need to make sure these rules load when booting by editing the rc.local file:
sudo nano /etc/rc.local
and adding the following above the line starting with exit 0:
iptables-restore < /etc/iptables.ipv4.nat
Exit and save the changes.
-
In order for the wireless traffic to access the internet we need to add a bridge that will transfer the traffic to the eth0 interface (the physical interface). We need to install a package called bridge-utils in order to accomplish this:
sudo apt-get install bridge-utils
Next, we add the bridge and connect eth0 to the bridge:
sudo brctl addbr br0
sudo brctl addif br0 eth0
Next we need to edit one last config file:
sudo nano /etc/network/interfaces
and add this text to the end of the file:
auto br0
iface br0 inet manual
bridge_ports eth0 wlan0
Now we are good to go. Go ahead and shut down the Raspberry Pi for now, or reboot to confirm it is working by connecting your phone to the newly created WiFi access point and verifying that it has internet connectivity.
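The configuration steps above, collected into one script as an added example (this is not from the original post and is not the author's script). It assumes Raspbian with dhcpcd and /etc/network/interfaces as used above, hostapd, dnsmasq and bridge-utils already installed, and wlan0/eth0 as the interface names (override with the WLAN, ETH, AP_SSID, AP_PSK and AP_ADDR environment variables). It writes the same files as the tutorial with one deliberate change: it leaves out wpa_pairwise=TKIP, which is unused once wpa=2 selects WPA2 only. It also checks the interfaces exist and the passphrase length before touching anything, since hostapd refuses a WPA-PSK passphrase outside 8 to 63 characters and would otherwise fail silently at boot.

```shell
#!/bin/sh
# Added example (not from the original post): writes the hostapd, dnsmasq,
# dhcpcd and bridge configuration from the tutorial in one go.
# Assumptions: Raspbian with dhcpcd and /etc/network/interfaces, wireless
# interface wlan0, wired interface eth0, hostapd/dnsmasq/bridge-utils installed.
#   ./ap-setup.sh --dry-run        prints the generated files
#   sudo ./ap-setup.sh --install   writes them (then reboot)
set -eu

WLAN="${WLAN:-wlan0}"
ETH="${ETH:-eth0}"
AP_SSID="${AP_SSID:-SSID_NAME}"
AP_PSK="${AP_PSK:-PASSWORD123}"        # placeholder from the tutorial; replace it
AP_ADDR="${AP_ADDR:-192.168.0.10/24}"

iface_exists() { [ -d "/sys/class/net/$1" ]; }

# hostapd rejects a WPA-PSK passphrase outside 8..63 characters and then
# fails at boot; check it before anything is written.
validate_psk() { n=${#1}; [ "$n" -ge 8 ] && [ "$n" -le 63 ]; }

# Same settings as the tutorial's hostapd.conf, minus wpa_pairwise=TKIP:
# with wpa=2 (WPA2 only) the cipher in use is rsn_pairwise, so TKIP is never offered.
gen_hostapd_conf() {  # $1 interface, $2 ssid, $3 passphrase
    cat <<EOF
interface=$1
bridge=br0
hw_mode=g
channel=7
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ssid=$2
wpa_passphrase=$3
EOF
}

gen_dnsmasq_conf() {  # $1 interface
    printf 'interface=%s\ndhcp-range=192.168.0.11,192.168.0.30,255.255.255.0,24h\n' "$1"
}

gen_dhcpcd_block() {  # $1 wlan, $2 eth, $3 address
    printf 'interface %s\nstatic ip_address=%s\ndenyinterfaces %s\ndenyinterfaces %s\n' \
        "$1" "$3" "$2" "$1"
}

gen_bridge_block() {  # $1 eth, $2 wlan
    printf 'auto br0\niface br0 inet manual\nbridge_ports %s %s\n' "$1" "$2"
}

install_ap() {
    iface_exists "$WLAN" || { echo "no interface $WLAN (check iwconfig)" >&2; return 1; }
    iface_exists "$ETH"  || { echo "no interface $ETH" >&2; return 1; }
    validate_psk "$AP_PSK" || { echo "passphrase must be 8-63 characters" >&2; return 1; }
    systemctl stop hostapd dnsmasq
    gen_hostapd_conf "$WLAN" "$AP_SSID" "$AP_PSK" > /etc/hostapd/hostapd.conf
    [ -e /etc/dnsmasq.conf.orig ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
    gen_dnsmasq_conf "$WLAN" > /etc/dnsmasq.conf
    gen_dhcpcd_block "$WLAN" "$ETH" "$AP_ADDR" >> /etc/dhcpcd.conf
    gen_bridge_block "$ETH" "$WLAN" >> /etc/network/interfaces
    sed -i 's|^#\?DAEMON_CONF=.*|DAEMON_CONF="/etc/hostapd/hostapd.conf"|' /etc/default/hostapd
    sed -i 's/^#\?net\.ipv4\.ip_forward=.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf
    iptables -t nat -A POSTROUTING -o "$ETH" -j MASQUERADE
    iptables-save > /etc/iptables.ipv4.nat
    grep -q 'iptables.ipv4.nat' /etc/rc.local || \
        sed -i '/^exit 0/i iptables-restore < /etc/iptables.ipv4.nat' /etc/rc.local
    systemctl unmask hostapd          # newer Raspbian releases mask hostapd after install
    systemctl enable hostapd dnsmasq
    echo "done; reboot to bring up SSID $AP_SSID on br0"
}

case "${1:-}" in
    --dry-run)
        gen_hostapd_conf "$WLAN" "$AP_SSID" "$AP_PSK"; echo; gen_dnsmasq_conf "$WLAN"; echo
        gen_dhcpcd_block "$WLAN" "$ETH" "$AP_ADDR"; echo; gen_bridge_block "$ETH" "$WLAN" ;;
    --install) install_ap ;;
esac
```

Run it once with --dry-run and compare the output against the files shown above before using --install; the install path appends to dhcpcd.conf and /etc/network/interfaces, so run it only on a fresh image or remove the blocks by hand first.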
On your newly created Raspberry Pi WiFi access point, open up a terminal and install wireshark:
https://gist.github.com/6a873cc899f752d8c96077d29ca944ae
Enter y when prompted to finish installation.
In order to connect the Echo to the access point, connect your phone to the access point, open up the Alexa app and begin to setup the Amazon Echo device. When prompted connect to the newly created Raspberry Pi WiFi access point.
-
Finally, we can accomplish the task we set out to do: capture Amazon Echo network traffic. Before we open up Wireshark, let's get the Echo's MAC address. Once again, open up the Alexa app on your phone. Tap the home icon in the bottom left-hand corner. You should see your Amazon Echo device in the upper left-hand corner. Select the device to go into the device settings. The last option on this page is About. Tap on it, and you will see some information about your Echo device, including the MAC address. Copy this down.
-
Open up wireshark as root on your Raspberry Pi by entering:
sudo wireshark
Start a capture without any capture filter on the br0 interface. Once the capture has started enter the following in the display filter:
eth.addr == 00:00:00:00:00:00
replacing 00:00:00:00:00:00 with the MAC address you copied down in the last step (eth.addr matches either the source or the destination address, and is the correct field name here because the frames on br0 are Ethernet frames). You should now see the incoming and outgoing traffic for your Amazon Echo device.
Now, you can capture and analyze all of the traffic related to your Amazon Echo, have at it!
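For a headless Pi, or for long captures, the same thing can be done from the command line with tcpdump and tshark (the latter is installed alongside Wireshark). The script below is an added example, not part of the original post: it normalizes the MAC address in whatever form the Alexa app shows it, builds the capture and display filters, and summarizes where the device talks and which DNS names it looks up. It assumes the bridge interface is br0 (override with IFACE) and that tcpdump and tshark are present; the capture must run as root.

```shell
#!/bin/sh
# Added example (not from the original post): capture and summarise one
# device's traffic on br0 from the command line instead of the Wireshark GUI.
# Assumes the bridge is br0 and tcpdump/tshark are installed.
#   sudo ./echo-cap.sh capture AA:BB:CC:DD:EE:FF echo.pcap
#   ./echo-cap.sh summarize echo.pcap AA:BB:CC:DD:EE:FF
set -eu

IFACE="${IFACE:-br0}"

# Normalise the MAC as shown by the app (upper/lower case, ':' or '-'
# separators, or none) to lowercase colon-separated, the form tcpdump's
# "ether host" and Wireshark's "eth.addr" expect. Returns 1 unless the
# result is exactly 12 hex digits.
normalize_mac() {
    m=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':-')
    [ "${#m}" -eq 12 ] || return 1
    case "$m" in *[!0-9a-f]*) return 1 ;; esac
    printf '%s\n' "$m" | sed 's/../&:/g; s/:$//'
}

# BPF capture filter (tcpdump): only frames to or from the device.
bpf_filter() {
    mac=$(normalize_mac "$1") || return 1
    printf 'ether host %s\n' "$mac"
}

# Wireshark/tshark display filter. On br0 the frames are Ethernet, so the
# field is eth.addr; wlan.addr would only apply to a monitor-mode capture.
display_filter() {
    mac=$(normalize_mac "$1") || return 1
    printf 'eth.addr == %s\n' "$mac"
}

capture() {  # $1 mac, $2 output pcap
    f=$(bpf_filter "$1") || { echo "bad MAC: $1" >&2; return 1; }
    tcpdump -i "$IFACE" -nn -s 0 -w "$2" "$f"
}

# Where the device talks (destination IP and port, most frequent first),
# then the DNS names it asked for.
summarize() {  # $1 pcap, $2 mac
    mac=$(normalize_mac "$2") || { echo "bad MAC: $2" >&2; return 1; }
    echo "== destinations (count ip tcp-port udp-port)"
    tshark -r "$1" -Y "eth.src == $mac && ip" \
        -T fields -e ip.dst -e tcp.dstport -e udp.dstport |
        sort | uniq -c | sort -rn | head -20
    echo "== DNS queries"
    tshark -r "$1" -Y "eth.src == $mac && dns.flags.response == 0" \
        -T fields -e dns.qry.name | sort | uniq -c | sort -rn
}

case "${1:-}" in
    capture)   capture "$2" "$3" ;;
    summarize) summarize "$2" "$3" ;;
esac
```

Filtering at capture time with "ether host" keeps the pcap down to the Echo alone, which matters on a bridge that also carries your phone's traffic; the display filter from display_filter is the one to paste into Wireshark if you open the same file there.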
This general process will also work for other wireless devices you wish to capture traffic from like the Google Home speaker, Apple HomePod, and all those other IoT devices you want to analyze.