Wifi is an interesting protocol when you get into the gritty details. There are two methods of scanning for active WiFi access points.
- 1) Turn the receiver on and listen on each channel for the beacon; or
2) Broadcast a "Who is there?" packet on each channel.
The first is completely anonymous. The scan is completely passive and nothing is transmitted from your wifi adapter. Now come the problems. The beacon (by default) is only transmitted every 100TU (102,400μs). To have some hope of hearing most Access Points, you'll need to wait for 2 beacon intervals - say 102,400μs x 2 per channel. We have 12 (or 14 in some areas) channels in the 2.4Ghz band, so a full scan would take 102,400μs x 2 x 12 = 2,457,600μs or about 2.5 seconds.
During this time, the receiver is in a high power usage mode - so battery life is negatively impacted and power usage for a wifi adapter sky-rockets. Sure, you can only run a scan lets say, every 30 seconds - but that still means you have the receiver powered up for 5 seconds out of every minute.
So we have implementation #2 - mostly referred to as Active Scanning. In this process, the wifi card transmits a probe request on the currently tuned channel. The probe request consists of:
- BSSID: Broadcast MAC address
- SSID: Zero length
- MAC: Your wifi MAC address
Now - your MAC Address is considered globally unique. The chances of getting two MAC addresses of the same value are... well, lets say I'd win at the lotto every week before that would happen in the wild. This is where things get interesting.
Active Scanning is the default in just about every device existing. The power requirements are much lower - after the initial probe request, the adapter only listens for a fraction of time compared to a passive scan (although this varies per manufacturer and driver).
However, what if we turn the tables a little?
I'm interested in seeing where you are going - not what access points are available. If I set up a device to purely sit silent and listen for these probe requests, then write the MAC address and timestamp to a file - then I can tell when you pass within range of my access point - for as long as you are in the area. When you move out of range, I'll stop getting your probe requests and it can be safe to assume you have left the area.
This in itself isn't very useful. However - what happens now if I have a large building (like an airport or shopping centre)? I can scatter these receivers on different channels throughout the building. As I can get an indication of what range I can receive your device from - I can log your probe requests - and timestamp them - as you pass between my access points.
Big deal right? Well - basic analysis of this kind of data from a shopping centre can tell me what shops you visit or what areas you like to spend time in. I can tell how long you spend in my building - and where you enter and leave. I can tell how fast you walked from one end to the other. I can tell if you visited the bathroom. I can likely tell if you drove to my building - or took the bus. For me (or any scary three letter organisations), this information is pure gold.
From an intelligence perspective, once I put a name to a MAC address, I can cross reference logs from many places and track you in any places that I can listen - and you will never know. I can drive past your house, listen for any probe requests and log those. If I see your MAC address anywhere else, I know exactly where you live - as well as the data about what you do while in my buildings.
At this point, let me reiterate that you don't need to do anything to allow me to collect this data. As long as the wifi adapter in your device (and the same principle applies to Bluetooth) is enabled, I can collect this data.
Thankfully, the solution to stop this tracking is simple. Turn off WiFi and Bluetooth unless you are actually using it. Not only will it give you a longer battery life for your phone, laptop or tablet device - you literally disappear from the radar.
There are already companies out there that sell WiFi and Bluetooth scanners designed to be fitted to street lamps, bollards, traffic signals, and more - for the express purpose of collecting this information.
Makes you think twice about leaving WiFi and Bluetooth turned on all the time, right?