Tracking people via WiFi (even when not connected)


So we all know about the ‘free wifi’ at airports, shopping centres etc – and we all expect it to be monitored beyond belief. What we don’t realise is that there is more to this than meets the eye – You are being tracked.

Wifi is an interesting protocol when you get into the gritty details. There are two methods of scanning for active WiFi access points.

    1) Turn the receiver on and listen on each channel for the beacon; or
    2) Broadcast a “Who is there?” packet on each channel.

The first is completely anonymous. The scan is completely passive and nothing is transmitted from your wifi adapter. Now come the problems. The beacon (by default) is only transmitted every 100 TU (102,400 μs). To have some hope of hearing most Access Points, you’ll need to wait for 2 beacon intervals – say 102,400 μs x 2 per channel. We have 12 (or 14 in some areas) channels in the 2.4 GHz band, so a full scan would take 102,400 μs x 2 x 12 = 2,457,600 μs or about 2.5 seconds.

During this time, the receiver is in a high power usage mode – so battery life is negatively impacted and power usage for a wifi adapter sky-rockets. Sure, you could run a scan only every 30 seconds, say – but that still means you have the receiver powered up for 5 seconds out of every minute.

So we have implementation #2 – mostly referred to as Active Scanning. In this process, the wifi card transmits a probe request on the currently tuned channel. The probe request consists of:

  • BSSID: Broadcast MAC address
  • SSID: Zero length
  • MAC: Your wifi MAC address

Now – your MAC Address is considered globally unique. The chances of getting two MAC addresses of the same value are… well, let’s say I’d win the lotto every week before that would happen in the wild. This is where things get interesting.

Active Scanning is the default in just about every device in existence. The power requirements are much lower – after the initial probe request, the adapter only listens for a fraction of the time compared to a passive scan (although this varies per manufacturer and driver).

However, what if we turn the tables a little?

I’m interested in seeing where you are going – not what access points are available. If I set up a device to purely sit silent and listen for these probe requests, then write the MAC address and timestamp to a file – then I can tell when you pass within range of my receiver – for as long as you are in the area. When you move out of range, I’ll stop getting your probe requests and it is safe to assume you have left the area.

This in itself isn’t very useful. However – what happens now if I have a large building (like an airport or shopping centre)? I can scatter these receivers on different channels throughout the building. As I can get an indication of what range I can receive your device from – I can log your probe requests – and timestamp them – as you pass between my access points.
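As an added example (not the author's code, nor that of any scanner product mentioned on this page), the Python below parses the probe-request fields listed above out of raw 802.11 frame bytes, keeps the first/last sighting per MAC that the logging described here relies on, and goes one step further by flagging the locally administered address bit, which is how a randomised probe MAC shows up to such a receiver. Every frame and timestamp is constructed inline; no radio or capture file is involved.

```python
"""Parse 802.11 probe requests and summarise per-device dwell time.

Added example for this post; all input frames are constructed below.
"""
from dataclasses import dataclass

PROBE_REQ_FC0 = 0x40  # frame control byte 0: type=management(0), subtype=probe request(4)


@dataclass
class ProbeRequest:
    src_mac: str
    ssid: str          # "" for the zero-length (wildcard) SSID described in the post
    randomised: bool   # locally administered bit (0x02 of first octet) set => likely randomised


def parse_probe_request(frame: bytes):
    """Return a ProbeRequest for a probe-request frame, or None for anything else."""
    if len(frame) < 24 or frame[0] != PROBE_REQ_FC0:
        return None
    # Header layout: FC(2) duration(2) addr1=DA(6) addr2=SA(6) addr3=BSSID(6) seq(2)
    sa = frame[10:16]
    ssid = ""
    body = frame[24:]
    i = 0
    while i + 2 <= len(body):  # walk tagged parameters: tag(1) len(1) value(len)
        tag, length = body[i], body[i + 1]
        if tag == 0:           # element ID 0 is the SSID
            ssid = body[i + 2:i + 2 + length].decode("utf-8", "replace")
            break
        i += 2 + length
    mac = ":".join(f"{b:02x}" for b in sa)
    return ProbeRequest(mac, ssid, bool(sa[0] & 0x02))


def dwell_times(observations):
    """observations: iterable of (timestamp_seconds, frame_bytes).
    Returns {mac: (first_seen, last_seen, seconds_in_range)} for probe requests only."""
    seen = {}
    for ts, frame in observations:
        pr = parse_probe_request(frame)
        if pr is None:
            continue
        first, last = seen.get(pr.src_mac, (ts, ts))
        seen[pr.src_mac] = (min(first, ts), max(last, ts))
    return {m: (f, l, l - f) for m, (f, l) in seen.items()}


def make_probe(sa: bytes, ssid: bytes = b"") -> bytes:
    """Build a minimal probe-request frame: broadcast DA and BSSID, given SA (constructed input)."""
    hdr = bytes([PROBE_REQ_FC0, 0, 0, 0]) + b"\xff" * 6 + sa + b"\xff" * 6 + b"\x00\x00"
    return hdr + bytes([0, len(ssid)]) + ssid
```

A real receiver would feed `dwell_times` from a monitor-mode capture instead of `make_probe`; the point of the `randomised` flag is that a device whose probes carry a locally administered MAC cannot be joined up across visits the way the post describes.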

Big deal right? Well – basic analysis of this kind of data from a shopping centre can tell me what shops you visit or what areas you like to spend time in. I can tell how long you spend in my building – and where you enter and leave. I can tell how fast you walked from one end to the other. I can tell if you visited the bathroom. I can likely tell if you drove to my building – or took the bus. For me (or any scary three letter organisations), this information is pure gold.

From an intelligence perspective, once I put a name to a MAC address, I can cross reference logs from many places and track you in any places that I can listen – and you will never know. I can drive past your house, listen for any probe requests and log those. If I see your MAC address anywhere else, I know exactly where you live – as well as the data about what you do while in my buildings.

At this point, let me reiterate that you don’t need to do anything to allow me to collect this data. As long as the wifi adapter in your device (and the same principle applies to Bluetooth) is enabled, I can collect this data.

Thankfully, the solution to stop this tracking is simple. Turn off WiFi and Bluetooth unless you are actually using it. Not only will it give you a longer battery life for your phone, laptop or tablet device – you literally disappear from the radar.

There are already companies out there that sell WiFi and Bluetooth scanners designed to be fitted to street lamps, bollards, traffic signals, and more – for the express purpose of collecting this information.

Makes you think twice about leaving WiFi and Bluetooth turned on all the time, right?

  20 Responses to “Tracking people via WiFi (even when not connected)”

  1. Can this tracking still happen if the radio is on but in use? Say I have a smart watch connected to a phone via bluetooth BUT my wifi and cellular is off. Can one scan my bluetooth or does it become somehow harder?

  2. Great blog and very clear explanations!

    I have a question regarding those probe requests :
    On which channel are they sent? Are all the 14 channels possible? If yes, this means that we need to have 14 parallel receivers, each monitoring a different channel, not to miss any signal….
    What are the other characteristics of the probe request messages? How often are they sent? At which TX power?
    Do they contain any information on the last ssid that the device connected to?

    Thanks!
    Raffael

    • The professional scanners use a DSP receiver that covers all the wifi channels in one go. Yes, you could do it with standard wifi radios, but you’d need one on every channel to capture everything. That all changes when you start looking at DSP technology.

  3. Thanks for the quick response!

    Regarding the DSP receiver, do you have any example of such a product? Does it actually listen to all the wifi band of ~80 MHZ and separates each channel?

    Regarding the probe requests themselves, do you know more characteristics of these packets, like how often are they being sent, at which rx power, which data do they contain etc.?

    • Yes, current DSP equipment can monitor up to about 120Mhz at once. As such, it listens to the entire wifi spectrum at the same time. Sadly, I can’t find any links at the moment (on guest wifi while I get my car serviced!). The usage of direct sampling DSPs really change the game as far as RF monitoring goes. Essentially the new trend merges a DSP with a Software Defined Radio (SDR) to tune the receiver to the exact properties to receive / decode.

      DSPs are cheap and easy to use – the cheap RTL2832 chipset is cheap, nasty but is great as an introduction to DSP receivers.

  4. Hi! Can this tracking happen on an Android smartphone? I.e. can an Android smartphone be programmed to operate in monitor mode to capture WiFi probe requests from WiFi-enabled devices?

    • I don’t believe Android has the capability. It requires low level access to the radio hardware. Most controller based AP systems (Aruba, Motorola etc) have this functionality built in.

      Aruba, for example, calls this their Analytics and Location Engine. There are also other less ‘innocent’ implementations of this type of technology.

  5. Is there any open source implementation of this? I’d like to see a system for offices that would let me know which employees (phones) were at which location, the first and last time of day at each zone. Such a table report would be great for front desk receptionist. Lots of value if people get past the creep factor. Patents have probably ruined this idea but it seems like an obvious next step in monitoring tools right?

  6. I don’t think we can do this analytics now. Because all the mobile devices are using MAC randomization, it will make the MAC address a random one. If we get a random MAC address every time then those analytics are impossible, right?

    • I have yet to see any common devices that create random MAC addresses per wifi connection.

      • As of iOS 8 and Android 6, these devices are supposed to generate a random MAC address to be included in the probe request. When connected to the network they then provide their real MAC, but for the probe it is random.

    • Only during a probe request does randomization come into play…real MAC must be used to connect

      • The vast majority of wifi captures are probe requests from unassociated devices, they are the vast majority, so randomization is a big deal here.

  7. Hi, just found your post! I actually built something that does this with Raspberry Pis. It’s not at all intrusive, I’m using this at home to do home automation by tracking just my phone. However, I do track every phone in my house at the same time…
