Tracking people via WiFi (even when not connected)

So we all know about the ‘free wifi’ at airports, shopping centres etc. – and we all expect it to be monitored beyond belief. What we don’t realise is that there is more to this than meets the eye – you are being tracked.

Wifi is an interesting protocol when you get into the gritty details. There are two methods of scanning for active WiFi access points.

    1) Turn the receiver on and listen on each channel for the beacon; or
    2) Broadcast a “Who is there?” packet on each channel.

The first is completely anonymous. The scan is completely passive and nothing is transmitted from your wifi adapter. Now come the problems. The beacon (by default) is only transmitted every 100 TU (102,400 μs; one time unit is 1,024 μs). To have some hope of hearing most Access Points, you’ll need to wait for 2 beacon intervals – say 102,400 μs x 2 per channel. We have 12 (or 14 in some areas) channels in the 2.4 GHz band, so a full scan would take 102,400 μs x 2 x 12 = 2,457,600 μs, or about 2.5 seconds.

During this time, the receiver is in a high power usage mode – so battery life is negatively impacted and power usage for a wifi adapter sky-rockets. Sure, you can run a scan only, let’s say, every 30 seconds – but that still means you have the receiver powered up for 5 seconds out of every minute.

So we have implementation #2 – mostly referred to as Active Scanning. In this process, the wifi card transmits a probe request on the currently tuned channel. The probe request consists of:

  • BSSID: Broadcast MAC address
  • SSID: Zero length
  • MAC: Your wifi MAC address
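The three fields listed above can be read straight out of the frame. The following is an added example, not the author's code: it parses constructed probe-request frames (assumed to be raw 802.11 with no radiotap header and no FCS) and reports what each one exposes to a passive listener. It goes one step beyond the list by checking the locally administered bit, which randomized addresses set; the function names, addresses and SSID are made up for illustration.

```python
# Added example: offline parser for probe requests, run on constructed frames only.
BROADCAST = b"\xff" * 6

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_probe_request(frame: bytes):
    """Parse a raw 802.11 frame (assumed: no radiotap header, no FCS).
    Returns a dict for probe requests, None for anything else."""
    if len(frame) < 24:                       # management header is 24 bytes
        return None
    fc = frame[0]
    version, ftype, subtype = fc & 0x03, (fc >> 2) & 0x03, fc >> 4
    if (version, ftype, subtype) != (0, 0, 4):
        return None                           # not a management/probe-request frame
    src, bssid = frame[10:16], frame[16:22]   # address 2 and address 3
    ssid, pos = None, 24
    while pos + 2 <= len(frame):              # walk the tagged elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            break                             # truncated element: stop here
        if eid == 0 and ssid is None:         # element ID 0 is the SSID
            ssid = body.decode("utf-8", "replace")
        pos += 2 + elen
    return {"mac": mac(src), "bssid_broadcast": bssid == BROADCAST, "ssid": ssid,
            "locally_administered": bool(src[0] & 0x02)}

def exposure(fields: dict) -> list:
    """What a passive listener learns from one parsed probe request."""
    out = []
    if not fields["locally_administered"]:
        out.append("globally unique MAC: stable identifier across locations")
    if fields["ssid"]:
        out.append(f"directed probe: discloses saved network name {fields['ssid']!r}")
    return out

def build_probe(src: bytes, ssid: bytes = b"") -> bytes:
    """Construct a sample probe request (test data only)."""
    header = b"\x40\x00\x00\x00" + BROADCAST + src + BROADCAST + b"\x00\x00"
    rates = bytes([1, 4, 0x02, 0x04, 0x0b, 0x16])   # supported-rates element
    return header + bytes([0, len(ssid)]) + ssid + rates

# Constructed sample frames; the addresses and SSID are made up.
SAMPLES = {
    "burned-in MAC, wildcard": build_probe(bytes.fromhex("001122334455")),
    "randomized MAC, wildcard": build_probe(bytes.fromhex("daa119000001")),
    "burned-in MAC, directed": build_probe(bytes.fromhex("001122334455"), b"HomeNet"),
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        f = parse_probe_request(frame)
        print(label, f["mac"], exposure(f) or ["nothing stable exposed"])
```

Run against a capture of your own device, the same checks show whether it probes with its burned-in address and whether it names saved networks while scanning.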

Now – your MAC address is considered globally unique. The chances of getting two MAC addresses of the same value are… well, let’s say I’d win at the lotto every week before that would happen in the wild. This is where things get interesting.

Active Scanning is the default in just about every device in existence. The power requirements are much lower – after the initial probe request, the adapter only listens for a fraction of the time compared to a passive scan (although this varies per manufacturer and driver).

However, what if we turn the tables a little?

I’m interested in seeing where you are going – not what access points are available. If I set up a device to purely sit silent and listen for these probe requests, then write the MAC address and timestamp to a file – then I can tell when you pass within range of my access point – for as long as you are in the area. When you move out of range, I’ll stop getting your probe requests and it can be safe to assume you have left the area.

This in itself isn’t very useful. However – what happens now if I have a large building (like an airport or shopping centre)? I can scatter these receivers on different channels throughout the building. As I can get an indication of what range I can receive your device from – I can log your probe requests – and timestamp them – as you pass between my access points.

Big deal right? Well – basic analysis of this kind of data from a shopping centre can tell me what shops you visit or what areas you like to spend time in. I can tell how long you spend in my building – and where you enter and leave. I can tell how fast you walked from one end to the other. I can tell if you visited the bathroom. I can likely tell if you drove to my building – or took the bus. For me (or any scary three letter organisations), this information is pure gold.

From an intelligence perspective, once I put a name to a MAC address, I can cross reference logs from many places and track you in any places that I can listen – and you will never know. I can drive past your house, listen for any probe requests and log those. If I see your MAC address anywhere else, I know exactly where you live – as well as the data about what you do while in my buildings.

At this point, let me reiterate that you don’t need to do anything to allow me to collect this data. As long as the wifi adapter in your device (and the same principle applies to Bluetooth) is enabled, I can collect this data.

Thankfully, the solution to stop this tracking is simple. Turn off WiFi and Bluetooth unless you are actually using them. Not only will it give you a longer battery life for your phone, laptop or tablet device – you literally disappear from the radar.

There are already companies out there that sell WiFi and Bluetooth scanners designed to be fitted to street lamps, bollards, traffic signals, and more – for the express purpose of collecting this information.

Makes you think twice about leaving WiFi and Bluetooth turned on all the time, right?



    • ShapeShifter499 on April 14, 2015 at 12:28 am

    Can this tracking still happen if the radio is on but in use? Say I have a smart watch connected to a phone via bluetooth BUT my wifi and cellular is off. Can one scan my bluetooth or does it become somehow harder?

    1. The same tracking can be done via Bluetooth as well. I have it on authority that bluetooth scanners have been installed at multiple intersections and at traffic lights around the world. Sadly, I can’t find further technical details…

      • Vipul Jindal on February 8, 2017 at 3:24 pm

      If it’s off. Then no.

    • Raffael on August 11, 2015 at 11:30 am

    Great blog and very clear explanations!

    I have a question regarding those probe requests :
    On which channel are they sent? Are all the 14 channels possible? If yes, this means that we need to have 14 parallel receivers, each monitoring a different channel, not to miss any signal….
    What are the other characteristics of the probe request messages? How often are they sent? At which TX power?
    Do they contain any information on the last ssid that the device connected to?


    1. The professional scanners use a DSP receiver that covers all the wifi channels in one go. Yes, you could do it with standard wifi radios, but you’d need one on every channel to capture everything. That all changes when you start looking at DSP technology.

    • Raffael on August 11, 2015 at 11:04 pm

    Thanks for the quick response!

    Regarding the DSP receiver, do you have any example of such a product? Does it actually listen to all the wifi band of ~80 MHz and separate each channel?

    Regarding the probe requests themselves, do you know more characteristics of these packets, like how often are they being sent, at which rx power, which data do they contain etc.?

    1. Yes, current DSP equipment can monitor up to about 120 MHz at once. As such, it listens to the entire wifi spectrum at the same time. Sadly, I can’t find any links at the moment (on guest wifi while I get my car serviced!). The usage of direct sampling DSPs really changes the game as far as RF monitoring goes. Essentially the new trend merges a DSP with a Software Defined Radio (SDR) to tune the receiver to the exact properties to receive / decode.

      DSPs are cheap and easy to use – the cheap RTL2832 chipset is cheap, nasty but is great as an introduction to DSP receivers.

    • anuhiyaM on May 31, 2016 at 9:36 pm

    Hi! Can this tracking happen on an Android smartphone? I.e. can an Android smartphone be programmed to operate in monitor mode to capture wifi probe requests from wifi-enabled devices?

    1. I don’t believe Android has the capability. It requires low level access to the radio hardware. Most controller based AP systems (Aruba, Motorola etc.) have this functionality built in.

      Aruba for example call this their Analytics and Location Engine. There are also other less ‘innocent’ implementations of this type of technology.

    • David Sutherland on June 20, 2016 at 11:52 am

    Is there any open source implementation of this? I’d like to see a system for offices that would let me know which employees (phones) were at which location, the first and last time of day at each zone. Such a table report would be great for front desk receptionist. Lots of value if people get past the creep factor. Patents have probably ruined this idea but it seems like an obvious next step in monitoring tools right?

    1. I don’t believe there is anything OSS for this…. Would be interesting to hear though…

      • TeoRuscin on December 16, 2016 at 1:19 am

      Still looking for this? Very simple and cheap. Lots of ins and outs, but effective if MAC mining isn’t a privacy concern. Shoot me an email: thebeachtoday at Gmail dot com

    • venu on September 20, 2016 at 2:23 am

    I don’t think we can do this analytics now, because all the mobile devices are using MAC randomization, so that it will make the MAC address a random one. If we get a random MAC address every time then those analytics are impossible, right?

    1. I have yet to see any common devices that create random MAC addresses per wifi connection.

        • aby on October 28, 2016 at 10:23 pm

        As of iOS 8 and Android 6, these devices are supposed to generate a random MAC address to be included in the probe request. When connected to the network they then provide their real MAC, but for the probe it is random.

      • TeoRuscin on December 16, 2016 at 1:20 am

      Only during a probe request does randomization come into play…real MAC must be used to connect

        • Ahmed on August 24, 2017 at 10:54 pm

        The vast majority of wifi captures are probe requests from unassociated devices, they are the vast majority, so randomization is a big deal here.

    • Zack on December 24, 2016 at 12:43 pm

    Hi, just found your post! I actually built something that does this with Raspberry Pis. It’s not all intrusive, I’m using this at home to do home automation by tracking just my phone. However, I do track every phone in my house at the same time…

      • Paul on December 29, 2016 at 11:51 am

      Zack – can you share more detail?

        • Henry on January 28, 2017 at 2:51 am

        Zak’s name links to

    • vipobocif on September 21, 2017 at 6:43 am

    That’s why I use “MAC address scrambling” for my linux laptop –

  1. Hi there! great read, thanks:)
    We have a time and attendance SaaS and looking for an automated solution other than beacons when an employee enters into their respective office for the day.
    So ideally, we would like to register the employees mac id into our DB and when this employee comes into the office in the morning, get the time stamp and store in our DB.
    We currently have an app, where the employee has to manually clock in but hoping to come up with some cool automated way, to be able to get new clients. Thanks for your time!

      • Augustus Meyer on November 3, 2017 at 12:41 am

      I did the firmware for several consumer grade MAC-detection devices for use in hotspots. You can email me at

  2. What user information can Bluetooth collect by default? Phone/accessory ID? And then if the system has some authentication, also the username?

    • Curtis Brazzell on January 9, 2018 at 7:22 am

    Please check out my open source solution for tracking with a raspberry pi. I’m doing just this! Works really well as a security system.

    1. This is a pretty good idea – and a great practical demonstration of what I was writing about 🙂

    • mike on January 22, 2018 at 7:34 am

    Why would it light up when I walk in the room, and can it actually listen to conversations? Why would a company put one in the break room?

    • Tobias on January 30, 2018 at 7:42 am

    I’m wondering if SDR like “HackRF One” and “LimeSDR” can do this.

    1. Yes. However it depends on much more code. The advantage is that with the right RF hardware, you can monitor every channel at the same time.

    • Big Jim on March 13, 2018 at 7:18 am

    We wanted to implement MAC address monitoring for crowd safety reasons but it appears that privacy laws (GDPR) stop us from implementing a solution. This thread is quite old now but I am thinking that if we put up a sign saying if you don’t want to be tracked then turn off wifi, then this will satisfy those who are genuinely concerned about being tracked.
    Any comments? Would turning off the wifi on a modern phone still stop the MAC address being broadcast?

    • themonkey on March 23, 2018 at 1:50 pm

    Like anything that can be abused, it also presents some amazing information that can be quite useful. How many people are at a bus stop and how long have they been there? Festival beer line backed up!

    I work in a few of these spaces and all of the uses are legit and help you more than you know. I’ve seen installations of bluetooth scanners on the freeway to determine traffic flow. I’ve also seen a phone with wifi switched off transmit beacons anyways. 🙂

    Don’t be so paranoid 🙂

      • Stewart Daniels on March 26, 2018 at 6:52 am

      It’s creepy, invasive, secretive, wildly unclear as to the exact data which is being taken concerning advertising, who gets access, it can/will be weaponized, and is a possible gateway to total privacy revocation by corporations/governments.

      Me utterly despising the locating, categorizing, monitoring, sub-dividing, tracking, facially recognizing, and beacon-ing for my ‘Convenience’ does not make me paranoid. Angry is a far better adjective.

      It’s a very disgusting practice to the majority of people who want their phones to simply operate as phones. And most would gladly pay extra to forgo the spying parts in a feature phone. Color me not impressed.

    • Auli on April 11, 2018 at 4:04 am

    Just installed certs in my iOS device to enable auto-connection to wifi hotspots. I am wondering what the security risks of this are. If iOS is randomizing the MAC address when searching for hotspots, I suppose this chain of WiFi spots can then de-anonymize my MAC whenever I pass one of their hotspots…and of course when I signed up they got my real name.

    • Skndr on May 4, 2018 at 8:20 pm

    Really neat post about wifi location. I have thought about this for a long time and I have given up on it after more and more apps are requiring location for normal functioning. To the article’s point, for example, it is easier for someone to break into your house once he is sure you are not around, or a valuable stored in a car in an unattended parking lot could be easily identified.

    • Skndr on May 4, 2018 at 8:52 pm

    On the MAC scrambling subject posts, the other side of the story is that a fixed MAC is necessary for security reasons. I have MAC filtering and static DHCP assignment for each wireless client in all my access points with zero administrative access to the AP from the wireless segment. You have to physically cable in to get to manage the AP. This kind of security is not implementable without MAC filtering. The only way I see MAC scrambling is if you are willing to sacrifice at least the first announcement of the wireless client with a fake MAC and once the wireless client is sure it is in the range of the right AP then do the second announcement with the right MAC address.

  3. We built an artwork with this Data. It shows visitors of the museum what data they are losing. The names of the WLANs used by the mobile phone can often be traced back to specific geopositions where someone has been in the past and of course also with which other people he/she was in the same places.

    • EDWARD RUTMAYER on August 14, 2018 at 10:53 am

    I have been interested in doing this for quite a while. I live in a condominium and we have had a number of incidents where cars have been broken into and ransacked. During at least one of these incidents I had wireshark listening in monitor mode and I know that these days thieves, just like everyone else, are carrying cell phones, probably with wifi enabled. I would love to take all the MAC addresses from that pcap file and cruise the surrounding neighborhood and produce a heat-map for those MAC addresses. Any ideas? I’m not yet a coder, so my preference would be to use an app or chain together apps whether it’s via PC or Android. If someone were to develop an application that could do this (let’s call it mac-driving) what would be the go-to programming language to use?

    • Dale on September 6, 2018 at 3:33 am

    We’ve had multiple car prowls in my neighborhood and I’ve thought of using WiFi/Bluetooth scanning to help locate and identify the individual. Perhaps even snapping an image if the MACs are not equal to my neighbors’.

    • justme on September 15, 2018 at 6:06 am

    My attention was drawn to a device claiming there could be up to 5 wifi SSIDs set. They claimed to be able to avoid randomisation. The trick was to set provider SSIDs, as most of them also provide free hotspots.
    The device does not allow any client to connect, but in the connection attempt the real MAC is revealed.

    The logs are stored locally, and can be accessed remotely.
    It can be found on popular Chinese webshops.

    • eric on September 20, 2018 at 3:25 am

    no privacy intrusions when this is activated?

  4. Are the devices that send probe request using any particular channel? e.g. the first ones.
    How do they choose the channels? Thanks.
