Tracking people via WiFi (even when not connected)

So we all know about the ‘free wifi’ at airports, shopping centres etc. – and we all expect it to be monitored beyond belief. What we don’t realise is that there is more to this than meets the eye – you are being tracked.

Wifi is an interesting protocol when you get into the gritty details. There are two methods of scanning for active WiFi access points.

    1) Turn the receiver on and listen on each channel for the beacon; or
    2) Broadcast a “Who is there?” packet on each channel.

The first is completely anonymous. The scan is completely passive and nothing is transmitted from your wifi adapter. Now come the problems. The beacon (by default) is only transmitted every 100 TU (102,400μs). To have some hope of hearing most Access Points, you’ll need to wait for 2 beacon intervals – say 102,400μs x 2 per channel. We have 12 (or 14 in some areas) channels in the 2.4GHz band, so a full scan would take 102,400μs x 2 x 12 = 2,457,600μs or about 2.5 seconds.

During this time, the receiver is in a high power usage mode – so battery life is negatively impacted and power usage for a wifi adapter sky-rockets. Sure, you could run a scan only every 30 seconds, let’s say – but that still means you have the receiver powered up for 5 seconds out of every minute.

So we have implementation #2 – mostly referred to as Active Scanning. In this process, the wifi card transmits a probe request on the currently tuned channel. The probe request consists of:

  • BSSID: Broadcast MAC address
  • SSID: Zero length
  • MAC: Your wifi MAC address

Now – your MAC address is considered globally unique. The chances of getting two MAC addresses of the same value are… well, let’s say I’d win at the lotto every week before that would happen in the wild. This is where things get interesting.

Active Scanning is the default in just about every device in existence. The power requirements are much lower – after the initial probe request, the adapter only listens for a fraction of the time compared to a passive scan (although this varies per manufacturer and driver).
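The probe request fields listed above can be checked on a capture of your own device's traffic. The following is an added example, not code from the original post: it parses a raw 802.11 probe request (assumed to carry no radiotap header or FCS) and reports the source MAC, whether the BSSID is broadcast and the SSID zero length, and, going beyond the post, whether the MAC has the locally administered bit set, as randomised addresses do. The function names and sample frames are constructed for illustration.

```python
BROADCAST = b"\xff" * 6

def audit_probe_request(frame: bytes) -> dict:
    """Report the identifying fields of one probe request; ValueError otherwise."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 management header")
    # Frame Control byte 0: version (bits 0-1), type (bits 2-3), subtype (bits 4-7).
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != 4:
        raise ValueError("not a probe request")
    src, bssid = frame[10:16], frame[16:22]
    # Walk the tagged parameters (id, length, value) until the SSID tag (id 0).
    ssid, pos = None, 24
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated tagged parameter")
        if tag == 0:
            ssid = value
            break
        pos += 2 + length
    # Bit 0x02 of the first octet marks a locally administered address, which
    # is what randomised MACs use; when clear, the address is burned-in.
    return {
        "source_mac": ":".join(f"{b:02x}" for b in src),
        "broadcast_bssid": bssid == BROADCAST,
        "wildcard_ssid": ssid == b"",
        "ssid": ssid.decode("utf-8", "replace") if ssid else "",
        "mac_is_randomised": bool(src[0] & 0x02),
    }

def build_sample(src: bytes, ssid: bytes = b"") -> bytes:
    """Constructed test frame: header, SSID tag, then a supported-rates tag."""
    header = bytes([0x40, 0x00]) + b"\x00\x00" + BROADCAST + src + BROADCAST + b"\x00\x00"
    return header + bytes([0, len(ssid)]) + ssid + bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])

if __name__ == "__main__":
    # Constructed addresses: one burned-in style, one locally administered.
    for mac in ("001122334455", "daa119000001"):
        print(audit_probe_request(build_sample(bytes.fromhex(mac))))
```

A frame that reports `mac_is_randomised: False` is exposing the adapter's permanent address in every scan.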

However, what if we turn the tables a little?

I’m interested in seeing where you are going – not what access points are available. If I set up a device to purely sit silent and listen for these probe requests, then write the MAC address and timestamp to a file – then I can tell when you pass within range of my access point – for as long as you are in the area. When you move out of range, I’ll stop getting your probe requests and it can be safe to assume you have left the area.

This in itself isn’t very useful. However – what happens now if I have a large building (like an airport or shopping centre)? I can scatter these receivers on different channels throughout the building. As I can get an indication of what range I can receive your device from – I can log your probe requests – and timestamp them – as you pass between my access points.

Big deal right? Well – basic analysis of this kind of data from a shopping centre can tell me what shops you visit or what areas you like to spend time in. I can tell how long you spend in my building – and where you enter and leave. I can tell how fast you walked from one end to the other. I can tell if you visited the bathroom. I can likely tell if you drove to my building – or took the bus. For me (or any scary three letter organisations), this information is pure gold.

From an intelligence perspective, once I put a name to a MAC address, I can cross reference logs from many places and track you in any places that I can listen – and you will never know. I can drive past your house, listen for any probe requests and log those. If I see your MAC address anywhere else, I know exactly where you live – as well as the data about what you do while in my buildings.

At this point, let me reiterate that you don’t need to do anything to allow me to collect this data. As long as the wifi adapter in your device (and the same principle applies to Bluetooth) is enabled, I can collect this data.

Thankfully, the solution to stop this tracking is simple. Turn off WiFi and Bluetooth unless you are actually using them. Not only will it give you a longer battery life for your phone, laptop or tablet device – you literally disappear from the radar.

There are already companies out there that sell WiFi and Bluetooth scanners designed to be fitted to street lamps, bollards, traffic signals, and more – for the express purpose of collecting this information.

Makes you think twice about leaving WiFi and Bluetooth turned on all the time, right?



    • ShapeShifter499 on April 14, 2015 at 12:28 am

    Can this tracking still happen if the radio is on but in use? Say I have a smart watch connected to a phone via bluetooth BUT my wifi and cellular is off. Can one scan my bluetooth or does it become somehow harder?

    1. The same tracking can be done via Bluetooth as well. I have it on authority that bluetooth scanners have been installed at multiple intersections and at traffic lights around the world. Sadly, I can’t find further technical details…

      • Vipul Jindal on February 8, 2017 at 3:24 pm

      If it’s off, then no.

    • Raffael on August 11, 2015 at 11:30 am

    Great blog and very clear explanations!

    I have a question regarding those probe requests :
    On which channel are they sent? Are all the 14 channels possible? If yes, this means that we need to have 14 parallel receivers, each monitoring a different channel, not to miss any signal….
    What are the other characteristics of the probe request messages? How often are they sent? At which TX power?
    Do they contain any information on the last ssid that the device connected to?


    1. The professional scanners use a DSP receiver that covers all the wifi channels in one go. Yes, you could do it with standard wifi radios, but you’d need one on every channel to capture everything. That all changes when you start looking at DSP technology.

    • Raffael on August 11, 2015 at 11:04 pm

    Thanks for the quick response!

    Regarding the DSP receiver, do you have any example of such a product? Does it actually listen to all the wifi band of ~80 MHz and separate each channel?

    Regarding the probe requests themselves, do you know more characteristics of these packets, like how often are they being sent, at which rx power, which data do they contain etc.?

    1. Yes, current DSP equipment can monitor up to about 120 MHz at once. As such, it listens to the entire wifi spectrum at the same time. Sadly, I can’t find any links at the moment (on guest wifi while I get my car serviced!). The usage of direct sampling DSPs really changes the game as far as RF monitoring goes. Essentially the new trend merges a DSP with a Software Defined Radio (SDR) to tune the receiver to the exact properties to receive / decode.

      DSPs are cheap and easy to use – the cheap RTL2832 chipset is cheap, nasty but is great as an introduction to DSP receivers.

    • anuhiyaM on May 31, 2016 at 9:36 pm

    Hi! Can this tracking happen on an Android smartphone? I.e. can an Android smartphone be programmed to operate in monitor mode to capture wifi probe requests from wifi-enabled devices?

    1. I don’t believe Android has the capability. It requires low level access to the radio hardware. Most controller based AP systems (Aruba, Motorola etc) have this functionality built in.

      Aruba for example call this their Analytics and Location Engine. There are also other less ‘innocent’ implementations of this type of technology.

    • David Sutherland on June 20, 2016 at 11:52 am

    Is there any open source implementation of this? I’d like to see a system for offices that would let me know which employees (phones) were at which location, the first and last time of day at each zone. Such a table report would be great for front desk receptionist. Lots of value if people get past the creep factor. Patents have probably ruined this idea but it seems like an obvious next step in monitoring tools right?

    1. I don’t believe there is anything OSS for this…. Would be interesting to hear though…

      • TeoRuscin on December 16, 2016 at 1:19 am

      Still looking for this? Very simple and cheap. Lots of ins and outs, but effective if MAC mining isn’t a privacy concern. Shoot me an email: thebeachtoday at Gmail dot com

    • venu on September 20, 2016 at 2:23 am

    I don’t think we can do these analytics now, because all the mobile devices are using MAC randomization, which makes the MAC address a random one. If we get a random MAC address every time then those analytics are impossible, right?

    1. I have yet to see any common devices that create random MAC addresses per wifi connection.

        • aby on October 28, 2016 at 10:23 pm

        As of iOS 8 and Android 6, these devices are supposed to generate a random MAC address to be included in the probe request. When connected to the network they then provide their real MAC, but for the probe it is random.

      • TeoRuscin on December 16, 2016 at 1:20 am

      Only during a probe request does randomization come into play…real MAC must be used to connect

        • Ahmed on August 24, 2017 at 10:54 pm

        The vast majority of wifi captures are probe requests from unassociated devices, they are the vast majority, so randomization is a big deal here.

    • Zack on December 24, 2016 at 12:43 pm

    Hi, just found your post! I actually built something that does this with Raspberry Pis. It’s not all intrusive, I’m using this at home to do home automation by tracking just my phone. However, I do track every phone in my house at the same time…

      • Paul on December 29, 2016 at 11:51 am

      Zack – can you share more detail?

        • Henry on January 28, 2017 at 2:51 am

        Zak’s name links to

    • vipobocif on September 21, 2017 at 6:43 am

    That’s why I use “MAC address scrambling” for my linux laptop –

  1. Hi there! great read, thanks:)
    We have a time and attendance SaaS and looking for an automated solution other than beacons when an employee enters into their respective office for the day.
    So ideally, we would like to register the employees mac id into our DB and when this employee comes into the office in the morning, get the time stamp and store in our DB.
    We currently have an app, where the employee has to manually clock in but hoping to come up with some cool automated way, to be able to get new clients. Thanks for your time!

      • Augustus Meyer on November 3, 2017 at 12:41 am

      I did the firmware for several consumer grade MAC-detection devices for use in hotspots. You can email me at

  2. what user information can Bluetooth collect by default? phone/accesory id? and then if the system has some authentication also the username ?

    • Curtis Brazzell on January 9, 2018 at 7:22 am

    Please check out my open source solution for tracking with a raspberry pi. I’m doing just this! Works really well as a security system.

    1. This is a pretty good idea – and a great practical demonstration of what I was writing about 🙂
