Reproduced original address:
http://edwardkeeble.com/2014/02/passive-wifi-tracking/
Passive WiFi Tracking
Posted February 2014, by Edward Keeble
In the last year or so, there have been quite a few stories on the use of passive WiFi tracking by advertisers, retailers, and analytics startups. Most of these articles focus on the significant privacy and security concerns associated with this practice, but few of them get into the details of how the technology works. Having built a similar system for my project, Casual Encounters, I think I can explain some of the inner workings of these systems, how to avoid being tracked, and how someone could build such a system, whether out of curiosity or to determine their own level of exposure. I'll state up front that I am by no means an expert on wireless networks, signal analysis, or anything of the sort, but I have conducted a fair bit of trial and error, and it works for me. Your mileage may vary; don't try this at home; etc., etc.
Probe Requests
When a WiFi client (phone, laptop, etc.) is looking to connect to a known network, there are two approaches it can take. The first technique, which is used by laptops and most non-smartphone devices, involves scanning for Beacon Frames (packets broadcast by WiFi routers in order to advertise their presence), waiting for a network that the client has previously connected to, and initiating a connection with it. The second technique, which is used primarily by smartphones, involves periodically broadcasting packets called Probe Requests, which contain the unique MAC address of the client and (sometimes) the name of a network to which it has previously connected. The advantage of the second technique is that by actively scanning for nearby routers, a phone can initiate a wireless connection faster than if it waits for the router to send out a Beacon Frame. While this certainly makes it more convenient to hop on a network, it also makes it possible to indiscriminately gather up this data and use it to track people: the MAC address is sent in the clear in every probe request, whether or not a network name is included.
Monitor Mode
There are six modes in which a WiFi device can operate. Routers generally operate in Master mode, while clients operate in Managed mode. In order to pick up all nearby traffic, a device needs to be operating in Monitor mode. Once set to Monitor mode, the device no longer advertises its presence, so, barring any physical indicators, it can be difficult to determine if such a device is running nearby.
Protection
Avoiding being tracked by these kinds of systems is fairly simple, in theory. As long as you turn the WiFi radio off on your phone whenever you don't explicitly need it (generally, whenever you're away from home, work, or anywhere else with a trusted network), the phone will stop transmitting probe requests and you'll be untrackable (at least through this technique). Obviously, from a practical perspective, manually turning WiFi off every time you leave your house could become quite annoying.
If you use an Android device, there are a number of apps available which can simplify the process. AVG PrivacyFix, for example, allows you to set a group of trusted networks, around which your WiFi radio will be enabled. Once you leave the vicinity of these networks, the app automatically disables your radio. There are a number of similar paid and free apps available for Android. I have not personally used any of them, so I can't speak to their efficacy.
If you use an iOS device, your options are much more limited. Unless you have jailbroken your device, Apple's sandboxing of third-party apps makes it impossible to build a utility to automatically disable WiFi. That being said, iOS 7 introduced a swipe-up menu (Control Center) which provides quick access to a number of settings, including WiFi. It still requires manual intervention every time you leave your house, but it beats wading through the Settings app.
Building a WiFi Tracker
Building a device to track smartphones is reasonably straightforward. You can, in fact, just use your MacBook. I could probably end this tutorial there, with some quick instructions on installing Wireshark and filtering for probe requests, but that wouldn't be very interesting, and it wouldn't really answer the question of how to build a network of tracking devices to deploy around a city or retail environment, as mentioned in the articles at the top of this post.
If you were building a network of these trackers, it would be prohibitively expensive (and logistically difficult) to deploy a laptop for each tracking node. Since the computing needs of the tracker are quite low, you can get away with using something as simple and cheap as a Raspberry Pi with a wireless adapter or (my preferred option) a small travel router like the TP-Link MR-3020, loaded with OpenWrt firmware. Both approaches are inexpensive, offer a small form factor, and can be run off a 5V battery, making them ideal for this sort of project.
The setup process for a Pi is actually quite a bit easier than for the MR-3020, since most of the filesystem setup is taken care of for you, but I prefer the router, as it offers a cheap, standalone solution. For that reason, I'll be detailing the process for the router here. If you choose to go with a Raspberry Pi, keep the following things in mind:
- You can likely skip ahead to Set up Monitor Mode, since the earlier steps are just meant to get the router's filesystem and swap space set up.
- The devices run different versions of Linux, so certain configuration files will be in different locations and you will use a different package manager than opkg.
- More powerful radios, such as the AWUS036H, could require a powered USB hub, since they draw more current than the Pi can supply through its USB ports.
Setting up your router
Before we proceed, you'll need:
- A TP-Link MR-3020 router ($34.99 on Amazon). Similar routers, such as the TP-Link TL-WR703N, should work, although I haven't tried them.
- A USB flash drive (2-4 GB should be plenty, although more is always better)
- An Ethernet cable
The decision to use the MR-3020 came from my experience building a PirateBox (a wonderful project devised by David Darts, which has been adapted to run on a range of devices). The initial setup steps for this project and for a PirateBox are identical, and since David did such a fine job explaining them, I thought I would simply link to his instructions (http://daviddarts.com/piratebox-diy-openwrt/) rather than copy them all out again. You should follow those instructions up to, but not including, the section titled "Install PirateBox".
Setting up your USB drive
If you followed the instructions in the previous section, you should now have SSH access to your router, and the router should have access to the Internet. We'll now configure your USB drive to extend the filesystem on the router and provide additional memory.
- Format your USB drive into two partitions: a primary EXT4 partition and a swap partition. The swap partition should be between and 512MB.
- SSH into the router.
- Install the packages needed to support the EXT4 filesystem.
- Plug the USB drive into the router.
Check that the drive and its partitions are being detected:
root@OpenWrt:~# ls /dev | grep sda
sda
sda1
sda2
Setting up the FileSystem
Now we'll set up sda1 as a pivot overlay on the root filesystem, as described here: http://wiki.openwrt.org/doc/howto/extroot#openwrt.
root@OpenWrt:~# mkdir /mnt/sda1
root@OpenWrt:~# mount /dev/sda1 /mnt/sda1
Check that the drive mounted successfully (the command should return /dev/sda1 on /mnt/sda1 type ext4):
root@OpenWrt:~# mount | grep sda1
Copy the files from the router's flash storage to the USB drive. This ensures that all of the necessary configuration files are available when we reboot with the USB drive replacing the root filesystem, so that the network interfaces come up as expected.
root@OpenWrt:~# tar -C /overlay -cvf - . | tar -C /mnt/sda1 -xf -
Edit /etc/config/fstab to automount /dev/sda1:
root@OpenWrt:~# vi /etc/config/fstab
Use the following configuration:
config global automount
    option from_fstab 1
    option anon_mount 1

config global autoswap
    option from_fstab 1
    option anon_swap 0

config mount
    option target /overlay
    option device /dev/sda1
    option fstype ext4
    option options rw,sync
    option enabled 1
    option enabled_fsck 0

config swap
    option device /dev/sda2
    option enabled 0
Now reboot the router:
root@OpenWrt:~# reboot
Once all of the lights on the router have come back on, SSH into the router again and check that the USB drive mounted properly:
root@OpenWrt:~# mount | grep sda1
/dev/sda1 on /overlay type ext4 (rw,sync,relatime,user_xattr,barrier=1,data=ordered)
If you can't SSH into the router, something might have gone wrong with copying the configuration files over to the USB drive. Unplug the USB drive from the router and restart the router by unplugging its power cable, then plugging it back in. Leave the USB drive unplugged so it doesn't mount. Once the router has restarted and you can SSH into it, plug the USB drive back in and go back through the previous steps to make sure you did them correctly.
Setting up the Swap partition
The router does not have very much on-board memory, so if we try to execute any long-running processes, it'll likely run out of memory and reboot itself. To check the available memory on the router, enter:
root@OpenWrt:~# free
You'll notice that the Swap row has zeros across the board. We can use the swap partition we created earlier to ensure we have plenty of memory available. First, make sure the partition can function as swap:
root@OpenWrt:~# mkswap /dev/sda2
Then activate the swap space:
root@OpenWrt:~# swapon /dev/sda2
Now run free again to make sure the space is allocated:
root@OpenWrt:~# free
             total         used         free       shared      buffers
Mem:         29212        19160        10052            0         1972
-/+ buffers:              17188        12024
Swap:       475644            0       475644
This is great, but it won't stay active if we reboot the system, so we need to let the system know that it should activate swap every time it starts up. You may have noticed a swap section in our fstab file from earlier. In my experience, this doesn't always activate properly, so I have chosen to ignore it and create a separate startup script to turn on the swap space. This has the added benefit of introducing us to startup scripts, in case we want to create one later to ensure our scanning script restarts when the system resets.
Swap Startup Script
We'll start by creating the startup script:
root@OpenWrt:~# vi /etc/init.d/swapon
Enter the following into the file and then save it:
#!/bin/ash /etc/rc.common
START=109
STOP=151

start() {
    echo "start swap"
    swapon /dev/sda2
}

stop() {
    echo "stop"
}
Make the script executable:
root@OpenWrt:~# chmod +x /etc/init.d/swapon
Now we need to make a symlink to our script in /etc/rc.d so that the system runs it on startup:
root@OpenWrt:~# ln -s /etc/init.d/swapon /etc/rc.d/S109swapon
If you're curious, the S109 part of the link name tells the system in which order the script should be run. If you list the files in /etc/rc.d, you'll see that they all start with S##. S109 should put our swap script at the end of the list, so it'll run after all of the system scripts.
Now reboot the system, SSH back in, and check whether the swap space has been activated:
root@OpenWrt:~# free
             total         used         free       shared      buffers
Mem:         29212        19276         9936            0         2152
-/+ buffers:              17124        12088
Swap:       475644            0       475644
If the swap didn't activate, double-check that you made the swapon script executable.
Set up Monitor Mode
Now that the system is (mostly) set up, we can get to the fun stuff. We'll need to modify the router's wireless config in order to activate the radio and set it to monitor mode:
root@OpenWrt:~# vi /etc/config/wireless
Comment out the line that disables WiFi:
#option disabled 1
Use the following settings for the wifi-iface section:
config wifi-iface
    option device radio0
    option network lan
    option mode monitor
    option hidden 1
Then restart the WiFi interface:
root@OpenWrt:~# wifi down; wifi up
You may see some error messages like the ones below, but the wireless should still activate properly.
ifconfig: SIOCSIFHWADDR: Invalid argument
command failed: Device or resource busy (-16)
Check that wireless is up and in monitor mode:
root@OpenWrt:~# iwconfig
lo        no wireless extensions.

wlan0     IEEE 802.11bgn  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=15 dBm
          RTS thr:off   Fragment thr:off
          Power Management:on

eth0      no wireless extensions.

br-lan    no wireless extensions.
Note that the radio is parked on a single channel (2.412 GHz is channel 1), so it will only see probe requests sent on that channel; picking up the rest requires hopping channels, which is left as an improvement at the end of this post.
Install Required Packages
Now we'll install all of the packages and libraries required by our scanning script:
root@OpenWrt:~# opkg update
root@OpenWrt:~# opkg upgrade tar wget
root@OpenWrt:~# opkg install python tcpdump unzip
root@OpenWrt:~# wget http://www.secdev.org/projects/scapy/files/scapy-latest.tar.gz
root@OpenWrt:~# tar -xvf scapy-latest.tar.gz
root@OpenWrt:~# cd scapy*
root@OpenWrt:~# python setup.py install
root@OpenWrt:~# cd ..; rm -rf scapy*
Test the scanning script
We'll need to fetch the scanning script from Git. The default git package on BusyBox seems to have trouble with HTTPS, but we can download the source code as a zip file instead:
root@OpenWrt:~# mkdir /overlay/scripts; cd /overlay/scripts
root@OpenWrt:/overlay/scripts# wget http://bitbucket.org/edkeeble/wifi-scan/get/e2a08627f05d.zip --no-check-certificate -O wifiscan.zip
root@OpenWrt:/overlay/scripts# unzip wifiscan.zip
root@OpenWrt:/overlay/scripts# mv edkeeble-wifi-scan-e2a08627f05d wifi-scan
Note that --no-check-certificate turns off TLS certificate validation for that download, so read through what you unpacked before running it as root.
Because we're responsible humans, we aren't actually going to indiscriminately grab everyone's probe requests. We'll set up a whitelist, so we only print out requests from our own phones. Open the script in vi and edit WHITELIST to include your phone's MAC address:
root@OpenWrt:/overlay/scripts# cd wifi-scan
root@OpenWrt:/overlay/scripts/wifi-scan# vi wifiscan.py
WHITELIST = ['00:00:00:00:00:00',] # Replace this with your phone's MAC address
Now test the script:
root@OpenWrt:/overlay/scripts/wifi-scan# python wifiscan.py wlan0
With the script running, get your phone out. While it will still send probe requests when it is connected to a network, it seems to send them more frequently when it isn't already connected. Go to your settings and disconnect from your current network, but leave WiFi turned on. You should start to see probe requests show up in the terminal. Notice that some of the requests have an SSID while others do not. Probe requests without an SSID are considered broadcasts, designed to elicit responses from any access point in range.
Press CTRL-C to stop the scanning script. If it doesn't stop right away, hold down CTRL-C until you get back to the terminal prompt.
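To make concrete what the script is seeing, both the frame layout described under Probe Requests and the whitelist filtering just configured, here is an added example written for this edit. It is not code from the original post or from the wifi-scan repository. It decodes probe requests from raw 802.11 frames, the same bytes scapy's Dot11 layer or a tcpdump capture on wlan0 would hand you, and it constructs its own sample frames so it runs with no radio at all. The MAC addresses, SSIDs and the WHITELIST value are made up (the 02: prefix marks them as locally administered, so they collide with no real vendor), and the function names strip_radiotap, parse_probe_request, build_probe_request and scan are chosen here.

```python
"""Decode 802.11 probe requests and filter them against a whitelist.

Added example for this article, not the wifi-scan script itself. It works on
raw 802.11 frames and builds its own constructed sample frames, so it runs
without a monitor-mode interface.
"""

# Assumed test phone MAC for the example; replace with your own, as in wifiscan.py.
WHITELIST = {"02:00:00:aa:bb:cc"}

BROADCAST = b"\xff" * 6
MGMT_HEADER_LEN = 24          # FC(2) + duration(2) + addr1/2/3(18) + seq ctrl(2)
SUBTYPE_PROBE_REQUEST = 4     # management frame subtype 4


def mac_str(raw):
    """Render 6 raw bytes as aa:bb:cc:dd:ee:ff."""
    return ":".join("%02x" % b for b in raw)


def mac_bytes(text):
    """Inverse of mac_str."""
    return bytes(int(x, 16) for x in text.split(":"))


def strip_radiotap(packet):
    """Remove the radiotap header that a monitor-mode capture prepends.

    Radiotap starts with version 0, a pad byte and a little-endian 16-bit
    header length; the 802.11 frame follows immediately after. Only apply this
    to packets known to carry radiotap (a capture from a monitor interface),
    since a bare association-request frame also begins with 0x00.
    """
    if len(packet) >= 4 and packet[0] == 0:
        rt_len = packet[2] | (packet[3] << 8)
        return packet[rt_len:]
    return packet


def parse_probe_request(frame):
    """Return (transmitter_mac, ssid) for a probe request, else None.

    ssid is "" for a wildcard (broadcast) probe, which carries an SSID element
    of length 0, and None if the element is missing entirely.
    """
    if len(frame) < MGMT_HEADER_LEN:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3            # 0 = management frame
    subtype = (fc0 >> 4) & 0xF
    if ftype != 0 or subtype != SUBTYPE_PROBE_REQUEST:
        return None
    transmitter = mac_str(frame[10:16])  # Address 2: the client that sent it
    ssid = None
    body = frame[MGMT_HEADER_LEN:]
    i = 0
    while i + 2 <= len(body):           # walk the tagged parameters: ID, len, value
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break                       # truncated element, stop parsing
        if tag == 0:                    # element ID 0 = SSID
            ssid = value.decode("utf-8", "replace")
            break
        i += 2 + length
    return transmitter, ssid


def build_probe_request(src_mac, ssid):
    """Constructed test input: a probe request frame without FCS."""
    frame_control = b"\x40\x00"         # type 0 (management), subtype 4
    duration = b"\x00\x00"
    seq_ctrl = b"\x00\x00"
    ssid_raw = ssid.encode("utf-8")
    ssid_ie = bytes([0, len(ssid_raw)]) + ssid_raw
    rates_ie = bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])  # supported rates 1/2/5.5/11 Mbps
    return (frame_control + duration + BROADCAST + mac_bytes(src_mac)
            + BROADCAST + seq_ctrl + ssid_ie + rates_ie)


def scan(frames, whitelist=WHITELIST):
    """Return (mac, ssid) for every probe request sent by a whitelisted client."""
    hits = []
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is not None and parsed[0] in whitelist:
            hits.append(parsed)
    return hits


# Constructed sample capture: two probes from "our" phone, one from a stranger,
# and a beacon (subtype 8) that a probe-request filter must ignore.
SAMPLE_FRAMES = [
    build_probe_request("02:00:00:aa:bb:cc", "HomeNet"),
    build_probe_request("02:00:00:aa:bb:cc", ""),
    build_probe_request("02:00:00:11:22:33", "CoffeeShop"),
    b"\x80\x00\x00\x00" + BROADCAST + mac_bytes("02:00:00:de:ad:00") * 2 + b"\x00\x00",
]

if __name__ == "__main__":
    for mac, ssid in scan(SAMPLE_FRAMES):
        kind = "broadcast probe" if ssid == "" else "probe for %r" % ssid
        print("%s  %s" % (mac, kind))
```

The point the parser makes is that Address 2 (the transmitter) is present and readable in every probe request, whether the SSID element names a network or is the empty wildcard, so the whitelist is the only thing standing between this loop and a log of every phone in range. To run it against live traffic, feed it the frames from a capture on the monitor interface (with the radiotap header stripped first); to eyeball the same frames in Wireshark on your laptop, the display filter wlan.fc.type_subtype == 0x04 shows only probe requests.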
Wrap Up
There you go. You now have a portable router which can track nearby smartphones through their WiFi packets. Of course, our current script doesn't do very much and could be improved immensely. It could, for example, be modified to hop channels and pick up more data, log data, track devices between multiple areas, etc.
Thanks for reading. I hope this article was helpful and shed some light on the specifics of how these tracking systems work. If you would like to reach me, you can find me on Twitter @edkeeble.