

Passive WiFi Tracking - primroot
http://edwardkeeble.com/2014/02/passive-wifi-tracking/

======
userbinator
My generic Android phone, like many others, has a different random MAC every
time I switch WiFi on and off since the manufacturer didn't write one to the
EEPROM. A lot of people find this to be a bug, but maybe it's an
"unintentional security feature"... it certainly is quite useful when using
limited free WiFi hotspots.

~~~
thejosh
This sounds like a perfect feature for iPhones / Android which could be
enabled.

------
chrischen
Doesn't iOS 8 do dynamic Mac addresses now? This would mitigate most privacy
concerns from WiFi tracking.

~~~
stove
It does but only if the device is locked and not associated to a wifi network.
Even if those conditions are met, the device will only broadcast the "random"
mac on set intervals and the locally generated mac will always have the
second-least-significant bit set to 1.

From a consumer perspective, it's quite easy: to prevent being tracked, don't
walk around with wifi turned on.

From an engineering perspective, toss out any mac with the U/L bit set to 1.

~~~
lucaspiller
> It does but only if the device is locked and not associated to a wifi
> network.

So that's why so many malls have 'free' wireless :-)

------
matthewmacleod
There seems to have been a surprising amount of attention paid to passive wifi
tracking recently. We did a hack weekend project on this last year
([http://matthewmacleod.co.uk/blog/passive-wifi-
tracking.html](http://matthewmacleod.co.uk/blog/passive-wifi-tracking.html) –
though I never got to write it up properly) and I've had a number of people
looking for more details.

This article's a pretty good approach. We used Kismet instead though – you can
control it using a nice TCP interface, and have it spit out the hardware MAC
addresses of any packets it sees.

Pretty interesting, but I'd never roll this out in a public place. Just seems
a little creepy…

------
alfg
I wrote a similar script (via aircrack) at a recent hackathon to gather wifi
nodes, and group them up by their access point (or if they weren't connected
to one). The data dump was then transformed into json and fed into a neat
little d3 chart.

The hardware was very minimal too, just an Arduino Yun with a cheap high-gain
antenna.

It was a fun project to hack on, but it definitely raised some eyebrows and
made me rethink about some of the privacy concerns around this.

------
akama
It's interesting the attention that passive wifi tracking is receiving.
Another person and I actually wrote software a client to install on raspberry
pi's and a server to store all the results. We deployed this on our college
campus and were shocked by how well we could track devices [1]. This is a
serious problem given a large scale of sensors.

[1] We only stored a bcrypt hash of the mac address given the privacy
concerns.

~~~
el_benhameen
I've been toying around with monitor mode on the Pi, and I'd love to see your
implementation if this. Do you have a write-up somewhere? (I have no nefarious
intentions, though that assertion is admittedly useless when it comes from a
stranger on the internet)

~~~
akama
Sure thing, I'm not sure if the code on github is stable, but the client is
[https://github.com/B0bby/StudySniffer](https://github.com/B0bby/StudySniffer),
and the server is
[https://github.com/UnrealAkama/SnifferServer](https://github.com/UnrealAkama/SnifferServer).

If you have any questions, just reach out to my email. I'll be glad to help.

~~~
el_benhameen
Much appreciated!

------
vbcr
genuine question - this sounds illegal? is it and if so why?

