Abstract—Nowadays almost everyone has a smartphone.
Smartphones are sending a lot of Wi-Fi packages. These packages are send even when they are not connected to a Wi-Fi network.
With all the information that smartphones are sending, it should be possible to track and count all the phones and say something about the amount of people in an area.
To get an inside in the Wi-Fi behavior of a smartphone, four different phones are analyzed. Every phone is tested in different circumstances. Since apps might change the behavior of a phone, additionally, different apps were tested in these circumstances as well to see if apps will increase the amount of Wi-Fi packages.
Not only have the tests been executed in a controlled environment, they have been accomplished in an uncontrolled environment as well. In a 3-hour measurement, more than 12.500 packages of unknown devices are captured and analyzed.
The results show interesting results, especially when it comes to iPhones. It seems that some iPhones are not always sending the real MAC-address of the phone when dispatching Wi-Fi packages.
iPhones can send locally administered MAC-addresses. These addresses are random and switched over time. Thus one iPhone can send multiple MAC-addresses. A measurement has been performed to count this changing of addresses and get an insight in the frequency of changing. With this information, more knowledge has been gained over the amount of iPhones in an area.
This paper will show that is possible to track people by capturing all packages that their smartphone sends and how this is done.
Index Terms— Passive Wifi tracking, locally administered MAC- addresses
I. INTRODUCTION
Pa s sive Wi -Fi is not new; it i s a l rea dy b ei n g u s ed b y s om e ma rketing companies. These companies tra ck s ma rtp hon es a nd ma ke personal marking ca mpaigns. Moreover, fes ti va l s a re u s i ng thi s technique to count the number of festiva l vi s i tors . Al th oug h compa nies are using the principle of passive Wi-Fi already, there a re a l ot of unknowns when mea s uri ng the Wi -Fi pa cka ges tha t s ma rtphones a re sending.
Sma rtphones are sending a lot of different packages. What kind a nd how many packages a phones sends depends on the vendor and type of phone. In this paper a more thorough analysis o f p a cka g es tra ns mitted is performed. This i ncludes the following s ub questions:
- Shoul d the s ens or l i s ten on one Wi -Fi cha nnel or i s hopping better?
- Whi ch type of packages are different phones s ending a nd
wha t i s the frequency of s ending?
- Wha t i s the benefit of heavi n g m u l ti pl e s ens ors cl os e together?
The pa per i s s tructured a s fol l ows . The rel a ted work i s i n s ecti on 2. In s ecti on 3, the method of the res ea rch wi l l be el aborated. The results can be found i n section 4. Th e p a per e n ds wi th a conclusion and discussion section i n s ection 5.
II. RELATED WORK A. Tracking of human beings
To determine the amount of people i n certain area wi th b a s i c Wi -Fi hardware, different methods ca n b e u s ed. Mo s t o f th es e methods [1] [2] [3]contain tra cking human beings instead of tracking thei r devices. To determine human beings, Doppler measurements ca n be used. [2] Another tra cking method [ 3] i s to m a ke a ra da r fi ngerprint of an area. To get a radar f i ng erpri nt o f a n a rea , th e s i gna l s trength i nforma ti on a t mul ti pl e ba s e s ta ti ons wi l l be mea sured. When a person moves, the signal s trength i nformation i s cha nging over ti me. [3]
B. Tracking of smartphones
Tra cki ng human beings has become relatively easy sin ce m os t huma n beings own a smartphone. [4] So instead of tra cking h um a n bei ngs, it is possible tra ck their phones. A s martphone peri o di ca ll y tra ns mits Wi-Fi packages. When a smartphone i s s endi ng a W i -F i pa ckage, it a lso sends i ts MAC-address. These MAC- a ddres s es a re uni que per devices a nd ca n therefore be used to tra ck a nd co unt s ma rtphones. [5]
C. Different Antennas
An a ntenna with a relative ly big gain will ca pture more wireless devi ces then an a ntenna with a relative ly small gain. [6] The dataset of a s mall gain antenna has been optimized compared to the dataset of a bi g gain a ntenna. However, a hi g h g a i n a ntenna h a s b etter performance when a wireless device is moving fast. [6] Since th ere wa s no opportunity to measure devices with different antennas, the mea surements i n this paper will be conducted with one sensor and a s i ngle a ntenna.
The analysis of passive Wi-Fi tracking
Wouter Bakker, University of Twente, Faculty EEMCS
III. METHOD
A. Distribution of channels and package types in a controlled environment
The 2,4 GHz Wi -Fi band has th i rteen d i ff erent ch a nn els i n Europe. Every Wi -Fi package has a p a cka g e typ e a nd a p a cka g e s ubtype. To be able to distinguish which package was send on which cha nnel, a test s etup was created. The test s etup con ta ins a W i - Fi s ensor a nd 4 s martphones. The sensor captures all the packages and s ends them to a MySQL da tabase. The Wi-Fi s ensor i s a B l uem a rk 510. To s ee if there is a big difference betw een d i f fere nt typ e o f phones, this test includes multiple phones. The tested phones a re:
- Appl e i Phone 4s running IOS 9.3.2 - Appl e i Phone 5s running IOS 9.3.2 - Sony Xperi a U running Android 5.1.1
- General Mobile – Android one running Android 6.0.1
Al l phones have been reset to factory default prior to the test to get a good baseline measurement. A l ist of 5 Wi -Fi networks is saved to every phone. To get a good insight i n the send Wi-Fi p a cka g es, a l l the phones are tested i n different circumstances.
Fi rs t test:
The phones are l aying on a table. No extra apps are i nstalled a nd the s creen is turned off. None of the s aved Wi-Fi networks are i n ra ng e of the phone.
Second test:
The phones are l aying on a table. No extra apps are i ns ta l l ed. Th e s creen is turned on. None of the s aved Wi-Fi networks are i n ra ng e of the phone.
Thi rd test:
The phones are l aying on a table. No extra apps are i ns ta l l ed. Th e s creen is turned off. All phones a re now connected to a saved Wi -F i network.
Fourth test:
The phones are l aying on a table. Facebook is installed as extra a p p a nd a Facebook user is l ogged in. The s creen is turned off . N on e o f the s aved Wi-Fi networks are i n ra nge of the phone.
Fi fth test:
The phones are l aying on a table. Skype is installed as extra app a n d a Skype user is l ogged in. The s creen is turned off. None of the s aved Wi -Fi networks are i n ra nge of the phone.
The Wi -Fi s ensor ca ptures all Wi-Fi packages for one hour and ea ch tes t i s repeated two times. This is to l ocate on which channel whi ch type pa ckage i s send. The s ensor s witches every s eco nd to o n e o f the 13 cha nnels. The channel is s elected at ra nd om. F ro m eve ry recei ved package the following i nformation is saved. Th e p a cka g e
type, the pa ckage s ub type, the RSSI, the channel, the ti me on which the pa ckage is received and the MAC-address from the sender.
After the mea s urement, the da ta ba s e conta i ns a l l Wi -Fi pa ckages from all Wi-Fi enabled devices i n ra nge of the s ensor. Onl y the pa ckages send from the tested phones are i nteres ti ng , s o a l l pa ckages where the received MAC-a ddress corresponds to th e re a l MAC-a ddress of the phone are s tored in a separate databa s e ta bl e a nd used for further a nalyses.
B. Distribution of channels and package types in an uncontrolled environment
In rea lity i t i s likely that the list of saved networks i s typ i ca l l y much hi gher than the 5 i n in controlled envi ronment. Furtherm ore , i t i s likely tha t the smartphone users i nstalled different types of apps on hi s s martphone. Or a t l east more a pps than the single one i n th e control l ed envi ronment. Therefore, a tes t i n a n uncontrol l ed envi ronment was performed.
For thi s test the same sensor was us ed a s i n th e co n trol l ed envi ronment. But now the sensor was battery powered a nd put in a ba ckpack. This backpack was ca rried through the center of Enschede for a few hours. In contrast to the controlled situation, the sensor i s not connected to the internet s o data i s buffered in the s ensor. After the wa lk, the sensor i s reconnected to the internet a nd a l l d a ta i s upl oaded to the MySQL da tabase. The s ensor a gain s witches e very s econd to one of the 13 cha nnel s a nd the s el ected cha nnel i s s elected at ra ndom. For every package th e s a me i nf orma ti on i s s a ved as i n the controlled experiment.
C. R used by IOS devices
Sta rti ng from IOS 8, Apple introduced ra ndom MAC-a ddress es [7]. When a phone is not connected to Wi-Fi network, i t sends probe requests. Together with that probe request i t a l s o s ends i t MAC - a ddress. When an iPhone running IOS 8 s ends a p ro be re ques t, i t ca n s end a random MAC-a ddress instead of the real MAC-a ddress of the phone. [7] To measure this ra ndom MAC-a ddress, a s ma l l tes t s etup was made. The i Phone 5s a nd the Bluemark 510 s ensor w e re put i n a box. To ensure the that the s ensor only receive s pa ck a ges from the i Phone a nd not from other Wi-Fi e na bl ed d evi ces , tw o mea surements a re taken. First, the box has bene p a cked w i th ti n foi l . The foil ensures that the Wi-Fi s i gna l s f ro m o u ts i de w i l l b e muted. Secondly, only the s ensor has been put i n the box to g e t a n i ns ight i n the performance of the box. The only received s igna l s f or the s ensor were the signals with a s i g na l s treng th l ow er th en - 60dBm. When the iPhone is put in the b ox, th e s ens o r re cei ved s i gnals up to 27dBm. To ca pture only th e p a cka g es , s end b y th e i Phone, all signals below -60dBm will disca rd. Ag a i n, th e s ens o r s wi tches to one of the thirteen ch a n nel s e very s eco nd a nd th e s elected channel is s elected at ra ndom. The Bluem a rk s ens or ca n i ndi ca ted i f a recei ved MAC-a ddres s i s a l oca l l y a dmi ni s tered a ddres s es or i s a uni vers a l l y a dmi ni s tered a ddres s es . Thi s i nformation is saved as well.
IV. RESULTS
A. Distribution of channels
When the tested smartphones are not conn ected to a W i -F i network they s end Wi-Fi packages to all Wi-Fi channels. Thi s W i - Fi pa ckages are equally distributed over all channels. See Fig ure 1 f o r the mea s urement res ul ts for the fi rs t tes t a s des cri bed i n the method section.
When the tes ted s ma rtphones a re connected to a Wi -Fi network the result is completely different. The smartphones almos t excl usively s end packages to the Wi-Fi channel o f th e co nn ected a ccess point. This result can be seen Figure 2, which is the re s ul t o f the thi rd test as descripted in the method. The connected channels i n the first measurement a re 5 a nd 13. The i Phone5s was in this case connected to the 5gHz version the of the network a n d th e s ens o r wa s not a ble to ca pture packages on the 5 GHz band. In the s eco nd mea surement the connected channels a re 1 a nd 9.
B. Distribution of package types
The type of pa cka ge a s ma rtphone i s s endi ng i s hi ghl y dependent on the Wi-Fi connectivity of the smartpho ne. W hen a s ma rtphone i s not connected to a Wi-Fi network i t w i l l o nl y s en d probe requests, but when the s martphone i s connected it will s end a l l types of packets. In Figure 3 a nd i n Figure 4 a re the measurement res ults of test one.
The tes t in the uncontrolled environment confirms th e f o und res ults in the controlled environment . Acco rd i ng to F i gure 7 a l l probe reques ts a re equa l l y di s tri buted over a l l cha nnel s . The a mount of null data packages is higher on the channels 1,6 a n d 11.
Whi ch ca n be explained. Access Point are s ending bacon f ra mes to a nnounce their SSID. The a mount of this b eaco n f ra m es i s m uch hi gher on the channels 1,6 a nd 11 s o it i s l i kel y th a t m u ch m o re s ma rtphones a re connected to these channels.
C. The impact of the screen
The s tate of the screen of the sma rtp ho nes i s a n i m ported fa ctor for the amount of packages a smartphone is sendi ng . W hen the s creen is on, test two, both a ndroid phones are s endi ng m u ch more pa ckets then the i n case when the s creen is off. The i Phones4s ha s the exact opposite behavior. The results are in Figure 5. It s eems tha t the Sony Xperia i s not sending any pa ckages when i ts s creen i s off.
D. The impact of apps
When Fa cebook or Skype i s i ns ta l l ed on a n i Phone 4s a n i ncrease of Wi -Fi packages is measured . On th e G enera l Mo bi l e phone, the a mount of packets va ries too much. So i t is not pos si bl e the s ay s omething useful over that measurement. The results ca n be found in Figure 6.
E. Rate of sending packages
The ti me between two received packages dep ends h i gh l y o n the type of s martphone, the energy s tate of the smartphone and the i ns talled a pps on the s martphone. The m i ni ma l ra te o f re cei ved probe requests was 9 request per hour and the maximum a mount of probe requests was 513 per hour.
The ma ximum amount of received null data packa g es w a s 97 pa ckages per hour.
F. The impact of more receivers
When the phone i s not connected to a Wi -Fi network a l l pa ckets were equally distributed over a l l W i -F i ch a nnel s . W hen a ddi ng more Wi -Fi s ens ors , the cha nge tha t you ca pture more pa ckages will i ncrease. When a s ensor is fixed to one of the 13 Wi -Fi cha nnels. The sensor will capture 1 out of the 13 packa ges . W h en a dding exact the same extra s ensor, but that s ens or w i l l l i s ten to a nother channel. The sensors will ca pture 2 out of the 13 pa ckag es . So to get i n theory a 100% cha nge, you need 13 s ensors. Al l sens ors mus t have the range a nd must in the place.
The a mount of phones that will detected depends on the ti me tha t s martphones are in ra nge of the sensors. When a p hon es i s a rel a tive short ti me i n ra nge of the s ensors it will send less pack a ges therefor more s ensors a re needed to detect the s martphone.
When a smartphone is connected to a Wi-Fi network i t s en ds mos t of this packages on the connected ch a nnel . To d etect th i s phones, it i s useful to detected that connected channel and s et th e s ensor to that channel. The a mount o f s ens o rs d ep ends o n th e a mount of channels that are i n use by the a ccess points nearby.
G. Locally administered MAC-addresses used by IOS devices
The tes ted iPhone 5s send all its probe requests with a l oca l l y a dministered MAC-address. That was the reason th a t i n a l l o ther mea s urements no probe reques ts from the i Phone 5s were regi stered. The MAC-addresses a re changing o ve r ti me a nd th e a vera ge period that MAC-a ddress is the same is a bout 20 minutes.
V. CONCLUSION
In concl usion, this paper shows that is it possible to determ i ne s ma rtphones by using Wi-Fi monitor s ens ors . Th e ch a nce th a t a s ma rtphone i s detected highly depend on the type of s martp hon e.
Moreover, the amount of packages a s martphone s ends depen d o n the us er configuration of the smartphone.
Al though the research takes many ci rcumstances i nto a ccount, i t ca n be improved i n next measurements. All phones u s ed i n th e control led experiment had no a cti ve s i m ca rd i ns ta l l ed, s o th e phones were not connected to a mobile data network. There w ere onl y 5 Wi -Fi networks saved on the s martph one, i t h a s n o t b een tes ted if a n increase of the saved networks will increase the a mount of probe requests send by a smartphone.
The res earch was done with one sensors which was s wi tchi ng between all 13 Wi -Fi channels. So the sensor was a bl e to ca p ture onl y one channel a t a ti me. A better measurement s etup cou l d u s e
13 s ensors. With 13 s ensors it is possible to ca pture a ll 13 ch a nn els a t the s ame time. Furthermore, no Wi-Fi packages send on the 5gHz Wi -Fi band were ca ptured. Relatively new ph ones w i l l a l so s end probe requests on this band.
The measurements on the ra ndom MAC-a ddresses ca n be done a new in a real Faraday ca ge to ensure that there is no interf eren ce from other Wi-Fi enabled devi ces.
VI. BIBLIOGRAPHY
[1] A. E. K. M. Y. Ahmed Saeed, "A Low-Overhead Robust WLAN Device-Free Passive Localization System," 2014.
[2] P. Falcone, "Localization and tracking of moving targets with WiFi-based passive radar," Rome, Italy, 2012.
[3] P. B. a. V. N. Padmanabhan, "RADAR: An In-Building RF-based User Location and Tracking System," in Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings.
IEEE (INFOCOM ’00), 2000.
[4] GfK, "GfK," 2015. [Online]. Available:
http://www.gfk.com/nl/insights/press -release/geen-groei- meer-in-bezit-mobiele -devices/.
[5] J. E. A.B.M. Musa, "Tracking Unmodified Smartphones Using Wi-Fi Monitors," Chicago, 2012.
[6] A. B. E. C. M. M. Naeim Abedi, "Assessment of antenna characteristic effects on pedestrian and cyclists travel-time estimation based on Bluetooth and WiFi MAC addresses,"
Australia, 2015.
[7] C. M. M. C. L. S. C. F. P. †.-D. Mathy Vanhoef†, "Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms," Lyon, France, 2016.
Figure 1: 5 saved networks
Figure 2: Connected to one Wi-Fi Network 0
5 10 15 20 25 30
1 2 3 4 5 6 7 8 9 10 11 12 13
RECEIVED WI-FI PACKAGES
WI-FI CHANNELS
5 saved Wi-Fi networks
Gerneral Mobile Measurement 1 Gerneral Mobile Measurement 2 Sony Measurement 1 Sony Measurement 2 iPhone 4s Measurement 1 iPhone 4s Measurement 2 iPhone 5s Measurement 1 iPhone 5s Measurement 2
0 10 20 30 40 50 60
1 2 3 4 5 6 7 8 9 10 11 12 13
RECEIVED WI-FI PACKAGES
WI-FI CHANNELS
Connected to one Wi-Fi network
Gerneral Mobile Measurement 1 Gerneral Mobile Measurement 2 Sony Measurement 1 Sony Measurement 2 iPhone 4s Measurement 1 iPhone 4s Measurement 2 iPhone 5s Measurement 1 iPhone 5s Measurement 2
Figure 3: Package distribution, when a smartphone is not connected to a Wi-Fi network
Figure 4: Package distribution when a smartphone is connected to a Wi-Fi network 0
50 100 150 200 250
Probe Probe res ponse
nul l da ta Nul l da ta qos
Bl ock Ack RTS QOS Da ta Da ta Bea con
RECEIVED WI-FI PACKAGES
WI-FI CHANNELS
5 Saved networks
Gerneral Mobile Measurement 1 Gerneral Mobile Measurement 2 Sony Measurement 1 Sony Measurement 2 iPhone 4s Measurement 1 iPhone 4s Measurement 2 iPhone 5s Measurement 1 iPhone 5s Measurement 2
0 20 40 60 80 100 120
Probe Probe res ponse
nul l da ta Nul l da ta qos
Bl ock Ack RTS QOS Da ta Da ta Bea con
RECEIVED WI-FI PACKAGES
WI-FI CHANNELS
connected to a Wi-Fi network
Gerneral Mobile Measurement 1 Gerneral Mobile Measurement 2 Sony Measurement 1 Sony Measurement 2 iPhone 4s Measurement 1 iPhone 4s Measurement 2 iPhone 5s Measurement 1 iPhone 5s Measurement 2
Figure 5: the impact of the screen
Figure 6: The impact of apps 0
100 200 300 400 500 600
Screen off (test one) Screen on (test two)
received Wi-Fi packages
Wi-Fi Channels
The impact of the screen
General Mobile mesurement 1 General Mobile mesurement 2 Sony mesurement 1 Sony mesurement 2 iPhone 4s mesurement 1 iPhone 4s mesurement 2 iPhone 5s mesurement 1 iPhone 5s mesurement 2
0 50 100 150 200 250
No extra apps installed Facebook Skype
received Wi-Fi packages
Wi-Fi Channels
The impact of Skype and Facebook
General Mobile mesurement 1 General Mobile mesurement 2 Sony mesurement 1 Sony mesurement 2 iPhone 4s mesurement 1 iPhone 4s mesurement 2 iPhone 5s mesurement 1 iPhone 5s mesurement 2
Figure 7: The center of Enschede 0
200 400 600 800 1000 1200
1 2 3 4 5 6 7 8 9 10 11 12 13
The center of Enschede
Probe Probe response null data Null data qos Block Ack RTS QOS Data Data Bacon