• No results found

The analysis of passive Wi-Fi tracking

N/A
N/A
Protected

Academic year: 2021

Share "The analysis of passive Wi-Fi tracking"

Copied!
8
0
0

Bezig met laden.... (Bekijk nu de volledige tekst)

Hele tekst

(1)

Abstract—Nowadays almost everyone has a smartphone.

Smartphones are sending a lot of Wi-Fi packages. These packages are send even when they are not connected to a Wi-Fi network.

With all the information that smartphones are sending, it should be possible to track and count all the phones and say something about the amount of people in an area.

To get an inside in the Wi-Fi behavior of a smartphone, four different phones are analyzed. Every phone is tested in different circumstances. Since apps might change the behavior of a phone, additionally, different apps were tested in these circumstances as well to see if apps will increase the amount of Wi-Fi packages.

Not only have the tests been executed in a controlled environment, they have been accomplished in an uncontrolled environment as well. In a 3-hour measurement, more than 12.500 packages of unknown devices are captured and analyzed.

The results show interesting results, especially when it comes to iPhones. It seems that some iPhones are not always sending the real MAC-address of the phone when dispatching Wi-Fi packages.

iPhones can send locally administered MAC-addresses. These addresses are random and switched over time. Thus one iPhone can send multiple MAC-addresses. A measurement has been performed to count this changing of addresses and get an insight in the frequency of changing. With this information, more knowledge has been gained over the amount of iPhones in an area.

This paper will show that is possible to track people by capturing all packages that their smartphone sends and how this is done.

Index Terms— Passive Wifi tracking, locally administered MAC- addresses

I. INTRODUCTION

Pa s sive Wi -Fi is not new; it i s a l rea dy b ei n g u s ed b y s om e ma rketing companies. These companies tra ck s ma rtp hon es a nd ma ke personal marking ca mpaigns. Moreover, fes ti va l s a re u s i ng thi s technique to count the number of festiva l vi s i tors . Al th oug h compa nies are using the principle of passive Wi-Fi already, there a re a l ot of unknowns when mea s uri ng the Wi -Fi pa cka ges tha t s ma rtphones a re sending.

Sma rtphones are sending a lot of different packages. What kind a nd how many packages a phones sends depends on the vendor and type of phone. In this paper a more thorough analysis o f p a cka g es tra ns mitted is performed. This i ncludes the following s ub questions:

- Shoul d the s ens or l i s ten on one Wi -Fi cha nnel or i s hopping better?

- Whi ch type of packages are different phones s ending a nd

wha t i s the frequency of s ending?

- Wha t i s the benefit of heavi n g m u l ti pl e s ens ors cl os e together?

The pa per i s s tructured a s fol l ows . The rel a ted work i s i n s ecti on 2. In s ecti on 3, the method of the res ea rch wi l l be el aborated. The results can be found i n section 4. Th e p a per e n ds wi th a conclusion and discussion section i n s ection 5.

II. RELATED WORK A. Tracking of human beings

To determine the amount of people i n certain area wi th b a s i c Wi -Fi hardware, different methods ca n b e u s ed. Mo s t o f th es e methods [1] [2] [3]contain tra cking human beings instead of tracking thei r devices. To determine human beings, Doppler measurements ca n be used. [2] Another tra cking method [ 3] i s to m a ke a ra da r fi ngerprint of an area. To get a radar f i ng erpri nt o f a n a rea , th e s i gna l s trength i nforma ti on a t mul ti pl e ba s e s ta ti ons wi l l be mea sured. When a person moves, the signal s trength i nformation i s cha nging over ti me. [3]

B. Tracking of smartphones

Tra cki ng human beings has become relatively easy sin ce m os t huma n beings own a smartphone. [4] So instead of tra cking h um a n bei ngs, it is possible tra ck their phones. A s martphone peri o di ca ll y tra ns mits Wi-Fi packages. When a smartphone i s s endi ng a W i -F i pa ckage, it a lso sends i ts MAC-address. These MAC- a ddres s es a re uni que per devices a nd ca n therefore be used to tra ck a nd co unt s ma rtphones. [5]

C. Different Antennas

An a ntenna with a relative ly big gain will ca pture more wireless devi ces then an a ntenna with a relative ly small gain. [6] The dataset of a s mall gain antenna has been optimized compared to the dataset of a bi g gain a ntenna. However, a hi g h g a i n a ntenna h a s b etter performance when a wireless device is moving fast. [6] Since th ere wa s no opportunity to measure devices with different antennas, the mea surements i n this paper will be conducted with one sensor and a s i ngle a ntenna.

The analysis of passive Wi-Fi tracking

Wouter Bakker, University of Twente, Faculty EEMCS

(2)

III. METHOD

A. Distribution of channels and package types in a controlled environment

The 2,4 GHz Wi -Fi band has th i rteen d i ff erent ch a nn els i n Europe. Every Wi -Fi package has a p a cka g e typ e a nd a p a cka g e s ubtype. To be able to distinguish which package was send on which cha nnel, a test s etup was created. The test s etup con ta ins a W i - Fi s ensor a nd 4 s martphones. The sensor captures all the packages and s ends them to a MySQL da tabase. The Wi-Fi s ensor i s a B l uem a rk 510. To s ee if there is a big difference betw een d i f fere nt typ e o f phones, this test includes multiple phones. The tested phones a re:

- Appl e i Phone 4s running IOS 9.3.2 - Appl e i Phone 5s running IOS 9.3.2 - Sony Xperi a U running Android 5.1.1

- General Mobile – Android one running Android 6.0.1

Al l phones have been reset to factory default prior to the test to get a good baseline measurement. A l ist of 5 Wi -Fi networks is saved to every phone. To get a good insight i n the send Wi-Fi p a cka g es, a l l the phones are tested i n different circumstances.

Fi rs t test:

The phones are l aying on a table. No extra apps are i nstalled a nd the s creen is turned off. None of the s aved Wi-Fi networks are i n ra ng e of the phone.

Second test:

The phones are l aying on a table. No extra apps are i ns ta l l ed. Th e s creen is turned on. None of the s aved Wi-Fi networks are i n ra ng e of the phone.

Thi rd test:

The phones are l aying on a table. No extra apps are i ns ta l l ed. Th e s creen is turned off. All phones a re now connected to a saved Wi -F i network.

Fourth test:

The phones are l aying on a table. Facebook is installed as extra a p p a nd a Facebook user is l ogged in. The s creen is turned off . N on e o f the s aved Wi-Fi networks are i n ra nge of the phone.

Fi fth test:

The phones are l aying on a table. Skype is installed as extra app a n d a Skype user is l ogged in. The s creen is turned off. None of the s aved Wi -Fi networks are i n ra nge of the phone.

The Wi -Fi s ensor ca ptures all Wi-Fi packages for one hour and ea ch tes t i s repeated two times. This is to l ocate on which channel whi ch type pa ckage i s send. The s ensor s witches every s eco nd to o n e o f the 13 cha nnels. The channel is s elected at ra nd om. F ro m eve ry recei ved package the following i nformation is saved. Th e p a cka g e

type, the pa ckage s ub type, the RSSI, the channel, the ti me on which the pa ckage is received and the MAC-address from the sender.

After the mea s urement, the da ta ba s e conta i ns a l l Wi -Fi pa ckages from all Wi-Fi enabled devices i n ra nge of the s ensor. Onl y the pa ckages send from the tested phones are i nteres ti ng , s o a l l pa ckages where the received MAC-a ddress corresponds to th e re a l MAC-a ddress of the phone are s tored in a separate databa s e ta bl e a nd used for further a nalyses.

B. Distribution of channels and package types in an uncontrolled environment

In rea lity i t i s likely that the list of saved networks i s typ i ca l l y much hi gher than the 5 i n in controlled envi ronment. Furtherm ore , i t i s likely tha t the smartphone users i nstalled different types of apps on hi s s martphone. Or a t l east more a pps than the single one i n th e control l ed envi ronment. Therefore, a tes t i n a n uncontrol l ed envi ronment was performed.

For thi s test the same sensor was us ed a s i n th e co n trol l ed envi ronment. But now the sensor was battery powered a nd put in a ba ckpack. This backpack was ca rried through the center of Enschede for a few hours. In contrast to the controlled situation, the sensor i s not connected to the internet s o data i s buffered in the s ensor. After the wa lk, the sensor i s reconnected to the internet a nd a l l d a ta i s upl oaded to the MySQL da tabase. The s ensor a gain s witches e very s econd to one of the 13 cha nnel s a nd the s el ected cha nnel i s s elected at ra ndom. For every package th e s a me i nf orma ti on i s s a ved as i n the controlled experiment.

C. R used by IOS devices

Sta rti ng from IOS 8, Apple introduced ra ndom MAC-a ddress es [7]. When a phone is not connected to Wi-Fi network, i t sends probe requests. Together with that probe request i t a l s o s ends i t MAC - a ddress. When an iPhone running IOS 8 s ends a p ro be re ques t, i t ca n s end a random MAC-a ddress instead of the real MAC-a ddress of the phone. [7] To measure this ra ndom MAC-a ddress, a s ma l l tes t s etup was made. The i Phone 5s a nd the Bluemark 510 s ensor w e re put i n a box. To ensure the that the s ensor only receive s pa ck a ges from the i Phone a nd not from other Wi-Fi e na bl ed d evi ces , tw o mea surements a re taken. First, the box has bene p a cked w i th ti n foi l . The foil ensures that the Wi-Fi s i gna l s f ro m o u ts i de w i l l b e muted. Secondly, only the s ensor has been put i n the box to g e t a n i ns ight i n the performance of the box. The only received s igna l s f or the s ensor were the signals with a s i g na l s treng th l ow er th en - 60dBm. When the iPhone is put in the b ox, th e s ens o r re cei ved s i gnals up to 27dBm. To ca pture only th e p a cka g es , s end b y th e i Phone, all signals below -60dBm will disca rd. Ag a i n, th e s ens o r s wi tches to one of the thirteen ch a n nel s e very s eco nd a nd th e s elected channel is s elected at ra ndom. The Bluem a rk s ens or ca n i ndi ca ted i f a recei ved MAC-a ddres s i s a l oca l l y a dmi ni s tered a ddres s es or i s a uni vers a l l y a dmi ni s tered a ddres s es . Thi s i nformation is saved as well.

(3)

IV. RESULTS

A. Distribution of channels

When the tested smartphones are not conn ected to a W i -F i network they s end Wi-Fi packages to all Wi-Fi channels. Thi s W i - Fi pa ckages are equally distributed over all channels. See Fig ure 1 f o r the mea s urement res ul ts for the fi rs t tes t a s des cri bed i n the method section.

When the tes ted s ma rtphones a re connected to a Wi -Fi network the result is completely different. The smartphones almos t excl usively s end packages to the Wi-Fi channel o f th e co nn ected a ccess point. This result can be seen Figure 2, which is the re s ul t o f the thi rd test as descripted in the method. The connected channels i n the first measurement a re 5 a nd 13. The i Phone5s was in this case connected to the 5gHz version the of the network a n d th e s ens o r wa s not a ble to ca pture packages on the 5 GHz band. In the s eco nd mea surement the connected channels a re 1 a nd 9.

B. Distribution of package types

The type of pa cka ge a s ma rtphone i s s endi ng i s hi ghl y dependent on the Wi-Fi connectivity of the smartpho ne. W hen a s ma rtphone i s not connected to a Wi-Fi network i t w i l l o nl y s en d probe requests, but when the s martphone i s connected it will s end a l l types of packets. In Figure 3 a nd i n Figure 4 a re the measurement res ults of test one.

The tes t in the uncontrolled environment confirms th e f o und res ults in the controlled environment . Acco rd i ng to F i gure 7 a l l probe reques ts a re equa l l y di s tri buted over a l l cha nnel s . The a mount of null data packages is higher on the channels 1,6 a n d 11.

Whi ch ca n be explained. Access Point are s ending bacon f ra mes to a nnounce their SSID. The a mount of this b eaco n f ra m es i s m uch hi gher on the channels 1,6 a nd 11 s o it i s l i kel y th a t m u ch m o re s ma rtphones a re connected to these channels.

C. The impact of the screen

The s tate of the screen of the sma rtp ho nes i s a n i m ported fa ctor for the amount of packages a smartphone is sendi ng . W hen the s creen is on, test two, both a ndroid phones are s endi ng m u ch more pa ckets then the i n case when the s creen is off. The i Phones4s ha s the exact opposite behavior. The results are in Figure 5. It s eems tha t the Sony Xperia i s not sending any pa ckages when i ts s creen i s off.

D. The impact of apps

When Fa cebook or Skype i s i ns ta l l ed on a n i Phone 4s a n i ncrease of Wi -Fi packages is measured . On th e G enera l Mo bi l e phone, the a mount of packets va ries too much. So i t is not pos si bl e the s ay s omething useful over that measurement. The results ca n be found in Figure 6.

E. Rate of sending packages

The ti me between two received packages dep ends h i gh l y o n the type of s martphone, the energy s tate of the smartphone and the i ns talled a pps on the s martphone. The m i ni ma l ra te o f re cei ved probe requests was 9 request per hour and the maximum a mount of probe requests was 513 per hour.

The ma ximum amount of received null data packa g es w a s 97 pa ckages per hour.

F. The impact of more receivers

When the phone i s not connected to a Wi -Fi network a l l pa ckets were equally distributed over a l l W i -F i ch a nnel s . W hen a ddi ng more Wi -Fi s ens ors , the cha nge tha t you ca pture more pa ckages will i ncrease. When a s ensor is fixed to one of the 13 Wi -Fi cha nnels. The sensor will capture 1 out of the 13 packa ges . W h en a dding exact the same extra s ensor, but that s ens or w i l l l i s ten to a nother channel. The sensors will ca pture 2 out of the 13 pa ckag es . So to get i n theory a 100% cha nge, you need 13 s ensors. Al l sens ors mus t have the range a nd must in the place.

The a mount of phones that will detected depends on the ti me tha t s martphones are in ra nge of the sensors. When a p hon es i s a rel a tive short ti me i n ra nge of the s ensors it will send less pack a ges therefor more s ensors a re needed to detect the s martphone.

When a smartphone is connected to a Wi-Fi network i t s en ds mos t of this packages on the connected ch a nnel . To d etect th i s phones, it i s useful to detected that connected channel and s et th e s ensor to that channel. The a mount o f s ens o rs d ep ends o n th e a mount of channels that are i n use by the a ccess points nearby.

G. Locally administered MAC-addresses used by IOS devices

The tes ted iPhone 5s send all its probe requests with a l oca l l y a dministered MAC-address. That was the reason th a t i n a l l o ther mea s urements no probe reques ts from the i Phone 5s were regi stered. The MAC-addresses a re changing o ve r ti me a nd th e a vera ge period that MAC-a ddress is the same is a bout 20 minutes.

V. CONCLUSION

In concl usion, this paper shows that is it possible to determ i ne s ma rtphones by using Wi-Fi monitor s ens ors . Th e ch a nce th a t a s ma rtphone i s detected highly depend on the type of s martp hon e.

Moreover, the amount of packages a s martphone s ends depen d o n the us er configuration of the smartphone.

Al though the research takes many ci rcumstances i nto a ccount, i t ca n be improved i n next measurements. All phones u s ed i n th e control led experiment had no a cti ve s i m ca rd i ns ta l l ed, s o th e phones were not connected to a mobile data network. There w ere onl y 5 Wi -Fi networks saved on the s martph one, i t h a s n o t b een tes ted if a n increase of the saved networks will increase the a mount of probe requests send by a smartphone.

The res earch was done with one sensors which was s wi tchi ng between all 13 Wi -Fi channels. So the sensor was a bl e to ca p ture onl y one channel a t a ti me. A better measurement s etup cou l d u s e

(4)

13 s ensors. With 13 s ensors it is possible to ca pture a ll 13 ch a nn els a t the s ame time. Furthermore, no Wi-Fi packages send on the 5gHz Wi -Fi band were ca ptured. Relatively new ph ones w i l l a l so s end probe requests on this band.

The measurements on the ra ndom MAC-a ddresses ca n be done a new in a real Faraday ca ge to ensure that there is no interf eren ce from other Wi-Fi enabled devi ces.

VI. BIBLIOGRAPHY

[1] A. E. K. M. Y. Ahmed Saeed, "A Low-Overhead Robust WLAN Device-Free Passive Localization System," 2014.

[2] P. Falcone, "Localization and tracking of moving targets with WiFi-based passive radar," Rome, Italy, 2012.

[3] P. B. a. V. N. Padmanabhan, "RADAR: An In-Building RF-based User Location and Tracking System," in Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings.

IEEE (INFOCOM ’00), 2000.

[4] GfK, "GfK," 2015. [Online]. Available:

http://www.gfk.com/nl/insights/press -release/geen-groei- meer-in-bezit-mobiele -devices/.

[5] J. E. A.B.M. Musa, "Tracking Unmodified Smartphones Using Wi-Fi Monitors," Chicago, 2012.

[6] A. B. E. C. M. M. Naeim Abedi, "Assessment of antenna characteristic effects on pedestrian and cyclists travel-time estimation based on Bluetooth and WiFi MAC addresses,"

Australia, 2015.

[7] C. M. M. C. L. S. C. F. P. †.-D. Mathy Vanhoef†, "Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms," Lyon, France, 2016.

(5)

Figure 1: 5 saved networks

Figure 2: Connected to one Wi-Fi Network 0

5 10 15 20 25 30

1 2 3 4 5 6 7 8 9 10 11 12 13

RECEIVED WI-FI PACKAGES

WI-FI CHANNELS

5 saved Wi-Fi networks

Gerneral Mobile Measurement 1 Gerneral Mobile Measurement 2 Sony Measurement 1 Sony Measurement 2 iPhone 4s Measurement 1 iPhone 4s Measurement 2 iPhone 5s Measurement 1 iPhone 5s Measurement 2

0 10 20 30 40 50 60

1 2 3 4 5 6 7 8 9 10 11 12 13

RECEIVED WI-FI PACKAGES

WI-FI CHANNELS

Connected to one Wi-Fi network

Gerneral Mobile Measurement 1 Gerneral Mobile Measurement 2 Sony Measurement 1 Sony Measurement 2 iPhone 4s Measurement 1 iPhone 4s Measurement 2 iPhone 5s Measurement 1 iPhone 5s Measurement 2

(6)

Figure 3: Package distribution, when a smartphone is not connected to a Wi-Fi network

Figure 4: Package distribution when a smartphone is connected to a Wi-Fi network 0

50 100 150 200 250

Probe Probe res ponse

nul l da ta Nul l da ta qos

Bl ock Ack RTS QOS Da ta Da ta Bea con

RECEIVED WI-FI PACKAGES

WI-FI CHANNELS

5 Saved networks

Gerneral Mobile Measurement 1 Gerneral Mobile Measurement 2 Sony Measurement 1 Sony Measurement 2 iPhone 4s Measurement 1 iPhone 4s Measurement 2 iPhone 5s Measurement 1 iPhone 5s Measurement 2

0 20 40 60 80 100 120

Probe Probe res ponse

nul l da ta Nul l da ta qos

Bl ock Ack RTS QOS Da ta Da ta Bea con

RECEIVED WI-FI PACKAGES

WI-FI CHANNELS

connected to a Wi-Fi network

Gerneral Mobile Measurement 1 Gerneral Mobile Measurement 2 Sony Measurement 1 Sony Measurement 2 iPhone 4s Measurement 1 iPhone 4s Measurement 2 iPhone 5s Measurement 1 iPhone 5s Measurement 2

(7)

Figure 5: the impact of the screen

Figure 6: The impact of apps 0

100 200 300 400 500 600

Screen off (test one) Screen on (test two)

received Wi-Fi packages

Wi-Fi Channels

The impact of the screen

General Mobile mesurement 1 General Mobile mesurement 2 Sony mesurement 1 Sony mesurement 2 iPhone 4s mesurement 1 iPhone 4s mesurement 2 iPhone 5s mesurement 1 iPhone 5s mesurement 2

0 50 100 150 200 250

No extra apps installed Facebook Skype

received Wi-Fi packages

Wi-Fi Channels

The impact of Skype and Facebook

General Mobile mesurement 1 General Mobile mesurement 2 Sony mesurement 1 Sony mesurement 2 iPhone 4s mesurement 1 iPhone 4s mesurement 2 iPhone 5s mesurement 1 iPhone 5s mesurement 2

(8)

Figure 7: The center of Enschede 0

200 400 600 800 1000 1200

1 2 3 4 5 6 7 8 9 10 11 12 13

The center of Enschede

Probe Probe response null data Null data qos Block Ack RTS QOS Data Data Bacon

Referenties

GERELATEERDE DOCUMENTEN

Wil je daadwerkelijk dat leerlingen met hun eigen device kunnen werken in de klas, dan moet de school een goed en degelijk wifi-netwerk hebben.. Dit is echt een basisvoorwaarde:

The definition of employee engagement is described as follows: “A collection of psychological forces that determine the direction of a person’s behavior in an organization

Answering the question of what       are the main motivating factors for users to track their own behavior could help developers of       future health-related self-tracking apps

Based on the overall findings of this study it can be concluded that the researched apps only had a moderate theoretical background since they included only a few elements

De stijging in vraag en aanbod van Quantified Self apps en het gebruik van deze apps voor het verbeteren of in stand houden van de eigen gezondheid hebben aanleiding gegeven

Van de meeste apps is ook een versie als gewone website, maar de app zorgt enerzijds voor gebrui- kersgemak en goed beeld, en anderzijds voor snelheid.. In feite zorgt een

Based on the main idea of this paper, to apply the concept of gamification on mobile app design taking the Elemental Tetrad Model into consideration, the four elements being Story,

Cuatro de cada cinco aplicaciones descargadas en smartphones y tabletas son juegos. Básicos, adictivos, gratuitos o de pago, nos atraen más que nunca a la pantalla. Un apartado