home · thoughts · recipes · notes · me

Tracking Your Every Move

The Internet in 2017

It’s hard to imagine a world without our devices. Anything with an electrical current running through it these days has Internet capabilities: our phones, media players, laptops, cameras, thermometers, refrigerators, toasters, … you get the drift.

This proliferation of technology provides us with a whirlwind of convenience, accessibility, customization, and more. But, it comes at a very severe cost that isn’t obvious on the surface: privacy. Now I’m not talking about your always-on GPS constantly transmitting exact coordinates (because disabling location means you can’t use Snapchat filters), full device information being available to any website, location and other metadata in any online photo uploads, “shadow profiles” created by social networks to track those of you that don’t even use them, tracking cookies that are “only” used for targeted advertisement, or any of the other privacy concerns that have risen in the recent data-mining craze.

I’m talking about a universal method to track a person’s location regardless of the type of device they use, what software they have installed, or what websites they visit. I’m talking about open WiFi networks.

Who Doesn’t Love Free WiFi?

When was the last time you checked your email on your phone or caught up on some studying on your laptop at a coffee shop while waiting for your upside-down oat milk latté using their free WiFi? Well, your device remembered that WiFi network so that you can join it automatically the next time your there. To do this, it actually actively searches for it any time you aren’t connected to WiFi.

If it’s done intelligently, the device will identify the network by what’s called a MAC address (Media Access Control address). This is a value that uniquely identifies any WiFi-enabled device – in this case, the router in the coffee shop. So this value coupled with the WiFi network name will be automatically joined if your device picks it up. If it’s not that smart, it’ll just try any WiFi network that matches the name.1

In addition to this automatic search & connect, most mobile devices also try out any open WiFi networks to try to get Internet access and save that precious data plan.

The Implications of a Universally Unique Identifier

Warning: This section is a bit more technical, but will highlight the implications of this device-specific, unique ID known as the MAC address.

A MAC address is just a value made of 6 pairs of hexadecimal numbers. The first 3 pairs are usually assigned and associated with a particular hardware manufacturer,2 such as Apple or Samsung:

$$ \underbrace{\texttt{A4:B8:05}}_{ \rlap{\text{one of the Apple Inc. prefixes}} }\texttt{:44:D3:AD} $$

These MAC addresses are used for routing Internet traffic – it’s (part of) how Facebook knows to send your ex-girlfriend’s new profile picture to you, not your neighbor. Facebook itself doesn’t see the MAC address, but your router does and keeps track of it.

So what? Well, any time you’re connected to a WiFi network, anyone else on that same network can also find out your MAC address. This isn’t a big deal on the surface, because that information is necessary for them to be able to communicate with you, but remember, it’s a unique ID for your device.

For example, on my home network, I can find all of my devices:

$ nmap -sn 192.168.0.0/24 | grep "MAC Address" | awk '{print $3}'
EC:08:xx:xx:xx:xx   # my router
B8:27:xx:xx:xx:xx   # my laptop
D4:63:xx:xx:xx:xx   # my TV
For simplicity, let’s call the MAC address the “device ID” from now on.

Now imagine you’re sitting in a coffee shop on their WiFi and find the device IDs of everyone else in the coffee shop. Then, you write them down on a napkin, pack your bags, and head to the coffee shop down the street. Here, you do the same thing, but this time, you hang out for a bit and enjoy your latte. Eventually, you scan for device IDs again and guess what you see… A new one that matches one on your napkin. That means… someone from the last coffee shop is here, too. You don’t know who they are yet (but you do know what kind of device it is! remember the prefix from before?), but you have tracked their location!

Let’s extrapolate this scenario further. You’ve created 25 clones of yourself (while holding your laptop, so that got cloned too! 🙌) and are now hanging out at 26 coffee shops at once. You are sipping your lattes and scanning for devices. You’ll see the coffee shop patrons, obviously, but because the passerby’s phones will occasionally try to connect to these free coffee shop WiFis, you’ll see their device IDs too. At the end of the day, you and your clones gather together and compare notes. You notice that there is a device that goes near coffee shop #1 to #7 to #8. Boom, you’re now tracking someone’s location. How do you know the location? Well, either your clones wrote down where they were, or you just ask Google to tell you, because of course Google has an extensive database of open WiFi in the entire country. You can thank Street View drivers and Android users for that.

Putting It All Together

Instead of unrealistic clones that are limited by the speed of a human’s brain, let’s harness the power of computers to gather this information for us. What if we had a program that would automatically scan & connect to all open WiFi networks, found all of the device IDs, and transmitted them to a central server. Then, we set up tiny devices all over the place to create a sort of surveillance network. Then, we can correlate device IDs at the central server in order to track individual devices across the network (and, the exact GPS location via Google).

In fact, I wrote a set of scripts to do this. You can find it here [Linux only]. Here is how it looks:

On the correlation server

Waiting for surveillance trackers...

Tracker #1 connected from (latitude, longitude)...
Tracker #2 connected from (latitude, longitude)...
Tracker #2 transmitted device dump (14 devices):
  - AA:BB:CC:DD:EE:FF [last seen @ 10:22am]
  - ...
Tracker #3 connected from (latitude, longitude)...
Tracker #1 transmitted device dump (3 devices):
  - AA:BB:CC:DD:EE:FF [last seen @ 10:30am]
  - ...
Correlated device! AA:BB:CC:DD:EE:FF tracked from #2 to #1. This is:
  (47.610190, -122.342558) -> (47.611043, -122.344688)

(here’s that path on Google Maps)

On an individual tracker

Detected open WiFi network: "Google Starbucks"... connected.
Found 14 unique devices:
  - AA:BB:CC:DD:EE:FF
  - ...
Detected open WiFi network: "I-Dont-Use-A-Password"... connected.
...
Transmitting findings to surveillance server... done.

Creepy, right? And I’m just an average person. Imagine if I had the resources of a massive corporation or the government.

iPhone connecting to Google Starbucks

Someone like Google doesn’t even need to go so far as to set up devices, they just need to become the free WiFi provider. Case in point… You can actually see your browser transmit this information when you click “Accept & Connect” (or whatever variation there-of), in your browser:

http://sbux-portal.appspot.com/splash?mac=[your-device-id]&apname=[wifi-device-id]

Do you really think they’re providing this out of the goodness of their virtual hearts? The government goes a step further: they can just use their arsenal of hacking tools to take over any wireless hotspot and transmit this same data, as evidenced by their Cherry Blossom project:

CherryBlossom is focused on compromising wireless networking devices, such as wireless routers and access points (APs), to achieve these goals.

Tasks for a Flytrap include (among others) the scan for email addresses, chat usernames, MAC addresses and VoIP numbers in passing network traffic to trigger additional actions, …

Conclusion

At the end of the day, what can we do about it? Well, it’s near-impossible to ensure your privacy across the Internet at large (especially not from the government) but for this particular attack vector, here is what you can try:

  • Don’t use open wireless networks.
  • Only have WiFi enabled when you’re using it.
  • Disable automatic wireless networking joining.
  • If your device supports it, change your MAC address frequently (MAC spoofing).

If you decide that connecting to an open WiFi network is worth it, never do anything involving secure data (passwords, account numbers, etc.). Anything you do on a wireless network can be seen, intercepted, and even modified by other users.

Anyone who steps back for a minute and observes our modern digital world might conclude that we have destroyed our privacy in exchange for convenience and false security.

— John Hawks


  1. This is actually an exploitation technique called a Man-in-the-Middle attack where you create a custom WiFi network and call it something generic (like “Starbucks”) and then devices will automatically try to connect to it because they recognize the name. ↩︎

  2. MAC addresses can be spoofed (faked), and not every manufacturer generates a unique ID for each their devices, but this applies as a general rule. ↩︎