Find The Source: WiFi Triangulation

[Michael] was playing with his ESP8266. Occasionally he would notice a WiFi access point come up with, what he described as, “a nasty name”. Perhaps curious about the kind of person who would have this sort of access point, or furious about the tarnishing of his formerly pure airspace, he decided to see if he could locate the router in question.

[Michael] built himself a warwalking machine. His ESP8266 went in along with a GPS module interfaced with a PIC microcontroller. It was all housed in an off-the-shelf case with a keypad and OLED screen. He took his construction for a nice calming warwalk around the neighborhood and came home with a nice pile of data to sort through. To save time, he placed the data in a SQL database and did the math using queries. After that it was a quick kludge to put together a website with the Google Maps API and some JavaScript to triangulate the computed results.

Sure enough, the person with the questionable WiFi access point shows up on the map.
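The post describes the pipeline but not the math. The following is an added example, not [Michael]'s code: a constructed warwalk log (GPS fix plus RSSI per beacon) is loaded into an in-memory SQLite table, the strongest reading per grid cell is pulled out with a query, each RSSI is turned into an estimated range with an assumed log-distance path-loss model (the reference level and exponent are assumptions and must be calibrated for a real radio), and the ranges are trilaterated by linearised least squares. It is the same procedure a wireless team uses to pin down a rogue access point on a campus; the degenerate cases a practitioner hits (a network seen only once, all readings taken along one straight street) are reported as "cannot locate" rather than as a bogus point.

```python
import math
import sqlite3

# Assumed model constants (not from the post): RSSI one metre from the AP and
# the log-distance path-loss exponent. Both must be calibrated per radio; a
# wrong exponent scales every estimated distance.
RSSI_AT_1M = -40.0
PATH_LOSS_EXPONENT = 2.7
LAT0, LON0 = 60.1700, 24.9400   # constructed origin of the walk
M_PER_DEG = 111_320.0           # metres per degree of latitude (approx.)


def rssi_to_distance(rssi_dbm):
    """Log-distance path loss: rssi = RSSI_AT_1M - 10*n*log10(d), solved for d."""
    return 10 ** ((RSSI_AT_1M - rssi_dbm) / (10 * PATH_LOSS_EXPONENT))


def distance_to_rssi(d_m):
    """Inverse of rssi_to_distance; used only to build the constructed log."""
    return RSSI_AT_1M - 10 * PATH_LOSS_EXPONENT * math.log10(d_m)


def to_local_xy(lat, lon):
    """Equirectangular projection: metres east/north of (LAT0, LON0)."""
    return ((lon - LON0) * M_PER_DEG * math.cos(math.radians(LAT0)),
            (lat - LAT0) * M_PER_DEG)


def from_local_xy(x, y):
    return (LAT0 + y / M_PER_DEG,
            LON0 + x / (M_PER_DEG * math.cos(math.radians(LAT0))))


def trilaterate_xy(circles):
    """Least-squares point closest to all circles [(x, y, radius_m), ...].

    Subtracting the first circle's equation from each of the others removes
    the quadratic terms, leaving a linear system solved via its 2x2 normal
    equations. Returns None with fewer than three circles or when the walk
    points are collinear (the system is then rank-deficient).
    """
    if len(circles) < 3:
        return None
    x0, y0, d0 = circles[0]
    a11 = a12 = a22 = b1 = b2 = 0.0
    for x, y, d in circles[1:]:
        ax, ay = 2 * (x - x0), 2 * (y - y0)
        b = d0 ** 2 - d ** 2 + x ** 2 - x0 ** 2 + y ** 2 - y0 ** 2
        a11 += ax * ax
        a12 += ax * ay
        a22 += ay * ay
        b1 += ax * b
        b2 += ay * b
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        return None
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)


def build_sample_db():
    """Constructed warwalk log in an in-memory SQLite table (sample data)."""
    ap_xy = (30.0, 40.0)   # where the constructed target AP really is
    walk_xy = [(0, 0), (100, 0), (0, 100), (100, 100), (50, -60)]
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sightings "
               "(ssid TEXT, bssid TEXT, lat REAL, lon REAL, rssi REAL)")
    for x, y in walk_xy:
        lat, lon = from_local_xy(x, y)
        rssi = distance_to_rssi(math.dist((x, y), ap_xy))
        db.execute("INSERT INTO sightings VALUES (?, ?, ?, ?, ?)",
                   ("nasty_name", "00:11:22:33:44:55", lat, lon, rssi))
    # A network seen only once cannot be located; make sure we report that.
    db.execute("INSERT INTO sightings VALUES (?, ?, ?, ?, ?)",
               ("HomeNet", "66:77:88:99:aa:bb", LAT0, LON0, -70.0))
    db.commit()
    return db


def locate(db, ssid):
    """Select one SSID's sightings in SQL (strongest reading per ~1 m cell),
    then trilaterate in Python. Returns (lat, lon) or None."""
    rows = db.execute(
        "SELECT lat, lon, MAX(rssi) FROM sightings WHERE ssid = ? "
        "GROUP BY ROUND(lat, 5), ROUND(lon, 5)", (ssid,)).fetchall()
    circles = [(*to_local_xy(lat, lon), rssi_to_distance(rssi))
               for lat, lon, rssi in rows]
    xy = trilaterate_xy(circles)
    return None if xy is None else from_local_xy(*xy)


if __name__ == "__main__":
    db = build_sample_db()
    print("nasty_name ->", locate(db, "nasty_name"))
    print("HomeNet ->", locate(db, "HomeNet"))
```

With noise-free constructed readings the solver lands on the planted AP position; with real RSSI, which swings by 10 dB or more with multipath and body shadowing, the estimate is only as good as the path-loss calibration, so keeping the strongest reading per cell and walking a loop that surrounds the suspected source matters more than the algebra.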

80 thoughts on “Find The Source: WiFi Triangulation”

      1. Hi,
        can you now change it to Trilateration since that’s what it is about?
        It would be interesting if someone actually used a triangulation approach with some kind of directional antenna…

  1. I may be off the base here, but wouldn’t it have been simpler to just create a dome out of cardboard and aluminum foil or something around the ESP so it blocks WiFi-signals from everywhere except the open mouth of the dome and use a few LEDs to measure signal strength? You could pretty much instantly tell which direction the signal is coming from simply by turning around and watching where the signal drops off.

    Probably not as fun, though.

    1. What you’ve just invented is a “dish”, and it’s not quite as straightforward as you’d think because 2.4GHz waves don’t quite travel line-of-sight, even if we ignore reflections. Still, it would be better than the method used here.

  2. I know that this isn’t a feel-good question, but what are the moral, ethical, and legal aspects of this? The SSID information is broadcast, but does the location information not have some kind of expectation of privacy?

    I’m not asking about publishing PII, but rather vigilantism, since I would like to set up a broadband sniffer/fingerprinter/tracker on my balcony and this is encouraging me. Where do we, a community of peers, draw the line?

    Totally sincere question, here.

    1. Well… I look at it somewhat like a neighbor playing a radio. You can walk around and figure out who’s playing the radio. Nothing wrong with *that* per se. Granted, you don’t hear the wi-fi SSID, you only see it occasionally. But, the question is, what you *DO* with the information. Do you know the person, or maybe introduce yourself, (Calmly and nicely) and mention that maybe for the interests of others, they use a different SSID? Sure, that’s probably okay.
      And if they don’t change it well… tough. Deal with it. It’s when you start focusing scramblers their way, or harassing them, or breaking into their router to change their settings that it gets to the moral bad side. (You know, the equivalent of pointing your radio at them and turning it up loud)
      Just my 2 cents

      1. I would for example set up a long-range NFC reader, if I can hack it together, and read the passports, driver’s licenses, NFC CCs, and membership cards that any person carries past my apartment. I would also read license plates and speed, and note down every person who is speeding or behaving recklessly in traffic. If I can, I would use data mining to extract a group of the most vulnerable individuals from the data.
        This would be 24/7, 365 days a year, on a busy road in Helsinki, Finland. My motivation is political.

        Personally I would be outraged if I found out someone was including me in this dragnet, but I have learned to doubt what I should be outraged about and what not. Lots of people over-share the Personally Identifiable Information and would easily be the victims of identity theft, and I no longer feel I can differentiate between what is right and what is wrong because of the widespread surveillance of this type.

        1. The thing is – if you do this and you do get e.g. hacked or your home broken into and this info stolen (burglars taking your laptop, for ex.), it is very likely you will be found liable for any damages resulting from your reckless activity, possibly even for unauthorized/illegal surveillance. I don’t know the Finnish laws, but here in France you would certainly run afoul of the personal data collection/protection laws.

          I understand your point about making a political statement, but it is better to do so in a way that does not land you in jail in the process. If you want to educate people about their “oversharing” of data (which they likely even aren’t aware of), it could be done e.g. using a sign showing some part of the data back to them that they would instantly recognize as theirs, but not storing/mining it.

          1. Oh, that’s a great idea! A simple 50 Euro LED projector could suffice for political opinion-building.

            Then if that’s not enough, bring out the big guns with persistence and data-mining. Then this would be an escalation, instead of an attack.

            AFAIK data protection laws are normalized across the EU. However, here in Finland we have ‘Every Man’s Law’, which in effect grants each individual regardless of age or creed some really extraordinary legal powers, such as for example the right to conduct surveillance and intercept communications. Publicizing such data is illegal.

            Regarding the need to keep data secure, you only need to take sufficient security measures. Force majeure laws still apply. Otherwise, much journalism would be impossible, I think.

        2. Hmmm.
          Don’t stoop to their level? You’re better than that…
          Once someone has crossed a line into blackmailing or predatory behavior they are no longer a hacker or activist. They become part of the scum on this earth.
          Slippery slope man.

          1. Oh yeah, I’m totally an angel among devils. The paragon of animals etc… =\

            No; my shit stinks, but if I stand by and do nothing then it’s just not my shit which stinks. I tried talking. I reported in school on Menwith Hill when I was in 9th grade, 15 years ago, and the teacher wanted to hear none of it. Not even my closest family listens. Snowden comes along, I say ‘I told you so’, they disliked me for being right. So who’s the scum here?

            SJWs are hating on the queers, and if Hillary wins the US presidential election then I have reasonable cause to fear that the NSA will target and persecute gays, much like what went on in the 1950s, but this time they have a huge database full of information that can be turned into crimes as quick as any media empire can sway public opinion.

            And that’s just the US. What happens if say Austria seizes control of something like Facebook servers on their soil while the far-right dictates what’s right and wrong? Or some privileged idiot decides they need to do a ‘social experiment’, and as is their wont throws ethics to the wind…

          2. @ganzuul
            I’m confused by your post(s). If you don’t live in the United States how can you fear that the NSA might target that group? Gays and most other groups seem to have it made. Gov’t doesn’t do that anymore to them. Though yes there seems to be an overreach of power.
            I’m done with this topic. I don’t like to accuse but there are multiple flags here. Troll suspected. Waste of my time. If I want a good debate I’ll argue with somebody who knows more about rc transmitters for quads than I do! ;)
            Have a nice day!

        3. Aren’t many of the ‘professional’ RFID encrypted these days? And while on the subject, is there a noticeable percentage of people using shielded holders for RFID equipped ID/bank cards? I sometimes see RFID shielding holders in shops in passing, but am not sure how well they sell.

          1. The “professional” RFID stuff like passports have their main data encrypted. However you can still query the module for: “who are you and what encryption should we use?”, the result is that you can fingerprint the chip.
            Dutch public transport used to be using MIFARE chips. Those used an encryption that was broken as soon as someone seriously tried…. (as far as I know, they have now upgraded the system).

        4. “a long-range NFC reader,”

          I’d like to see that, considering that the NFC works via magnetic fields that don’t radiate. The field has to be strong enough at the target to excite the resonant circuit, and the target must cause a sufficient change in the field that the source senses it.

          In other words, if you try to read an NFC tag from say ten meters away, you need an oscillating field strong enough that it would make nearby metal objects sing and heat up from the eddy currents, and it would consequently be so strong that it wouldn’t hear the target device.

          Which is the entire point of NFC. It’s not based on radio – it’s an air-core resonant transformer – it works by induction.

          1. He could bury a coil under the sidewalk though, theoretically. Maybe even process and convert it to a WiFi signal for remote reading without wires.

          2. A fluctuating magnetic field transfers half its power to the electric component at a certain rate. The difference between the near-field and the far-field isn’t a brick wall. You can use an E field and an H field antenna to recover both components.

          3. The earth’s magnetic field radiates rather far. NFC readers are the same tech as a metal detector, and they can pick up objects several feet away with a small coil. Maximum range should be proportional to coil diameter, so reading NFC cards from the street should be doable.

          4. ” NFC readers are the same tech as a metal detector, and they can pick up objects several feet away”

            Yes and no. The NFC relies on the field source to induce enough energy into the target for the target to power itself, and then the target starts to modulate the field by tuning its resonant circuit in and out of sync. You have to provide a certain field density up to the target, and for several feet away that means immensely strong fields.

            With a very large field like wrapping your house with wire, you get all sorts of interference from pots and pans and cars driving by etc. that completely swamp the signal from something like an NFC tag in your wallet. It’s like trying to sense a single coin from a hoard with a metal detector – doesn’t work until you’re up very close.

      2. 1. if they are playing with their ssid, count on them being some sort of network professional.
        2. If you infringe on a bofh’s freedom you are liable to get hurt. . . You might find your wifi stops working, or other unfortunate, hard to remedy things.
        3. ANYTHING you do …. to your own machine …. is ok. Go set up a target in the garage and practice.
        4. to reinforce it…. walking up to someone with an offensive ssid and knocking on the door and asking them to change for your safe place is a BAD idea. You just made yourself a target.

        1. Your first point is not, or at least not anymore, valid. I see personalized SSIDs from people who I know are completely not into tech. That stuff is now a common-man kind of thing.
          As for people knocking on doors to ask to change it, I think any normal person will laugh in their face, and at best have them change it to ‘my_neighbor_is_an_idiot’ for a while

          1. +1
            A 60+ lady I know down the street is not a computer person at all. But she can read, so she has a custom SSID and a better password than me. And she remembers what her IP address is!

          2. Many people are starting to understand some minimum information about routers and I.P. addresses and their meaning here in the U.S. All of the routers in my neighborhood are using some sort of encryption and have assigned their own passwords – so they are at least cognizant of how to use their wireless access points and some administration. But I would think as others have said – knocking on their doors and asking for them to change the I.D. would just get you a boat load of misery, especially when they already are upset about Government surveillance and persecution in other areas.

    2. I could be wrong here but I believe that your everyday normal wifi signal is considered public broadcasting. As in, the same as someone sitting on the porch and yelling. A person could point a camera at you and press record while standing across the street; perfectly legal.
      I don’t see much going on here from a moral standpoint. You, me, or the idiot with the offensive SSID can change it in minutes. I know that some of the commenters here can do it in seconds. SSID is not really considered identity of a device anymore, especially because some people still don’t understand how to change the setting from their defaults.
      Hypothetically, you could have the most offensive SSID possible and the neighborhood would just assume you got hacked.
      That said, I wouldn’t publish the data myself. Just feels wrong, even If it isn’t.

      1. The French guy mentioned unintentional publication. – It could happen to the people who believe they have the best intentions in the world. To me this means each of us has a responsibility to protect ourselves, because failing to do so compromises our social network too.

        I think we are being actively encouraged to neglect that responsibility, even if no one in their right mind has that intention.

      2. By that logic, your cell phone transmission is also public transmission. The ssid is visible to everyone, but an unencrypted, un-password protected network is your own fault.

    3. Where do you draw the line? Is generating low resolution 3D layout plans of offices and dwellings from unintended RF emissions acceptable? First you calculate the GPS location of all RF sources at each frequency. Then you walk around the outside of the building for a 2D floor plan by measuring changes in absorption, reflection, refraction at each point in the RF path. Which admittedly would not be constant, as the source is not constant, and there would also be interference from surrounding sources, making it non trivial. But maybe use a coherent antenna array to control directionality. And then the next step would be to attach this to a drone and automatically fly it around the building. Google maps 3.0?

      1. !=O
        Yeah, that’s as far as my imagination went too. I’d draw the line where I lose interest in the project. I know that companies who used to do electronic warfare systems for military use are now installing commercial versions of the same on airports.

        “The first system developed by the Czech army in 1963 was known as PRP-1 Kopáč which could track 6 targets.”

        MIMO antennas being developed for mobile phones have to extract similar data and track base stations in real-time. The 1963 system required a large convoy of trucks. It seems that soon this system will be in a single IC. So I have good reason to use my imagination…

  3. Attach this to a drone, send it for a cruise around the neighborhood at several heights, and you can pinpoint all access points in buildings, floor and apartment included.

    What to do with such information, one may ask? Dah, this is about hacking, usage is more in areas of black/white hat activism…

    1. a) correlate the recorded MACs to manufacturer databases and find the houses with the sweetest tech. Houses with fancy network gear = they got money.
      b) list the non-protected ones (or ones with WEP) = free internet access to do things you don’t want to be traceable back to you.
      Or: do a and b, those that are positive for both = got money, but are too cheap to hire a pro, prime target to sniff more interesting stuff and it won’t be hard.

  4. If the name is ‘mutherfucker’ then just look for the house with the government plates and/or the VOTE TRUMP poster. :)
    (Maybe the last one might work better since he/she misspelled motherfucker?)

  5. I’m actually slightly disappointed by the dull SSIDs in my area, it’s all either the default device manufacturer or their family or first name or street name.

    But that in itself might be an interesting thing for one of those AI/heuristic/fuzzy analysis, if you make a map of areas and plot a heatmap of the areas with the largest amount of funny or rude or paranoid names you might have a way to determine the kind of neighborhood you are in. Could be an idea for one of those orgs like google/MS/apple? who scout areas.

  6. The technicalities are interesting (even if deficient).
    The little busybody who thinks he has a positive right not to be offended needs a kick in the behind, and to grow up.
    I did not know Hackaday despicably sank into becoming an impediment to the first amendment…

    1. If I kept hearing someone yelling obscenities outside I would figure out who it is and tell them to shut up please. This isn’t a first amendment issue; nobody was silenced by the government.
      Unless you were joking. Your comment read strange and “…” didn’t help given the context.

      1. It’s not like they are yelling. It is more comparable to someone wearing a t-shirt with an obscene print. Just ignore them.

        Yelling is comparable to jamming other networks.

    1. All you need is NetStumbler software which is free at netstumbler.com and a DIY Cantenna made from your dad’s used coffee can from the trash.
      If you have a wi-fi dongle you can eliminate the antenna and antenna wire part. With this instructable above you dismantle a USB wi-fi dongle.

      The cantenna wave-guide is highly directional and acts as a gain antenna. The lazy susan can be taken from your mom’s dish cabinet or buy one from Dollar Store or Walmart. The lazy susan allows you to turn the wave-guide cleanly in an almost 360 degree circle along the same plane. The compass can be purchased cheaply from Walmart or any automotive parts store as it does not need to be a good compass. Even a flat hiking compass could be used. Line up the index pointer on the compass with the back of the cantenna. That’s where you take your bearing reading. Also remember to de-sensitise the compass from metal in the car by finding a good spot on the car seat. Making a wooden stand above the cantenna also helps to de-sense the compass from the coffee can too. Use hot glue and not metal screws or brackets to secure everything. You’ll need a convenient spot for your laptop too. The seat is already taken.

      Wardriving with this is not noticeable as it sits on your passenger seat below the door frame. Tinted windows help. Just stop your car to get a bearing fix each time. Googlecompass.com is something new. And it really makes the triangulation part easier to do as it plots the bearing lines on a real map of your neighborhood anywhere in the world. It actually puts up a compass rose on the screen too. It’s a bit of a learning curve to use it. You have to be slightly smart to figure it out. Not a problem right? :-)
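The cantenna-and-compass method above is actual triangulation in the sense the first commenter asked for: a compass bearing from each stop, and the source sits where the bearing lines cross. The block below is an added example (not the commenter's, and it does not use Googlecompass.com): it takes a list of fixes as (east, north, bearing) in metres from a reference point with bearings in degrees clockwise from north, turns each into a line, and solves for the least-squares crossing point, which is what a site's wireless team does when hunting a rogue AP with a directional antenna. It also reports the largest perpendicular residual, because a bearing taken with a compass that was not de-sensitised from the car body shows up as one line that misses the others by tens of metres, and that is the check that tells you to go back and re-take that fix.

```python
import math


def bearing_line(x, y, bearing_deg):
    """Turn a compass bearing taken at (x, y) into the line n.p = c.

    The travel direction for a bearing t (clockwise from north) is
    (sin t, cos t); n = (cos t, -sin t) is the unit normal to it.
    """
    t = math.radians(bearing_deg)
    nx, ny = math.cos(t), -math.sin(t)
    return nx, ny, nx * x + ny * y


def intersect_bearings(fixes):
    """Least-squares crossing point of bearing lines [(x, y, bearing_deg), ...].

    Minimises the sum of squared perpendicular distances to every line by
    solving the 2x2 normal equations. Returns None with fewer than two fixes
    or when all bearings are parallel (e.g. two fixes taken from the same
    street pointing the same way), where no crossing exists.
    """
    if len(fixes) < 2:
        return None
    a11 = a12 = a22 = b1 = b2 = 0.0
    for x, y, brg in fixes:
        nx, ny, c = bearing_line(x, y, brg)
        a11 += nx * nx
        a12 += nx * ny
        a22 += ny * ny
        b1 += nx * c
        b2 += ny * c
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        return None
    return ((a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)


def residual_m(fixes, point):
    """Largest perpendicular distance from the estimate to any bearing line.

    Noise-free fixes give ~0; one bad compass reading gives tens of metres,
    which is the cue to discard that fix and take it again.
    """
    px, py = point
    return max(abs(nx * px + ny * py - c)
               for nx, ny, c in (bearing_line(x, y, b) for x, y, b in fixes))


def bearing_to(x, y, tx, ty):
    """Compass bearing from (x, y) to (tx, ty); used to construct sample fixes."""
    return math.degrees(math.atan2(tx - x, ty - y)) % 360


if __name__ == "__main__":
    # Constructed data: a source 100 m east, 100 m north of the reference
    # point, observed from three stops; then a fourth stop with a bearing
    # that is 10 degrees off (a compass still pulled by the car body).
    target = (100.0, 100.0)
    stops = [(0.0, 0.0), (200.0, 0.0), (200.0, 200.0)]
    fixes = [(x, y, bearing_to(x, y, *target)) for x, y in stops]
    est = intersect_bearings(fixes)
    print("estimate:", est, "max residual (m):", residual_m(fixes, est))
    bad = fixes + [(0.0, 200.0, bearing_to(0.0, 200.0, *target) + 10.0)]
    est_bad = intersect_bearings(bad)
    print("with one bad fix:", est_bad, "max residual (m):", residual_m(bad, est_bad))
```

Three or more fixes spread around the suspected source, rather than all from one road, keep the lines crossing at wide angles; two lines that meet at a shallow angle move their crossing point a long way for a degree of compass error.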

  7. Although all of this does bring up a question in my mind, I’m sure one of you will have the answer. Using “StingRay” to track cell phone point is not a triangulation or trilateration that I know of (unless it’s tied into towers local). And it’s not GPS being forced from a given phone. Other than maybe it using the local towers as a reference point and then communicating to them as I said – I wonder how it works, and if that type of tech works for this stuff – I mean it’s RF, so it’s a traceable signal. I suppose the nature of the signal, I.E. refraction or reflection makes a big difference too. Or is it the unit posing as a faux tower and the phone syncing into it without knowing? Therefore not applicable?

    1. The encryption standard is broken, most likely by design, so that these days with a 2TB RAID array and a GPU you can do a rainbow table attack against GSM in a comfortable time-span.

      The newer version of the standard is even weaker than the old.

    2. BobbyMac – The Harris line of products (i.e. StingRay, AmberJack, KingFish, etc) are mostly all triangulation as they use Yagi-Uda antennas (aka directional antenna). So you have to know the ESN etc. of the target cell phone and what cell phone frequency he is using at that moment (as they shift constantly). The cell phone tower can help with that if you have the correct equipment (i.e. Harris Corp.). The StingRay can emulate a cell phone tower and become a MITM attack (man in the middle). However, only the “usual suspects” can afford one or even allowed to buy them from Harris. A StingRay starts at $75,000 USD and can go up as high as $148,000 for the model II.

      My little “novel approach” posting* above your posting was the poor man’s version of a DIY stingray. But is only good for wi-fi. To make it work for cell phones you would need a SDR dongle attached to the diy wave guide. But how do you decide who the target is? All you’ll get is encrypted voice traffic and even if you could break that you’d still need his ESN etc. to identify him.

      *CTRL-F and type: “novel approach”. If the image has advertising around it close it and try again. It’s supposed to be a raw image from tinypic.

    1. I don’t recommend clicking that link if you can’t take a joke.
      I’ll admit that I laughed and considered purchasing one of their less ‘verbose’ shirts; but there is a line and it was crossed multiple times for me.
      I’m pretty sure the sellers aren’t racists, sexist, homophobic wife-beaters but some of the people who buy those are. If I met someone wearing one of the obviously not ironic ‘I hate group X’ shirts, they shouldn’t be expecting any respect from me. If they display their free speech, I may display mine. ;p
      Most private businesses can refuse service to anyone for any reason. That is exercising their right to free speech.
      I still want one of the simple ‘F U’ shirts though wouldn’t wear it in public.
