Track Wi-Fi Devices In Your Home

How do you audit your home Wi-Fi network? Perhaps you log into your router and have a look at the connected devices. Sometimes you’ll find an unexpected guest, but a bit of detective work will usually lead you to the younger nephew’s game console or that forgotten ESP8266 on your bench.

Wouldn’t it be useful if your router could tell you where all the devices connected to it are? If you are [Zack Scholl], you can do all this and more, for his FIND-LF system logs Wi-Fi probe requests from all Wi-Fi devices within its range even if they are not connected, and triangulates their position from their relative signal strengths across several sniffing receivers. These receivers are a network of Raspberry Pis with their own FIND-LF server, and any probe requests they pick up are forwarded to [Zack]’s FIND server (another of his projects) which does the work of collating the locations of devices.

It’s an impressive piece of work, though with a Raspberry Pi at each receiver it could get a little pricey. [Zack] has done other work in this field aside from the two projects mentioned here, his other work includes an implementation of the [Harry Potter] Marauder’s Map.

This is by no means the only indoor location system we’ve seen over the years. One that uses ESP8266 modules for example, or this commercial product that is similar to the project shown here.

31 thoughts on “Track Wi-Fi Devices In Your Home

    1. I did something very much like this for my final year university project last academic year.
      Though it was designed for outside use so each module logged to an sd card which could be imported to a database and then an application I wrote would overlay each MAC addresses path using GMaps.
      Each ‘sniffer’ was the size of a pack of cigarettes and would run about 30 hours on its lithium battery.

      I have been contemplating writing it up for a HaD article; if there is interest I might do so.

    2. For FIND-LF ESP8266’s will not work. Though they can see other access points, I’m pretty sure they can’t sniff probe requests (which requires a Wi-Fi chip with monitor mode).

      If you use the normal FIND server by itself (link in article) you can instead download an App / CLI program onto the device that you want to track. In this case the devices probes the surrounding Wi-Fi access points itself, and these APs can include ESP8266 recievers (as you mention), Rokus, routers, etc. And since you don’t have to connect to them for it to work, so it will use information from your neighbor’s routers as well!

      By the way, I’m happy to answer any questions that come up for people that try this!

    1. Law Enforcement uses Moocher Hunter and a directional antenna to triangulate on the mac-address of the client of interest to catch someone borrowing someones wifi to download stuff. So you are saying Apple has a tool to circumvent that?

      1. Just like we can purchase rifles for hunting, or home defense they have been used for assassinations. Likewise computers can improve a companies efficiency or bring it to it’s knees. A tool is simply that, who you decide to use it is on you.

        I can understand why Apple would want to enable their customers to prevent tracking of themselves as super markets and ad firms use the exact same technology. We have the right to privacy.

    2. My understanding is that is irrelevant if the device is already a part of the network in question. The feature is intended to be used when scanning for WiFi connections in the wild.

      The MAC *must* be revealed, or at the very least consistent, in order to comply with some networks using MAC filtering. If the MAC was randomized on connection, then MAC filtering would fail.

    3. You would think that, but because the crystal oscillators inside RF device are not perfect (+/-100ppm).
      There is a new technique to detect devices that change their MAC address using SDR whereby the actual frequency offset of each device is measured, which is relatively stable once the device has warmed up. And when combination with other bits and bobs of meta data, they can be tracked, it is not trivial.

    4. You’re absolutely right – but currently MAC-address randomization will only occur if the iOS device is un-associated.

      You *can* use this system to track iPhones that are connected to a Wi-Fi network (e.g. your own!). I’ve tested this for iPhone 5s and it works just fine.

  1. Hmm. If I have a client I don’t recognize I change my wifi password. Should it reappear I’d do an inventory but usually what happens is that someone in the household reports that a device isn’t working and I think “ah, thats the one”. Put in the new password and that’s that.

    No raspberry pi or coding required.

  2. I love this idea for home automation, room presence sensors. Is anyone aware of a way to do something like this with RTL-SDR usb devices? I figure with 3 rtl-sdr dongles on 3 pi’s, you should be able to triangulate a wifi devices position within the home.

    1. RTL-SDR dongles have a max bandwidth of only 2 or 3 MHz. A WiFi signal is 20 MHz wide, so you can’t receive the signal with one of those dongles. Also, all of the dongles I know of can only receive up to around 1.8 GHz, whereas WiFi falls in the 2.4 GHz (or higher) range.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s