ESP8266 Turned Secretive WiFi Probe Request Sniffer

When a Wi-Fi device is switched on, it starts spewing out probe requests to try and find a familiar access point. These probe requests contain the device’s MAC address and the SSID of the hotspot it’s looking for, which can potentially be used to identify a specific device and where it’s been. After experimenting with these probe requests, [Amine Mehdi Mansouri] has created OpenMAC, a tiny ESP8266 based sniffer that could be hidden anywhere.

The device consists of an ESP-07S module, a regulator circuit for getting power from a USB-C connector, and a button for power cycling. An external antenna is required for the module, which can be selected based on the size or gain requirements for a specific deployment. [Amine] tested the OpenMAC at a local library (with permission), in combination with a number of his own little Wi-Fi repeaters to expand the reach of the network. All the recorded MAC addresses were logged to a server, where the data can be used for traffic analysis in and around the library, or even for tracking and locating specific devices.

This is nothing new, and is a relatively common technique used for gathering information in retail locations, and could also be used for more nefarious purposes. Newer versions of iOS, Android, and Windows 10 feature MAC address randomization which can limit the ability to track devices in this manner, but it isn’t always activated.
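The frame layout the article describes, as an added example that is not part of the original post or of the OpenMAC project: a Python parser for raw 802.11 probe-request frames that pulls out the source MAC and the requested SSID, flags a locally administered (randomized) address, distinguishes a wildcard probe from a directed one, and aggregates the per-device view a sniffer's log server ends up with. The sample frames are constructed here, not captured.

```python
from dataclasses import dataclass

FC_PROBE_REQ = 0x40  # Frame Control byte 0: type 0 (management), subtype 4 (probe request)

@dataclass
class ProbeRequest:
    src_mac: str      # address 2 (transmitter) of the management header
    ssid: str         # "" for a wildcard probe, else the network being asked for
    randomized: bool  # locally administered bit set, i.e. a randomized MAC

def is_locally_administered(mac: bytes) -> bool:
    # Bit 0x02 of the first octet marks a locally administered address; OS MAC randomization sets it.
    return bool(mac[0] & 0x02)

def parse_probe_request(frame: bytes):
    """Return a ProbeRequest, or None if the bytes are not a well-formed probe request."""
    if len(frame) < 24 or frame[0] != FC_PROBE_REQ:
        return None
    src = frame[10:16]  # header: FC(2) duration(2) addr1(6) addr2(6) addr3(6) seq(2) = 24 bytes
    body, ssid, i = frame[24:], "", 0
    while i + 2 <= len(body):  # walk the tagged information elements (ID, length, value)
        eid, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            return None  # truncated element: reject rather than guess
        if eid == 0:     # element ID 0 is the SSID
            ssid = value.decode("utf-8", errors="replace")
        i += 2 + length
    return ProbeRequest(":".join(f"{b:02x}" for b in src), ssid, is_locally_administered(src))

def build_probe_request(src: bytes, ssid: bytes) -> bytes:
    """Constructed sample frame (not a real capture): header, SSID element, supported rates."""
    header = bytes([FC_PROBE_REQ, 0]) + b"\x00\x00" + b"\xff" * 6 + src + b"\xff" * 6 + b"\x00\x00"
    return header + bytes([0, len(ssid)]) + ssid + bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])

def log_probes(frames):
    """Group requested SSIDs by source MAC: the picture a sniffer's log server accumulates."""
    seen = {}
    for p in filter(None, map(parse_probe_request, frames)):
        entry = seen.setdefault(p.src_mac, {"randomized": p.randomized, "ssids": set()})
        if p.ssid:
            entry["ssids"].add(p.ssid)
    return seen

# Constructed sample frames: a phone with a fixed MAC probing for two remembered networks,
# and a randomized-MAC device sending a wildcard (empty-SSID) probe.
SAMPLE_FRAMES = [build_probe_request(bytes.fromhex(m), s) for m, s in
                 [("3c22fb010203", b"HomeNet"), ("3c22fb010203", b"CoffeeShop"), ("da1b2c3d4e5f", b"")]]
```

Running `log_probes(SAMPLE_FRAMES)` shows why directed probes matter: the fixed-MAC device is tied to both SSIDs it remembers, while the randomized device yields only a wildcard probe and no stable identifier.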

We’ve seen a number of projects that exploit probe requests. FIND-LF can be used for locating devices in your home, and Linger fools probe request sniffers by replaying previously recorded requests.

20 thoughts on “ESP8266 Turned Secretive WiFi Probe Request Sniffer”

  1. You would think that a device finding a wifi network does so by looking for a beacon, but I may be missing something here. It is still beyond me why you would spew your previous wifi networks into the air.

    1. Most devices do search for beacon packets passively, but also send probe requests to actively get a response from the access point. It helps speed up reconnecting to a known network, but obviously has its drawbacks as stated by OP.

    2. This is why you must never, never use hidden SSIDs on any access point. For broadcast SSIDs, the client can just see the broadcasts, but if it has ever been connected to a hidden SSID it will from then on forever be asking if that one is available. How else could it find a non-broadcast SSID? For a while a lot of people were not broadcasting their access point SSIDs, thinking that was “safer,” but they were doing exactly the worst thing for privacy and safety!

      Luckily, most stacks use randomized MAC addresses for this purpose so you don’t get the real MAC address until the device connects. On the other hand, there is a simple way to avoid that issue and get the real MAC address anyway…

  2. I don’t need the detailed location tracking, but I’d love to use probe request frames to track devices in HomeAssistant…Thoughts? I have an RPI4 running HASS over Ethernet so it can watch wifi packets no problem…

      1. >this might also keep track of people you don’t have a record have, that have visited your house?

        This is exactly the use case I have in mind, for which I am looking for a solution.

        A few years ago my house was broken into… and the DA wasn’t too keen on throwing the book at the perp (has done this at least 4 times before, but he’s an addict… and the main evidence was a stolen forged check which apparently didn’t “prove” he was on-site).

        While new cameras will help more, I’d still like to have something that could record MAC. Which _normally_ isn’t visible to my network. If this enables off-net MAC logging, it could help prove prior visits to case the house, etc.

    1. @sol says: “wheres the source code for this project?”

      No software I can find. Plus, when I click the button for the schematic I’m taken to a sign-up page that says: “Join now and get access to open-source projects & files”. It then wants to harvest my Email address. Wooosh, I’m outa there…

  3. This is only a tiny ESP board with a voltage regulator. There is no code on the website or GitHub of the OP. The website that is mentioned often has paywalls and zero information. The page is slow and buggy too. That is not open source, this is a commercial product.

  4. At a time when governments are tracking citizens, such small ‘cheating’ devices where someone is staying could seriously compromise data.
    It could turn out that when many such devices are at data collection points, the government will introduce a lockdown in the country.

  5. Hello, I have run the code but noticed something:
    can’t see Android 8 (and up) devices?
    Can it be that they send something else?
    I have uploaded the same code and run it near 2 devices (Android 8 and Android 5.1)
    but I could only see the Android 5.1 MAC address,
    maybe from some version of Android it sends something else?

    Thanks,
