Close-In Surveillance Using Your Phone's Wi-Fi

This article talks about applications in retail, but the possibilities are endless.

Every smartphone these days comes equipped with a WiFi card. When the card is on and looking for networks to join, it's detectable by local routers. In your home, the router connects to your device, and then voila ­ you have the Internet on your phone. But in a retail environment, other in-store equipment can pick up your WiFi card, learn your device's unique ID number and use it to keep tabs on that device over time as you move through the store.

This gives offline companies the power to get incredibly specific data about how their customers behave. You could say it's the physical version of what Web-based vendors have spent millions of dollars trying to perfect ­ the science of behavioral tracking.

Basically, the system is using the MAC address to identify individual devices. Another article on the system is here.

Posted on November 1, 2013 at 6:32 AM • 48 Comments

Comments

WinterNovember 1, 2013 6:57 AM

I am curious. I always thought that Android phones shut down their WiFi when they go in sleep mode? Don't they?

Some GuyNovember 1, 2013 7:09 AM

@winter

That's the default on every Android phone I've used, but it can be manually set in the Wi-Fi advanced options.

qwertyuiopNovember 1, 2013 7:17 AM

@John Wilson

The bins weren't on Oxford Street, they were in the City of London; the article you linked to quite clearly states that. I know because I passed two every day walking between my office and the Underground. Oxford Street is a good 3 miles away.

(For those not familiar with some of our more quaint terminology, The City of London is, essentially, the financial district. It's the "Square Mile" that constituted the historic limits of London, but is now just a very small part of the bigger city.)

WinterNovember 1, 2013 7:25 AM

@John Wilson
"system which uses the GPS signals to track people in Shopping Malls ."

Don't you mean the GSM signals?

species5618November 1, 2013 8:18 AM

Presumably the device identity is also track able via bluetooth MAC too

O2Wifi in the UK appear to use MAC address to authenticate devices
Having signed up in a pub, you device works everywhere and knows who you are,
but requires a browser visit, i ruled out cookies as i often nuke my device, and load custom roms, from which restoring certain data is not possible

i will now attempt a login with the mac address changer tool above and see what i get

AlexNovember 1, 2013 9:03 AM

@species5618:
My office has been using our mobiles' Bluetooth MAC addys to determine if someone is / is not in the office and approximately where in the office they are. Accordingly, the PBX will forward calls to the person's mobile if they're not near their office or out of the office.

Mike AnthisNovember 1, 2013 9:10 AM

If you want to resist, trade phones with someone (that you trust) for awhile. If you can't stop the scooping, at least you can poop it up a bit.

Gary HibberdNovember 1, 2013 9:13 AM

Surely the best solution is to randomise the MAC address?! But it's seriously scary stuff! Next time I'm in my local store I'm going to be checking to see who is monitoring me... especially when I'm at the desert counter!

Clive RobinsonNovember 1, 2013 9:18 AM

@ jddjvy,

    Solution is to randomize your MAC address. Something like this?

I don't know about smart phones, but some routers etc use the MAC address for other things, and you can end up losing functionality or bricking them entirely.

I used to think it was bad programing on behalf of the software suppliers. But then I heard "lock-in" and other stories about ISP supplied units. Having heard other stories about what some of the major US router suppliers have (supposadly) done for the likes of the NSA it could even be due to some kind of "mal/spy ware"...

Whatever the cause it's probably wise to find out how to compleatly re-flash a smart-phone prior to making any changes.

Muddy RoadNovember 1, 2013 9:28 AM

Leave the phone in the car?

Alternately,

Can someone invent a case that blocks incoming-outgoing rf?

A technically correct case would be cheap to make I would guess, someone MUST know how.

That's important since batteries cannot be removed from some phones now, in particular iPhone.

AlexNovember 1, 2013 10:06 AM

@Muddy Road: Turning off the phone will accomplish the same thing (disabling RF). In theory turning the device to Airplane Mode or turning off Bluetooth / WiFi would accomplish the same thing, assuming you trust the phone to do what you're asking and assuming there aren't back doors in the firmware.

To all: Just curious, is it possible to sniff IMEI #s passively from nearby phones? My background in mobile phones is rather dated and digital was just coming out when I was in the field. Even then, we were switching to CDMA, so I only know about that system, which has since been depreciated.

Not really anonymousNovember 1, 2013 10:09 AM

There are cases for easypass devices that block radio waves. I don't know if there big enough for phones though.

MikeANovember 1, 2013 10:21 AM

IIRC, if you shield a modern phone from RF, it will jack up the power in an attempt to connect. So enclosing a device with a serious Li battery in a case that not only blocks RF but contains heat may not be a good thing. My phone, and its "understudy" both have removable batteries. How long will that remain true? OTOH, both lack WiFi and the current phone lacks Bluetooth, which can be turned off on the newer one, if both the manufacturer and the carrier can be trusted. Yeah, gotta stick with the old phone until it melts.

JohnstonNovember 1, 2013 11:15 AM

Smart phones are 95% vanity and 5% functionality for 100x the cost of a normal cell phone. And with that you get all sorts of liabilities. End of the day, people pay more for less.

ScottNovember 1, 2013 11:31 AM

@MikeA

If you use a farady cage, it does not need to contain heat, a 5mm mesh should be enough to block out all radio signals of concern. Battery life will probably still be a problem; I know my office gets a horrible signal, and I get horrible battery life at work. However, at that point you might as well just power it off or disable wifi.

@Johnston

I don't agree; I use my phone more for web browsing than anything else. The internet is fairly useful.

WaelNovember 1, 2013 12:09 PM

@ MikeA

if you shield a modern phone from RF, it will jack up the power in an attempt to connect. So enclosing a device with a serious Li battery in a case that not only blocks RF but contains heat may not be a good thing.
Phone manufacturers and Carriers as well as 3GPP specifications, and testing houses make sure this scenario is tested. Also, phones have algorithms for power management under varying signal level conditions ranging from full power to signal loss. Also, there are algorithms that monitor the temperature of the phone and scale processor frequency up or down. Beyond a certain temperature (around 65F - I forgot what it was set at last time I looked at it, but maybe it's in open source at https://www.codeaurora.org/) the phone will shutdown. Under signal loss conditions (which are tested before a device is ranged with a carrier), the phone will stop scanning for a signal pilot for some time then start again. It will not "jack up" power until it blows up the battery. The temperature may rise under lack of signal conditions or when the signal is low, and the PA (power amplifier) has to operate at a higher power, within nominal range.

HarryNovember 1, 2013 12:20 PM

"Can someone invent a case that blocks incoming-outgoing rf? "

Wrap phone in aluminum foil. To make sure it's blocking all signals, try calling the wrapped phone. If it doesn't ring, you're good to go. A lead-lined old-school camera case may also work.

TonyNovember 1, 2013 12:37 PM

What would be the point of a case that blocked RF ... yes it would stop people tracking you - but it would also prevent you from receiving calls/texts ... so you'd be better off to just turn the phone off (guaranteed to save battery life :-)

tryAmazonNovember 1, 2013 12:39 PM

@Muddy Road at November 1, 2013 9:28 AM

"Can someone invent a case that blocks incoming-outgoing rf? "

Try Amazon, they're available and reviews claim they work, though quite expensive there. I haven't looked all over the internet for cheaper.

ScottNovember 1, 2013 12:43 PM

@Tony

I wrote the same thing, then I realized, turning off the phone doesn't turn off the phone. There is still power, and the phone may still have the potential to be tracked. Also, newer high end phones don't allow you to remove the batteries, so no help there.

So you probbaly need to go with the Faraday cage or follow Stallman's lead if you want a guarantee of privacy.

AlexNovember 1, 2013 12:43 PM

@Johnston: No vanity here -- I want my old Blackberry back. It did everything I needed, and had a real keyboard. I'm using some Motorola Android thing. They claim it has the largest battery out of all the smartphones today and supposedly has the best battery life. Everything's relative. Still sucks in the battery life department.

stvsNovember 1, 2013 12:53 PM

I use Target's wifi when I shop there because, you know, wifi, knowing full well that they're sophisticated data collectors. But aside from changing out Target's DNS server to my preferred ones, I see this data leakage as on okay trade. After all, Target already knows exactly what I've purchased and where it is in their store, allowing them to "track" me through their store. And that's not counting all the black hemispheres on the ceiling.

The sort of data that's really useful in this context is aggregated non-individual data products, which can benefit both the vendor and their customers. I share much more specific personal GPS location data with my navigator vendor in return for accurate traffic conditions.

It's trivial to opt out of all such data tradeoffs just by turning off individual antennas, or going into airplane mode. This isn't a big deal.

JNovember 1, 2013 1:44 PM

@Scott: "Also, newer high end phones don't allow you to remove the batteries, so no help there."

Maybe we should stop buying phones with nonremovable batteries so they stop making them.

Andy LutomirskiNovember 1, 2013 1:57 PM

If this, in fact, true, it's mostly just Android and/or the wifi driver writers being dumb. There are two ways to look for APs: the client can send a "probe" or it can look for "beacon" frames. A probe is a broadcast from your device asking nearby APs to identify themselves. (Worse: you can probe for *specific* APs, which leaks all kinds of information.) A beacon is a broadcast from the APs -- you can listen completely passively.

On some frequencies, it's mandatory to wait for beacons before probing, but it seems reasonable to do this unconditionally.

Brian M.November 1, 2013 2:08 PM

Big data != big retail sales.

The tracking is actually a function of the premise that having a gargantuan amount of data leads to higher sales volume. That's not the case.

All of this follows the typical garden gnome pattern:
Collect garden gnomes.
Magic happens.
Reap great rewards.

It doesn't matter what is collected. The retail stores are collecting data based on the movements of their customers. The NSA is collecting everybody's communication data.

Magic happens. Or in all cases, no, it doesn't, something else happens, and it's called magic. The data is boiled and stretched, smooshed and spun and woven and knitted. If the data was a garment, it would be a bad fit even for an alien Elephant Man, let alone fit any customer.

The great rewards don't happen. The retailers are spending hundreds of thousands, if not millions, of dollars, and the result is not a stampede of customers. So the money is effectively wasted.

It's compulsive data hoarding, maybe data porn. A huge collection of garbage. As long as there are blinky lights and cute charts and graphs, common sense about big data's utility gets thrown out.

ScottNovember 1, 2013 2:21 PM

@Brian M

I wouldn't be so quick to dismiss it as useless. Analysis of where people move in the store, how much time people spend in particular areas, etc. can be really helpful for store layout and produce placement. Returns are not an exponential function of data, but they don't have to be.

I did something similar on ecommerce websites in the past; tracking paths from site entry to sale, seeing where people get stuck, etc. The more time people spend looking for something, the more likely they are to not buy it. I've even gone as far as to track every single click on a page to see exactly which links were pressed, and even finding things that people expected to be links but weren't.

The goal of data like this is to figure out how best to herd the consumers, and it's more useful than it seems.


On a side note; do you ever write something and then realize that you are the enemy?

Nick PNovember 1, 2013 2:37 PM

@ Brian M, Scott

It's actually very useful. Walmart pioneered retail datamining and it delivered the goods enough for them that they just kept expanding it. Far as I know, they keep everything. Product location, distance walked, etc. have an effect on sales so there's plenty of research on how to better understand the customers at a given store so they can maximize what is made on each one. This technology might help, might not.

Last one I heard stores were using in this category was sensors in the floor that detect and report foot traffic. The MAC address improves on it for more targeted profiling. I bet stores that push loyalty cards will figure out how to tie the systems together. Oh no, I just lost a potential consulting fee on that one. ;)

ScottNovember 1, 2013 2:44 PM

@Nick P

I'm wondering how long until someone figures out how to use google glass to track not only where people walk, but exactly what they are looking at.

Umm... I shouldn't mention these ideas publicly until I do the research and get the patent.

BryanNovember 1, 2013 4:21 PM

On a side note; do you ever write something and then realize that you are the enemy?
Yes. You know those little dome cameras you see over the checkouts at Target stores. They're not watching the shoppers...

Nick PNovember 1, 2013 4:29 PM

@ Bryan

Those cameras can even read the information on a check the customer pays with. The videos are also connected to the sales history so the company can pick a specific order, then go right to the video of it. Target's video surveillance capabilities are quite high end with their headquarters spending around 50% of their time doing work for police departments throughout the country. Shoplifters beware haha.

65535November 1, 2013 6:28 PM

Well, my smart phone just took a swim in the toilet. I tried to flush it but it would not go down the tube.

I’m going to tell the SBC lady that it got caught in the rain. And, I don’t want a new one! They can keep the one year contract... plus the geolocation and MAC information.

name.withheld.for.obvious.reasonsNovember 1, 2013 7:16 PM

Have to reiterate the issue surrounding FirstNET. The DOC, under DHS, has charged the NTIA to develop a implementation plan for deploying nationwide broadband. Over a year ago there was a big push by the governors association to get it deployed. The underlying thesis is that the 7 billion dollar wireless rollout architected by the FCC and underwritten by the taxpayer while they proclaim it is revenue neutral, it is not. The spectrum sale that is funding this is not going on the plus side of the taxpayer's ledger and is not being shown as a charge. The real problem though is what may be specified as one of the capabilities of FirstNET, coverage is prescribed as "every square foot of the United States". Additionally the system is to act as a bistatic radar system. Several articles be the AESS covers how a wifi network can be used to track individuals, vehicles, and animals. That would constitute a nationwide physical tracking system. I believe the comment period at the FCC is closed but my guess is there is more mischief afoot by the FEDs on this one. And what really pisses me off is that instead of deploying a nationwide system that citizens could use just pisses me off. Something like that could be a catalyst for economic opportunity. Instead it will be "potentially" used as an instrument of repression.

Spaceman SpiffNovember 1, 2013 7:28 PM

This is one reason why you should NEVER enable WiFi on your phone unless you really need to! I only enable mine at home, in the basement, and I live in a Faraday cage (an aluminum-sided house), or in a coffee shop or restaurant where I don't get decent data connectivity via 3g/4g/LTE.

tOM, OttawaNovember 2, 2013 12:57 AM

1. Airplane mode SHOULD turn off all transmissions/receptions & save battery life. Will it continue to be offered when the FAA says, Meh, use your devices whenever...."?

2. Turning off phone or removing battery should make it pretty quiet, tho useless...

3. Trackers could be listening for wifi, bluetooth, or the regular registration(IMEI, phone number) & calls to the cell provider. But cell transmissions are very intermittent - every 10-15 minutes usually unless on a call. So wifi/bluetooth are the tools of choice.

4. MAC randomization might fool wifi/bluetooth trackers - if the number is continually changed when there is no ongoing connection. A Tracker might be smart enuff to detect randomization and have enough precision to say, "123 went off, 234 is now active in the same place, now 456. I say they are the same.!" But crowds will confuse.

4. GPS is receive-only (& useless indoors), but some sensitive receivers might detect the receiver, like the UK vans checking for unlicensed TVs.

5. Best to go nude thru the world....

MattNovember 2, 2013 9:52 AM

I'd like to know how precisely (and accurately) they can locate a Wi-Fi radio. The article doesn't seem to mention this.

BPNovember 2, 2013 4:12 PM

I'm always seeing suggestions that certain PC components are radio enabled even though they're unconnected to the internet. It's pretty easy to validate the device by watching log messages. I don't use a cell phone, so it doesn't apply to me, but John Young at cryptome had an article up this week that gave instructions for building your own cell phone jammer. Probably illegal. Back when I was in college I knew a guy who showed us how he built devices that could let you make phone calls for free. He was a jerk. He used to pull the phone off the wall and listen to everyone who was in a room on both sides of the two rooms that had that trunk on the 9 floor building. Never saw what reason he'd want to listen to anyone for.

But I was on a fairly technologically innovative hall for 1975. Guy named Fred Collins got a whole bunch of us to buy old teletype machines that made a heck of a racket and he'd tune into the AP or UPI news feeds and then those of us who'd bought the machines from Western Union for $50 would print as long as our room mate would stand it or two hours, whichever was longer. Then Fred would switch it over to another teletype machine. We'd exchange those rolls of news feed and read what was going to be in the paper next day. Fred ran TV antenna cables all around the outsides of that building to get to each of our rooms, about five of us I think. It worked but wasn't exactly the most beautiful thing our building was known for. Fortunately not noticeable unless you were the building manager and they let us get away with a lot.

It was truly a cool thing to be able to show other people in 1975 - the news a day ahead of time. Of course now no one would understand the reason we found it so fascinating. But it was a truly cool thing to have for news junkies. Fred used a ham radio receiver to tune into the feed. It did work beautifully but was probably illegal as could be and a huge violation of the law I suspect. But that's how things get invented.

And the reason why we need that law protecting people like the guy who invented RSS who just recently committed suicide. What a tragedy.

Fred went off and got rich on video games back in the day, although his dad owned the company before Fred so I don't know if you can say Fred did it all by himself. But he gets a lot of credit for making all of us who knew him have a glimpse at what technology was capable of. He also had a huge tube transmitter that would hook up to a CB radio. I was playing around with that one day and Fred had to tell me to knock it off. Seems it put out such a powerful signal that the regular folks CB's would get the powerful jolt that the transmitter put out and could blow out the radios. Never did want to do it again after he told me that. But Fred's idea was that since there was six buildings all around that part of the campus, he could bounce the signal off a building and not be located. That was the first time I even knew he had an illegal setup. I think Fred was more into Ham radio and was just playing around with the new CB radios to see how far it was capable of transmitting. Perhaps 100 miles away to his family so he could avoid telephone calls. I think Fred had enough sense to know that AT&T would put you in the slammer if you made those little long distance calling boxes that the other guy on our dorm hall made.
Fred, and me and two other guys all went down to the Florida keys that spring of my first year in college. And we passed by Ft. Lauderdale and saw all the drunken guys who were there. We weren't into drinking so we went on down to the keys. Haven't been there since. I' imagine it's changed quite a bit. It was pretty run down with 1950s signs still up all over the place.

So that's my squid blogging from yester-year. You won't find any of that in the news.

CorwinNovember 3, 2013 12:48 PM

That sounds like a mapping of stimulus-response paths in all of everyone.

The Mirror is being built right in front of humanity's face, and it will scream in its face "THIS IS WHAT YOU ARE".
How long until the models that will be extracted from that pile of data become public knowledge?

That tech measures behaviors in controlled environments, and sample zillions of measures. How large is the quantum cloud of possible human behaviors? We'll KNOW, SOON.

Interesting times.

CallMeLateForSupperNovember 3, 2013 4:56 PM

@ 65535
.."my smart phone just took a swim in the toilet.."

Congratulations! And take heart: I am told that the symptoms of withdrawal from connectedness can be strong but do subside pretty quickly. From now on your visits to "the smallest room" can be bliss once more. :-)

I never felt the need for a cell phone and have never owned one. Corded phone purchased in 1982 for US$27 works fine.

FigureitoutNovember 3, 2013 7:40 PM

65535/CallMeLateForSupper Re:swimming smartphones
--Yeah congrats! Welcome to the club! There's like 5 of us, we're cool. :) I would've ripped it's guts apart first though, get useful components or just check it out. I accidentally reset my android but I wanted to try and use it for something else; it's on the backburner though. I have no desire for a smarty anymore, one of the many projects I want to make is an arduino phone, been done.

Clive RobinsonNovember 4, 2013 2:16 AM

@ Figureitout,

    ... I want to make is an arduino phone, been done.

Been there done that with a Microchip PIC24 microcontroler and a Motorola Java24 GSM module.

The aim --as I've said befor on this blog-- was not to make a "personal phone" --though it could do that-- but a secure USB memory device, which would automaticaly destroy any data it held if it was taken out of a geographical area, did not stay charged up, was connected to the wrong type of computer, sent an appropriate SMS or other data dial in or a whole host of other configurable kill options.

There are a number of these GSM/GPRS radio modems out there and they nearly all provide an RS232/ASCII compatable control/data interface running an augmented version of the old Hays AT modem protocol.

The problem was from a security asspect with all these modems is firstly they all have a basband CPU that's been "backdoored" as part of the GSM approvals process and likewise a SIM with it's own CPU that is "over the air" programable and has priority over anything you want to do.

Some of these SIM chips --about 18%-- still use 40bit DES or Single DES --to protect the OTA interface--, both of which are well and truely cracked by the likes of the NSA FBI and several equipment manufactures. Worse even when not using DES the actual keys are often handed out by the network providers to sub contractors with little or no checking...

Also those baseband chips in the radio modem are usually high end microcontrolers with lots of spare flash ROM and RAM where plenty of high end malware could be placed...

Danny MoulesNovember 4, 2013 7:22 AM

"Solution is to randomize your MAC address."

Solution is not to use WiFi when you don't need to. Also saves battery. Why do you need WiFi when shopping?

First guestion always worth asking:

"Can I lower the surface area?"

FigureitoutNovember 4, 2013 1:06 PM

Been there done that
Clive Robinson
--I know, that was a given...saw on Mike the goat's blog that hackaday had a GSM-cracker for $30. The hackaday crowd normally calls all the "hacks" rookie stuff but they were all speechless on that one. I don't know what to do w/ the rest, one person isn't going to make all that secure and a group gets infiltrated...meh...

iwormsNovember 7, 2013 2:46 AM

@Winter "I am curious. I always thought that Android phones shut down their WiFi when they go in sleep mode? Don't they?"

First, just because the screen is off, doesn't mean the OS is in sleep mode. Second, when the OS is really in sleep, the Wi-Fi firmware still scans without waking up the OS.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..