[LINK] mobile 802.11 - the parole bracelet for the man in the street

[Jon Seymour]

I thought I'd write up some discoveries I made recently about the
pervasiveness of 802.11-based location fixing.

The discoveries certainly opened my eyes. I guess I had always known
that 802.11 networks _could_ be used for location fixing purposes, but
I hadn't realised how extensively they _are_ being used for this
purpose. I was surprised at how pervasive the infrastructure is and
how trivial it is for a non-privileged person to interrogate it.

I also wonder about how this reality is going to mesh with the
emerging reality of people such as myself carrying portable Wifi
access points (such as the Vodafone Pocket Wifi device) in our
pockets.

Enjoy!

jon.

-------------------------------------------------------------------------------------------------------

from http://orwelliantremors.blogspot.com/2010/12/mobile-80211-parole-bracelet-for-man-in.html
...

I recently installed the "Find my iPhone" app on my iPhone.

I happened to notice that the position fix it gave on my iPhone was
more accurate when wifi was enabled than when only 3G was enabled.

This intrigued me, because I hadn't realised that WIFI networks are
routinely used for location fixing purposes.

So, I did some more digging. It appears Apple uses wifi location
services provided by skyhookwireless.com. This company has a database
of the MAC addresses of wifi access points and their approximate
locations. Applications deployed on devices equipped with a 802.11
wireless radio can scan the local environment for wifi access points,
take a note of the mac address and signal strengths thus found and
then exchange this information with the skyhookwireless API for an
estimate of the devices current location.

It didn't take long to discover, using a few google searches, that the
Skyhook API can be exercised by anyone with rudimentary programming
skills. The information returned by this API is the latitude and
longitude of the MAC address, as known to skyhookwireless.

It then dawned on me, that I could use the same technique that skyhook
uses to collect MAC addresses and discover all the MAC addresses in my
local neighbourhood. I could then use this information with the
skyhook API, to derive the corresponding physical locations of each
MAC address. I could then use this information, together with the
Google Maps API, to make create a map showing the location of each
wifi access point in my neighbourhood.

And so this I did, and here is the result.

The interactive version of the map (not shown) shows the MAC address
and human friendly network name of each wifi network in the immediate
neighbourhood of my home.

This was a cool hack for an afternoon and I wrote it up on facebook. A
friend then showed me a feature of current versions of firefox that
allows web applications to work out your current location and, with
your permission, exchange that information with the application
provider.

To see how this works for your self, point your Firefox browser at:
http://www.mozilla.com/en-US/firefox/geolocation/ and the click link
entitled "Give it a try!". You will need to respond in the affirmative
to a security warning that will appear at the top of the page. If you
do this, the a google map will be displayed showing your approximate
location. The results will be more accurate if you are connected to a
wifi network when you do this. Try zooming in to the maximum
resolution - you might be surprised how close it gets to where you
are.

Fortunately, this feature of Firefox is optional and they have taken
some care to ensure that a Firefox user does not unwittingly disclose
their location without their own consent. Furthermore, there is an
option available to disable the feature completely.

It was while researching this option that I noticed that URI used for
resolving physical locations pointed at a google API. Sure enough
Google has its own location services API, apparently ndependent of the
services provided by skyhookwireless.

With a little bit of playing, I worked out how to expose the Google
API to a command line shell, and this allowed me to probe the location
of arbitrary MAC addresses. expanded_mac="00-11-22-33-44-55" && \
ssid="YourNetworkSSID" && \ curl -s --header "Content-Type:
text/plain;" --data
"{\"version\":\"1.1.0\",\"request_address\":true,\"wifi_towers\":[{\"mac_address\":\"$expanded_mac\",\"ssid\":\"$ssid\",\"signal_strength\":-50}]}"
https://www.google.com:443/loc/json

I discovered two interesting differences between the Google API and
the Skyhook Wireless API. The first is that Google Wireless API was
able to resolve the MAC address of my Vodafone Pocket Wifi device
(more on the implications of that, below). The second is that if
Google doesn't recognize the MAC address it will fall back to using
the source IP address of the request to provide a less accurate
estimate of client's location. In my case, this means that Google
defaults the location to a location near the Sydney GPO.

I also tried using the MAC addresses of client devices, such as my
iPhone and iPad to see whether Google could resolve these. At first, I
got a fright when thought it was resolving a location for these
devices, but then realised it had actually fallen back to use the
source IP address of ADSL gateway and not the MAC address of
individual devices.

So, it is good news that neither Skyhook Wireless or Google appear to
be tracking client MAC addresses at present. On the otherhand, the
other thing I learnt today is that there is no technical reason why
they aren't doing it - the information about client MAC addresses is
just as exposed as information about access points, although, because
client MAC addresses tend to move about more than access points it is
perhaps not as valuable for location fixing purposes which is
apparently the market that both Skyhook Wireless and Google are
pursuing at this point in time.

However, it seems inevitable that someone, somewhere, will find the
temptation of capturing client-level MAC address/location/time-of-day
triples to be an opportunity too hard to resist. One can certainly
imagine security services looking at such a gold mine of information
with large eyes, wet lips and hungry stomachs.

And this is where the issue of pocket wifi becomes interesting. The
current infrastructure that Skyhook Wireless and Google have built is
designed to track access points, not clients. However, the rise of the
iPad has started to create a demand for a technology that Vodafone,
for example, is selling as the Pocket Wifi. These nifty little devices
package a 3G modem and 802.11 wifi device in a unit that is smaller
than a slim mobile phone (you know, the form factor that everyone
coveted before before the iPhone created the demand for large touch
surfaces). The chief advantage of such a device is that the consumer
can purchase a single 3G router and share the wireless connection
between gadgets such as the iPad and other devices like netbooks or
laptops and thereby avoid having to purchase a separate 3G plan for
each device.

The end result of this consumer convenience, however, is that a lot of
people are going to be walking around the streets carrying with
portable wireless access points in their pockets. And their MAC
addresses will end up in the access point databases of Skyhook
Wireless and Google. Eventually, someone will work out how to make a
buck from this information and the pressure will be one to keep it up
to date. [ An aside: Google's record of my Pocket Wifi device was at
least a week out of date, perhaps more ]

And once they have done that, the pressure to collect location
information from normal wifi clients will increase and then suddenly,
everyone carrying a wifi-enabled smartphone (e.g., almost everyone)
will be locatable, with exquisite precision, 24x7.

Scary, huh?