There are a lot of phones, tablets, laptops and other devices that transmit data on wireless networks. Most of them use an “active” scan technique (details) and they send packets around periodically.
Since all packets have a “source MAC address” field, I tried to record all MAC addresses that send packets around when my device is in range.
I used a Raspberry Pi 2 device with a WiFi antenna to capture network packets, my phone with a simple app to record the GPS route and my bike to move around the city :). Here are the results:
I managed to capture 10000 unique source MAC addresses in a few hours. Here is a plot (each red pixel is around where I first spotted a unique MAC address):
The line with very few red dots is where I took the subway in each direction, so that explains it. On the left of the map, I met a friend and went for a beer. By looking at the data afterwards, I easily managed to extract my friend’s MAC address: I searched for a source address that was in my range most of the time when we met, and there was only one result. Here are all the positions where I spotted packets from this exact MAC address:
I wanted to do more digging into this data, but I’m not sure what I can do with it.
What’s clear is that smartphones can easily be tracked and that there are a LOT of devices out there 🙂
Android applications are awesome. Especially the ones that talk to a service provider over the network.
I like to reverse engineer communication protocols / APIs between various client applications and their servers, since I could technically automate anything that my phone does, or have access to the same functionality from my PC.
Today I looked into CleverTaxi, the largest solution to call a cab from your smartphone in Bucharest. I’ve noticed two problems:
– They talk to their server via HTTPS, but they don’t properly validate the certificate. So I could easily sniff all the API calls from my MITM network PC.
– The server API that makes the app work doesn’t require any authentication. For example, the app displays all the cab positions on top of the city map. For that functionality to work, the app makes a GET request to the server and gets a JSON response with the coordinates of all the cabs connected to the app. That API call is basically public and anyone can get the coordinates of all the cars, along with the company that owns each car. The positions are updated about every second, so I believe one could implement an algorithm that follows the feed of coordinates and tracks each car based on its position. I believe this is a privacy issue for the drivers.
Here I hooked the coordinate feed to the Google Maps API (the icons were slightly changing position at 2-second intervals):
“Everything around you that you call life was made up by people that were no smarter than you and you can change it, you can influence it, you can build your own things that other people can use.” (Steve Jobs)