Slashdot Mirror


WiFi Triangulation

mikegroovy writes "WiFi software tracks you down: 'Positioning technology company Ekahau has released an updated version of its software, which allows devices to be physically tracked when they are connected to an 802.11 WLAN network.' Maybe connections that are made from the street (or outside of a predefined area) could be automatically disconnected... It may spell an end to warchalking."

25 of 229 comments

  1. cornell by Anonymous Coward · · Score: 2, Informative

    there was an article in wired about students using triangulation in 802.11b networks for all kinds of crap. since they only have a wireless lan there, professors and students write software for it because everyone uses it on their laptops and pdas

    1. Re:cornell by FlowerPotAdmin · · Score: 2, Informative

      >since they only have a wireless lan there,

      That's quite amusing, as I appear to be writing this comment from *on-campus* over a *land line*. But our operating systems course does feature an ad hoc routing assignment which uses handhelds w/ wireless ethernet cards.

      --
      -Justin
      That's enough posting for now lads, there're trolls afoot.
  2. some additional info by t0rnt0pieces · · Score: 4, Informative

    For some more info check out the company's website. Here's the page on EPE. Looks like pretty neat technology. Easy to set up and accurate to within 1 meter. I doubt warchalkers will be deterred though. :)

    --
    Karma: Excellent (In Soviet Russia, karma pimps YOU)
  3. What is warchalking about? by gad_zuki! · · Score: 3, Informative

    >It may spell an end to warchalking.

    I thought that warchalking existed more for those who are offering wireless access to alert others than revealing the open status of another's network. Any warchalkers want to chime in? Are you guys mostly ID'ing your own WAPs or the WAPs of others?

  4. Not so new... by BrunoC · · Score: 5, Informative

    You should take a look at this article. Students at Dartmouth College have been using / developing wi-fi tracking systems for a while now. A nice way to track down your buddies at the campus.

  5. Re:Finally by LarsG · · Score: 2, Informative

    ..then enable some security on your AP! Even the cheapest APs available today support at least WEP, and it should take you about 30 seconds to enable it.

    --
    If J.K.R wrote Windows: Puteulanus fenestra mortalis!
  6. 802.11b Tracking by Wrexen · · Score: 5, Informative

    One way to get around a measure like this is to obtain a surface which can reflect EM radiation at 2.4 GHz, such as AMQ coated polycarbonates or crystalline-structured metallics. By using a small set of these "mirrors" at strategic locations, you could fool the software into thinking you're actually receiving from inside the CEO's office.

    Since most modern triangulation techniques, including Ekahau's, depend on standard mathematical models of radius delta-reduction, it's trivial to set up your reflectors in such a way that the tracking mechanism can't deduce a logical place for your signal to originate from. Hopefully as location-spoofing becomes more commonplace, the government won't enact any laws restricting the use or registration of EM reflective surfaces.

  7. Re:Good God, are you Clueless? by wolfgang_spangler · · Score: 2, Informative

    Warchalking gets its name from wardialing...where users would dial numbers until they found a computer that answered (see War Games).

    Warchalking is like walking around with a wireless device, finding a signal, and marking that fact. Usually that is not done by the people running the network.

  8. Re:Good God, are you Clueless? by Anonymous Coward · · Score: 1, Informative

    of course the typical self-important hacker or cracker or whatever you want to call them doesn't think that way. they'll try to break in no matter what. and if they succeed they'll justify their *wrong* course of action by blaming the incompetence of the owner of the network.

  9. Re:Good God, are you Clueless? by Zeinfeld · · Score: 5, Informative

    >It took me all of 30 seconds to enable 128 bit WEP and create a key on my new Linksys 802.11b router. Honestly, how hard is that for people to do?

    Not hard but unfortunately not secure either. Due to a broken design the WEP mk1 scheme only gives 24 bits of security regardless of whether you have the 128 bit or 40 bit cards.

    However this has since been fixed, and the fixed cards will be available fairly soon. In addition the new cards fix the original major inanity of WEP, the single key shared by every card. The newer cards will have built in certificates to support 802.1x authentication.

    While the triangulation scheme might be used for security purposes, it is no replacement for cryptography. In the first place the scheme appears to be working on signal strength rather than the arrival time of the signals. That is easily spoofed. Arrival time of the signals would be hideously expensive to do right (I used to do that type of thing, but not with IP routers and bridges in the way...)

    It might be useful to use triangulation to detect when people were entering and leaving cells, but that can probably be done by just choosing the strongest signal.

    I can imagine using this type of thing to track down criminal suspects, the sort of thing that the FBI have fun doing. It is not a replacement for cryptography and probably not even as secure as WEP mk1.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  10. Re:Triangulation with one receiver? by Nerull · · Score: 2, Informative

    Actually, from my understanding, you draw a line from each receiver that goes off forever in the direction the signal came from. Where these lines cross, is the location where the signal was sent from. At least, this is how they use triangulation to find the source of radio transmissions when they want to find lost ships at sea (find where their last radio transmission came from, and start searching from there), or other such uses.

  11. Re:Triangulation with one receiver? by grishnav · · Score: 4, Informative

    One way to do it is to determine the direction the signal is coming from using two known points. This is quite easy, and can be done with even basic direction finders. Imagine that point A and point B are directly east/west of each other. Now, draw a ray from point A outward at, say, 45 degrees. Draw another ray starting at point B at, say, 275 degrees. Where they meet is the location. This form requires only two points.

    The other way requires three sites. You use a timing method to determine how far away they are. Imagine points A, B, and C (the location of the points is basically arbitrary, so long as they aren't too far apart). Draw a circle with a radius of one inch from point A (indicating the signal, determined by timing, is, we'll say, one mile away), and another with a two inch radius from point B. In most (but not all) circumstances, the circles will meet at two points. Thus, in most (but not all) circumstances, two will not be enough. Now draw a circle around C (I can't give you a radius length as I am unwilling to do the math in my head) to intersect with one of the other two intersections. If you've done it right, no matter how hard you try, assuming you've drawn perfect circles, the circle around point C will only meet with one of the two A/B circle intersections. Does this make any sense???

  12. This is similar to whiteboard capturing by Dr.Luke · · Score: 4, Informative

    Whiteboard capturing devices use a similar principle. Two microphones are at opposite ends of the whiteboard and an ultrasound emitter is attached to the pen. When you move the pen the CPU unit attached to the mikes triangulates the position of the pen and renders the digital image of the whiteboard. I always thought it was a simple and elegant solution compared to the touch sensitive whiteboards that cost much more. Another company now has a mini version of this technology for iPaq which attaches to a normal writing pad and allows you to save anything you write on your iPaq.

  13. Re:Constantly diminishing signals are rare in RL by Anonymous Coward · · Score: 1, Informative

    True. But with a wireless access point, you can't determine the direction the signal is coming from. So you can't get the angles. Instead you need to determine the distance from two of the access points to the target, forming one of 2 possible triangles, then use the third to determine which one of these is correct.

  14. Re:Finally by mrjohnson · · Score: 3, Informative

    That's what my boss thought, too. You should be able to crack a somewhat busy network using 64 bits in about eight hours with AirSnort. It took me about sixteen to recover the password (longer because it was just one host and me running `ping -f -c 1 wifi` from my desktop).

    WEP will only deter the laziest script kiddie... Sorry. :-)

  15. Re:range? by NDeans · · Score: 2, Informative

    The reason your school network fails at such a low range is because of sub-standard installation. They are most likely using the "rubber duck" antennas that came with the APs and probably placed them in an area that is behind rows of steel lockers on more than one side. A couple of omnidirectional dome antennas installed in the ceilings at strategic points throughout the school, and you'll get an awesome signal from anywhere. As far as the supermarkets having range issues, I seriously doubt they'll have any problems. The next time you go to a supermarket look around. What do you see? OPEN SPACE! The only walls in there are the 7½' aisles. With 12' and higher ceilings, all they will need are three moderately high dB gain 120 antennas and they'll have the whole store getting signal strength like you were sitting next to your AP at home. And who says that they'll go for 11b when most won't be implementing this type of service for at _least_ 2-3 years (In the US anyway).

  16. How Microsoft did something like this by ntk · · Score: 4, Informative

    Microsoft Research did some work on this a couple of years ago - they called it RADAR.

    The equations they use are pretty simple, and they seem to be getting very optimistic results. They, too, use signal-strength triangulation, together with a model of the local area (so you feed in how many walls are between you and the AP, for instance), and some processing based on recent history. That's to say, if four out of the five latest samples have you outside on the pavement, and one of them has you 50 yards away in the eastern wing, you're probably still on the pavement.

    Venkata N. Padmanabhan has some more papers on this on his homepage. Victor Bahl has a demonstration here but I guess it only works on IE.
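A worked version of the model-plus-history approach the comment above describes, added here as an illustration; it is not code from RADAR, Microsoft Research, or anyone in this thread. The path-loss-with-walls formula is of the wall attenuation factor form the RADAR paper uses, but the access point positions, the single interior wall at x = 10, the grid extent, and every constant (reference power, path-loss exponent, per-wall loss, wall cap) are assumed values chosen for the example. The locator predicts what each AP should read at every grid point, picks the point that best matches the observed vector, and the majority vote over recent fixes is the "four of five samples" rule.

```python
import math
from collections import Counter

# Constructed floor plan (assumed): three APs and one interior wall along x = 10.
APS = {"ap1": (0.0, 0.0), "ap2": (20.0, 0.0), "ap3": (10.0, 15.0)}
WALL_X = 10.0

# Wall attenuation factor model; all constants are assumed (dBm, dB, metres).
P_D0 = -30.0   # received power at the reference distance D0
D0 = 1.0
N_EXP = 2.5    # path-loss exponent
WAF = 3.1      # loss per wall crossed
C_MAX = 4      # walls counted before the attenuation stops growing


def walls_between(p, q):
    """Walls crossed by the straight line p-q: 1 if the points lie on
    opposite sides of x = WALL_X, else 0 (the only wall in this plan)."""
    return 1 if (p[0] - WALL_X) * (q[0] - WALL_X) < 0 else 0


def predicted_rss(ap, point):
    """Model RSS (dBm) at `point` from access point `ap`."""
    d = max(math.dist(APS[ap], point), D0)
    n_w = min(walls_between(APS[ap], point), C_MAX)
    return P_D0 - 10.0 * N_EXP * math.log10(d / D0) - n_w * WAF


def grid(extent, step):
    """Candidate positions on a regular grid over extent = (x0, x1, y0, y1)."""
    x0, x1, y0, y1 = extent
    nx = int(round((x1 - x0) / step))
    ny = int(round((y1 - y0) / step))
    for i in range(nx + 1):
        for j in range(ny + 1):
            yield (x0 + i * step, y0 + j * step)


def locate(observed, extent=(0.0, 20.0, 0.0, 15.0), step=1.0):
    """Grid point whose predicted RSS vector is closest (least squares)
    to the observed {ap: dBm} readings."""
    return min(grid(extent, step),
               key=lambda p: sum((observed[ap] - predicted_rss(ap, p)) ** 2
                                 for ap in observed))


def smooth(history):
    """Majority vote over the most recent fixes: 4 of 5 on the pavement
    outvote the one stray fix in the east wing."""
    return Counter(history).most_common(1)[0][0]


if __name__ == "__main__":
    truth = (4.0, 3.0)
    obs = {ap: predicted_rss(ap, truth) for ap in APS}   # constructed reading
    print(locate(obs))
    print(smooth(["pavement"] * 4 + ["east wing"]))
```

With noise-free readings the locator lands exactly on the true grid point; with real cards the residual is never zero, which is why the history vote matters more than the model's precision.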

  17. Re:Finally by monthos · · Score: 2, Informative

    It takes much longer to crack it than 30 seconds. The reason it can be cracked is because of an insecurity of WEP encrypting a file every now and then weakly, still encrypted, but very weak, after you collect about 1000 of these packets software can determine the key from it.

    On a not very used network it can take over a day to collect the desired packets to crack it, on a heavily used network a few hours.

  18. Re:Triangulation with one receiver? by DMBoyd · · Score: 2, Informative

    actually you need three.

    go test it out.

    get a compass and two points 4 inches apart. if you know a user is 3 inches from one point and 2.5 inches from another point there would be two possible locations the user could be.
    you need three points.
    you only have signal strength (which is proportional to distance) not angles. so you need three points to clarify any point in two dimensions. And four or more to more accurately place a point in 3 dimensions.

    its like GPSes
    http://www.howstuffworks.com/gps1.htm
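Both geometries described in comments 11 and 18 above, worked in Python as an added example (not code from any poster): a fix from two bearings, which needs only two known points, and a fix from ranges, where two circles leave two candidates and a third range picks between them. All coordinates and ranges below are constructed; bearings are compass degrees with 0 = north and 90 = east, so the "A and B east/west of each other" layout is A at the origin and B ten units east.

```python
import math


def fix_from_bearings(a, bearing_a, b, bearing_b):
    """Intersect the ray from a at compass bearing bearing_a (degrees,
    0 = north, 90 = east) with the ray from b at bearing_b.
    Returns the point, or None when the rays are parallel or diverge."""
    ax, ay = a
    bx, by = b
    ua = (math.sin(math.radians(bearing_a)), math.cos(math.radians(bearing_a)))
    ub = (math.sin(math.radians(bearing_b)), math.cos(math.radians(bearing_b)))
    denom = ua[0] * ub[1] - ua[1] * ub[0]
    if abs(denom) < 1e-12:
        return None                               # parallel bearings: no fix
    dx, dy = bx - ax, by - ay
    t = (dx * ub[1] - dy * ub[0]) / denom         # distance along ray a
    s = (dx * ua[1] - dy * ua[0]) / denom         # distance along ray b
    if t < 0 or s < 0:
        return None                               # rays point away from each other
    return (ax + t * ua[0], ay + t * ua[1])


def circle_intersections(c0, r0, c1, r1):
    """Points where circle (c0, r0) meets circle (c1, r1): 0, 1 or 2 of them."""
    x0, y0 = c0
    x1, y1 = c1
    d = math.hypot(x1 - x0, y1 - y0)
    if d == 0 or d > r0 + r1 or d < abs(r0 - r1):
        return []
    a = (r0 * r0 - r1 * r1 + d * d) / (2 * d)     # distance from c0 to the chord
    h = math.sqrt(max(r0 * r0 - a * a, 0.0))      # half the chord length
    mx, my = x0 + a * (x1 - x0) / d, y0 + a * (y1 - y0) / d
    if h == 0.0:
        return [(mx, my)]                         # tangent circles: one point
    ox, oy = h * (y1 - y0) / d, h * (x1 - x0) / d
    return [(mx + ox, my - oy), (mx - ox, my + oy)]


def fix_from_ranges(anchors):
    """anchors: [((x, y), range), ...], at least three entries. The first two
    circles give up to two candidates; the third range picks the candidate it
    agrees with best. Returns None when the first two circles do not meet."""
    (c0, r0), (c1, r1), (c2, r2) = anchors[:3]
    candidates = circle_intersections(c0, r0, c1, r1)
    if not candidates:
        return None
    return min(candidates, key=lambda p: abs(math.dist(p, c2) - r2))


if __name__ == "__main__":
    # Constructed inputs: A at the origin, B ten units due east.
    print(fix_from_bearings((0, 0), 45, (10, 0), 315))              # (5.0, 5.0)
    # Two points 4 inches apart, target 3 and 2.5 inches away: two answers.
    print(circle_intersections((0, 0), 3, (4, 0), 2.5))
    # A third anchor settles it; the true position here is (3, 4).
    print(fix_from_ranges([((0, 0), 5.0),
                           ((10, 0), math.sqrt(65)),
                           ((0, 10), math.sqrt(45))]))               # (3.0, 4.0)
```

Note that the range version picks the candidate that fits the third measurement best rather than demanding an exact hit, because a real signal-strength-derived range is never exact; the ambiguity the two-circle case leaves behind is exactly why the third point is needed.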

  19. Re:Good God, are you Clueless? by aminorex · · Score: 3, Informative

    There's simply no way that the triangulation is based on ping times. They're talking about measurements of less than a meter, which is on the order of 3 nanoseconds at c. Much more sensible is to triangulate based on signal strength.

    Yes, signal strength can be spoofed *downward*, but for commercial cards, it can't be spoofed *upward*, significantly, without the spoof being clearly detectable. Therefore, I disagree: It is a very useful supplement to perimeter security. The ability to defeat does not invalidate a security measure, unless the effort and expense involved is below the cost/benefit threshold.

    --
    -I like my women like I like my tea: green-
  20. Re:end to warchalking? by jtree · · Score: 3, Informative

    This technology cannot currently triangulate a war{driv,chalk,walk}er.

    I'm a researcher at Carnegie Mellon University who has been implementing this same system for the last two years.

    This type of system relies on the client (pda/laptop) to gather the raw information for triangulation and send it to the server.

    No access point (that I'm aware of) is capable of gathering the information needed for triangulation.

    Details:
    An access point only knows the signal strength between itself and its connected users.
    Triangulation requires the signal strength between the client (pda/laptop) and at least three nearby access points for 2d triangulation.
    Current access points do not record or calculate information for clients that are not currently connected to themselves.

    It would be possible after modifying the firmware on the access points. The manufacturers have been extremely reluctant to give this information out (even under NDA.)

    The most accurate information that could be gathered about war{driv,chalk,walk}ers is which access point they are connected to.

    Joshua Tree

  21. Free Wi-Fi Tracking Software by mtodd78 · · Score: 3, Informative

    The research group I work in used many of the same techniques that this software company uses to create Nibble which also can do positioning using Wifi; http://mmsl.cs.ucla.edu/nibble/. Free. GPL'd source is available too.

    Things to note, however, about any 802.11 tracking software is that its accuracy is poor (> 5 meters) unless you are using 5 or 6 *simultaneously* accessible access points (it even states this in the Ekahau manual). Tracking software can be thrown off by even seemingly minor environmental changes like crowds of people etc. Some calibration is also required.

    Don't worry about this shutting down free access points as it is way harder to do location tracking than it is to set up an encryption system (even really good VPN style encryption) or a simple MAC address filter.

    Mike

  22. How this works (not triangulation) by kazad · · Score: 3, Informative

    Hi all, this is my first /. post. I did a research project last semester and implemented a system like this, and got about 1 meter accuracy on average.

    Rather than using signal strength for triangulation, you use it to record a "radio map", and compare your current position to the map. The basic steps are:

    1) Walk around a room, recording the signal strength to each AP (so you get a file such as "Access Point #1, Avg signal: 96 AP#2, Avg signal: 74 ..." ). Netstumbler or other software can help you make this file.

    Create a "profile" like this for every location you wish to map (roughly, one every square foot or meter). The number of profiles determines the granularity of the system, but too many profiles can cause "collisions" in the sense that different locations have similar profiles, for some reason or another. There are ways to combat this, one of which is to make an educated guess on the new location based on the last one. (i.e., the user could not have walked over 10m in one interval)

    2) When a user connects, they can compare their current signal strength info ( such as AP#1, signal: 34 AP#2, signal: 74) to the map: the closest point is probably their location.

    I did a simple euclidean distance calculation (taking each profile as a vector in some large space [cool how the pythagorean thm. generalizes, eh?]). There are many better ways, which I am researching this semester, but euclidean distance is fine for now.

    I'm pretty sure this is why they must spend an hour per 10,000 square feet to "calibrate" the system. I had to do the same, but it was a *lot* slower; I need to make a tool to do this automagically.

    This semester I am also looking to get my system working with an ipaq robot running familiar. It's the combination of the palm pilot robot kit and this positioning system. Hopefully, the little robot should know (roughly) where it is, and be able to be controlled via the internet.

    Check out my webpage if you are interested in more details.
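The radio-map ("fingerprint") method from comment 22, as an added example rather than the poster's own code. The radio map below is constructed: nine surveyed locations with an average strength figure per AP in the 0-100 style of the post, including one pair of far-apart locations, (12, 5) and (30, 12), given near-identical profiles to reproduce the "collision" the post mentions. Location is the nearest profile by Euclidean distance over the strength vectors, and the optional last-known position applies the "could not have walked over 10 m in one interval" rule to break the collision.

```python
import math

# Constructed radio map (assumed values): survey location in metres ->
# average signal figure per AP. (12, 5) deliberately collides with (30, 12).
RADIO_MAP = {
    (0, 0):   {"ap1": 96, "ap2": 74, "ap3": 40},
    (1, 0):   {"ap1": 90, "ap2": 78, "ap3": 42},
    (2, 0):   {"ap1": 82, "ap2": 83, "ap3": 45},
    (0, 1):   {"ap1": 91, "ap2": 70, "ap3": 48},
    (1, 1):   {"ap1": 85, "ap2": 75, "ap3": 50},
    (2, 1):   {"ap1": 78, "ap2": 80, "ap3": 53},
    (12, 5):  {"ap1": 35, "ap2": 73, "ap3": 61},
    (30, 12): {"ap1": 34, "ap2": 74, "ap3": 60},
    (31, 12): {"ap1": 30, "ap2": 76, "ap3": 61},
}


def profile_distance(a, b):
    """Euclidean distance between two {ap: strength} vectors. An AP missing
    from one side counts as strength 0, i.e. not heard at all."""
    keys = set(a) | set(b)
    return math.sqrt(sum((a.get(k, 0) - b.get(k, 0)) ** 2 for k in keys))


def locate(observed, radio_map=RADIO_MAP, last=None, max_step=10.0):
    """Nearest surveyed profile to the observed reading. With a last known
    position, only survey points within max_step metres of it are eligible;
    if none is, the full map is used rather than returning nothing."""
    candidates = list(radio_map.items())
    if last is not None:
        reachable = [(loc, prof) for loc, prof in candidates
                     if math.dist(loc, last) <= max_step]
        if reachable:
            candidates = reachable
    return min(candidates, key=lambda item: profile_distance(observed, item[1]))[0]


def track(readings, radio_map=RADIO_MAP, max_step=10.0):
    """Run locate() over a sequence of readings, feeding each fix into the next."""
    fixes, last = [], None
    for obs in readings:
        last = locate(obs, radio_map, last, max_step)
        fixes.append(last)
    return fixes


if __name__ == "__main__":
    # Constructed readings.
    print(locate({"ap1": 95, "ap2": 75, "ap3": 41}))                 # (0, 0)
    print(locate({"ap1": 34, "ap2": 74, "ap3": 60}))                 # (30, 12): collision wins
    print(locate({"ap1": 34, "ap2": 74, "ap3": 60}, last=(12, 4)))   # (12, 5): constraint fixes it
    print(track([{"ap1": 35, "ap2": 73, "ap3": 61},
                 {"ap1": 34, "ap2": 74, "ap3": 60}]))
```

The fallback to the full map when no survey point is reachable is deliberate: a client that really did jump (a dropped association, a long sampling gap) should produce a fresh fix rather than an exception or a stale one.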

  23. one problem with triangulation by v1 · · Score: 2, Informative

    Odds are about 100% that if you are setting up multiple wifi base stations, you are placing them for optimal coverage of your own intended users. Wifi triangulation works best when the user is somewhere within the perimeter of the base stations, and works most poorly when the strongest received signal is a station on the perimeter.

    So to accurately determine if someone is outside the intended coverage area, wouldn't you really need to deploy additional base stations? For instance, if you have three stations at your business, one near the front, and two in the rear corners of your building, and someone is wifi'ing in from the bus stop bench outside, he's going to hit the front station and not do much for the two in back. It's very hard to tell this user apart from someone just inside the building and very near the front base station. To settle this, you'd need a base station like across the street or something.

    I don't see wifi triangulation as a practical way of identifying users outside the perimeter for this reason.

    It's also worth noting that it would be a poor choice to place the base station right at the front of the building, because you'd be wasting 50% of the station's coverage area. But to pull the stations in toward the building's center would further degrade your triangulation abilities because relative signal strength differences would lower your triangulation precision.

    Just tossing ideas out, I'd propose the best way to keep warchalkers out if that is your intention, is to deploy your base stations in such a way as to not provide (effective) coverage to areas outside your premises. If your business is already too small to keep coverage just inside your building, then obviously buying several base stations to try for triangulation is patently absurd.

    Of course, my final suggestion would be to openly allow public access, and use it as a P.R. booster. Free advertisement is handy, and in most cases, this would almost be free.

    For the entrepreneur: I haven't seen anyone selling warchalking plaques yet. I bet there are some businesses out there (cafés etc) that would buy a custom made brass or bronze wall plaque they could affix to the outside of their buildings to attract more customers.

    --
    I work for the Department of Redundancy Department.
  24. Re:Good God, are you Clueless? by FuegoFuerte · · Score: 2, Informative

    All the Orinoco hardware eliminates the weak IVs. Not sure what other manufacturers do this. It's completely separate from things like 802.1x EAP. What you're talking about (proprietary things) sound like Cisco LEAP (proprietary version of EAP, which has now been licensed to most major WiFi makers and is showing up in the latest firmware revisions). A different IV is used for every packet sent either direction, so to completely rid yourself of weak IVs both the client adapters (all of them using the same WEP key) and the AP must avoid them. If even one client adapter is using weak IVs still, there is the potential for gathering enough to figure out the WEP key. However, with each additional client that eliminates weak IVs, the amount of time it takes to crack the WEP key grows.

    An example: client and AP are both avoiding weak IVs: Airsnort and similar are completely ineffective (to the best of my knowledge).

    AP avoids weak IVs while cheap client adapter with old firmware does not: Airsnort, etc. now can crack the key, but it takes many hours (we'll say 12 hours just to throw out a number).

    Neither client adapter nor AP are avoiding weak IVs: Airsnort, etc. now take about half the time (we'll say 6 hours) to gain the WEP key, because there are proportionally twice as many packets with weak IVs being thrown across the network.

    I'm kinda tired, so hopefully that makes sense.
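What the "weak IVs" in comments 17 and 24 actually are, as an added example (not code from any poster, AirSnort, or any card vendor). The IVs the original FMS attack and AirSnort look for have the form (B + 3, 0xFF, X): the first IV byte names the secret key byte B being attacked, the second is 0xFF, the third is anything. The classifier below spots them, the histogram is the per-key-byte count a cracker accumulates, and next_iv is a counter that skips the class, which is the kind of firmware filter the comment above attributes to Orinoco (the filter logic and the byte order of the counter are assumptions for the example, not the vendor's code). One caveat the thread predates: this is only the original FMS class; later attacks use many further IV classes, so skipping these alone raised the cost without making WEP safe.

```python
# WEP IV = 3 bytes prepended to the secret key; "128-bit" WEP has a 13-byte
# secret key, "64-bit" WEP a 5-byte one.

def fms_weak_key_byte(iv, key_len_bytes=13):
    """Return the index B of the secret key byte that an FMS-class IV leaks,
    or None. iv is the 3 bytes as they appear on the air; the class is
    (B + 3, 0xFF, X) for 0 <= B < key length."""
    b0, b1, _ = iv
    if b1 != 0xFF:
        return None
    b = b0 - 3
    return b if 0 <= b < key_len_bytes else None


def count_weak_ivs(ivs, key_len_bytes=13):
    """Histogram {key byte index: number of weak IVs seen for it}."""
    hist = {}
    for iv in ivs:
        b = fms_weak_key_byte(iv, key_len_bytes)
        if b is not None:
            hist[b] = hist.get(b, 0) + 1
    return hist


def weak_iv_fraction(key_len_bytes=13):
    """Share of the 2^24 IV space in the FMS class: 256 X values per key byte."""
    return 256 * key_len_bytes / 2 ** 24


def next_iv(iv, key_len_bytes=13, avoid_weak=True):
    """Advance a 24-bit IV counter (assumed: first byte on the air is the low
    byte) and, when avoid_weak is set, skip every FMS-class value."""
    n = iv[0] | (iv[1] << 8) | (iv[2] << 16)
    while True:
        n = (n + 1) & 0xFFFFFF
        cand = (n & 0xFF, (n >> 8) & 0xFF, (n >> 16) & 0xFF)
        if not avoid_weak or fms_weak_key_byte(cand, key_len_bytes) is None:
            return cand


if __name__ == "__main__":
    # Constructed capture: two IVs attack key byte 0, one attacks byte 6.
    sample = [(3, 255, 1), (3, 255, 2), (9, 255, 0), (7, 0, 1), (16, 255, 2)]
    print(count_weak_ivs(sample))          # {0: 2, 6: 1}
    print(count_weak_ivs(sample, 5))       # {0: 2}  (a 5-byte key has no byte 6)
    print(f"{weak_iv_fraction():.5%}")     # 0.01984%
    print(next_iv((2, 255, 7)))            # (16, 255, 7): the whole weak run skipped
```

The fraction figure is why a quiet network takes so long: with 13 key bytes only 3328 of the 16.7 million IVs are in this class, so a cracker needs a great many frames, or a counter that happens to walk through the weak run, before the per-byte counts grow large enough to resolve the key.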