Slashdot Mirror


WiFi Triangulation

mikegroovy writes "WiFi software tracks you down: 'Positioning technology company Ekahau has released an updated version of its software, which allows devices to be physically tracked when they are connected to an 802.11 WLAN network.' Maybe connections that are made from the street (or outside of a predefined area) could be automatically disconnected... It may spell an end to warchalking."

13 of 229 comments

  1. some additional info by t0rnt0pieces · Score: 4, Informative

    For some more info check out the company's website. Here's the page on EPE. Looks like pretty neat technology. Easy to set up and accurate to within 1 meter. I doubt warchalkers will be deterred though. :)

    --
    Karma: Excellent (In Soviet Russia, karma pimps YOU)
  2. What is warchalking about? by gad_zuki! · Score: 3, Informative

    >It may spell an end to warchalking.

    I thought that warchalking existed more for those who are offering wireless access to alert others than revealing the open status of another's network. Any warchalkers want to chime in? Are you guys mostly ID'ing your own WAPs or the WAPs of others?

  3. Not so new... by BrunoC · Score: 5, Informative

    You should take a look at this article. Students at Dartmouth College have been using / developing wi-fi tracking systems for a while now. A nice way to track down your buddies at the campus.

  4. 802.11b Tracking by Wrexen · Score: 5, Informative

    One way to get around a measure like this is to obtain a surface which can reflect EM radiation at 2.4 GHz, such as AMQ coated polycarbonates or crystalline-structured metallics. By using a small set of these "mirrors" at strategic locations, you could fool the software into thinking you're actually receiving from inside the CEO's office.

    Since most modern triangulation techniques, including Ekahau's, depend on standard mathematical models of radius delta-reduction, it's trivial to set up your reflectors in such a way that the tracking mechanism can't deduce a logical place for your signal to originate from. Hopefully as location-spoofing becomes more commonplace, the government won't enact any laws restricting the use or registration of EM reflective surfaces.

  5. Re:Good God, are you Clueless? by Zeinfeld · Score: 5, Informative

    >It took me all of 30 seconds to enable 128 bit WEP and create a key on my new Linksys 802.11b router. Honestly, how hard is that for people to do?

    Not hard but unfortunately not secure either. Due to a broken design the WEP mk1 scheme only gives 24 bits of security regardless of whether you have the 128 bit or 40 bit cards.

    However this has since been fixed, and the fixed cards will be available fairly soon. In addition the new cards fix the original major inanity of WEP, the single key shared by every card. The newer cards will have built-in certificates to support 802.1x authentication.

    While the triangulation scheme might be used for security purposes, it is no replacement for cryptography. In the first place the scheme appears to be working on signal strength rather than the arrival time of the signals. That is easily spoofed. Arrival time of the signals would be hideously expensive to do right (I used to do that type of thing, but not with IP routers and bridges in the way...)

    It might be useful to use triangulation to detect when people were entering and leaving cells, but that can probably be done by just choosing the strongest signal.

    I can imagine using this type of thing to track down criminal suspects, the sort of thing that the FBI have fun doing. It is not a replacement for cryptography and probably not even as secure as WEP mk1.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  6. Re:Triangulation with one receiver? by grishnav · Score: 4, Informative

    One way to do it is to determine the direction the signal is coming from using two known points. This is quite easy, and can be done with even basic direction finders. Imagine that point A and point B are directly east/west of each other. Now, draw a ray from point A outward at, say, 45 degrees. Draw another ray starting at point B at, say, 275 degrees. Where they meet is the location. This form requires only two points.

    The other way requires three sites. You use a timing method to determine how far away they are. Imagine points A, B, and C (the location of the points is basically arbitrary, so long as they aren't too far apart). Draw a circle with a radius of one inch from point A (indicating the signal, determined by timing, is, we'll say, one mile away), and another with a two-inch radius from point B. In most (but not all) circumstances, the circles will meet at two points. Thus, in most (but not all) circumstances, two will not be enough. Now draw a circle around C (I can't give you a radius length as I am unwilling to do the math in my head) to intersect with one of the other two intersections. If you've done it right, no matter how hard you try, assuming you've drawn perfect circles, the circle around point C will only meet with one of the two A/B circle intersections. This make any sense???
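
The three-site construction described in the comment above, as an added example that is not part of the original post: two range circles give two candidate points, and the range from a third site picks one. The coordinates and the tolerance are constructed for illustration.

```python
import math

def circle_intersections(a, ra, b, rb):
    """Points where the circle of radius ra around a meets the circle rb around b."""
    d = math.dist(a, b)
    if d == 0 or d > ra + rb or d < abs(ra - rb):
        return []  # same centre, too far apart, or one circle inside the other
    along = (ra**2 - rb**2 + d**2) / (2 * d)   # distance from a to the chord
    h = math.sqrt(max(ra**2 - along**2, 0.0))  # half-length of the chord
    ux, uy = (b[0] - a[0]) / d, (b[1] - a[1]) / d
    mx, my = a[0] + along * ux, a[1] + along * uy
    return [(mx - h * uy, my + h * ux), (mx + h * uy, my - h * ux)]

def trilaterate(a, ra, b, rb, c, rc, tol=1e-6):
    """Use site c to choose between the two A/B intersections.

    Returns None when the circles do not meet, or when c cannot tell the
    candidates apart (c lies on the line through a and b).
    """
    points = circle_intersections(a, ra, b, rb)
    if not points:
        return None
    p, q = points
    if math.dist(p, q) < tol:  # circles touch at a single point
        return p
    err_p = abs(math.dist(p, c) - rc)
    err_q = abs(math.dist(q, c) - rc)
    if abs(err_p - err_q) < tol:
        return None  # third site is collinear with the first two: still ambiguous
    return p if err_p < err_q else q

if __name__ == "__main__":
    # Constructed geometry: transmitter at (1, 1); ranges computed from that.
    A, B, C = (0.0, 0.0), (4.0, 0.0), (0.0, 3.0)
    print(circle_intersections(A, math.sqrt(2), B, math.sqrt(10)))
    print(trilaterate(A, math.sqrt(2), B, math.sqrt(10), C, math.sqrt(5)))
```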

  7. This is similar to whiteboard capturing by Dr.Luke · Score: 4, Informative

    Whiteboard capturing devices use a similar principle. Two microphones are at opposite ends of the whiteboard and an ultrasound emitter is attached to the pen. When you move the pen the CPU unit attached to the mikes triangulates the position of the pen and renders the digital image of the whiteboard. I always thought it was a simple and elegant solution compared to the touch sensitive whiteboards that cost much more. Another company now has a mini version of this technology for iPaq which attaches to a normal writing pad and allows you to save anything you write on your iPaq.

  8. Re:Finally by mrjohnson · Score: 3, Informative

    That's what my boss thought, too. You should be able to crack a somewhat busy network using 64 bits in about eight hours with AirSnort. It took me about sixteen to recover the password (longer because it was just one host and me running `ping -f -c 1 wifi` from my desktop).

    WEP will only deter the laziest script kiddie... Sorry. :-)

  9. How Microsoft did something like this by ntk · Score: 4, Informative

    Microsoft Research did some work on this a couple of years ago - they called it RADAR.

    The equations they use are pretty simple, and they seem to be getting very optimistic results. They, too, use signal-strength triangulation, together with a model of the local area (so you feed in how many walls are between you and the AP, for instance), and some processing based on recent history. That's to say, if four out of the five latest samples have you outside on the pavement, and one of them has you 50 yards away in the eastern wing, you're probably still on the pavement.

    Venkata N. Padmanabhan has some more papers on this on his homepage. Victor Bahl has a demonstration here but I guess it only works on IE.

  10. Re:Good God, are you Clueless? by aminorex · Score: 3, Informative

    There's simply no way that the triangulation is
    based on ping times. They're talking about
    measurements of less than a meter, which is
    on the order of 3 nanoseconds at c. Much more
    sensible is to triangulate based on signal
    strength.

    Yes, signal strength can be spoofed *downward*,
    but for commercial cards, it can't be spoofed
    *upward*, significantly, without the spoof being
    clearly detectible. Therefore, I disagree: It
    is a very useful supplement to perimeter security.
    The ability to defeat does not invalidate a
    security measure, unless the effort and expense
    involved is below the cost/benefit threshold.

    --
    -I like my women like I like my tea: green-
  11. Re:end to warchalking? by jtree · Score: 3, Informative

    This technology cannot currently triangulate a war{driv,chalk,walk}er.

    I'm a researcher at Carnegie Mellon University who has been implementing this same system for the last two years.

    This type of system relies on the client (PDA/laptop) to gather the raw information for triangulation and send it to the server.

    No access point (that I'm aware of) is capable of gathering the information needed for triangulation.

    Details:
    An access point only knows the signal strength between itself and its connected users.
    Triangulation requires the signal strength between the client (PDA/laptop) and at least three nearby access points for 2D triangulation.
    Current access points do not record or calculate information for clients that are not currently connected to themselves.

    It would be possible after modifying the firmware on the access points. The manufacturers have been extremely reluctant to give this information out (even under NDA.)

    The most accurate information that could be gathered about war{driv,chalk,walk}ers is which access point they are connected to.

    Joshua Tree

  12. Free Wi-Fi Tracking Software by mtodd78 · Score: 3, Informative

    The research group I work in used many of the same techniques that this software company uses to create Nibble, which also can do positioning using WiFi: http://mmsl.cs.ucla.edu/nibble/. Free. GPL'd source is available too.

    Things to note, however, about any 802.11 tracking software is that its accuracy is poor > 5 meters, unless you are using 5 or 6 *simultaneously* accessible access points (it even states this in the Ekahau manual). Tracking software can be thrown off by even seemingly minor environmental changes like crowds of people etc. Some calibration is also required.

    Don't worry about this shutting down free access points as it is way harder to do location tracking than it is to set up an encryption system (even really good VPN style encryption) or a simple MAC address filter.

    Mike

  13. How this works (not triangulation) by kazad · Score: 3, Informative

    Hi all, this is my first /. post. I did a research project last semester and implemented a system like this, and got about 1 meter accuracy on average.

    Rather than using signal strength for triangulation, you use it to record a "radio map", and compare your current position to the map. The basic steps are:

    1) Walk around a room, recording the signal strength to each AP (so you get a file such as "Access Point #1, Avg signal: 96 AP#2, Avg signal: 74 ..." ). Netstumbler or other software can help you make this file.

    Create a "profile" like this for every location you wish to map (roughly, one every square foot or meter). The number of profiles determines the granularity of the system, but too many profiles can cause "collisions" in the sense that different locations have similar profiles, for some reason or another. There are ways to combat this, one of which is to make an educated guess on the new location based on the last one. (i.e., the user could not have walked over 10m in one interval)

    2) When a user connects, they can compare their current signal strength info ( such as AP#1, signal: 34 AP#2, signal: 74) to the map: the closest point is probably their location.

    I did a simple Euclidean distance calculation (taking each profile as a vector in some large space [cool how the Pythagorean thm. generalizes, eh?]). There are many better ways, which I am researching this semester, but Euclidean distance is fine for now.

    I'm pretty sure this is why they must spend an hour per 10,000 square feet to "calibrate" the system. I had to do the same, but it was a *lot* slower; I need to make a tool to do this automagically.

    This semester I am also looking to get my system working with an iPaq robot running Familiar. It's the combination of the Palm Pilot robot kit and this positioning system. Hopefully, the little robot should know (roughly) where it is, and be able to be controlled via the internet.

    Check out my webpage if you are interested in more details.
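
The radio-map lookup described in the comment above, as an added example that is not the poster's code: nearest profile by Euclidean distance, plus the "could not have walked over 10m in one interval" guess for resolving collisions. The map values, AP names and the treatment of an unheard AP are constructed assumptions.

```python
import math

# Constructed radio map: (x, y) position in metres -> average signal per AP.
# Values are illustrative, in the same arbitrary units as the post's "96"/"74".
RADIO_MAP = {
    (0.0, 0.0): {"AP1": 96, "AP2": 74, "AP3": 40},
    (5.0, 0.0): {"AP1": 80, "AP2": 82, "AP3": 45},
    (10.0, 0.0): {"AP1": 62, "AP2": 90, "AP3": 52},
    (10.0, 8.0): {"AP1": 50, "AP2": 70, "AP3": 78},
    (40.0, 0.0): {"AP1": 95, "AP2": 75, "AP3": 41},  # "collides" with (0, 0)
}
UNHEARD = 0  # assumption: an AP missing from a reading counts as signal 0


def signal_distance(a, b):
    """Euclidean distance between two profiles, one dimension per AP."""
    aps = set(a) | set(b)
    return math.sqrt(sum((a.get(ap, UNHEARD) - b.get(ap, UNHEARD)) ** 2 for ap in aps))


def locate(sample, last_pos=None, max_step=10.0):
    """Nearest profile; with a previous fix, prefer points within max_step metres."""
    candidates = list(RADIO_MAP)
    if last_pos is not None:
        reachable = [p for p in candidates if math.dist(p, last_pos) <= max_step]
        candidates = reachable or candidates  # fall back if nothing is reachable
    return min(candidates, key=lambda p: signal_distance(sample, RADIO_MAP[p]))


def track(samples, max_step=10.0):
    """Locate a sequence of readings, feeding each fix into the next lookup."""
    path, pos = [], None
    for sample in samples:
        pos = locate(sample, pos, max_step)
        path.append(pos)
    return path


if __name__ == "__main__":
    readings = [{"AP1": 81, "AP2": 80, "AP3": 46}, {"AP1": 95, "AP2": 75, "AP3": 42}]
    print(locate(readings[1]))   # without history: the colliding far profile
    print(track(readings))       # with history: stays near the previous fix
```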