WiFi Triangulation

mikegroovy writes "WiFi software tracks you down: 'Positioning technology company Ekahau has released an updated version of its software, which allows devices to be physically tracked when they are connected to an 802.11 WLAN network.' Maybe connections that are made from the street(or outside of a predefined area) could be automatically disconnected... It may spell an end to warchalking."

Good God, are you Clueless?

[Henry+V+.009]

Hint: War-chalking happens because people are clueless about their networks. The problem is networks that let everyone on board by default without any encryption.

Re:Good God, are you Clueless?

[LarsG]

Anyway, 128-bit WEP (actually just 104 bits) isn't safe.

We all know that. But an AP with WEP enabled is the digital equivalent of a "no trespass" sign, while an AP with no security at all is either set up by a clueless newbie or is deliberately left open to allow other people to get Internet access (which I'll do once I go wireless in my apartment).

In order to promote public accesspoints, I'd prefer that the law doesn't consider it trespass to use an unsecured AP for Internet access.

Re:Good God, are you Clueless?

[Zeinfeld]

It took me all of 30 seconds to enable 128 bit WEP and create a key on my new Linksys 802.11b router. Honestly, how hard is that for people to do?

Not hard but unfortunately not secure either. Due to a broken design the WEP mk1 scheme only gives 24 bits of security regardless of whether you have the 128 bit or 40 bit cards.

However this has since been fixed, and the fixed cards will be available fairly soon. In addition the new cards fix the original major inanity of WEP, the single key shared by every card. The newer cards will have built in certificates to suport 802.1x authentication.

While the triangulation scheme might be used for security purposes, it is no replacement for cryptography. In the first place the scheme appears to be working on signal strength rather than the arrival time of the signals. That is easily spoofed. Arrival time of the signals would be hidously expensive to do right (I used to do that type of thing, but not with IP routers and bridges in the way...)

It might be useful to use triangulation to detect when people were entering an leaving cells, but that can probably be done by just choosing the strongest signal.

I can imagine using this type of thing to track down criminal suspects, the sort of thing that the FBI have fun doing. It is not a replacement for cryptography and probably not even as secure as WEP mk1.

heh

[wolfgang_spangler]

"Ekahau reckons there is a market for networks used primarily for location-based purposes as opposed to carrying other data. "

Can't remember the last time I saw the word, "reckons" in a major publication. I reckon it was some time ago.

end to warchalking?

[cosyne]

Not likely. The systems that get picked up by war____ers are generally the ones that someone took out of the box and plugged into the wall. Anyone who bothers to set up a triangulation system would probably already be using MAC restriction or other security measures. (Technically, you can still see a secured network and mark its location, but you could do that with a triangulation-restricted network too).

oh, the irony...

[jaredcoleman]

There are a lot of benefits to having this ability. At work, I can now equip our parking officers with wireless PDA's and soon I will be able to make sure that they are not sleeping in the lobby of some building instead of writing parking tickets. Maybe they will actually be out to ticket people parked illegally while attempting to warchalk from their vehicle! Now that's irony!

Not so new...

[BrunoC]

You should take a look at this article. Students at Dartmouth College have been using / developing wi-fi tracking systems for a while now. A nice way to track down your buddies at the campus.

802.11b Tracking

[Wrexen]

One way to get around a measure like this is to obtain a surface which can reflect EM radiation at 2.4ghz, such as AMQ coated polycarbonates or crystalline-structured metallics. By using a small set of these "mirrors" at strategic locations, you could fool the software into thinking you're actually receiving from inside the CEO's office.

Since most modern triangulation techniques, including Ekahau's, depend on standard mathematical models of radius delta-reduction, it's trivial to set up your reflectors in such a way that the tracking mechanism can't deduce a logical place for your signal to originate from. Hopefully as location-spoofing becomes more commonplace, the government won't enact any laws restricting the use or registration of EM reflective surfaces.

Constantly diminishing signals are rare in RL

[addikt10]

Triangulation of EM is based on the assumption that the strength of a signal will diminish with the square of the distance from the source, or some other constant function with other signals.

When was the last time you were using wireless (especially through a wall) that had the same range from the access point in any direction?

I can't picture it working in a supermarket, with the metal shelving, compressors for the cold storage, etc. Sure, in a lab it'll work great, but with any kind of range or non-uniform building structures, not a chance.

Bah!

[NeoPotato]

I used to find people by pinging their computers! I'd ping a friend's laptop (using their Windows computer name), look at their IP, then go find them on campus. I think I scared a few people when I'd say "Stay right where you are" and walk over to the study room where they were hiding.

Although I guess using triangulation accurate to a meter would let me say "You're on my spot on on the couch. When I get back from class, you gotta move."

Uh oh

[dr_dank]

I found a new open network near my girlfriends apartment,opened up my browser to /. and saw this as the lead story.

Perhaps I'd better log off now....

Re:Uh oh

[Dr.Luke]

Mod up! This slashdotter has a girlfriend. That's much bigger news than WiFi triangulation!

Re:Uh oh

[Fnkmaster]

Funny thing happened the other day. My friend was over, opened up his laptop in the living room of my apartment, and started browsing. We had been making some DNS changes to a site we own, and he was checking them out, and told me they had propagated. I checked on box, and couldn't see them yet. This had us stymied for about 20 minutes until he checked his current IP address and hostname, which showed clearly that he was on Verizon DSL, whereas my apartment has ATT BB Cable - he was using the default Linksys SSID and his 802.11b card had picked up the neighbor's wireless access point accidentally. Whereupon we also discovered that we were easily able to use the default Linksys password to get onto the neighbor's router. Oh, and we found that our neighbor had three Windows boxes with open shares on them (nothing interesting in the shares though).

For a brief moment, I questioned why I am paying for a landline feed and not just piggybacking bandwidth off of my hapless neighbors.

How does it work?

[Omega+Hacker]

I can think of several ways it might work, but all of them present significant challengs. Relying on relative signal level would be ludicrous, because signal level changes dramatically with card orientation, reflections, and whatever's in the middle. Heck, I get significant variance in signal level on the fixed links between the antenna on my roof and neighbor's sites.

Using a GPS-like timing comparison might do the trick, but it's set up backwards. With GPS you have a bunch of atomic clocks in orbit, and one device correlates the relative signal phase between them. With APs, you have to have extremely accurate timing across all the APs, which is a very hard problem (I've researched it...). Once you have that, you can compare reception times of a packet from the device being tracked, and triangulate. Problem is 1 meter accuracy represents some scary clock accuracy numbers across several APs with just an Ethernet between them.

If anyone can think of any other way to pull this off (WITHOUT modifying the client, and ideally without any special hardware, i.e. implementable in the HostAP driver), post them here.

What about this

[iamdrscience]

Triangulation works great in two dimensions, but when you use a third you have to do quadrangulation (is that even a word? I'll bet it is) like say you work for a company in a five story office building, when you triangulate where a person is in relation to you distance wise and in which general direction, but you don't really know where he is, maybe he's 15 meters in front of you and maybe he's 5 meters in front of you, but three floors down. They could both register as the same with triangulation. I will start the quadrangulating WiFi revolution.

Re:Assimetric aerial (and a new hobby)

[driehuis]

Yes, it will confuse it.

Their method will probably even fail if you switch WiFi cards. I've got a Compaq WL110 which has a range of about 10 feet. My Lucent card on the other hand sees the access point from 100 feet, without line-of-sight (I assume the radio waves bounce off the ceiling through the window; no other way to explain _that_ range).

My access point has antennas that can be moved into different polarisations, and in an off-colour configuration, access without line-of-sight becomes really spotty: it works in one place, and a few feet to the side it stops.

But it seems to me the point of the seller is not to track abusers, but rather to track known-good devices in a known area. That alone is a cool concept, if you see what contortions people go through now when designing warehouse positioning systems. I've seen the results of an automated fork lift running through the wall of a warehouse because the reflective pad that marked the end of the aisle was covered in grime.

Hmmmm, I can envision the next hobby: sit outside a warehouse with a 2.4GHz klystron, wait until you hear the fork lift come down the aisle, then switch on the jammer and watch the fireworks :-)