Slashdot Mirror
Office Surveillance: Locating And Tracking 802.11b
securitas writes "The NY Times recently ran an article about locating and tracking users of 802.11b WiFi networks in three dimensions using triangulation (Google) with multiple base stations. The goal is to create context-aware networks that can allocate bandwidth and provide location-based services such as uploading relevant information to a PDA. The article can be seen in a new light when coupled with the growth in workplace surveillance of employees by corporate executives (Google / short version at IHT) and the associated practical, ethical and legal problems. Interlink Networks 802.11 wireless detection and tracking white paper (PDF)." (This seems as good a place as any to mention Kensington's handheld 802.11 detector; they claim it to be the only such device on the market today. This is the cheapest detector I've seen; have the others all disappeared?)
I think Radio Detectors work fairly well, too, but they don't tell you whether it's 802.11x or not, so I guess that is pretty good.
The signal gets weaker as it passes through walls. Therefore, the signal strength can not be easilly be correlated to a distance from the base station for purposes of triangulation.
Triangulation traditionally relies on measuring distance through signal strengths and so is limited to an outdoor environment, where the signal loss per kilometer can be predicted with much greater accuracy than in an indoor environment.
The article is short on technical details -- did they somehow also enter a 3D-model of how the building weakens radio signals, and use that in order to create three 3D-shapes at the point of intersection the transmitter can be located? Just like traditional triangulation, but with weirder shapes than simple spheres...
Perhaps a better way would be to use "ping" to check the travel times, rather than the signal strength, compensating for any delays imposed by TCP/IP-stacks and hardware etc. Is this even possible, or is the Signal/Noise ratio just too low?
And an LCD display showing ESSID's...
This is a pretty stupid approach from the communications theory point of view. 802.11b frames contain a pretty long preamble in front of the packet header and data payload. This preamble (basically 11-bit barker sequences convolved with a prn-sequence) have excellent autocorrelation characteristics since they must be used for time and frequency syncronization at the RX station.
By cross correlating the received signal with the (known) barker sequence at all three base stations precision would be increased drastically as it would be possible to measure the actual time lag (->way) the signal took to the receiver.
But rather than the bed, why not just put it in the wrist tag that most patients wear now? Then you wouldn't get any mix ups in the nursery, or any problems when patients go walkabout.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Positioning in office environments using WLAN really isn't that new. Microsoft did it in 2000 with the RADAR system (http://citeseer.nj.nec.com/bahl00radar.html), and loads of people have tried since.
:-(
There are two approaches to it:
1. Use signal strength to estimate range and then multilaterate. This usually does a poor job because you can't match distance reliably to signal strength because of wall attenuation etc. Also, most WLAN systems quantize the signal strength into a few bins.
2. Pattern recognition. Have a calibration phase where you put the device in lots of positions around the office, measuring the signal strengths to various stations. Record all this. Then try to match what you're seeing to this database of strengths to localise yourself. Problem is, the radio environment changes VERY easily, so you need lots of points in calibration. Plus, if the environment changes, so do the signal strengths!
The best I've seen for a WLAN system achieved accuracy to about 2 metres. That used quite a few WLAN dase stations, too. And they had a fair error on that too - enough that you wouldn't be able to guarantee which office you're in...
Location indoors is a tricky business. It's an active research area. The best so far is based on ultrasonics (the Bat system at (www.uk.research.att.com/bat). UWB looks good too (www.ubisense.net).
there used to be idetect, from www.idetect.co.sg.
based in singapore, i mailed them for prices, but they only had a product samples available, no real production was going on. now their site is down, have they dissapeared? their wifi finder was featured in wired magazine a few months back.
Erricsson MPS allows for location aware services on GSM phones. I've seen a demo from a WAP (hehehe) site that showed your location on a map, but that was a few years ago. I haven't seen anything after that.
ERRICSSON'S MOBILE POSITIONING SYSTEM (MPS)
The Ericsson mobile positioning system (MPS) (to be delivered to the Taiwanese company) is a server based solution that allows positioning services to be introduced into any GSM network that has Ericsson switching systems. The system will work with any GSM standard radio network and all existing GSM phones. At the heart of the Ericsson MPS is the mobile location centre (MLC), a system that allows user applications to access position information for GSM phones. An application programming interface (API) will be available to allow the development of custom applications. The MLC also handles access security and protects subscriber privacy by allowing GSM users to choose whether or not their phones and other devices are tracked.
Could this be used to stop war-driving, by not letting anybody in that hadn't the right 2d/3d position (eg: inside the company)?
It would probably not stop sniffing, but possibly it could prevent a break-in?
It occurs to me that this system could seal a major hole in the concept of wireless security. As we all know, the biggest problem with trying to lock down a wireless network is that it's basically just a radio broadcast and anyone within range can easily tap into the signal (whether they can get anywhere from there is another matter, but theoretically it's always possible to crack through software guards). But if the triangulation worked well enough, then a system could be set up to, say, detect if a client is sitting on the ground in the alley next to the building, and if so shut off the connection to that client. Or it could be used to limit wireless access to only clients in certain offices or floors - no access for random people in the lobby, for instance.
Karma: Chameleon (mostly affected when you come and go, you come and go)
About 3 years ago, researchers at MSR created a system called RADAR, that tracks users based on RF signal strength. At around the same time, researchers at MIT created Cricket, which does the same thing, but with auxilliary hardware.
The novelty here is simply *tracking* users instead of letting users locate themselves, and then optionally telling everyone else where they are. That's what makes this story sexy (oooh, they can see where I am!) But, users are much more likely to adopt one of the above approaches to location.
Following the links, Kensington doesn't list an MSRP or sell it directly, but the other links indicated the "going rate" for the toy is $22.00, and I think that's well within budget for a computer toy.
It could really use an external antenna though. If it had this, (or if the unit itself exhibited some amount of directional reception?) then it would be much more useful to find the actual location (down to say, which building on the storefront) the hotspot was at. The closer bench gets the better connectivity!
Maybe someone will post a hack shortly that shows how to jurry-rig an antenna port on the little bugger. I'd also like to "me too" a previous post that suggested an external power connection. Just keep the puppy sitting on your dash whilst driving around town until the green lights start climbing up.
Was anyone able to spot where these could be bought at? (this really looks like something ThinkGeek would carry)
I work for the Department of Redundancy Department.
I bought mine yesterday at the local Best Buy and they had at least a dozen. There's probably not a huge demand for this in Indiana though...
The thing doesn't work all that well. You press the button, then for two minutes it scans. I was 10 feet away from my WAP and it didn't show a signal. 8 feet: full signal, 12 feet: full signal - all within line-of-sight. It's a fun toy for $30, but It'd not a very practical/reliable tool.
Although it is fun to walk around downtown holding this little credit-card looking thing and acting like you're searching for radioactive emmisions... People get nervous when you point it at them and yell "Ah ha! It's YOU!" especially when it's right in front of a Borders book store and it's lit up like a Christmas tree.
Self realization: I was thinking of the immortal words of Socrates, who said: "I drank what?"
does not surprise anyone.
whereas before WiFi, a boss had to actually get up and ask around "have you seen Joe?" now he asks a computer by clicking on Joe's computer icon.
having worked in low-tech high surveillance offices before, I can tell you that this approach to managing people creates a really nasty environment. I can only imagine how much a high-tech high surveillance office would breed employee paranoia.
There is a whole market niche in medicine for location tracking, which includes beds, patients, and equipment. If seen products based on RF, and the RFID things are just starting to influence these products.
I've also seen products based on IR, where there are sensors along the ceilings and the IR transmitters are on the tops of devices to be tracked.
FDA Guidlines
A Vendor group here
One vendor's explanation here
Sleep is for the Weak
I don't believe this is covered by an NDA, because it was presented to the "general public" at Cisco Networkers 2003 and certain questions could not be answered in this general session because the speaker said he didn't know who had an NDA or not (implying anything he presented was not covered). So...
The 2.5 version of the Cisco WLSE due out in the Fall timeframe is supposed to have rouge AP detection. You would import the floor plans of your building into the system and place the APs where they are installed. The APs would use a new protocol to report information up to the WLSE (using a WDM [Wireless Domain Manager I think]) to store all the info (the WLSE would pull the info from this device, which right now is a designated AP but is supposed to be moved up into switch and router code so that they could host the information). You can then display maps with "hot" spots indicating the true triangulated location of rouge APs.
Other features include the ability to do a FA (Facilities Analysis) by using a special mode that temporariy puts all APs on the same channel and at max power. You would then walk the premesis with a laptop and it would take readings. The WLSE then would automatically program all the APs with appropriate channel information, and power ratings, for the best coverage.
Another big feature is that if an AP were to die the WLSE would automagically program the surrounding APs to boost their power to cover the "hole" in coverage temporarily until the AP could be replaced.
Technology is also supposed to be integrated into the CCX equipment, which almost all other vendors have signed up for, so that you can get true RF bandwidth utilization. So, not only APs but wireless cards in laptops, handhelds, etc, will all participate in taking bandwidth readings (how much of the time is someone transmitting) to create a true reading. It may also be possible (this is just a guess on my part) to create "hot spot" projections on your imported maps, so that you are told where a lot of wireless users are congregated, prompting you to install additional APs and lower the power on them so that you create more "cells" that are smaller to handle the larger load.
All in all, some pretty neat technology.
One pertinant thing I noted in the article was the following:
As part of that work, Dr. Junglas modified a Wi-Fi network that operated in the business school's two buildings so that each of its many base stations had a radius of about 15 feet.
Emphasis mine. This is an insanely dense network of AP's! At over $100 a pop for a cheap one, it seems wildly impractical to simply use stock access points with software corelation to figure out where people are - assuming such density is required.
In a commercial deployment, AP's are going to be deployed in such a way as to give good coverage without costing too damn much. ie: as few AP's as will give adequate coverage for the site.
There are other solutions, of course. Using a phased array antenna (sorry, no cool rotating dish) to get a direction and using signal strength to approximate range (random attenuation in the site will have a large affect on accuracy) or using multiple antennas in fixed locations to triangulate a source location (the more vectors you can get, the more accurate your fix will be) Using signal timing between different AP's (time difference between arriving signals) is plausible, but would add considerably to the cost (current AP's aren't equipped with ultra accurate clocks and transmission times over the network aren't accurate enough for the purpose.)
Phased arrays for direction finding use precise measurements between antenna elements to get their accuracy. They effectively use a harmonic tone to determing the shift angle between antennas, and thus the relative direction to the source. Accurately placing and orienting the AP's would be vital.
Locating wireless source points isn't exceptionally hard, and could be rather useful. But accuracy costs. Existing AP's would give limited accuracy, so this study used lots of them. More acurate location capability on an AP would cost more.
Take your pick.
Never attribute to malice what can as easily be the result of incompetence...
The signal gets weaker as it passes through walls. Therefore, the signal strength can not be easilly be correlated to a distance [...]
Perhaps a better way would be to use "ping" to check the travel times, rather than the signal strength, compensating for any delays imposed by TCP/IP-stacks and hardware etc. Is this even possible?
It's possible. But IMHO indoors the variability of the response time of the processor to the message will probably introduce far too much jitter for the result to be useful. Finding the right neighborhood, or even the right house, yes. Finding the right desk, no.
But I understand that some of the underlying net-discovery and scheduling protocols (where the cards are talking directly to each other and picking times to transmit) give you a much better measurement of transit time, which may be good enough for the purpose.
Perhaps someone with more intimate knowlege can fill us in.
= = = = =
Given a good measure of transit time, two base stations can construct a hyperboloid on which the mobile is located. (With uncertainty it's actually the space between two hyperboloids.) Add a third and you intersect two hyperboloids, giving you a curved line. Add a fourth and you've got it located to a single point (or two points if all four bases are in the same plane).
It's basically GPS or LORAN run backward (with an extra base station relative to LORAN to give you altitude, since you don't know you're "on the ocean's surface").
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way