Blog: How Tos

How can I be tracked using my mobile devices? Here’s how…

consultant-placeholder10 Ken Munro 13 Feb 2014

Wireless access point hacking has been pretty much done to death. There are some interesting attacks around spoofing RADIUS in WPA protected environments, but not that much more.

My interest is in the wireless client probe requests, similar to the Snoopy project’s interest in tracking and profiling mobile users through the use of WiFi. However, I haven’t got the time to go placing and maintaining wireless client sniffing sensors around UK cities.

Let’s say I want to target someone in a particular business, and I need to do it wirelessly for a number of possible reasons. I don’t know who my victim is, I just need someone from that office.

I walk past their office with something like airodump running, listening for probe requests. I get a stack of results, all jumbled up with other devices walking by the office, driving past, on a bus etc.

The busier the street, the more difficult it gets. Too much ‘noise’ to sift out the target devices. I could use a directional antenna to narrow the signal, but I’ll probably get attention from the Police as a result of pointing it places. Seen the BlueTooth sniper rifle? How that guy didn’t get shot, I’ll never know.

A 5 minute client stumble on a busy street in London last week found >1000 clients making probe requests. How was I going to narrow it down to the clients I wanted from that office?

It was simple when I thought about it. Just do it again! By leaving it an hour or two before doing a second stumble I could identify the static devices, those not moving out of range as they walk/drive/bus off to somewhere else like people who aren’t workers there.

Once I’d identified them all I had to do was come back after office hours for a third stumble- and get soaked in the rain. If they had disappeared in that time, there was an even higher probability that they were wireless devices owned by members of staff.

All the wireless clients that were consistent between stumble 1 and 2 were therefore likely to be inside the office I was interested in. If they disappeared in stumble 3 after the office shut, there was an even higher probability that they were the wireless devices that were owned by members of staff.

So, we now had a list of mobile device MAC addresses, and also a list of the client networks they were probing for. A quick lookup on ( (needs an account) and we can start building a picture of where the employees live. The home access points the clients were probing for are often mapped during war drives, hence we can see their GPS coordinates.

And now, should I want to, I can track the employees of the business wirelessly.

Want a stolen laptop to order? Maybe use a Wi-Fi Pineapple to grab domain creds or social media creds?

There are plenty of other ways to track people, but I think the principle of aggregating and diffing multiple client probe stumbles is quite useful, and besides, I feel better about getting soaked now!

Reminder: Turn off your mobile device Wi-Fi when you’re not using it.