
WiFi Triangulation 233

mikegroovy writes "WiFi software tracks you down: 'Positioning technology company Ekahau has released an updated version of its software, which allows devices to be physically tracked when they are connected to an 802.11 WLAN network.' Maybe connections that are made from the street (or outside of a predefined area) could be automatically disconnected... It may spell an end to warchalking."
  • Finally (Score:2, Insightful)

    by rice_web ( 604109 )
    I hate the thought of other users being able to access my wireless connection. Even though I rarely have important files that I'm concerned about, it's nice to have some security.
    • Re:Finally (Score:2, Informative)

      by LarsG ( 31008 )
      ...then enable some security on your AP! Even the cheapest APs available today support at least WEP, and it should take you about 30 seconds to enable it.
      • Re:Finally (Score:2, Interesting)

        by Anonymous Coward
        it should take you about 30 seconds to enable it.
        And about 30 seconds to get through it too :P

        Actually, how long it takes to work through WEP depends on how much traffic you create. There are a few ways to use RC4 that really cut down on its security; WEP does most of these things.
        • Re:Finally (Score:2, Informative)

          by monthos ( 591823 )
          It takes much longer to crack it than 30 seconds. The reason it can be cracked is because of an insecurity of WEP encrypting a file every now and then weakly (still encrypted, but very weak); after you collect about 1000 of these packets, software can determine the key from them.

          On a not very used network it can take over a day to collect the desired packets to crack it; on a heavily used network, a few hours.

      • Re:Finally (Score:3, Informative)

        by mrjohnson ( 538567 )
        That's what my boss thought, too. You should be able to crack a somewhat busy network using 64 bits in about eight hours with AirSnort. It took me about sixteen to recover the password (longer because it was just one host and me running `ping -f -c 1 wifi` from my desktop).

        WEP will only deter the laziest script kiddie... Sorry. :-)
  • by Henry V .009 ( 518000 ) on Saturday October 19, 2002 @07:30PM (#4486954) Journal
    Hint: War-chalking happens because people are clueless about their networks. The problem is networks that let everyone on board by default without any encryption.
    • It took me all of 30 seconds to enable 128 bit WEP and create a key on my new Linksys 802.11b router. Honestly, how hard is that for people to do?
      • It takes me all of 30 seconds to program my VCR, but most non-techies can't do it.

        Anyway, 128-bit WEP (actually just 104 bits) isn't safe. The crack just takes twice as long.

        • by LarsG ( 31008 ) on Saturday October 19, 2002 @08:08PM (#4487187) Journal
          Anyway, 128-bit WEP (actually just 104 bits) isn't safe.

          We all know that. But an AP with WEP enabled is the digital equivalent of a "no trespass" sign, while an AP with no security at all is either set up by a clueless newbie or is deliberately left open to allow other people to get Internet access (which I'll do once I go wireless in my apartment).

          In order to promote public accesspoints, I'd prefer that the law doesn't consider it trespass to use an unsecured AP for Internet access.
        • But you would expect a VCR technician to be able to do it, so a network administrator should know how to set up their wifi network. It's a different story for home users, but a lot of the warchalking seems to be for companies.
          • by RollingThunder ( 88952 ) on Saturday October 19, 2002 @10:17PM (#4487780)
            You underestimate the people in marketing, sales, etc who have no techie training, but are quite happy to go and buy a WAP, and plug that in at their office, so they can one-up their co-workers.

            That practice is one reason that even clued network admins need to regularly recheck their networks for APs. Rogue ones will forever be a pain in the ass.
            • I'm not sure this "party line" of "check your network often for rogue APs" is all that sensible of a solution.

              I'm not saying there's anything wrong with doing it, if you so choose. I just feel like it's playing "whack a mole" with a technology that network admins would be better off dealing with "head-on".

              If a given environment requires a high level of security from people outside the building gaining network access, they should make efforts to block the radiation of the wi-fi signal beyond their perimeter. A Faraday cage of sorts could be constructed to shield the signals from getting out. This might make a lot of sense in the construction of new bank buildings, for example. (Just place wire mesh behind the drywall that goes up against outer walls.)

              For those unwilling to go this far to solve the problem, it still seems like good network practices should "save the day". Let's say, for example, war-driver X does find your sales guy's new, unsecured access point, and gets on your corporate LAN. How is he/she any different from a visitor who decided to plug his laptop into an available network port when he sits down in one of your company's conference rooms for a meeting?

              In both cases, you'd assume the person wouldn't be able to do much more than get issued a valid IP address and be able to "ping" stuff. He/she doesn't have a username or password, so therefore, no security granted to modify or open any resources. (Or is your network lacking security on important files and/or directories, so all users get default access? If so, *there* is your primary issue!)

              Even if your only concern is that war-driver X not be able to bum free Internet access off of you - that's solvable too. If you set up a front-end that requires authentication before using the web (or ftp), you can stop that. Of course, your employees might resist the inconvenience of having to "log in again" to use the net each time.... but hey, you should really be logging what sites they're visiting anyway if you're concerned about security and legal liability.
              • You raise some good points, but Joe Salesman plugging in an AP - even if it's already strictly against policy - will usually be a big problem.

                If conference rooms are set up to allow outsiders, then if you're sane (and you were able to get your bosses to cough up the money, admittedly), it's set up in a DMZ of its own, unlike the internal networks.

                Now, I set up my DHCP in a paranoid fashion - if I don't know the MAC, it doesn't get an address... but that's often not workable for bigger places, and if the WAP-adder has enough technical savvy, he may realize he needs to make his WAP pretend to be his old box by MAC, and get on that way. If the WAP is handing out its own addresses to those that connect by it, now you can't MAC filter anymore.

                And once the person's on the inside LAN, a little bit of arpflooding (which, admittedly, your IDS should be picking up, but folks often don't have them internally because of the false alarms all the time) will make the switches failover and start acting like hubs - and he can sniff away at traffic to get passwords.

                In essence, I view it not as re-checking for APs specifically, but just another part of the constant check and recheck of your setups that you need to do to see if something has been changed in a way to break access controls that exist. HIDS, NIDS, tripwire, etc all factor in to this; making sure you haven't opened up a new vulnerability is just part of the big picture. It won't make you safe in and of itself, but neither should it be ignored based on trust that the rest is all "strong enough".
        • by Idarubicin ( 579475 ) on Saturday October 19, 2002 @10:13PM (#4487757) Journal
          It takes me all of 30 seconds to program my VCR, but most non-techies can't do it.

          This may be an important consideration for home wireless networks, but no excuse for corporate networks. Any business that has a "non-techie" building their network is inviting a whole lot of trouble--most of which probably won't be coming to them through their wireless AP.

      • It takes only 45 minutes for me to airsnort the WEP password of your network. Honestly, how hard is that for us warchalking people to do?
        • that 45 minute figure assumes that lots of data is being thrown around across it, and that nobody's going to notice you staying in the same place near their building for that length of time, loitering and looking shifty :)
        • Yes, but it's something that I would not do, whereas I have no problem using open bandwidth. The difference? One is using something that is (intentionally or not) provided for people. Like a drinking fountain. If one sees a drinking fountain, it is presumed that it is available to everybody. Now, you can hang around a food place in a mall, wait until they are not looking, and grab soda from their soda fountains - heck, even swipe food from them. But that's theft. You *know* you're not allowed, even if their security is 'easy to get past'.

          The difference between what is wrong versus what can be done seems to be something some people cannot grasp. Bike locks are easy to break. Are you out stealing bikes while warchalking?


      • by Gruturo ( 141223 ) on Saturday October 19, 2002 @08:04PM (#4487162)
        It took me all of 30 seconds to enable 128 bit WEP and create a key on my new Linksys 802.11b router. Honestly, how hard is that for people to do?

        It will take AirSnort all of 30 minutes to crack your 128-bit WEP encryption since it is so badly flawed that I'd rather go _without_ it.

        Really, _don't_ trust WEP. Search Google or Ask Slashdot about cracking it, have a look at what you'll find.

        The only reachable IP on my 802.11 net is the IPSEC gateway.
        • Last time I checked, airsnort and other wireless crackers needed on the order of millions of packets in order to determine the key for a weak key.

          Maybe you generate that many packets in 30 minutes (NOT), but the researchers said that it would take about a day to get the key from a network of active office users, and a few hours if the network is maxed out.

          Your average home user won't generate that many packets in a week (except, perhaps, those playing quake) and only their neighbors will have the patience and opportunity to grab keys for a week without being caught.

          You should change your WEP as often as you change your passwords. Doing these things will keep freeloaders and those who are looking for an easy-to-break-into network out. If someone is determined enough to break into your network, it won't matter what you do, they'll manage a way in. Even you know that if your life depended on getting access to someone's home network, even with ssh, ipsec, etc, you could do it through other means.

      • by Zeinfeld ( 263942 ) on Saturday October 19, 2002 @08:11PM (#4487209) Homepage
        It took me all of 30 seconds to enable 128 bit WEP and create a key on my new Linksys 802.11b router. Honestly, how hard is that for people to do?

        Not hard but unfortunately not secure either. Due to a broken design the WEP mk1 scheme only gives 24 bits of security regardless of whether you have the 128 bit or 40 bit cards.

        However this has since been fixed, and the fixed cards will be available fairly soon. In addition the new cards fix the original major inanity of WEP, the single key shared by every card. The newer cards will have built in certificates to support 802.1x authentication.

        While the triangulation scheme might be used for security purposes, it is no replacement for cryptography. In the first place the scheme appears to be working on signal strength rather than the arrival time of the signals. That is easily spoofed. Arrival time of the signals would be hideously expensive to do right (I used to do that type of thing, but not with IP routers and bridges in the way...)

        It might be useful to use triangulation to detect when people were entering and leaving cells, but that can probably be done by just choosing the strongest signal.

        I can imagine using this type of thing to track down criminal suspects, the sort of thing that the FBI have fun doing. It is not a replacement for cryptography and probably not even as secure as WEP mk1.

        • Don't forget, arrival times (read: ping) can also be spoofed from the client side easily (this might require mods to the NIC's driver). So even if arrival time based triangulation were implemented, it could also potentially be bypassed.

          This is not a replacement nor a supplement for security. I am unaware of any type of triangulation system that cannot easily be spoofed by a sufficiently smart person.

          This is a neat trick you can use for practical purposes (such as smart shopping carts in grocery stores, cheap "GPS" in the city, etc.) but worthless for security, etc.

          If anyone thinks I'm incorrect, please reply. It would be interesting to hear other people's ideas on spoofing triangulations.
          • There's simply no way that the triangulation is based on ping times. They're talking about measurements of less than a meter, which is on the order of 3 nanoseconds at c. Much more sensible is to triangulate based on signal

            Yes, signal strength can be spoofed *downward*, but for commercial cards, it can't be spoofed *upward*, significantly, without the spoof being clearly detectable. Therefore, I disagree: It is a very useful supplement to perimeter security. The ability to defeat does not invalidate a security measure, unless the effort and expense involved is below the cost/benefit threshold.

      • How hard is it for people to do?

        It's not that it's hard, it's that the kinds of people who are generally setting these things up have been roped into doing so, and often don't have the first clue about security in general. Nor do they care - they're not usually frontliners who deal with security breaches on a day-by-day basis, and probably couldn't detect a security breach if/when it happened to them.

        Very few SMEs - at least in Australia - 'can afford' to hire a fulltime sysadmin with any level of security knowledge. Sad, yet true...

    • by Anonymous Coward
      so because a network isn't under the tightest security possible everyone has the right to go in it and do as they will? i know, i know: people *are* going to take advantage of those networks because they are there. but i don't think you can justify it by saying the security was lax.
      • I didn't attempt to justify it. But as for lax security...

        For most of these networks, a normal functioning laptop equipped with a wireless card will automatically sign on to the network with no input from the user at all, just by bringing the laptop into the general vicinity.

        No it's not lax security. I think it qualifies as no security at all.

        And if you make absolutely no attempt at privacy, if you put your computer network outside in public places (the street), then no, you don't have much right to privacy.
    • I could be wrong, but I thought the point of warchalking was to mark your _own_ wireless network so that others could use it.

      • Warchalking gets its name from wardialing...where users would dial numbers until they found a computer that answered (see War Games).

        Warchalking is like walking around with a wireless device, finding a signal, and marking that fact. Usually that is not done by the people running the network.
      • You are, in fact, wrong. Wolfgang is right in his description of the relation between warchalking and wardialing. That covers the "war" aspect. The "chalking" aspect is derived from the marks hobos would use indicating safe places to sleep, houses with guard dogs to avoid, farmer's daughters to sleep with, etc... The nomadic lifestyle leaving marks for other nomads saying "hey, there's something interesting here."

        Normally, then, the owner of the network would not be party to either the "war" or "chalk" methods.
    • No, I'm not clueless, and I let everyone on board my wireless LAN without any encryption or password protection on purpose. Also, besides giving away bandwidth that I pay for to people I don't know for free, I have been known on occasion to do this with software that I write. No kidding! I just put it up on a web site and people I've never met download it for nothing. Amazing!
  • heh (Score:5, Funny)

    by wolfgang_spangler ( 40539 ) on Saturday October 19, 2002 @07:32PM (#4486963) Homepage
    "Ekahau reckons there is a market for networks used primarily for location-based purposes as opposed to carrying other data."

    Can't remember the last time I saw the word, "reckons" in a major publication. I reckon it was some time ago.
    • His use of the word "reckon" is either serendipitous or clever because it is also a part of naval and aeronautical navigation jargon. To some people, it connotes trigonometry.

      "Dead reckoning" is triangulation of your location based on your previous location and the speed, direction and duration of your travel.

      I suspect it got its name from a bunch of hippies trying to find a Jerry Garcia concert ;-)

  • cornell (Score:2, Informative)

    by Anonymous Coward
    there was an article in wired about students using triangulation in 802.11b networks for all kinds of crap. since they only have a wireless lan there, professors and students write software for it because everyone uses it on their laptops and pdas
    • Re:cornell (Score:2, Informative)

      since they only have a wireless lan there,

      That's quite amusing, as I appear to be writing this comment from *on-campus* over a *land line*. But our operating systems course does feature an ad hoc routing assignment which uses handhelds w/ wireless ethernet cards.
  • some additional info (Score:4, Informative)

    by t0rnt0pieces ( 594277 ) on Saturday October 19, 2002 @07:33PM (#4486969)
    For some more info check out the company's website [ekahau.com]. Here's the page on EPE [ekahau.com]. Looks like pretty neat technology. Easy to set up and accurate to within 1 meter. I doubt warchalkers will be deterred though. :)
    • Not really clear on how much cooperation is needed from the "tracked device". The fact that the Ekahau site lists requirements for such devices is a bit confusing.

      And yeah, yeah, triangulation and signal strength and stuff, but does this software do it the hard way or depend on the truthful clients?

  • by cosyne ( 324176 ) on Saturday October 19, 2002 @07:34PM (#4486970) Homepage
    Not likely. The systems that get picked up by war____ers are generally the ones that someone took out of the box and plugged into the wall. Anyone who bothers to set up a triangulation system would probably already be using MAC restriction or other security measures. (Technically, you can still see a secured network and mark its location, but you could do that with a triangulation-restricted network too).
    • by jtree ( 612760 )
      This technology cannot currently triangulate a war{driv,chalk,walk}er.

      I'm a researcher at Carnegie Mellon University who has been implementing this same system for the last two years.

      This type of system relies on the client (pda/laptop) to gather the raw information for triangulation and send it to the server.

      No accesspoint (that I'm aware of) is capable of gathering the information needed for triangulation.

      An accesspoint only knows the signal strength between itself and its connected users.
      Triangulation requires the signal strength between the client (pda/laptop) and at least three nearby accesspoints for 2d triangulation.
      Current accesspoints do not record or calculate information for clients that are not currently connected to themselves.

      It would be possible after modifying the firmware on the accesspoints. The manufacturers have been extremely reluctant to give this information out (even under NDA.)

      The most accurate information that could be gathered about war{driv,chalk,walk}ers is which accesspoint they are connected to.

      Joshua Tree
      • This technology cannot currently triangulate a war{driv,chalk,walk}er.

        Well, I dunno. The implication is that the APs can triangulate, but i don't see anything in the article saying it's not the client doing the triangulation. Or maybe they have a deal with some manufacturer to get more info from the AP, or maybe you have to set up a computer with a PC card. Ooooor, you could just set up some simple 2.4GHz receivers which give you signal strengths and/or delays for triangulation (although that's pretty clearly not what these guys are doing).

        PS- you forgot warflyers [slashdot.org].
  • by gad_zuki! ( 70830 ) on Saturday October 19, 2002 @07:36PM (#4486985)
    >It may spell an end to warchalking.

    I thought that warchalking existed more for those who are offering wireless access to alert others than revealing the open status of another's network. Any warchalkers want to chime in? Are you guys mostly ID'ing your own WAPs or the WAPs of others?
  • range? (Score:3, Interesting)

    by bogusbrainbonus ( 547948 ) on Saturday October 19, 2002 @07:40PM (#4487009)
    So they can triangulate on you and determine the position up to one meter, but from what range?

    The 802.11b network at my school fails after 50 feet.

    Don't throw away that chalk just yet!

    • So they can triangulate on you and determine the position up to one meter, but from what range?
      The 802.11b network at my school fails after 50 feet.

      ?? If you are within range, you can connect, but you can be tracked (and thus expelled if intruding).
      If you are outside range, you can't be tracked, but you CAN'T CONNECT EITHER.

      So the idea holds true regardless of the range!
    • Re:range? (Score:2, Informative)

      by NDeans ( 611232 )
      The reason your school network fails at such a low range is because of sub-standard installation. They are most likely using the "rubber duck" antennas that came with the APs and, probably placed them in an area that is behind rows of steel lockers on more than one side. A couple of omnidirectional dome antennas installed in the ceilings in strategic points throughout the school, and you'll get an awesome signal from anywhere. As far as the supermarkets having range issues, I seriously doubt they'll have any problems. The next time you go to a supermarket look around. What do you see? OPEN SPACE! The only walls in there are the 7½' aisles. With 12' and higher ceilings, all they will need are three moderately high db gain 120 antennas and they'll have the whole store getting signal strength like you were sitting next to your AP at home. And who says that they'll go for 11b when most won't be implementing this type of service for at _least_ 2-3 years (In the US anyway).
  • by jaredcoleman ( 616268 ) on Saturday October 19, 2002 @07:41PM (#4487011)
    There are a lot of benefits to having this ability. At work, I can now equip our parking officers with wireless PDA's and soon I will be able to make sure that they are not sleeping in the lobby of some building instead of writing parking tickets. Maybe they will actually be out to ticket people parked illegally while attempting to warchalk from their vehicle! Now that's irony!
  • Not so new... (Score:5, Informative)

    by BrunoC ( 540199 ) <brunoc.gmail@com> on Saturday October 19, 2002 @07:41PM (#4487015)
    You should take a look at this [wired.com] article. Students at Dartmouth College have been using / developing wi-fi tracking systems for a while now. A nice way to track down your buddies at the campus.
  • 802.11b Tracking (Score:5, Informative)

    by Wrexen ( 151642 ) on Saturday October 19, 2002 @07:45PM (#4487037) Homepage
    One way to get around a measure like this is to obtain a surface which can reflect EM radiation at 2.4 GHz, such as AMQ coated polycarbonates or crystalline-structured metallics. By using a small set of these "mirrors" at strategic locations, you could fool the software into thinking you're actually receiving from inside the CEO's office.

    Since most modern triangulation techniques, including Ekahau's, depend on standard mathematical models of radius delta-reduction, it's trivial to set up your reflectors in such a way that the tracking mechanism can't deduce a logical place for your signal to originate from. Hopefully as location-spoofing becomes more commonplace, the government won't enact any laws restricting the use or registration of EM reflective surfaces.

    • Just use a slightly directional antenna--anything that relies on signal strength to triangulate you will end up being way off. If you set it up carefully, you can even choose your "virtual" location. And, no, the government can't really outlaw directional antennas.

    • Right, because you know, everyone who is anyone has AMD jacketed polycarbonation.

  • by addikt10 ( 461932 ) on Saturday October 19, 2002 @07:48PM (#4487055)
    Triangulation of EM is based on the assumption that the strength of a signal will diminish with the square of the distance from the source, or some other constant function with other signals.

    When was the last time you were using wireless (especially through a wall) that had the same range from the access point in any direction?

    I can't picture it working in a supermarket, with the metal shelving, compressors for the cold storage, etc. Sure, in a lab it'll work great, but with any kind of range or non-uniform building structures, not a chance.
    • Triangulation only needs to know the angle to the signal from two separated points that are a known distance from each other. You know, like a triangle.
    • If the system used triangulation, you would be right. But it doesn't. All that is required is that relative signal strengths are reasonably reproducible for each location and that you have enough measurements to distinguish all locations you are interested in. The system internally produces a map of which combinations of signal strengths correspond to which locations. To reduce the number of calibration points you need, you can try to use interpolation between nearby measurements, which will usually work reasonably well.
  • by coupland ( 160334 ) <(moc.liamtoh) (ta) (esahcd)> on Saturday October 19, 2002 @07:51PM (#4487077) Journal
    Since a huge proportion of us who have publicly-accessible Wi-Fi networks do so by choice you have to wonder what the value of tracking users is. If people use my hub I'm okay with it as long as they're not abusing it, more power (or bandwidth) to them. I don't need to track people using my hub, if I didn't want them I would spend a few minutes reading about security and prevent people from using my hub. The only people who would need to track users would be corporations but their security departments are so damn paranoid they're barely ready to admit Ethernet may be secure, let alone cool shit like Wi-Fi.
  • The technology to fool technology tends to always be slightly ahead. Expect WiFi location spoofing to follow.
  • Bah! (Score:5, Funny)

    by NeoPotato ( 444954 ) on Saturday October 19, 2002 @07:53PM (#4487093)
    I used to find people by pinging their computers! I'd ping a friend's laptop (using their Windows computer name), look at their IP, then go find them on campus. I think I scared a few people when I'd say "Stay right where you are" and walk over to the study room where they were hiding.

    Although I guess using triangulation accurate to a meter would let me say "You're on my spot on the couch. When I get back from class, you gotta move."
    • Re:Bah! (Score:2, Funny)

      by mindstrm ( 20013 )

      OR when you get on irc and notice someone is online from the university computer lab.... so you find someone else online from the same lab, and start asking them to describe said person.

      Then you pretend you are psychic by explaining to the first person what they are wearing, what they are doing, et cetera.

      Is that creepy or what?

      • Re:Bah! (Score:2, Funny)

        by NeoPotato ( 444954 )
        Then you pretend you are psychic by explaining to the first person what they are wearing, what they are doing, et cetera.

        Is that creepy or what?

        Or you can type "INCOMING" and chuck a pen their way. Nothing like a virtual warning before getting tagged in the head with a flying object.
  • by notestein ( 445412 ) on Saturday October 19, 2002 @07:58PM (#4487132) Homepage Journal
    After digging through their site, it seems that they locate you by the following:

    Calibrate the positioning model - Move around the area while clicking the map to record sample points containing received signal strength intensity (RSSI) samples. No information about the access point locations is required.

    And it implies that triangulation is not involved:

    Ekahau technology offers a more comprehensive feature set than any competing technology on the market. The calibration-based approach is radically different from other commercial techniques, which mostly rely on signal propagation and triangulation for solving the location.

    So perhaps if you bump the power of your signal from the outside they will think you are inside.
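The calibration-based approach quoted above (and the earlier reply describing a map of signal-strength combinations with interpolation between survey points) can be exercised with the following added example, which is not Ekahau's code; the floor plan, the log-distance path-loss model, the AP names and the client transmit power are all constructed assumptions. It also puts numbers on the closing remark of the post: a client transmitting 10 dB hotter than during the survey no longer matches any surveyed point in absolute RSSI, while matching on pairwise RSSI differences is unaffected by such a uniform offset.

```python
"""RSSI-fingerprint positioning of the kind the thread describes: survey the
floor once, storing the received-signal-strength (RSSI) vector at each clicked
map point, then locate a client by matching its RSSI vector against the survey
(weighted k-nearest-neighbour, which interpolates between nearby survey points).
The matcher never uses AP coordinates; they only synthesize the constructed survey."""

import math

# Constructed floor plan: three APs at known coordinates (metres), used only
# to fabricate survey data with an assumed log-distance path-loss model.
APS = {"ap1": (0.0, 0.0), "ap2": (20.0, 0.0), "ap3": (10.0, 15.0)}
TX_POWER_DBM = 15.0     # assumed client transmit power during the survey
PATH_LOSS_EXP = 3.0     # assumed indoor path-loss exponent
GRID = [(float(x), float(y)) for x in range(0, 21, 2) for y in range(0, 15, 2)]


def rssi_at(point, ap_xy, tx_dbm=TX_POWER_DBM):
    """Assumed propagation model: RSSI = Ptx - 40 dB - 10*n*log10(d), d >= 1 m."""
    d = max(math.dist(point, ap_xy), 1.0)
    return tx_dbm - 40.0 - 10.0 * PATH_LOSS_EXP * math.log10(d)


def measure(point, tx_dbm=TX_POWER_DBM):
    """RSSI vector {ap: dBm} a client standing at `point` would report."""
    return {ap: rssi_at(point, xy, tx_dbm) for ap, xy in APS.items()}


def survey(points):
    """Calibration step: RSSI vector recorded at every survey point."""
    return {p: measure(p) for p in points}


def relative(vec):
    """Pairwise RSSI differences; a uniform offset on every AP cancels out."""
    names = sorted(vec)
    return {a + "-" + b: vec[a] - vec[b] for a in names for b in names if a < b}


def locate(fingerprints, sample, k=3, use_relative=False):
    """Weighted k-NN in signal space. Returns ((x, y), residual_db), where
    residual_db is the signal-space distance to the best-matching survey point;
    a large residual means the sample resembles no surveyed location at all."""
    key = relative if use_relative else (lambda v: v)
    s = key(sample)
    scored = []
    for p, fp in fingerprints.items():
        f = key(fp)
        scored.append((math.sqrt(sum((f[n] - s[n]) ** 2 for n in s)), p))
    scored.sort()
    nearest = scored[:k]
    weights = [1.0 / (d + 1e-6) for d, _ in nearest]  # inverse-distance weights
    total = sum(weights)
    x = sum(w * p[0] for w, (_, p) in zip(weights, nearest)) / total
    y = sum(w * p[1] for w, (_, p) in zip(weights, nearest)) / total
    return (x, y), nearest[0][0]


if __name__ == "__main__":
    fps = survey(GRID)
    print("off-grid client at (7, 5):", locate(fps, measure((7.0, 5.0))))
    # Client at (6, 4) transmitting 10 dB hotter than during the survey.
    boosted = measure((6.0, 4.0), tx_dbm=TX_POWER_DBM + 10.0)
    print("absolute RSSI match:", locate(fps, boosted))
    print("relative RSSI match:", locate(fps, boosted, use_relative=True))
```

The residual is the number a location engine would threshold on: a sample whose best match is still far from every surveyed fingerprint should be reported as "off map" rather than snapped to the nearest room.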
  • Uh oh (Score:5, Funny)

    by dr_dank ( 472072 ) on Saturday October 19, 2002 @08:04PM (#4487166) Homepage Journal
    I found a new open network near my girlfriend's apartment, opened up my browser to /. and saw this as the lead story.

    Perhaps I'd better log off now....
    • Re:Uh oh (Score:5, Funny)

      by Dr.Luke ( 611066 ) on Saturday October 19, 2002 @08:58PM (#4487418)
      Mod up! This slashdotter has a girlfriend. That's much bigger news than WiFi triangulation!
      • near my girlfriend's apartment
        This slashdotter has a girlfriend

        Are you sure that she's not a girl he's stalking and pretending she's his girlfriend? Sounds more likely. Uh-oh, gotta go!
    • Re:Uh oh (Score:5, Interesting)

      by Fnkmaster ( 89084 ) on Saturday October 19, 2002 @09:17PM (#4487490)
      Funny thing happened the other day. My friend was over, opened up his laptop in the living room of my apartment, and started browsing. We had been making some DNS changes to a site we own, and he was checking them out, and told me they had propagated. I checked on my box, and couldn't see them yet. This had us stymied for about 20 minutes until he checked his current IP address and hostname, which showed clearly that he was on Verizon DSL, whereas my apartment has ATT BB Cable - he was using the default Linksys SSID and his 802.11b card had picked up the neighbor's wireless access point accidentally. Whereupon we also discovered that we were easily able to use the default Linksys password to get onto the neighbor's router. Oh, and we found that our neighbor had three Windows boxes with open shares on them (nothing interesting in the shares though).

      For a brief moment, I questioned why I am paying for a landline feed and not just piggybacking bandwidth off of my hapless neighbors.

      • Re:Uh oh (Score:2, Funny)

        by Gabrill ( 556503 )
        Good for you for not taking the easy piracy. They say most thieves are opportunists, and this was a prime opportunity to put gay porn in their Windows shares. HAHAHAHAHA.
  • I am walking down the street right now hijacking a wireless connection and nothing is happening to...[End of Transmission]
  • How does it work? (Score:5, Interesting)

    by Omega Hacker ( 6676 ) <omega.omegacs@net> on Saturday October 19, 2002 @08:16PM (#4487230)
    I can think of several ways it might work, but all of them present significant challenges. Relying on relative signal level would be ludicrous, because signal level changes dramatically with card orientation, reflections, and whatever's in the middle. Heck, I get significant variance in signal level on the fixed links between the antenna on my roof and neighbor's sites.

    Using a GPS-like timing comparison might do the trick, but it's set up backwards. With GPS you have a bunch of atomic clocks in orbit, and one device correlates the relative signal phase between them. With APs, you have to have extremely accurate timing across all the APs, which is a very hard problem (I've researched it...). Once you have that, you can compare reception times of a packet from the device being tracked, and triangulate. Problem is 1 meter accuracy represents some scary clock accuracy numbers across several APs with just an Ethernet between them.

    If anyone can think of any other way to pull this off (WITHOUT modifying the client, and ideally without any special hardware, i.e. implementable in the HostAP driver), post them here.

    • In theory, you could tell how far the signal travelled through air by examining the dispersion of the wave at the receiver. Different frequencies travel at slightly different speeds through a medium (but not through vacuum), causing the different frequencies to spread in time. In theory you can use this to tell how far the wave travelled.

      The effect may be far too small to use in practice, though.

  • What about this (Score:5, Interesting)

    by iamdrscience ( 541136 ) on Saturday October 19, 2002 @08:23PM (#4487254) Homepage
    Triangulation works great in two dimensions, but when you use a third you have to do quadrangulation (is that even a word? I'll bet it is) like say you work for a company in a five story office building, when you triangulate where a person is in relation to you distance wise and in which general direction, but you don't really know where he is, maybe he's 15 meters in front of you and maybe he's 5 meters in front of you, but three floors down. They could both register as the same with triangulation. I will start the quadrangulating WiFi revolution.
    • Actually that's not true at all. Triangulation does work in 3 dimensions. Both the standard direction based triangulation, as well as distance based triangulation.

      This deals with distance based triangulation, so I'll just touch on that.

      This works by calculating the distance you are from each point in the triangle. (based on signal strength). Imagine you're in an elevator, in the dead center of the triangle. You're now on the same floor as each point.

      Hypothetically, you are exactly 10 meters away from each point. Now you hit down.. after a floor, you're exactly 20 meters away from each point. It is physically impossible for you to be on the same floor as the triangle and be exactly 20 meters away from each point, since 10 meters is dead center.

      Now.. there's only one instance where distance-based triangulation doesn't work. If you can go above as well as below the triangle. If you're 20 meters away from each point, you've got to be in the exact middle, and down one floor.. However you can also be up one floor. So that breaks it. The only way to fix it is to move the triangle so that you can only be either above it or below it.

      So put your APs on the ground floor and yes, indeed, triangulation works in 3 dimensions just fine.

      (Directional triangulation doesn't have the negative-z limitation)
    • The first station pinpoints your position on the surface of a sphere in 3D space. The second station pinpoints you on a different sphere. The intersection of these two spheres will be a circle in space. Now, a third station pinpoints you on yet another sphere. The intersection of this sphere with the circle will be a set of two points. In order to tell which point, you need a fourth station.

      Unless someone can point out a flaw in my logic.

      • You're right, you need four, but this isn't why, and the math is ugly. You can't tell how far away a signal is from a given point, unless it's broadcasting with known constant strength or sending a time signal or something like that. What you can tell (sometimes) is how far away the signal is from router A, compared to router B. You might have a ratio of distances, or a difference of distances, either of which pinpoints location on a hyperboloid. This surface is two-dimensional, and for every reference you add, you strip off one dimension, so you need two more references. After that, the solution will be unique with high probability, as long as your references are not coplanar. The math, requiring simultaneous quadratics, is not pretty.

        If you could tell the exact distance to the signal from each access point, you could probably place 3 of them cleverly to give you a good location. For example, if the access points were on the top floor, you take the solution below them, unless you believe the person accessing your network to be warskydriving [slashdot.org].
  • by Dr.Luke ( 611066 ) on Saturday October 19, 2002 @08:53PM (#4487388)
    Whiteboard capturing devices use a similar principle. Two microphones are at opposite ends of the whiteboard and an ultrasound emitter is attached to the pen. When you move the pen the CPU unit attached to the mikes triangulates the position of the pen and renders the digital image of the whiteboard. I always thought it was a simple and elegant solution compared to the touch sensitive whiteboards that cost much more. Another company now has a mini version of this technology for iPaq which attaches to a normal writing pad and allows you to save anything you write on your iPaq.
  • To buy more Wi-Fi repeaters! My wife is gonna kill me when the bills come due!
  • I claim dibs on "24 hours" in the betting pool, where we wager how long before someone writes anti-location tracking software for 802.11 sniffers.

    Clueless MCSE: Sir, we have a real problem.
    Clueless boss: What's that?
    Clueless MCSE: Well, we installed that neat location tracking software so that the executives could play multiplayer PDA video games, without those evil linux hackers stealing our secret files...
    Clueless boss: And?
    Clueless MCSE: Someone is trying to hack us, they're accessing a directory on our web server that they can't get to from the main page!
    Clueless boss: Well, call the cops. They're in for it now.
    Clueless MCSE: We can't though! The software says they're orbiting Jupiter!
  • using pda with just a wi-fi and a smart centralized server... fun.
  • I can see it now.. the BOFH getting out of a weekend at the helldesk because the Boss spent forty-five minutes in the bathroom the day before downloading pictures from nymphoasianlesbians.com. Bring on the blackmail and the lawsuits!
  • I wouldn't say this will be the end of warchalking, more like a cool toy with some very practical (and very scary) applications.
    Even the very term "triangulation" implies that you'll need 3 access points to do it.
    • With 1 access point, all you can tell is a VERY rough "how far away are they". A lot of other factors affect signal strength and timing (reflections make a big difference), so this is not at all reliable.
    • With 2 access points, you can get a bit more accurate about where they are, but not *that* much because of all of the other factors.
    • With 3 access points, you can generally locate a signal rather well, because they can see more points, and in particular if the 3 APs are located in a triangular fashion, with the user in the middle, you can quite accurately track them.
    The accuracy of the system will be almost entirely dependent on the number of access points that a user can see at a given moment, the more APs, the more accurate. Just like GPS.
    • Not really. Triangulation means two detectors: one working on the x axis, saying whether left or right is stronger, one working on the y axis, saying whether up or down is stronger. The third point in this triangulation is the transmitter you are hunting. Your explanation is correct for 3D space, where you would need a z-axis detector.
  • Not the best option if you want security... Triangulation requires 3 WAPs in distinctly different spots. Most home users don't have a WAP in their kitchen, bedroom, and bathroom. It may be argued that universities have WAPs all over the campus. That may be so, but is a wardriver usually in the range of 3? I am no expert on campus WAP placement, but the only places I imagine could be triangulated would be roughly the center of the campus. So while multiple gradebooks are being accessed by a host with an unknown MAC address, the triangulation software will say "Not enough base stations to determine location".
  • by mtodd78 ( 618996 ) on Sunday October 20, 2002 @01:35AM (#4488536)
    The research group I work in used many of the same techniques that this software company uses to create Nibble, which also can do positioning using WiFi; http://mmsl.cs.ucla.edu/nibble/. Free. GPL'd source is available too.

    Things to note, however, about any 802.11 tracking software is that its accuracy is poor (> 5 meters) unless you are using 5 or 6 *simultaneously* accessible access points (it even states this in the Ekahau manual). Tracking software can be thrown off by even seemingly minor environmental changes like crowds of people etc. Some calibration is also required.

    Don't worry about this shutting down free access points, as it is way harder to do location tracking than it is to set up an encryption system (even really good VPN style encryption) or a simple MAC address filter.

  • by kazad ( 619012 ) on Sunday October 20, 2002 @03:42AM (#4488844) Homepage
    Hi all, this is my first /. post. I did a research project [princeton.edu] last semester and implemented a system like this, and got about 1 meter accuracy on average.

    Rather than using signal strength for triangulation, you use it to record a "radio map", and compare your current position to the map. The basic steps are:

    1) Walk around a room, recording the signal strength to each AP (so you get a file such as "Access Point #1, Avg signal: 96 AP#2, Avg signal: 74 ..." ). Netstumbler [netstumbler.com] or other software can help you make this file.

    Create a "profile" like this for every location you wish to map (roughly, one every square foot or meter). The number of profiles determines the granularity of the system, but too many profiles can cause "collisions" in the sense that different locations have similar profiles, for some reason or another. There are ways to combat this, one of which is to make an educated guess on the new location based on the last one. (i.e., the user could not have walked over 10m in one interval)

    2) When a user connects, they can compare their current signal strength info ( such as AP#1, signal: 34 AP#2, signal: 74) to the map: the closest point is probably their location.

    I did a simple Euclidean distance calculation (taking each profile as a vector in some large space [cool how the Pythagorean thm. generalizes, eh?]). There are many better ways, which I am researching this semester, but Euclidean distance is fine for now.

    I'm pretty sure this is why they must spend an hour per 10,000 square feet to "calibrate" the system. I had to do the same, but it was a *lot* slower; I need to make a tool to do this automagically.

    This semester I am also looking to get my system working with an ipaq robot running familiar [handhelds.org]. It's the combination of the palm pilot robot kit [cmu.edu] and this positioning system. Hopefully, the little robot should know (roughly) where it is, and be able to be controlled via the internet.

    Check out my webpage if you are interested in more details.
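The radio-map approach described in the post above, as an added example that is not kazad's project code or Ekahau's: a constructed calibration map of per-AP signal strengths, a nearest-profile lookup by Euclidean distance, and the "could not have walked over 10 m" rule used to discard collisions. The AP names, profile values and the floor value assumed for an AP that was not heard are all constructed for this example.

```python
import math

# Constructed "radio map": survey location (x, y) in metres -> average
# signal strength heard from each AP at that spot (values are made up).
RADIO_MAP = {
    (0.0, 0.0): {"AP1": 96, "AP2": 74, "AP3": 40},
    (1.0, 0.0): {"AP1": 90, "AP2": 78, "AP3": 44},
    (0.0, 1.0): {"AP1": 92, "AP2": 70, "AP3": 50},
    (5.0, 5.0): {"AP1": 60, "AP2": 85, "AP3": 80},
    (12.0, 3.0): {"AP1": 30, "AP2": 60, "AP3": 95},
}

# Assumed strength for an AP that was surveyed but not heard in a reading
# (a crude choice; it penalises profiles in which that AP was strong).
UNHEARD = 0


def profile_vector(profile, aps):
    """Turn a {ap: strength} dict into a vector with a fixed AP order."""
    return [profile.get(ap, UNHEARD) for ap in aps]


def euclid(a, b):
    """Euclidean distance between two equal-length sequences."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def locate(reading, radio_map=RADIO_MAP, last=None, max_step=10.0):
    """Return (location, profile_distance) of the map entry nearest to
    `reading`.  If `last` (the previous fix) is given, entries farther
    than `max_step` metres from it are skipped, which breaks ties between
    spots that happen to have similar signal profiles."""
    aps = sorted(set(reading) | {ap for p in radio_map.values() for ap in p})
    live = profile_vector(reading, aps)
    best = None
    for loc, profile in radio_map.items():
        if last is not None and euclid(loc, last) > max_step:
            continue  # physically unreachable since the last fix
        d = euclid(live, profile_vector(profile, aps))
        if best is None or d < best[1]:
            best = (loc, d)
    return best


if __name__ == "__main__":
    live = {"AP1": 34, "AP2": 74, "AP3": 90}          # constructed reading
    print("no history:", locate(live))                # -> (12.0, 3.0)
    print("last fix at origin:", locate(live, last=(0.0, 0.0)))  # -> (5.0, 5.0)
```

With the same reading, the unconstrained lookup picks the far profile, while telling the locator that the user was at the origin one interval ago makes it settle on the reachable (5, 5) spot instead.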

  • Odds are about 100% that if you are setting up multiple wifi base stations, you are placing them for optimal coverage of your own intended users. Wifi triangulation works best when the user is somewhere within the perimeter of the base stations, and works most poorly when the strongest received signal is a station on the perimeter.

    So to accurately determine if someone is outside the intended coverage area, wouldn't you really need to deploy additional base stations? For instance, if you have three stations at your business, one near the front, and two in the rear corners of your building, and someone is wifi'ing in from the bus stop bench outside, he's going to hit the front station and not do much for the two in back. It's very hard to tell this user apart from someone just inside the building and very near the front base station. To settle this, you'd need a base station like across the street or something.

    I don't see wifi triangulation as a practical way of identifying users outside the perimeter for this reason.

    It's also worth noting that it would be a poor choice to place the base station right at the front of the building, because you'd be wasting 50% of the station's coverage area. But to pull the stations in toward the building's center would further degrade your triangulation abilities because relative signal strength differences would lower your triangulation precision.

    Just tossing ideas out, I'd propose the best way to keep warchalkers out, if that is your intention, is to deploy your base stations in such a way as to not provide (effective) coverage to areas outside your premises. If your business is already too small to keep coverage just inside your building, then obviously buying several base stations to try for triangulation is patently absurd.

    Of course, my final suggestion would be to openly allow public access, and use it as a P.R. booster. Free advertisement is handy, and in most cases, this would almost be free.

    For the entrepreneur: I haven't seen anyone selling warchalking plaques yet. I bet there are some businesses out there (cafes etc.) that would buy a custom made brass or bronze wall plaque they could affix to the outside of their buildings to attract more customers.
