Wednesday, December 29, 2010

mobile 802.11 - the parole bracelet for the man in the street

I recently installed the "Find my iPhone" app on my iPhone.

I happened to notice that the position fix it gave on my iPhone was more accurate when WiFi was enabled than when only 3G was enabled.

This intrigued me, because I had not realised that WiFi networks are routinely used for location fixing purposes.

So, I did some more digging. It appears Apple uses WiFi location services provided by Skyhook Wireless. This company has a database of the MAC addresses of WiFi access points and their approximate locations. Applications deployed on devices equipped with an 802.11 wireless radio can scan the local environment for WiFi access points, take a note of the MAC addresses and signal strengths thus found and then exchange this information with the Skyhook Wireless API for an estimate of the device's current location.

It didn't take long to discover, using a few Google searches, that the Skyhook API can be exercised by anyone with rudimentary programming skills. The information returned by this API is the latitude and longitude of the MAC address, as known to Skyhook Wireless.

It then dawned on me that I could use the same technique that Skyhook Wireless uses to collect MAC addresses and discover all the MAC addresses in my local neighbourhood. I could then use this information with the Skyhook Wireless API to derive the corresponding physical location of each MAC address. I could then use this information, together with the Google Maps API, to create a map showing the location of each WiFi access point in my neighbourhood.

And so this I did, and here is the result.

The interactive version of the map (not shown) shows the MAC address and human friendly network name of each WiFi network in the immediate neighbourhood of my home.

This was a cool hack for an afternoon and I wrote it up on Facebook. A friend then showed me a feature of current versions of Firefox that allows web applications to work out your current location and, with your permission, exchange that information with the application provider.

To see how this works for yourself, point your Firefox browser at: and then click the link entitled "Give it a try!". You will need to respond in the affirmative to a security warning that will appear at the top of the page. If you do this, a Google map will be displayed showing your approximate location. The results will be more accurate if you are connected to a WiFi network when you do this. Try zooming in to the maximum resolution - you might be surprised how close it gets to where you are.

Fortunately, this feature of Firefox is optional and they have taken some care to ensure that a Firefox user does not unwittingly disclose their location without their own consent. Furthermore, there is an option available to disable the feature completely.

It was while researching this option that I noticed that the URI used for resolving physical locations pointed at a Google server. Sure enough, Google has its own location services API, apparently independent of the services provided by Skyhook Wireless.

With a little bit of playing, I worked out how to expose the Google API to a command line shell, and this allowed me to probe the location of arbitrary MAC addresses.

    expanded_mac="00-11-22-33-44-55" && \
    ssid="YourNetworkSSID" && \
    curl -s --header "Content-Type: text/plain;" --data "{\"version\":\"1.1.0\",\"request_address\":true,\"wifi_towers\":[{\"mac_address\":\"$expanded_mac\",\"ssid\":\"$ssid\",\"signal_strength\":-50}]}"

I discovered two interesting differences between the Google API and the Skyhook Wireless API. The first is that the Google Wireless API was able to resolve the MAC address of my Vodafone Pocket WiFi device (more on the implications of that, below). The second is that if Google doesn't recognize the MAC address, it will fall back to using the source IP address of the request to provide a less accurate estimate of the client's location. In my case, this means that Google defaults to a location near the Sydney GPO.

I also tried using the MAC addresses of client devices, such as my iPhone and iPad to see whether Google could resolve these. At first, I got a fright when I thought it was resolving a location for these devices, but then realised it had actually fallen back to use the source IP address of my ADSL gateway and not the MAC address of my individual devices.
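The fallback described above is easy to misread as a hit. The following is an added example, not code from the original post, of one way to tell the two cases apart by comparing each answer with a control answer obtained for a made-up MAC address. The `Fix` field names, the 50 m tolerance and every coordinate are assumptions or constructed values, since the post does not show the API's response format.

```python
"""Added example: tell a genuine MAC-based fix from the IP-address fallback."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000

@dataclass(frozen=True)
class Fix:
    """One location answer; the field names are assumptions, not the API's."""
    latitude: float
    longitude: float
    accuracy_m: float

def distance_m(a: Fix, b: Fix) -> float:
    """Great-circle (haversine) distance between two fixes, in metres."""
    lat1, lat2 = radians(a.latitude), radians(b.latitude)
    dlat = lat2 - lat1
    dlon = radians(b.longitude - a.longitude)
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(h))

def classify(answer: Fix, control: Fix, tolerance_m: float = 50.0) -> str:
    """Compare an answer with the control answer for a MAC that cannot be known.

    The control query goes out over the same connection with a made-up MAC, so
    its answer is the IP fallback. An answer on the same spot whose accuracy is
    no better than the control's is treated as the fallback as well.
    """
    same_spot = distance_m(answer, control) <= tolerance_m
    no_sharper = answer.accuracy_m >= control.accuracy_m
    return "ip-fallback" if same_spot and no_sharper else "mac-resolved"

# Constructed sample data (not real API output).
CONTROL = Fix(-33.8678, 151.2073, 25000.0)            # answer for a made-up MAC
SAMPLES = {
    "pocket-wifi": Fix(-33.8915, 151.1990, 150.0),    # differs from the control
    "iphone": Fix(-33.8678, 151.2073, 25000.0),       # identical to the control
}

def classify_all(samples=SAMPLES, control=CONTROL) -> dict:
    """Classify every sample answer against the control answer."""
    return {name: classify(fix, control) for name, fix in samples.items()}

if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name}: {verdict}")
```

An access point that really does sit near the fallback spot is still reported as resolved, because its accuracy figure is sharper than the control's.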

So, it is good news that neither Skyhook Wireless nor Google appears to be tracking client MAC addresses at present. On the other hand, the other thing I learnt today is that there is no technical reason why they aren't doing it: the information about client MAC addresses is just as exposed as information about access points. Because client MAC addresses tend to move about more than access points, though, they are perhaps not as valuable for location-fixing purposes, which is apparently the market that both Skyhook Wireless and Google are pursuing at this point in time.

However, it seems inevitable that someone, somewhere, will find the temptation of capturing client-level MAC address/location/time-of-day triples to be an opportunity too hard to resist. One can certainly imagine security services looking at such a gold mine of information with large eyes, wet lips and hungry stomachs.

And this is where the issue of pocket WiFi becomes interesting. The current infrastructure that Skyhook Wireless and Google have built is designed to track access points, not clients. However, the rise of the iPad has started to create a demand for a technology that Vodafone, for example, is selling as the Pocket WiFi. These nifty little devices package a 3G modem and 802.11 WiFi router in a unit that is smaller than a slim mobile phone (you know, the form factor that everyone coveted before the iPhone created the demand for large touch surfaces). The chief advantage of such a device is that the consumer can purchase a single 3G modem and share its wireless connection between gadgets such as the iPad and other devices like netbooks or laptops, and thereby avoid having to purchase a separate 3G plan for each device.

The end result of this consumer convenience, however, is that a lot of people are going to be walking around the streets carrying portable wireless access points in their pockets. And their MAC addresses will end up in the access point databases of Skyhook Wireless and Google. Eventually, someone will work out how to make a buck from this information and the pressure will be on to keep it up to date. For example: Google's record of my Pocket WiFi device was at least a week out of date, perhaps more.

And once they have done that, the pressure to collect location information from normal WiFi clients will increase and then suddenly, everyone carrying a WiFi-enabled smartphone (i.e., almost everyone) will be locatable, with exquisite precision, 24x7.

Scary, huh?

Update: Just because I could, I decided to plot some MAC addresses I found by doing a Google search for the phrase "Mode:Managed Frequency:2.437 GHz Access Point:". Here's what I found:


Anonymous Anonymous said...

This is a nifty set of linkages you've described and built. I have a couple of comments though.
1. Today, anyone with a cellphone is locatable, with or without WiFi or GPS capability being present on the device....except that the location of every phone has to be derived by signal strength from cellphone towers, and triangulated. Every wireless telco has the ability to do this now, and the police depts regularly use this capability. Not "publicly" available knowledge, but already available nonetheless.
2. Having a portable cell service provided WiFi device should help DEFEAT this ability of Google and other "public" services to Geolocate you, since the location of the hotspot device changes without Google being aware of where it is...since the device talks to the wireless network, not the public WiFi networks.

Do you see it differently?


29 December 2010 at 09:44  
Blogger Jon Seymour said...

G'day G,

I posted my response as a separate post because blogspot gave me the impression that my response was too long even though it did actually manage to post it.


29 December 2010 at 10:41  
Anonymous Craig Bailey said...

Fun times! :-)
This has been going on for a number of years now. What's also interesting is that in the last two years or so companies like Google have been attempting to 'triangulate' (if that's the word) height as well - so they not only know where you are (x and y) but what level of a building you are on (z) also.
The obvious driver is advertising. If I know exactly where you are and what level (in a shopping center for example) I can push you (and anyone connected to your MyFi if that's the case) the most relevant ads...
Telcos (naively) tried to measure and control location, but with so much money to be made from localised advertising, there's no way the Googles and Foursquares (et al) are going to miss out. The consequence of this is less privacy.
Advertising and Privacy are always at odds... there's no such thing as privacy anymore. Sadly, it is best to assume that everywhere you go is trackable...

29 December 2010 at 10:55  
Anonymous PaulG said...

I recently had a WiFi only iPad and didn't think twice about how accurate google maps was... until leaving the town limits into more rural unpopulated areas, it would not find its way anymore. The trick was the Wifi (non 3G) iPads DON'T have GPS hardware and obviously they use the above described WiFi geolocation mechanism. This caused a short WTF period of excitement... For this reason, for in car navigation usage, a 3G iPad is the only way to go (even if you don't use 3G, just for the inclusion of GPS hardware)

29 December 2010 at 22:54  
