
okay Tingler so hello my name is Gabriel Ryan I'm a security engineer at GDS and basically today I'm going to be talking about well not quite wardriving I mean wardriving is kind of beating a dead horse at this point but I guess slightly and more I think a more interesting topic which is you know tracking client devices tracking wireless devices that people carry around and also you know with it implicitly tracking people that use them so I mean before we go into this into this topic I think it's it's only right that we we talk about wardriving mainly because you know it's kind of a precursor to a lot of the stuff
we're going to talk about today so you know wardriving I mean as you probably know is the process of you know you pretty much map wireless networks and devices to a physical location so I mean it's partially a geospatial intelligence analysis problem and partially a wireless recon problem incorporates elements of both so but I guess like you know whereas typical wardriving really focuses on just you know creating maps of wireless networks and so on and so forth you know we should ask ourselves you know why not track client devices as well and what can we get from this well you know whereas mapping access points gives you information about
organizations' attack surfaces coverage you know signal leakage etc tracking client devices gives you information about people so you know whereas APs and and and you know infrastructure that you're mapping I mean that's that's really just facilitating these devices that are used to communicate if you're actually you know taking a look at client devices these are the devices that are allowing you to communicate themselves so it's definitely a more humanistic kind of approach there and then gives you you know a lot of insight about you know organizations and people working within them so another good reason is you know Pew Research Center 92% of Americans own a cell phone 90% of owners carry their cell phone with them
frequently and you know you can imagine if you if you're always carrying you know a device around that's a pretty good way to associate it with a person you can use that to to track people so I mean your cell phone alone uses Wi-Fi cellular you know it has Bluetooth capabilities RFID capabilities possibly possibly infrared or ultrasound you know you can get that through mics and speakers GPS if it's not enabled and of course we also have RFID you know which is you know you wouldn't think about this you know off the top of your head but building access cards credit cards you know just stuff you carry around you that actually you know it does have some
kind of RFID component to it you know this is a 50-minute talk so it's a pretty broad topic so I'm going to focus mainly on Wi-Fi but there's also a lot of applications with with the stuff that we talked about so the other interesting thing about tracking client devices is that it's more challenging you know unlike access points which typically don't grow a pair of legs and walk across the room too much you know your your typical cell phone moves around a lot because it's carried by a person they also have much lower transmit power and you know there are a lot of them in one place you know you typically don't have to worry about
you know a hundred access points you know in one room at once unless you're at BSides or DEF CON or something and you know people are messing with the Wi-Fi but you know typically when you're when you're analyzing data coming from client devices there are a lot of them so there's a lot more data you have to sift through so I guess the fundamental technique that goes into tracking wireless devices typically clients is probe sniffing very basic once again but you know who here is familiar with the network discovery process used by wireless devices show of hands all right I see some people who didn't raise their hands so just for the sake of not you
know don't know I'll try to make this brief but you know so as to not bore you guys but also I'll try to cover it so you know wireless devices they use probe requests to announce their presence to access points essentially your your laptops your cell phones whatever they all have a list of preferred networks on them that you've connected to before and as you know as you're walking around or just you know as long as the wireless is enabled there's a good chance that with active probing probe frames will be issued at regular intervals for you to network so you know it'll send out these probe requests that essentially are seeing if one of these access points that
you've connected to before is nearby and if it is you presumably will get some kind of response from the access point and that's how your device knows to connect to it there's also passive probing we'll go more into that later and in passive probing they actually just don't do that but there are ways and there's been a lot of research into how to actually kind of force them to do that so I mean you know what's in a probe request well you know a probe request sent from a device contains I mean three real basic pieces of information that are actually really powerful when combined together for one thing you know because it is a wireless packet it's going to
have a MAC address associated with the device there's also going to be the time at which the probe request is issued it will have a timestamp and finally and this is implicit this isn't actually in the packet but simply because your wireless sniffer is within range of the device to where you're sniffing packets from you you know something about the location of that device so you know if your device is uh if you've sent a packet and you have a MAC address you know that that device must be with somewhere within the signal range of the sniffer that captured it so I mean we can use this for just to demonstrate how powerful this is we should talk about a technique
called ingress egress tracking so when you consider the following example this is kind of something that's it's hard to just kind of describe without using examples so I'm going to like kind of do it this way but I think a really good really good way of thinking about the ingress egress tracking method is is by thinking about the New York City subway right so can you guys see my mouse can you not see one else okay cool yeah so this is like a really confusing map thingy so I'm going to just point at things with my mouse but you see here like this is the New York City subway right and you have a series of stations you
know you walk in the station you get on a subway and somewhere on the other side of the map you'll pop out so if you were to place a packet sniffer at each and every single subway station then that would give you essentially if you're just if you see a certain device going in and also see it come out at a different location that would give you an entry point and exit point into the subway system so I mean what that actually gives us is a route of travel you know so if you see someone come in over here and you see them pop out over here that means you pretty much know for certain that they travel this way so I mean there's a lot
of like there's a lot of like really good information that this actually gives you I mean for example you can actually use this to calculate the routes of travel for all passengers using the subway during a given day I mean that's really powerful stuff and all just because we're capturing three you know two items of data and using it to derive a third you know if you want to take that a step further you know think about it if you were to sort these into categories and keep a database of this stuff and you were to select all MAC addresses from trips where you know the entry time was between a certain between certain time let's say nine and ten and and then
you know going from one station to another then that would give you potentially commuting patterns you know if you could you know further sort this into categories you could you could you know if you've seen a person take this route the first time they might not like live in the city whereas if you see them take the route every morning they're probably a commuter so already you know just just by drawing these very simple inferences from this from this very simple data we're able to actually have some really powerful analytical results you know for example distinguishing between tourists and commuters or you know ruling out false positives in an investigation you know so imagine a world in which these devices are
literally everywhere you know not just like the subway example but I mean you could see like you know certain like you know retail stores or something like that or or just literally everywhere well the resulting data sets could be used to build profiles that include age gender socioeconomic status I mean you can tell a lot you know just by where someone goes so I guess the real question then is uh I mean this is actually it's actually a technique that's used you know by retailers and marketing agencies quite commonly there are a lot of products out there that they use in shopping malls and stuff like that to to keep track of uh you know
essentially calculate peak hours you know when you're entering a clothing store or something like that so but I mean the kind of the interesting thing about this is that by linking a location and time to a common MAC address you you can actually create a detailed identity you know you can pretty much know just about anything about someone using you know where they travel and the times they travel there and arguably that's that's a lot more powerful than just you know knowing their name or having knowing who they are so you know food for thought has anybody here read OPSEC for Freedom Fighters by the grugq yeah it's actually like really cool but I mean one
of the points that he came out with that he kind of laid out was that you know most cyber criminals actually get caught using old-fashioned police work that you know they essentially leak information because of poor OPSEC you know so they'll you know do something with one identity and it'll cross-contaminate with another identity by bragging on IRC to all their friends and you know sooner or later someone sees that and they'll put two and two together and you know they essentially get done that way so I mean another common way that cyber criminals are identified is through stings behavioral profiles you know you can you can you know mask your identity you can you can use different aliases but
your your online behavior for example it's going to fit a certain profile it's going to fit a certain pattern that is you know pretty much it's going to you know carry over from identity to identity so you know if you can imagine that this is a method with which you could tie users uh you know you could essentially build behavioral profiles if you were able to tie a user's metadata to their identity that's that's pretty powerful stuff so I guess the conclusion to draw here is that you know anyone who claims to protect privacy by only looking at your metadata really I mean if that is misleading you pretty much are your metadata and your name is just
a label for it so I guess the challenge though is linking devices to people how do you bridge that gap between you know a MAC address and someone's you know actual you know who they are we'll go more into that in greater detail later so there are actually some really interesting applications of this stuff to physical security you know for example it's pretty trivial to use probe sniffing to detect unauthorized devices and a lot of companies actually do this to enforce their IT policies so you know you might actually bring you might have like a no bring-your-own-device policy and they might be sniffing packets and matching against a whitelist of allowed
devices and then suddenly here you are with your with your you know PlayStation Portable whatever the heck it is and they detect that and they flag it and they you know come hunt you down and confiscate it but I mean you know in a slightly more you know if you're going to apply this to I guess like a physical security context I mean that you can also place you know probe sniffers at building entrances and use that as part of a real-time IDS so essentially the captured probes are compared against the whitelist of unauthorized MAC addresses or socially authorized MAC addresses and if the authorized MAC address is captured an alarm goes off so I mean what this means is that if
you're trying to gain unauthorized access to a building turn your cell phone off if possible I mean you shouldn't just carry around a device that's you know throwing out packets everywhere if it's not necessary and if you do need to use a wireless device it probably will at some point make sure that you spoof the MAC address of an authorized device something that you've seen kind of in the area before the engagement begins because you don't want to be compromised because of your device essentially so another really a very commonly used technique to gain unauthorized access to a building is tailgating you know so when you're out and a lot of people when they think of like
physical security assessments they picture guys in ninja suits you know climbing over walls snipping some barbed wire and doing all this crazy stuff but I mean in reality you know doing that stuff in like an urban environment for example is is not that possible I mean if you know imagine like just being in the middle of Chicago you know buildings everywhere and you try to like climb a building or something like that it's not going to work a much more common approach is to hide in plain sight and to just tailgate in you know I mean different variations of that of course you know spoof badges and so on and so forth but it's just a bit
of you know wait for someone who's actually allowed to enter to walk in the door and you just walk in behind them so I mean to do this the preferable method of course is to wait for a gaggle of people to walk in the door you just kind of catch up to them and go in with them because this places more social pressure on the people who are supposed to be checking to make sure you're not entering unauthorized and additionally it's just hard to keep track of more people at once so you know that you know it often works if it's important to wait for a sizable crowd we just we just said that but yeah
I mean this picture here really just kind of like kind of exemplifies what we mean by this you know imagine like you're this guy over here and he's just trying to catch up to this oops trying to catch up to this this door and get in behind this person that's a lot more obvious and conspicuous than you know just you could be one of these you know people wearing a suit over on the left kind of blending in with all these other guys so you know the old-school way of doing this is to find a vantage point from which you can watch the building entrance you know so you might just like camp out in front of the entrance
and wait for your opportunity to go in you know if you see if you hear people moving toward the building you join and attempt entry it's kind of like the stakeouts that they that you see in like old detective movies and stuff like that the problem with this technique although this is pretty much you know the industry standard it's really inefficient you waste resources by having an operator wait outside a building for hours and hours and hours and you know not only that it's really risky I mean you know if you saw some guy just sitting in a van in your parking lot for like four hours watching the front door I mean it's pretty sketchy
right so you know the longer you wait outside the building the more problems you have you can reduce this risk by the best way is to look at this this little diagram here so if you see like there's this you know imagine that you're waiting in this little van right in the parking lot and you you know you see you see the like a group of people moving toward the door so you're further away from the from the front door so I mean I guess like the risk of being detected during the preparation while you're waiting for your opportunity to go in is greatly reduced that way but if you move closer you move closer you know it's a well
it's greatly reduced you know when you're further away but at the same time you increase risk of detection during the execution because as you're trying to catch up with this crowd of people to go in the door you know now you have to sprint across the parking lot so you know let's say that you're one of those people moving towards the door right and you see some guy just get out of a van and sprint toward you to catch up across the parking lot that's going to attract a lot of attention you might not just you know think it's suspicious but you are going to think it's weird you're going to notice it so you know if you reduce
the path to travel you know you move yourself closer to the point of entry and are waiting for this opportunity now you increase the risk of detection during the preparation phase because you're much you're much more visible as you're just sitting there waiting for your opportunity to get in so you know you have a situation where you can park farther away and you know reduce your risk of detection during preparation and increase your risk of detection during execution or you can you know move closer but now you're you know increasing the risk that you get picked up you know by like a roving patrol or or just generally get seen you know kind of camping out by the entrance so
you know of course I think a much better solution to this issue is to use a people counter to make informed decisions about you know when to attempt entry because you know rather than just trying to put guesswork at the deserts way equal opportunity use data this is actually a technique so people counters are wireless devices this is really pioneered by marketing agencies once again in retail situations it's a wireless device that sniffs packets and by doing this it is able to tell how many people have visited a certain location at a certain time so a very common application of this is in retail stores so like you know if you're in a shopping mall
you may go up to a mannequin and this mannequin might actually have a packet sniffer right I mean this is a pretty common practice and what will happen is this way they can tell which particular store displays are attracting attention and which ones aren't and they use this to essentially you know figure out what advertising techniques work and which ones don't so I mean similarly remember that people move in predictable patterns you know you have a rush of people going into work in the morning you know you might have a lunch crowd you might have a you know a smoke break later and periodically throughout the day and people going in and out of the building is typically an
evening rush although that's not really as useful it's useful because people leaving a building rather than going back in but if you know you typically what you what people do when they when they attempt to tailgate is that they'll be aware of these patterns and you know attempt to you know plan on making entry at a time when you can expect there to be a lot of traffic the problem is that these movement patterns are also very heavily dependent on company culture so you know it varies from place to place from day to day and you know you can't really predict it and you still even if you're you're aware of these these patterns you're wasting a
lot of time just sitting around so of course you know using data is that's not the better way to do this so as we said people counters are frighteningly applicable to the physical physical security assessments so I mean if you just say you're taking these people counter things you have a small device and you just casually walk up to a door and you know have a smoke break and accidentally drop this thing in the bushes or something like that and then sniff probe packets for you know a day or two you could actually have you know build analytics so like so you might have actually predicted the lunch crowd to kind of go out around noon but this company is just
really strange and everyone seems to be going in and out at 3:00 p.m. you wouldn't have known that if you hadn't actually gathered data beforehand and the coolest thing about this is you don't need to be there as you're gathering this data so you can figure out the optimal points of entry without actually being close to the location so another another interesting thing you can do is a location tracking this is the use of sniffing wireless traffic and using that to track the locations of base stations or client devices and access points I guess the two most common approaches to this are GPS cross-referencing and trilateration so I mean GPS cross-referencing I mean
that's essentially the traditional wardriving technique that we talked about before you basically take a GPS tracker and a wireless packet sniffer and you combine them together and that allows you to you know essentially combine data sets the wireless data set which is your MAC address timestamp and other metadata from the packet and you combine that with a GPS position and you're able to you know essentially plot the location of devices on a map so you can render really cool-looking things like this lets you see all these networks and devices you know so once again it's a tried and tested technique there are a lot of you know awesome tools available for this Kismet NetStumbler
inSSIDer WiGLE etc it's pretty applicable to physical security for the same reasons that uh that wardriving is especially red team assessments because I mean it's useful for scope definition allows you to map attack surfaces and you know it's great for device discovery the other technique and this is something that's more like bleeding edge is trilateration you know so essentially trilateration is the use of geometry and distance to figure out the location of a point on a plane so in other words what that means is if you have the best way to really explain this can you guys kind of see this little dot in the middle of the graph there anyone not see the dot so I can probably zoom in now again alright
well just assume there's a dot there so we have like these three these three circles right and and the I guess the layman's way to explain this is you can kind of see how how they're overlapping in this area and you know by calculating where that overlap is occurring you know you can figure out where something is located so the way that you'd apply this to trilateration is by using RSSI as a you know as a metric to judge distance so there's a really awesome researcher Jonathan physics who did some research on this and the first thing he wanted to identify was whether or not power levels actually is actually you know a valid
valid metric for which you can met through which you can measure things by the way in case you're in case you're wondering the received signal strength indication RSSI is the power level received by a wireless antenna so essentially you can you can think of it as you know how strong is a signal coming from this device from which we are sniffing packets if you convert RSSI to dBm you can use it to measure distance the problem is that you know as stocks found there's actually no noticeable correlation between RSSI and distance the reason for this is that there's a lot of interference and and other you know variables that cause fluctuations in the signal strength if
you've ever used airodump and you see like the TX powers they move around a lot they're not you know consistent they jump and sometimes it looks almost inexplicable and the more environmental factors you factor into this the worse it gets so statistics is required for this to work you know I guess so one of the things that uh Sherlock came up with two techniques one is this naive approach to wireless trilateration essentially works by placing two three packet sniffers in a triangle like this so you can see each of these dots up here represents a packet sniffer and you know the idea is that you try to find some device that's kind of in
between them using trilateration so you know I mean he figured out that if you can break the RSSI values into distance and then normalize you know use normalized power and essentially what normalize if I take a normalized approach what we mean is that well I mean the best way to explain this really is by example I mean let's say that we for the sake of argument the device that we're sniffing packets from is in the center of the triangle so we're saying that that it's equidistant from all three points and the reason why we're going to say that is so we don't have to give this example with like different dBi measurements so if it isn't and we've captured three
three three packets with the dBi ratings negative 56 dBi is the strongest negative 61 and of course the least strong signal strength reading would be negative 69 dBi so if we essentially create radii or radiuses of the circle you know calculate how long that would be using using distance or using the dBi to create a distance and you know you first use this radius but the circles still do not intersect then you know you just discard that value and you move on to the next one so now we try with a negative 61 dBi right and you know we're kind of getting there we're kind of getting there but at the same time we're not quite there yet because these you
see the circles are not intersecting so we discard that value as well finally we use the negative 69 dBi to calculate the distance and you know you essentially use this to create the circles and you see there's there's actually some intersection happening here and this intersection because they do intersect now you use these values and you assume that the device is somewhere in this in this area here that's being covered by the the blue circle the yellow circle and the red circle so I mean this actually works well I mean it works but not very well right I mean what she locks down was that the margin of error of this is
actually up to 100 meters in some cases which you know is effectively useless right because if you're trying to figure out where something is that's hardly accurate so a better approach is to use a weighted average so I guess the easy way to think about this and this is probably the coolest thing about this axis study was that if you take the N most powerful RSSIs or discard every RSSI value under a certain threshold this will actually reduce the average error to below 50 meters without any fine-tuning and with fine-tuning and that's the key word there fine-tuning you reduce the average error to below 10 meters which is actually startlingly accurate the problem is that you know as
you know we mentioned there is fine-tuning required so you can imagine that's probably not going to work that well outside of a lab environment so it's definitely something that's still in its developmental stages so I guess the advantages if you wanted to you know track a wireless device using using trilateration well I mean the weighted average approach is pretty accurate when fine-tuning is used but you know RSSI is still you know a very inconsistent power indicator and it's definitely sensitive to environmental obstruction or interference there's definitely like the possibility something that needs to be explored more is using more than three points to see if you can improve the accuracy that way but yeah it's you know as far as like
applications to physical security I mean it's it's arguably more trouble than it's worth hey Sean but it only works indoors where obstructions aren't present because and so it's really in its developmental stages so I guess you know we spoke about uh you know how you can build profiles essentially you know profiles of behavior just by like you know tracking wireless devices that people are carrying but I guess you know that kind of basic question can you actually link devices to people you know given given a device can you actually figure out who's using it or vice versa and the answer is well I think before we go further we have to think about the ethical considerations associated with
this you know because you know the minute you start talking about bridging the gap between this identity of a person and the device they're using and their metadata you know you I mean this is something where if you do this without consent I mean it's pretty much always considered unethical the question though is it worth it is it worth doing and you know I think a lot of marketing agencies law enforcement agencies you know people who have interests in this stuff would definitely say yes you know potential reasons you know arguments for doing it you know you you want to spy on somebody but you don't know what phone they're they're using or you need to target
someone very specific or you know if you're a marketing agency of course they just want to enhance your customer experience and sell you stuff so you know that that works that's a pretty good reason for doing it as far as legal justifications for doing it you know if you've consented to it either as part of a Terms of Service Agreement actually this is a pretty pretty interesting practice when you when you go into if you ever use like free Wi-Fi has anyone ever just accepted like a captive portal or something like that like a retail store no one he has okay so I mean really it's pretty funny because what they'll actually do is they'll bury something in
the Terms of Service that says basically by agreeing to this you're consenting to having your movements tracked throughout the store so like you know like Nordstrom or Macy's or something like that they want to see where you're going in a store what kind of products you're interested in you know and of course to sign up and get actually free Wi-Fi you have to give them your email so then they'll use that to send you targeted advertisements later you know of course you know you might your employer might you know say that yeah you have to agree to you know having your activity monitored in the workplace you know whether that actually you know entails you know physical
tracking as well it may or may not of course if there's a warrant or equally powerful legal justification then that you know works as well note to security consultants don't try this stuff without explicit authorization for it because you'll land yourself in really hot water for doing this but yeah I mean pretty much as far as this conversation goes I think at least from the presentation perspective really just taking a neutral stance on this regarding the ethics of doing this and instead I think it's better to just explore whether or not it's possible to link devices and identities to one another and if it is possible how feasible is it you know and then you guys can basically
come up with your own conclusions about it and go from there so Mathieu Cunche at the International Symposium on Research in Grey-Hat Hacking gave a pretty awesome presentation called I Know Your MAC Address there is actually a white paper that's about this as well what he figured out was that well he came up with this approach where if you visually identify a target so you just say oh that guy and then you just follow them for a while while sniffing packets you know so you monitor the wireless communication for the person you're following around for n minutes while keeping in transmission range you know eventually you're going to see a MAC address that has been present with
you as you're following this person for you know all n minutes so then you'll see all the other MAC addresses you know fall away and there'll be just this one MAC address left so I mean this is this is actually pretty cool because it demonstrates that using you know a relatively simple technique you can have an accurate and highly targeted means of linking a visual identity to someone's MAC address you know the drawback to this is one thing it's creepy it's actually dubbed the Wi-Fi stalker attack by Cunche himself and it requires considerable skill and training to do so without attracting attention or getting arrested I mean if you imagine just trying to like you know do this
technique you know you're following some guy with your Yagi antenna or whatever and just he's seen you on every street corner I mean if someone was doing that behind me I'd probably call the cops I'm just just saying so and it also requires a close proximity to the target you know and that's that's you know never preferable with that said I think you know this this technique actually can be improved the original Wi-Fi stalker attack came out in 2013 it's now 2017 and literally everyone has drones now I mean literally everyone has four outs so I mean let's talk about you know like hypothetically if you wanted to how would you improve your Wi-Fi stalking
game well I mean you can use facial recognition and drones for one you know this alleviates the problem of having to follow somebody around with that antenna you know so it's easier to be stealthy physical exertion's not required which is an amazing thing I think and it's slightly less creepy well I mean it's still pretty creepy right if you see a little quadcopter palling around with a little less obviously creepy with that said it's also hard to use indoors right I mean I don't know if you've ever tried to fly like a like a drone but it's it's actually more challenging than you think and you know it's accident prone you know you might actually run into the person with
the drone you know clobber somebody and you can only really monitor one target at a time still so I mean why stop here though I mean what if we did the enhanced aerial Wi-Fi stalking advanced persistent threat style you know so drones equipped with facial recognition software lots of them split an aerial map into sectors and each face gets a unique ID you know actually I think the better way of explaining this is not really by using I'm going to load something up here really fast I'm going to try to anyways okay I actually got to put the mic down because I decide
here with me
hope you guys are so serious I can't see this better now all right so like we have this grid here and I want you to imagine that each tile in this grid is a it's just a location on a map and you're kind of looking at this from a top-down view and each of these points here is a sector and in each of these each of these points each of these sectors are two items a camera and a packet sniffer so you have a camera and packet sniffer in each point right and then you also have this guy here Bob so we're going to you know Bob we kind of have this as an
ordered pair here right where there's this thing c9 and we're assuming c9 maps to a MAC address I didn't actually put a MAC address because you know that would be kind of hard to get essentially take up the whole square be hard to render on the screen so just pretend c9 is a MAC address you know MAC address c9 and we have Bob so Bob is is you know represents the like essentially an identity tied to someone's face so for the purpose of this demonstration we can see that Bob is linked to MAC address c9 but the algorithm that we're going to use to actually link these two things is unaware of that but the so the
parentheses in there are really just just for a visual aid for us so Bob is you know moving around this map like this and each you know let's say this is like a one minute interval Bob moves from location to location and you know just kind of intuitively right if we look at if we look at where Bob is we only have one MAC address there and that's MAC address c9 so we can you know just kind of like you know it's implied there that you know MAC address c9 belongs to Bob now let's look at let's look at a different example which would be two people in the square if I can type correctly there you go so now
we have now we have four items in this sector at the top left these four items being you know MAC address c9 MAC address a1 Bob and Mary so you know we you know we can once again we have these parentheses here to aid us but an actual tracking algorithm would not be able to see that you know these two things are tied to one another so it would just look like there's two MAC addresses and two visual identifiers in this sector you wouldn't be able to tell you know whether you know which one is linked to what just off the bat however notice that you know after after both of them move kind of like in any other direction so
so Mary has now moved you know to the right by one sector and Bob has moved down if we're trying to you know keep track of Bob and now we see that the only MAC address left is you know MAC address c9 then we know that you know you can tie MAC address c9 to Bob and those two are linked to one another you know similar similarly if we look with more people right so now we have now we have five people that we're keeping track of as I said before the parentheses you know they're really just there for us but we can see that there's people with their MAC addresses but to an algorithm that's actually trying to track these
people you would not be able to tell if these people are linked together you just see five MAC addresses and five visual identifiers and it would take kind of longer so now that they've each moved and this movement is randomly calculated by the way you see that they've moved and now if we're still trying to figure out where Bob is now we see Bob and Mel are both in the same sector as well as their MAC addresses we still don't know which of those two MAC addresses belongs to Bob and you know now Bob's in a sector all by himself and you know the only the only thing left the only intersection between you know
the set of all items in this this final sector where Bob is and the sector in which Bob started out is this is the set containing the MAC address c9 and the visual identifier Bob therefore you know that Bob must have MAC address c9 so I mean if you actually implement this into you into a tracking algorithm right I'm just going to type this in one hand so I've been visual ID Bob so right now I might have to zoom out of all right can you guys still see what's going on pretty well anyone not able to see the text all right you can all see the text great so yeah you know as we
said before we have these uh you know five visual identifiers and five MAC addresses so what the way that this algorithm is going to work is that it's going to first sweep this area and look for Bob you know Bob is now found right here in this sector so the attention of the algorithm is focused on on this sector you then fast-forward the camera by about the cameras by about one minute but the algorithm is still focusing on this sector now searches each of these neighboring areas on the graph up here which would actually is this sector here then it would it would look at this one then this one and just kind of keep
going until until Bob is found which Bob would be found here you know as this this particular case resolved itself very quickly as you see the target MAC address has already been identified as c9 if you're able to see that and I'll just zoom in a little bit so that you can plugin yeah the target MAC address has already been identified as c9 but you know it doesn't always it doesn't always go that quickly right so if you if you do this so we'll try this again but you know if you see this algorithm it may take a few tries but each time you eventually it is deterministic you will arrive at the at the MAC address that
you know is associated with the visual identifier that you're looking for so you know we start out here and then you know the possible candidates is ruled out these are all resolving fairly fast let me try to find an example where it's not and this is totally the demo gods right now like you shall have a good luck when finding this yeah so here how about that it's actually literally just working on the first try every time but usually I mean it has to follow it around for a bit right and you know within each essentially if you do this long enough you can essentially take you know like a visual identifier and then you map it to the MAC address in that
way so I mean if you think about the ways that something like that could actually be used well I guess first like the the limitations of this for example would be that that we presumably account for signal bleed between the two the different sectors on the map of course it's not really necessary because if you track this thing long enough I mean you're eventually going to lose that signal for the other places but it also doesn't work really if individuals are always you know traveling together in one place however if people are always taking the same path and it does tell you that there's probably some kind of link between these two individuals so
it doesn't really matter and of course it doesn't work with individuals who have more than one device although once again if you start seeing you know this is kind of try I'm moving around you can start to draw inferences from that so I mean if you think about like ways in which this could be used I mean so for example you know think about a city where there's like security cameras everywhere I mean like New York's a really great example of that you know London is notorious for just having security cameras on every every block in fact speaking of London there was you know if you got to read the news a few years ago there is like actually they recently
decided to end a program in which they had wireless packet sniffers just sitting in sitting in trash cans so you can go to throw out your rubbish and they just kind of capture your capture your MAC address and stuff like that so I mean the infrastructure is really already there in order to do something like this so I mean it just just using existing infrastructure you could really do this so I guess the conclusion from this is that tracking client devices is actually like really easy depending on the methods that you're using and and you can use it you know using pretty pretty small simple data points and and by doing that actually gather some really really
insightful results and you know and this is pretty much evidenced by the sheer number of products out there that do this you know both like in the marketing sectors and also in other places and you know often the simplest measures are the most reliable and effective for linking devices to people and actually like they going to figure out you know being able to link a behavioral profile to someone's identity I mean there are a couple ways of doing this you can take the the approaches as having to having someone agree to it you know and then essentially they could they can consent and that's what we were talking about with the Terms of Service stuff or I mean you can
do something more invasive which like that the algorithms we were just talking about more recently so I think in terms of this stuff large organizations with vast resources definitely have the advantage but you can see there's still like a lot of like really simple methods that you can use so I mean that's pretty much it if we finished it out ten minutes early but any questions what's up yes the the first three octets of the MAC address are the first three octets are the OUI so that maps to the manufacturer yeah actually so you know if you wanted to and you were able to and want one really cool thing you could do I guess with
that is that if you wanted to just you know get a list of everyone here who uses Android versus versus Apple or other I mean that's that's something you could definitely use use the OUI prefix for what's up
it varies and that's a really good question because it tells you how often you can actually gather this data point and depending on the device there are devices that don't probe actively so if you're I mean we haven't for some reason and I don't there's really no reason for this in my opinion but that's just opinion we still hadn't reached the point where we're all just using we're neglecting passive probing I guess for convenience or whatever but and there's some devices that use passive probing where they just wait for for beacons from an access point before we start the probing process and before they start trying to talk to something on their on the preferred network list but yeah
it does vary from device to device there's there's some leeway in the implementation there you excellent question so so the thing is that I mean there was a really posh a link of this but there's a study that was recently released by it's called why met what so essentially there you when you wind it up when the on the probes go out although the in a lot of cases although the MAC address varies from from from packet to packet there's still a sequence number that's associated with each packet so the MAC address changes but there's a sequence number that that that's still associated with each MAC address so because of that that kind of breaks it and also there's
and this is this is a little you know doesn't work quite as well but there's also you can use like hardware fingerprinting so you can kind of you know based on the actual signal coming from the device figure out that although the MAC address has changed there's still like a fingerprint of this device that kind of looks similar that's a really good question I don't believe so I think it would just construct a for overall profile from all this stuff so it does throw a wrench in it that way yes but unless unless you find a way of identifying the you know mapping these things to own things so if you're able to see that there's like a certain
sequence number that's following from you know like and that doesn't change from client device to client device or should I say MAC address to MAC address you can you kind of lump them together and just assign your own like UUID or something to it and tie them together that way yeah so that's that's exactly pretty much anything else any more questions come on all right well I guess I guess if not a little early but yeah that's pretty much it thanks guys [Applause]
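
The sector walkthrough in the talk reduces to intersecting the sets of MAC addresses seen alongside one visual identifier over time. The block below is an added example, not the speaker's demo code, run over constructed observations; the sector coordinates and the addresses f3, r1 and r2 are made up for illustration. It also covers the cases where the candidate set never narrows to one address: people who always move together, and a device that shows a fresh address at every step (with no sequence-number correlation applied).

```python
def narrow(target, steps):
    """Intersect the MAC sets seen in whichever sector holds `target` at each step.

    steps: list of {sector: (visual_ids, macs)} dicts, one per time interval.
    Returns the candidate set after every step in which the target was seen.
    """
    candidates, history = None, []
    for step in steps:
        for faces, macs in step.values():
            if target in faces:
                candidates = set(macs) if candidates is None else candidates & macs
                history.append(set(candidates))
                break
    return history


def resolved(history):
    """Return the single remaining MAC, or None if zero or several remain."""
    final = history[-1] if history else set()
    return next(iter(final)) if len(final) == 1 else None


# Constructed observations. Labels c9/a1 and Bob/Mary/Mel follow the talk.
SEPARATE = [  # Bob and Mary start in one sector, then split up
    {(0, 0): ({"Bob", "Mary"}, {"c9", "a1"})},
    {(1, 0): ({"Bob"}, {"c9"}), (0, 1): ({"Mary"}, {"a1"})},
]
TOGETHER = [  # Bob and Mel never separate: two candidates remain
    {(0, 0): ({"Bob", "Mel"}, {"c9", "f3"})},
    {(1, 0): ({"Bob", "Mel"}, {"c9", "f3"})},
    {(1, 1): ({"Bob", "Mel"}, {"c9", "f3"})},
]
RANDOMIZED = [  # Bob's device shows a new address per step: nothing in common
    {(0, 0): ({"Bob", "Mary"}, {"r1", "a1"})},
    {(1, 0): ({"Bob"}, {"r2"}), (0, 1): ({"Mary"}, {"a1"})},
]

if __name__ == "__main__":
    for name, steps in [("separate", SEPARATE), ("together", TOGETHER),
                        ("randomized", RANDOMIZED)]:
        history = narrow("Bob", steps)
        print(name, [sorted(h) for h in history], "->", resolved(history))
```
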