Friday, 14 March 2014

Tracking users via wireless networking at BSides Vancouver

BSides Vancouver 2014 has come and gone and it went off really well. I gave a presentation on Canary and had a good time overall. One thing I did do this year was keep track of the users who were sitting in the presentation room using Wi-Fi and Bluetooth.

"Scroll of Sheep" was created based on the idea borrowed from DEFCON's very own Wall of Sheep, but instead of harvesting passwords and the like from Wi-Fi networks, it scanned for enabled Wi-Fi and Bluetooth devices within one section of the conference.

It would listen in on 100 packets via Wi-Fi and do a sweep via Bluetooth every three seconds and keep track of it via a SQL database. All that was stored was the device MAC, a time stamp, and an SSID if found.

It was well-received and now I have some statistics and other data to share!

Hardware and software

Some fairly off-the-shelf hardware was used:

  • Laptop computer

  • LCD monitor

  • Alfa-based USB Wi-Fi adapter

  • Yagi antenna mounted on camera tripod

In addition to the above, a standard point-of-sale receipt printer was added and connected via parallel cable. The printer held about 70 metres of receipt paper. Each day, a new roll was added to allow for proper measuring of how much paper was used--more on this later.

Even Bobby Tables showed up

The software that powered it relied mostly on Airmon-ng, with Scapy providing the interface. You may wish to check out the source code of the software I wrote as it also incorporated a web-based display for statistics in addition to printing the data on to a receipt printer.


Here are the requirements for how things were tracked:

  • New access points were added and then ignored for the rest of the day.

  • Probes from client devices were only counted as new if they had not shown up in the last five minutes.

  • Bluetooth devices fell into the same category.
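The three rules above can be expressed as a small counter. This is an added example, not the Scroll of Sheep source: the class and function names are hypothetical, the sightings are constructed, and it assumes the five-minute window is measured from a device's most recent sighting.

```python
from datetime import datetime, timedelta

PROBE_WINDOW = timedelta(minutes=5)  # the five-minute rule from the list above


class SightingCounter:
    """Counts sightings using the three tracking rules described in the post."""

    def __init__(self):
        self.ap_counted_on = {}  # AP MAC -> date it was last counted
        self.last_seen = {}      # (kind, MAC) -> time of most recent sighting
        self.counts = {"ap": 0, "client": 0, "bluetooth": 0}

    def observe(self, when, kind, mac):
        """Return True if this sighting counts as a new entry."""
        mac = mac.lower()
        if kind == "ap":
            # Access points: counted once, then ignored for the rest of the day.
            if self.ap_counted_on.get(mac) == when.date():
                return False
            self.ap_counted_on[mac] = when.date()
        else:
            # Clients and Bluetooth: new only after five minutes of silence.
            previous = self.last_seen.get((kind, mac))
            self.last_seen[(kind, mac)] = when
            if previous is not None and when - previous < PROBE_WINDOW:
                return False
        self.counts[kind] += 1
        return True


def run_sample():
    """Replay constructed sightings (minutes after a made-up start time)."""
    start = datetime(2014, 1, 1, 9, 0)  # constructed, not the conference date
    events = [
        (0, "ap", "02:00:00:00:00:01"),
        (0, "client", "02:00:00:00:00:aa"),
        (1, "ap", "02:00:00:00:00:01"),        # same AP, same day: ignored
        (2, "bluetooth", "02:00:00:00:00:bb"),
        (4, "client", "02:00:00:00:00:AA"),    # seen 4 min ago: ignored
        (8, "client", "02:00:00:00:00:aa"),    # still chatty, window slides: ignored
        (14, "client", "02:00:00:00:00:aa"),   # quiet for 6 min: counted again
        (24 * 60, "ap", "02:00:00:00:00:01"),  # next day: counted again
    ]
    counter = SightingCounter()
    for minutes, kind, mac in events:
        counter.observe(start + timedelta(minutes=minutes), kind, mac)
    return counter.counts
```
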

It should be noted that not much in the way of Bluetooth data was acquired (we're talking less than a handful both days) so the data has since been discarded.

Most of the activity was really in the early part of the morning due to it being the start of the conference. As the days wore on, the number of new client devices continued to drop.

The above graph shows that while Apple devices were most popular, they were outnumbered overall. I was not keeping track of operating systems, but it was surprising to see Blackberry devices this high. With better OUI data, I am sure I could have gotten far better results.

Something that should be kept in mind is that while this antenna was aimed directly at the main conference hall, data from devices not belonging to conference goers was likely in the mix--attendance was no more than 200, but 330 devices were counted on average each day. Having said that, we did have command of the entirety of the hotel's conference space and it was likely that some people had more than one device. I'd wager that 80% of the data was likely the conference attendees.


As mentioned earlier, a receipt printer was used and each day it had available about 70 metres of paper. The idea behind the printer was borrowed from Chaos Computer Congress, where a receipt printer like the one I am using was used to print out tweets that discussed the conference.

While the "paper out" light was on, there was indeed paper inside. Nobody managed to get it to spit out control characters to make it cut the paper or go into a continuous spool--this was completely possible as I had not done any filtering via the interface. Bobby Tables made an appearance on here as well.
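The filtering that was missing could look like the following. This is an added example rather than code from the project: it assumes SQLite as the database, and the table, function names and SSIDs are constructed for illustration. The SSID is bound as a query parameter for storage, and anything outside printable ASCII is escaped before it reaches the printer.

```python
import sqlite3


def printable_ssid(raw: bytes) -> str:
    """Render SSID bytes so that only printable ASCII reaches the printer."""
    out = []
    for b in raw[:32]:  # 802.11 SSIDs are at most 32 bytes
        if 0x20 <= b <= 0x7E and b != 0x5C:
            out.append(chr(b))
        else:
            # Control bytes (and the backslash itself) become visible text.
            out.append("\\x%02x" % b)
    return "".join(out)


def store_sighting(db, mac, seen_at, ssid_raw):
    """Insert one sighting; placeholders keep the SSID as data, not SQL."""
    db.execute(
        "INSERT INTO sightings (mac, seen_at, ssid) VALUES (?, ?, ?)",
        (mac, seen_at, ssid_raw),
    )


def demo():
    """Store two constructed SSIDs and return what would be printed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sightings (mac TEXT, seen_at TEXT, ssid BLOB)")
    samples = [
        b"x'); DROP TABLE sightings;--",  # constructed "Bobby Tables" SSID
        b"cafe\x1b\x07wifi",              # constructed SSID with control bytes
    ]
    for i, ssid in enumerate(samples):
        store_sighting(db, "02:00:00:00:00:%02x" % i, "2014-01-01T09:00:00", ssid)
    # The table still exists and holds both rows exactly as received.
    rows = db.execute("SELECT ssid FROM sightings ORDER BY rowid").fetchall()
    return [printable_ssid(row[0]) for row in rows]
```
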

My girlfriend was on hand on the second day and decided to figure out how much paper had been spat out. Her approach was to just outright measure it whereas mine was to figure it out by weighing what had been printed.

Her answer was that 25 metres had been printed on day 1, but did not measure for day 2 as it was still spooling.

However, weighing the paper proved to be problematic as while I do have a scale, it's meant to measure things in pounds and kilograms, and we're likely dealing with less than a pound here--a kitchen scale would work much better. But there was one way: determine how many lines were printed.

Here's what I figured out and what I already knew:

  • Day 1 had 143 access points, 6 Bluetooth devices, and 670 client entries.

  • Day 2 had 102 access points, 5 Bluetooth devices, and 711 client entries.

  • Two lines maximum for access points, three lines for clients and Bluetooth.

  • Five lines of space between each new entry.

What this means is that on day 1, 6,397 lines were spat out and on day 2, it was 6,442. At this point, I can measure the length of each line (4 mm) and then tell you that 25.59 metres of paper was used on the first day and then 25.77 on the second. Even if I had gone and kept a single roll, I would not have run out. One interesting fact is that the fastest a garden snail has gone is 0.0034 m/s, which means that the printer was spitting out paper at around a third faster than that.

I guess I should have run with my girlfriend's answer all along as I had assumed more--something like 30 metres on each day.


Next year I plan to keep track of AP encryption and get the OUI data a bit more polished. It would be nice to know if those who are tethering at the conference are bothering to encrypt their links.

A little bit more about what else was found in the data set may be written later.
