Electronic Fingerprinting: Mobiles Devices behind the Shadows
Passive tracking is pervasive in today’s world. Let’s talk more about that.
While we’ve all heard about web fingerprinting and had that moment where we wondered if our microphones were listening to us, most of that tracking revolves around the internet and being tracked by our patterns and the information we share via our social media and browsing habits.
However there is another form of electronic surveillance that we experience many times each day, and our experience is that most people don’t give that a second thought. Today, we’re going to talk about how you can be betrayed by something you use every single day and what you can do to mitigate this should you wish to do so.
You don’t get far as an Investigator without having a creative brain and finding ingenious ways to navigate problems while using technology to maintain an edge in the field. While this technology can be used in many situations sometimes legally speaking many tools are not suitable for the job, leading to assessing other ways of achieving the same goal. While a GPS tracker can be a useful tool to have during an inquiry, the scope of which these are able to be used are too narrow to be able to be relied upon. Thankfully technology has evolved to give us other options. It’s even evolved to the point that people will carry and charge these devices willingly. Yes, we are talking about the good old smartphone.
Smartphones are unique in their ability to give away information that is relevant to others. Source: Samsung
What Does it Mean?
While for many people the concept of tracking a smart phone probably gives visions of hackers, movie style phone tapping and listening in to private conversations, we’d like to break that illusion now by saying whilst these exploits are possible, they usually remain the domain of nation states, intelligence agencies and high end cyber criminals. Given that we are Law Abiding, Open Source Investigators that don’t fit that criteria we need to look for other ways to achieve this goal. Thankfully due to car kits, smart watches and other connected devices there are legal ways for us to achieve similar goals. However please note that should you wish to experiment with this, you should check the laws and regulations for your own region prior to doing so.
Firstly to understand what we have available to us we need to understand what our device does. For a smartphone, we have three avenues to pursue. One of these is not viable, the other two are.
GSM Network Emissions
GSM emissions are the communications between your smartphone and the tower. These emissions carry the information that gives your phone the ability to make calls, send text messages and obtain an internet connection. These emissions are encrypted, for both efficiency and privacy purposes and intercepting them cannot legally be done in most parts of the world. This means for our purposes this data source is not useful.
A wireless adapter that’s able to be put into monitor mode will tell you plenty about the devices around you.
WiFi Emissions
WiFi Emissions are used by smartphones to connect to local networks, both at home, in the work place and often in public areas. This allows smartphones to receive an internet connection separate from the one provided by the devices sim card. While the WiFi is on and not connected the internal WiFi Card will send out probe requests, looking for familiar networks to connect to automatically. Often for convenience’s sake people leave their devices WiFi switched on to connect to networks automatically when they move between locations, meaning that these probe frames are regularly broadcast. These emissions are able to be detected by using a wireless adapter that is able to be put in to monitor mode meaning they can be passively detected. While the regulations behind this will vary between countries it’s generally accepted that passively detecting data packets in the local environment usually does not breach privacy regulations. This means that WiFi emissions are a usable data source for our purposes.
Bluetooth for the older folk may bring back memories of these headsets. However Bluetooth evolved to be found in all manner of devices. Source: Canva
Bluetooth
Like WiFi, Bluetooth devices are extremely common in our connected world bringing convenience via a myriad of connected and smart devices. With personal devices like headphones and smart watches being used individually down to vehicles using Bluetooth for onboard sensors and driver information discovering these devices in your everyday environment has become a lot more common than it once was. Like WiFi, it’s reasonably common for people to use the devices in a convenient manner. This means that while the operating protocol is different to a WiFi connection many devices may be discovered due to being constantly left on. While these emissions are encrypted, we can still detect these passively using a Bluetooth scanner. This means they too are a usable data source for our purposes.
How It’s Used
While it’s easy to look at these things and think it’s all bad news, the truth is that there’s plenty of legitimate uses for this technology. However as general privacy fans we feel its important to have discussions around how this is used, and what information can be collected by doing so. So with that said it’s important to point it that this isn’t a faraway risk to privacy like a data breech or hack can be. This information is collected and used each day meaning that people need to make their own decisions on what level of information they are allowing to be collected according to what they are comfortable with.
While cyber researchers, investigators and general science nerds have the ability to collect this information it might come as no surprise to you to learn that it’s also collected by some everyday companies as well. The well known Google Street View cars for instance are instantly recognizable by their distinctive cameras however it’s a lessor known fact to many that they also collect WiFi information and map it according to the local environment, effectively War Driving to conduct a detailed electronic picture of the area. In built up areas this means that tracking can occur quite easily by tracking 3rd party SSID’s in the area nearby to a point or device of interest. Given that each specific device comes with an identifier this means that devices are able to be tracked within an area, even allowing things like loiter time within this area to be tracked. This also means that should you be ingenious enough a bash script or similar can be used to seek out familiar devices or devices of interest and provide a notification upon the detection of said device. We'll be writing more about this concept in future articles.
Google Street view vehicles carry a range of equipment as well as the distinctive camera. Source: Google
A good example of where this traffic movement analysis can be seen in action is along freeways and transit points of interest, giving authorities the ability to monitor traffic conditions and density in real time. This also has an application in the use of foot traffic analysis however, and is also starting to be tied into large scale emergency management systems, providing the ability for massed localized alerts with in an area to be implemented quickly and with minimal problems.
Another common use where you’ll see passive tracking is in shopping areas and within stores. While the technology is still being developed, the use of these emissions from a device allow retailers and advertisers to delivered targeted advertising and marketing specific content directly to users. This means advertising can be more targeted in location specific ways, even delivering personalized advertising to individual users. It’s expected that as time progresses that we will see this type of advertising usage to increase as the technology evolves.
Techniques for Prevention and Mitigation
Mitigation of this is extremely simple. By turning off your Bluetooth and WiFi when you aren’t requiring it to be in use is the easiest and most effective way of dealing with passive tracking techniques. However in doing so you may loose a slight level of convenience as it will often require you to manually switch on your WiFi and Bluetooth when you are doing so. However it’s important to point out that smart devices like watches and fit bits work just fine being synced once a day to ensure the stored data is being sent to your relevant account.
If you’re reading this article though and have decided that you’d like to regain control of your privacy on some level then we’d encourage you too look at your situation as a whole and then make choices that suit your situation and are are directly relevant to you. By looking at privacy as an entire concept as opposed to something that’s only relevant to a certain situation, you’ll be able to make choices that will empower your situation and allow you greater security in the event that your data is leaked by an outside source. By considering what we wish to achieve from our objectives and then acting accordingly prior to an incident occurring means that when we are forced to deal with the inevitable privacy breeches we are able to do so knowing that we’ve already taken useful steps to mitigate the damage that can be incurred in a situation such as this.
Because of the ever changing dynamics of Information Security, even those experienced with maintaining privacy in the digital domain can still benefit by conducting periodic privacy “reboots”. This can mean carrying out checks and assessing the protective steps you already have in place, ensuring that nothing needs to be changed or modified to ensure ongoing protection. While information breeches and hacks will continue to be part of the digital landscape for some time to come, proactively taking steps to mitigate your digital footprint and manage your exposure gives individuals the best change at managing these events with minimal stress and risk to their personal data.
Managing aspects of privacy can often feel like navigating a minefield. Source: Canva
Lastly while we originally were scheduled to cross post content to Reddit, allowing for easier access for those lacking a medium membership, we’re currently withholding these plans due to the Reddit API changes and issues with the Reddit management team. We’ll be evaluating other options over the next month, looking for the best way to continue to deliver to people whilst looking for companies that are serious about supporting creators through a supportive team and environment. With that said, we’d also like to give a specific acknowledgement to the Medium team and the support they provide to people within the partner program. They provided great support to us this week when dealing with an issue, providing trouble free resolution in a timely fashion.
If you’d like to stay updated with our latest content across all platforms you can do so via our telegram channel which you can find here.
If you aren’t a telegram user you can find us on either publish0x or medium.