#163 Wi-Fi Sniffer as Sensor for Humans

Captions
Last week we built a connected radioactivity sensor. This week we try to build a really cheap and small connected sensor for humans which is nearly invisible and also works in total darkness. It is a sensor based on the newest psychological trend and an ESP8266. Theoretically it should be able to detect our attendance as well as the appearance of undesirable intruders. Let's start to find out if this is possible.

Grüezi YouTubers, here is the guy with the Swiss accent with a new episode around sensors and microcontrollers. So you might ask yourself what an engineer like me understands of psychological trends. Not a lot, of course, but I think enough to create a decent detector for humans. The only psychology needed is to know that we sooner forget our child in a shopping mall than our smartphone at home. So it is fair to assume that we can replace the word "human" by the word "smartphone" and build a smartphone sensor instead of a human sensor. The measured results will be very similar in most cases, and the funny thing is that the trespasser brings its own detector with him. I like this idea.

So let's build a sensor which monitors its environment and detects all smartphones with enabled Wi-Fi functionality. This is possible because all smartphones regularly send messages to detect networks around them. It uses the signal strength to detect how far away this smartphone is, adds all newly detected smartphones to an internal database, and regularly connects to an MQTT server and sends the list of the detected devices to our home automation or alarm system. Because Wi-Fi waves travel through small obstacles, the sensor can be completely hidden, and it does not cost more than a few dollars. I will use Node-RED as a home automation system to do some initial testing. This type of sensor of course will only work if Wi-Fi is enabled on all smartphones around it. Fortunately smartphone suppliers help us here: if I switch Wi-Fi off, my iPhone immediately reminds me that I should not do it to avoid crippling of the location services.

As said before, all Wi-Fi devices send out some signals to be detected from access points around them. Because Wi-Fi is energy hungry, smartphones only do that from time to time. And each device connected to the internet should have a unique MAC address, and this MAC address is part of the messages sent out by the devices. Unfortunately we will see that this is not always true.

Normal Wi-Fi modules only listen to messages which are addressed to them and ignore all others. This is not exactly what we need for our sensor. We need a Wi-Fi mode which is called promiscuous: it listens to all Wi-Fi signals in the air, so this mode could also be called indiscreet mode. Fortunately the ESP8266 supports this mode, and Ray Burnette wrote a sketch which uses it. I base my work on his knowledge. The sketch is not simple and I still do not understand every detail. To use it, it is only important to understand a few parts. In setup we switch the promiscuous mode on; it only works in station mode. Here we also define a function which is called every time our ESP8266 detects a signal in the air. This function is called promisc_cb. In the loop the ESP listens to all channels for new signals. This has to be done channel after channel because the ESP is not a multi-channel device. If a packet is detected, the function promisc_cb is called. The Wi-Fi standard says that a beacon message has to be sent every 100 milliseconds. This is why the ESP stays on one channel for about 200 milliseconds, to be sure not to miss such a beacon message. Because we have 15 channels to scan, each such all-channels scan takes about 3 seconds. We could reduce this time by using more than one ESP; each ESP then would only scan a few channels and therefore would detect new devices faster. If a new device is discovered during the scan, the ESP changes to the normal mode, connects to Wi-Fi and sends an MQTT message with all the MAC addresses from its database to the broker. Here you can filter these addresses and transmit only the strongest signals to reduce the coverage of your sensor. These MQTT messages then can be used to trigger flows in Node-RED.

I use the JSON format to create the MQTT messages. JSON is a standardized way of formatting data and can be handled also by Node-RED. By the way, the ArduinoJson library works very well and I recommend to use it for data transfer across MQTT.

Let's have a closer look at the promisc_cb function. It distinguishes between beacon and device messages, and writes the MAC address, the channel, the signal strength or RSSI value as well as the last discovered time into its database. These values are also printed to serial. The last discovered time is used to purge devices if they are no more heard for a certain period of time. Like that you can detect when a device left the room. You do not find this particular function in the .ino file because Ray has created a file for all these very technical functions. It is called functions.h.

If we boot now the ESP8266, it immediately starts to scan all channels and quickly discovers all visible access points. Because the access points are connected to mains, they can send beacon signals every 100 milliseconds as the Wi-Fi standard requests, and we should be able to discover all of them in the first scan. You see also that they all use different channels. If two of them use the same channel, I suggest you change the channel of your access point; otherwise it might be disturbed by your neighbor's network. During the next scans the ESP discovers more and more other devices. As mentioned before, mobile devices have to preserve energy and do not send beacon messages all the time. I do not exactly know how often iOS or Android devices send beacons, and it might be that we do not catch all of their messages because we do not listen on all channels all the time. So it takes a while till a new smartphone is detected, and we also see that they use the same channel as the access point they are connected to.

As a result we have a list of discovered MAC addresses. We can do some cool things with this list. First, we can detect if you are at home and switch things on accordingly, or switch them off if you are out. Other than PIR or radar sensors, these sensors can distinguish between persons. Or we build a database of known devices for the family members, and as soon as an unknown device is detected we can trigger an alarm. Here the big advantage is that we can hide these devices completely, and we do not need a sensor for each window or door; one sensor is sufficient for at least one floor.

So I started to build these two scenarios in Node-RED. The first scenario, the presence detector, worked very well. If I come home, it takes a few scans till my presence is detected, and it takes the purge time to signal if I left the house. So clearly PIR or radar sensors react faster. Then I started to build the second scenario, the intrusion detector. I added all devices which are discovered in a database in Node-RED. A function browses through this database and prints unknown MAC addresses in the debug window. To test this scenario I behaved like a stranger and disconnected my iPhone from my network. This would be the case if a stranger would come to my house. When I did these tests, my ESP discovered lots of new MAC addresses, much more than devices available in my lab in the basement. I had no idea where these MAC addresses came from and searched for errors in the code, but it was no coding error.

During my research I discovered an interesting story. I am not the first guy using this technology of presence monitoring. It is also used in shopping centers to track your movements, and the shop owners can buy specialized gear to perform this task. Apple did not like that, and from iOS 8 on they introduced a simple countermeasure: they do not send the real MAC address of the device. They only send a random MAC address if the device is not connected to an access point. Like that you cannot be tracked if you just walk through a shopping center, because your phone frequently changes its MAC address. As soon as your iPhone connects to a Wi-Fi network, it has to use its genuine MAC address, and from then on you are trackable. Is this perhaps the reason for these free-of-charge Wi-Fi services in the shopping malls? Android offers a similar functionality, but it is not widely implemented, so you are still trackable with these devices. I will leave a few links in the description if you are interested in the details.

So I discovered the root cause of these many newly created MAC addresses: they all came from my iPhone laying on my bench. But still it should be possible to build such a scenario, because we will trigger an alarm if any unknown MAC address is discovered. Just make sure that all of your devices are connected to a network when they are close to the sensor; otherwise you will get false alarms. There are two small tricks which can help you to verify such a list of MAC addresses. The first: if you run Advanced IP Scanner on your Windows PC, it shows you all MAC addresses of the devices connected to your network. And two: the first six places of a MAC address show the manufacturer of the chip or the device. Take any MAC address and check it with an online service. If no manufacturer is shown, there is a big chance that you checked a randomized MAC address.

A final remark: if you only want to use the detector to detect your presence, you can reduce the channels searched to only the channel of your access point. Then the discovery of your devices is much faster. And I read about the possibility to send specialized packets to an unknown device to make it answer with a genuine MAC address. Maybe a viewer can use my code and enhance it so that our ESP8266 is able to send out such packets.

Summarized: we were able to build a cheap sensor which can detect our own presence as well as the appearance of an intruder. It is based on an ESP8266 and the promiscuous Wi-Fi mode. We also were able to restrict the range of the sensor by filtering the MAC addresses according to the signal strength. The sensor does not react as fast as PIR or radar sensors, but its reach is bigger and it can be completely hidden. The sensor regularly sends the detected MAC addresses to an MQTT server on our Raspberry, where we use it in our Node-RED flow. We learned also that our smartphones can be tracked by other people, especially if we connect to their Wi-Fi networks, and we saw that mainly Apple tries to hide our identity using randomized MAC addresses. We were able to confirm the detected MAC addresses by using Advanced IP Scanner or by searching for the manufacturer of the Wi-Fi chip. And we found two different possibilities to speed up our sensors: adding more than one ESP8266 sensor and focusing each of them on a subset of channels, or restricting the scanned channels to the channel used by our access point. This only works for presence detectors, not for intrusion detectors. Here you see how small such a sensor can become if we use one of our old ESP-01 modules. You can even hide this in the housing of a USB charger. I hope this video was useful or at least interesting for you. If true, then like. Bye.
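The Node-RED side of the flow described above (RSSI filter, purge by last-heard time, known-device list, unknown-device alarm, randomized-address check), as an added example that is not part of the video or of the sketch it uses. It assumes the ESP publishes a JSON payload with a list of devices carrying mac, rssi and ch fields, and all MAC addresses in it are constructed.

```javascript
// Added example, not the video's code: the Node-RED-side logic the transcript
// sketches, written as plain JavaScript so it runs outside Node-RED.
// The MQTT payload shape {"devices":[{"mac","rssi","ch"}]} is an assumption.

const KNOWN_DEVICES = new Set(['00:11:22:33:44:01']); // family phones (constructed)
const RSSI_MIN = -70;                                   // weaker signals count as out of range
const PURGE_MS = 5 * 60 * 1000;                         // forget devices silent this long

// Constructed sample of one scan as the ESP8266 would publish it.
const SAMPLE_MSG = JSON.stringify({ devices: [
  { mac: '00:11:22:33:44:01', rssi: -45, ch: 6 },  // known family phone
  { mac: 'de:ad:be:ef:00:02', rssi: -52, ch: 6 },  // locally administered, i.e. randomized
  { mac: '00:11:22:33:44:03', rssi: -85, ch: 11 }, // too weak: neighbour, ignored
  { mac: '00:11:22:33:44:04', rssi: -60, ch: 1 },  // unknown genuine address: alarm
]});

// Randomized (iOS 8+) addresses set the locally administered bit, bit 1 of the
// first octet, so no manufacturer (OUI) lookup matches them. This is the
// offline counterpart of the web lookup the transcript suggests.
function isLocallyAdministered(mac) {
  const first = parseInt(mac.split(':')[0], 16);
  return (first & 0x02) !== 0;
}

// state: Map of mac -> last time heard (ms); now: timestamp of this scan.
function processScan(msg, state, now) {
  const seen = JSON.parse(msg).devices.filter(d => d.rssi >= RSSI_MIN);
  for (const d of seen) state.set(d.mac, now);                 // refresh last heard
  const purged = [];
  for (const [mac, t] of state) {
    if (now - t > PURGE_MS) { state.delete(mac); purged.push(mac); }
  }
  const present = [...state.keys()].filter(m => KNOWN_DEVICES.has(m));
  const randomized = seen.filter(d => isLocallyAdministered(d.mac)).map(d => d.mac);
  // Randomized addresses are reported separately instead of raising the alarm:
  // in the video they came from the owner's own unconnected iPhone, but an
  // unconnected stranger's phone looks the same, so the flow has to decide.
  const unknown = seen
    .filter(d => !KNOWN_DEVICES.has(d.mac) && !isLocallyAdministered(d.mac))
    .map(d => d.mac);
  return { present, unknown, randomized, purged, alarm: unknown.length > 0 };
}

console.log(processScan(SAMPLE_MSG, new Map(), Date.now()));
```

Feeding the same state Map to every incoming MQTT message (for instance from flow context in a Node-RED function node) gives the purge behaviour the video describes, where a family member's departure is only signalled after PURGE_MS of silence.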
Info
Channel: Andreas Spiess
Views: 120,362
Keywords: electronics, WiFi, Wifi sniffing, esp32, eevblog, sensor, Wi-Fi sniffing, lorawan, smart home, Wi-Fi, iot, sniffer, esp32 datasheet, arduino, esp8266, esp8266 datasheet
Id: fmhjtzmLrg8
Length: 14min 20sec (860 seconds)
Published: Sat Oct 14 2017