Alright, well, welcome. Can you guys hear me okay? Alright, my name's Rick Hill and I'm here today to talk about geolocation of wireless access points and a little game I invented called wireless geocaching.

A little bit about myself: I work for a company called Tenacity Solutions in Reston, Virginia. We do security consulting, mainly for government customers. Around there I'm known as the wireless SME, which is a subject matter expert, local geek, car mechanic, and manager most likely to be thrown from the bus. Keeping the management thing in mind, I'd simply like you to focus on the technical, my technical skills, during this presentation. I always like to keep an open mind, so anybody out there, I can have contact info for you, if any, for jobs or whatever, or future contracts.

Last year I presented war rocketing, which was somewhat unusual. This year we're changing things up a bit. Things are a little more laid back this year, I guess you can tell. Keeping with my penchant for discovering new and better war driving techniques, we have a new venue, it's the lake, and a new vehicle for DEF CON 15. It's called the War Boat. The boat weighs 4,800 pounds, carries a crew of 10, and small quantities of beer are allowed. If you behave you're not likely to be stopped by the cops, which is more than can be said for regular war driving. Unfortunately I couldn't bring this as a prop this year. Agent X wouldn't let me bring it in the exhibit hall, so instead we have the actual unit with the radar antenna that you see here, which we use for our war boating.

So the focus this year is a little different from last time. Last time I just shot up the rocket and did, you know, basic NetStumbling: let's see what's out there within 20 square miles. This year it's all about precise location. The military affectionately calls what we're doing here targeting. However, I'd like to focus on the positive side.
Geolocation, as you know, can be used for many other things, good and bad, such as, I'm sure you're aware of, OnStar. Lost kid location is another that I saw, and I'll talk about that a little further in my talk, and downed skier rescue and so on. Looking at a little background on geolocation: I'm an amateur radio guy, and of course I do some of this on that side, but people at the Naval Research Lab and others have documented at least four techniques for geolocation. As you guys know, NetStumbling doesn't geolocate; it simply gives the driver's GPS position. I started thinking about this and I was like, you know, I go around mapping access points all the time, but I really want to know where they are. I have a friend that's into geocaching, if you guys are familiar with that. Of course he locates his cache treasures all the time with his GPS. It's a little harder in the Wi-Fi world than simply getting a GPS coordinate. But I started thinking and I said, what if we combine the two? We can have a new sport called wireless geocaching. Today there are well over 350,000 geocaches out there in 222 countries, registered on the various websites devoted to the sport. At each one of these you basically get a treasure when you find the proper GPS location. Some of them are actually quite difficult. You can find the location and your treasure may be hidden on a cliff near the location. So it can be challenging.

Before we talk about the project goals today, let me just say I'm definitely more of a hardware engineer than a software type. I'm not really a programming guru, so keep that in mind when you look at my basic code for this thing. A lot of the talk is about the design and construction of the unit you see up here. At the end, hopefully, we'll do a short demo. We actually had one of the goons hide an access point in the room here, and we're going to see if we can nail it. Next. All right.
The four direction finding methods we'll go into a lot of detail about later. Of course our platform, you've just seen the picture, is a Sea Ray boat. The equipment is pretty much a 15 dB antenna, something called a stepping motor, NetStumbler, VB, and Windows XP. Next.

So what are we going to talk about today? Why wireless tracking and geolocation is so hard, and the advantages of the four techniques. What I did when I first built this unit was a static test on land, because I didn't want to put the sucker on a boat, go out in the waves, and try to figure out what was going on with it. So we do that first. Then we do a number of known APs on the lake, where we hide them and know where they're at. And finally we play the wireless geocaching game. We've got some video of that.

So why is it so hard? Geolocation is difficult in the Wi-Fi region because, for one thing, it's spread spectrum. You can't just lock onto a signal. If you're an amateur radio guy, you're typically picking up narrowband, you know, one-frequency transmissions, and that's fairly easy to do. Also, we must wait on beacon and probe frames, and of course you guys probably know about multipath; it's problematic to try to find access points in trees and large buildings and stuff. Hence the lake location that we picked.

The four techniques are: radio direction finding, which basically means let's just point the antenna and see where it goes, right? That's sort of a crude manual technique. The next one is received signal strength indication plus angle of arrival plus triangulation. That means that I pick any two or more spots, and in our case we have an automated system that's going to pick out the max signal strength. Well, back to your geometry: if you get any three points of a triangle then you can calculate all the other points. The third is Doppler direction finding.
Most of you guys are familiar with police radar and some of the other equipment that the federal government uses. The last one is time of arrival and time difference of arrival. We'll go into these.

Radio direction finding again: it's low cost. All you've got to have is an antenna. I mean, everybody with a cantenna has done this. It's not rocket science. Here's the triangulation for those of you that don't remember your geometry. It's the law of sines. I'm not going to go through a lot of the math we did on this, but I have some Google Earth pictures of what we captured. We could actually capture the error, because when we planted the treasure, or the access point, we recorded its GPS position. Once we found it, we'd take the error between where we found it, the GPS position, and where it really was. So we've got a good idea, we're going to get a good idea at the end, of how accurate we were.

Doppler direction finding. Basically, the reason I didn't do it, and I would have liked to, is that it's very expensive. You can build equipment for about 3,000 bucks in the 2.4 gigahertz region. It is better for moving targets. The bad part about the rig you see right here is it pretty much has to be stationary. It takes anywhere from a minute to 3 minutes to do a scan. So it's fine for using on your car top where you park, but you're not going to drive down the interstate and do triangulation or location with this thing. It just doesn't work like that. It's pretty much a stationary unit, which is the reason we didn't go with Doppler.

Time of arrival, time difference of arrival. You guys have probably seen this on the TV shows, CSI, whatever, about cellular tower signal location. That's one way it's done. The other way it's done is there's a company I found called aeroscout.com. What they do is kid tracking.
It's either Busch Gardens or one of the big amusement parks, where they give your kid a, it's actually a little Wi-Fi transmitter, and they've got receivers planted at various areas of the park. You know, it's a great thing. It seems to be working out well. So you guys check that out at aeroscout.com. The disadvantage of this time difference of arrival, it's electronically calculated, is that it's not as accurate as the antenna method.

So I want to focus a little bit on how I constructed this thing. I've got some pictures here for you guys. It basically consists of a stepper motor to do the 360 rotation, and a motor controller. I opted not to use the laser pointer; it didn't work out well on the lake, and I really didn't want to try any more night raids. A directional antenna, and of course this little stand here, which has been adapted for my boat; it's just upside down. So basically this whole thing came in at about $150.

So here you see the hardware. As a guy, of course, I subscribe to the theory that bigger is better. Unfortunately the antenna you see here at the top, the big one that I first bought, just wouldn't cut it. The stepping motor would not crank it around. If you can see the unit right here, the stepping motor is probably, I don't know, maybe dollar-coin size. It's not real huge. It really impacts the cost of your project. You can buy a big stepper motor, but it's going to cost you a lot of bucks, particularly for the driver and the motor. So that particular antenna that I decided on, the one you see in the lower part there, is 2.9 ounces, so it's ideal. It's 15 dB. Of course, if you build your tracker you've got to have some kind of surface to put it on. In my case it was a table. You could easily put it on a car top with one of these camper carrier kind of things if you wanted, because those are transparent to microwaves. They work really well. You don't want to leave it flapping out in the wind.
What you see on the slide here is basically a Lexan piece I cut out for the top. And there's the little stepper motor that I bought, beside it. It's a Digi-Key motor. I think the stepper motor cost me $17.95. You can also get these out of, interestingly enough, if you've got a copier or a disk drive, you can get them out of old copiers and disk drives. So you can easily trash a computer and get your own stepping motor if you don't want to pay for one.

The second step in building the tracker is you've got to mount the antenna. This is a very difficult step because, sorry, I didn't mean to zap you guys. If you can see the detail in the lower right there, all you've got to work with is about a quarter-inch shaft. So what I did is I welded a little mounting piece onto it, put a couple of set screws in it, and the set screws actually clamped down real well on the shaft of the stepping motor. If you go into buying gears and all this stuff you're not going to have a very successful project, because it's going to get real expensive fast. So that's simple and easy. Next.

To run the stepper motor, if you're electronically inclined, you can build your own driver board. I didn't have time to do that; I fried this thing. "Fried" is a bad word in electronics, but I first started building this thing about two months ago and I ordered this board. It's called the Gadget Master, believe it or not, so if you want to Google that you can buy it. The driver is probably about $150, and you pay for the electronics. But I just went with it because it comes with the VB code to run it, and it's easy to interface and run stepping motors of the size we need. The final thing before you launch into Visual Basic, Visual C, or whatever you want to program this thing in is testing it. The guy also sends out a nice stepper program that you can use for all kinds of robotics to test out your motor. So basically what you see here is the first test of the motor that we did.
The final step for the tracker: I really needed not just the stepper motor controller, which you see here, but a compass to get the fixes on. You can't do triangulation if you don't know where you are or what your angles are. It becomes very problematic to measure angles, particularly on the water. I found a nice little digital compass, mounted on the back of this thing right here, and as soon as the software locks onto the signal you just take a compass reading, and it gives it to you down to one degree accuracy. As I mentioned, I skipped the laser pointer because it really didn't work out for me. So here's what it looks like on the back of my war boat. As you can see, the table stand, and that's looking out the back of the boat at sunset. It worked out pretty well as far as the mounting position. Next.

There are a lot of ways of doing this as far as motors, if any of you guys have ever played with motors. Stepper motors achieve very precise control, and the cool thing about them is, I know you guys have probably seen the radio-controlled helicopters and stuff like that. They use a motor called a servo, which needs a feedback loop in order to operate. The beauty of a stepping motor is it will go to the same position regardless. You tell it to go to 250 degrees, it goes to 250 degrees, repeatedly. So it greatly simplifies the construction of your electronics. You don't need any feedback or a lot of other circuitry. As I mentioned before, old floppy drives are fine for this. A little background on stepper motors: they really don't rotate the way regular motors do. They have teeth; they rotate one tooth at a time, and they're very sturdy. You can hold on to the shaft of one and, if you power it up, it's there. I mean, it'll basically just about rip the motor out of your hand. They're high torque and they're really easy to operate in terms of discrete degrees. A little bit about the antenna selection.
Do I have anybody that's into radio direction finding in here? Any amateur radio guys? Sorry, I can't see. Okay, it looks like we've got a couple, so you guys can probably comment at the end. But the antenna selection is very important, because you have to get an antenna that's got a narrow enough beamwidth in order to zoom in and get an accurate compass fix. So this particular one, you can see the pattern; that's basically the pattern this way and this way. They're pretty much the same. This particular antenna has about a 30 degree pattern, and it worked out real well for us as far as zooming in on the target.

A little bit about the other stuff that I used. I used a Senao PCMCIA card with a Prism chipset on it. It's a pretty strong card; I think it's like a 200 mW card. The front-end monitoring on this thing we used was NetStumbler. What I did is just get the signal from NetStumbler and output it to a file with a little scripting utility, and that's how we got our front-end signal. The screen you see there below: you do have to have a target access point, so whether for the game, or for geocaching, or for the location, we first roved around in the boat and found possible targets that we wanted to locate. Then we entered that in the program and went about our geolocation. As I said before, we used Visual Basic. The Visual Basic code picks the max signal strength out of a file, gets a bunch for each movement of the stepper motor, and then averages. I think we're doing like 5 signals per 3.5 degrees or something like that. This particular motor is 100 steps per revolution.

Here's the programming sequence. The boat cruises; first we went out into the lake and looked for the target access point, which was either one my friends had planted that I knew the location of, or one that they had deliberately hidden from me that we went out and did our geocaching game with.
The VB I had programmed to come up in big red letters, TARGET ACQUIRED, when I got to that area of the lake. The area we used was about 5 miles on either side of a marina that I put in at, at Lake Anna, Virginia, and it was fairly easy. We had a 9 dB setup and we were pretty much all over the top of the target within about 10 minutes any time we left the marina. So this is real easy to do on a lake. It's not like driving around your neighborhood trying to avoid cars and trees and all that crap. Number 3, we switched to the directional antenna, which is the scanner here, and that's really the sequence that we used for the scans. Save the GPS coordinates at that particular spot, record the reading and angle, and from those readings we can calculate exactly where the target was.

Alright, so what we did, I call them sorties. We took a couple of days off from work, and me and my friends went down to the lake and we ran 8 sorties over 2 days on the boat. The first one, as I said, was a static test on land near my house, so I'll show that to you. I've got some Google Earth shots that look pretty cool. Then we did 4 against APs with known GPS positions, just to get a feel for how the equipment worked, and finally we ran a couple of geocaching games. After I did the geocaching I decided to go after targets that I didn't know the location of and didn't have visual line of sight to; I couldn't see them. Here's the results.

The static test with a land-based AP: if you look, this is fix number 1 up top here, this is fix number 2, and the actual calculated position looks like it's in the building there. So we were off on this. I've got the numbers, but I think it was like 50 feet or something. It's really not bad, because those fixes were taken about a kilometer out, so this is about a third of a mile out. So it worked out pretty good for starters, and we decided to go ahead and try it out on the lake.
Next we turned our attention to Lake Anna. I don't know if you guys know WiGLE.net, but it's a mapping site where people go around war driving and log their stuff. If you'll notice, looking real close at this map, apparently nobody's ever done this from a boat, or owns a boat and does war driving. I mean, it should become pretty obvious to you that those numbers are giving you the driver's position, so we thought we'd improve that a little bit. Next.

This is a test on the lake. We went to a little place on the lake called the islands. Up to the right here you see the Visual Basic program, and it's doing a scan; it's already done the scan, actually. What I'd like you to look at is here: 360 degrees starts about here and ends about here. You can see you've got a clear bell curve; it looks just like that antenna pattern. That point right on the top there is the exact compass reading to your target. Furthermore, what the program does for you, if you want to use this just for, you know, it's pretty cool to throw up on your roof, you can actually use this to zoom in on pretty much any Wi-Fi signal by locking on max signal strength. So it's doing a pretty repeatable job of tracking and locking in on targets.

Here, the math is far from easy. I won't dwell on this, but if you want to do triangulation, you know how cool your GPS is: it just goes, hey, you're at spot A, hey, you're at spot B. Well, that's the luxury that geocachers have when they use a GPS; they can simply use their software. We did it the old-fashioned way. These programs you see there are a couple that give you the distance between two points, and also the FORWARD program, which was very important. The FORWARD program from the National Geodetic Survey was very useful for giving the final distance and angle to my targets. I was originally going to incorporate this in my VB programming; it became very complex. This stuff is like 20 pages of Fortran that's like 30 years old, but it works really well, so we just used standalone programs, these two off the website, for calculating our targets.

The second sortie was done at Anna Point Marina, and if you see right here, this is where we put the boat in at, and fix number one, fix number two. I had a real problem when I first started out. This was my first try on the lake, and one of the things you've got to consider if you do this on a lake is you've either got to be on a beach spot or you've got to throw out a couple of anchors, because obviously when you're sitting there like this you don't want your boat swinging around or moving. So I threw out two anchors and I got some really good readings here; we pretty much nailed this AP. However, I'm only used to using one anchor, so when I took off after I'd done this fix I left the other anchor in the water. I was cruising about 30 miles an hour and heard this big noise, turned around, and I'm like, WTF, there's this rope hanging out the back. I'm like, where does that rope go to? Just about then, it was actually the front anchor that wrapped around the rear anchor rope, the anchor came flying up on my swim deck on the back of the boat. Thank God it didn't put anything but a small hole in the back of the boat. So if you guys do this, I caution you, please be very careful; boating can be dangerous.

Alright, so that's basically a couple of the initial searches. What I'd like to do now is show you guys a little video of what we did as far as our geocaching game. This is where we had two teams of two people. The first team drops off the bucket containing the AP and the geocache treasure on the shore. The rules we set for the game were that it had to be within five miles of that marina that I just showed you, and within 100 feet of the shoreline; otherwise anything was fair game. So my buddy Mike, who you'll see on the video here, had fun with me on this, and the second team, of course, goes out after and finds it. So go ahead. Sorry, guys, I just want to get the audio now, because it will really suck if I play it without any audio.

[Video] Wow, she's my mate on the finder team here, so we're ready to start the expedition. They're getting ready to leave the dock right now, and we'll catch them in about 20 minutes, and we're going to find out where they hid all the booty. So we've disqualified Captain Mike from driving since he was part of the plant team, and now it's Captain Kathy. I'm here, we're going to go that way first, and that part is like the red boat; try to stay in the middle of that channel. Yeah, sorry about the wind. What I'm saying is we actually had found the target; I'll tell you how to do it. Just keep going, keep going. I'm just going to park here to do my scan. Alright, so we got our first position, and now we're going to get fix number two and we're going to see where it's at. Looks like it's on the point of that island, or the one over there, I can't quite tell, but the numbers should figure that out for us. So we're going to go on to spot number two here. Oh yeah, that's a rocket signal from down there. You can do the scan here; I just want a location. I mean, you should be able to put it anywhere, we should be able to find it. I'm losing air ranks. Kathy, here's the booty. Thanks.

Alright, so actually this is a scan of that Silver Fox, which is actually the access point that one of the goons mentioned earlier in the room here. So it worked out real well. That beach that you saw, pretty much when I closed in on that I could tell where they landed on the beach. It wasn't too difficult; he hid it back in the trees about 20 feet, so I didn't have to do too much searching on that. The interesting thing about geolocation is it works real well, you know, up to several miles out; you get in the neighborhood, so to speak. Once you get closer and closer you can get really good at this. I mean, this antenna will nail it down to like 10, 20, 30 feet once you close in on your target. So the closer you get, the better you are, and in fact, quite frankly, you almost don't need the automated scanner once you get really good at this. Once you get close you can just go, yeah, that's it right there, and just nail it.

So this is the signal again, the bell curve right in the middle, and, you know, that was the beach point right there. We did encounter a couple of challenges with finding this. In one of the other games in particular, this is a DigitalGlobe image here, looking at the GPS positions, the first one there you have on your left was a scan I did where I swore that the access point was on the beach right here. Well, guess what, I got up there, got out of the boat, and my signal disappeared as soon as I walked onto the beach. I'm like, what's going on? Well, I believe one of my assistants, Diana, said, well, I think some trees are probably blocking your path here. And yeah, there were a lot of trees on that point right there. Anyway, once we got back out in the lake and got around the point, we actually had to do three scans on this, we pretty much nailed the beach right there. But it's problematic, and these kinds of problems are readily apparent on land, because trees suck for Wi-Fi. I mean, you can't get through the foliage.

So this picture is actually finding an access point in an unknown location. I just picked up an SSID of "default" when I was cruising around up here, so we decided to go after this one. The yellow line shows the fix to target, which is on this point here, actually on the other side of it, well, on this side of it, and that was approximately 1.2 kilometers away. So we'll show you how we zoomed in on that. After two fixes it became apparent it was on this point, so we got in closer. There were three possible houses it could have been, and keep in mind we were, you know, about half a mile out, or about 1.2 clicks out. There's a house like right here, there's one here, and there's one here. So pretty much our first scan got us in the neighborhood, and let me show you what we came up with. That's the house right there. As soon as we closed in on it we just zoomed right in on that location, and we couldn't see this when we originally started scanning. So it's pretty cool that you can Google Earth a GPS position having geolocated a house. I mean, you can basically come right down on the roof and find out where your target is.

Alright, this is pretty much a summary of all the tests we did at Lake Anna and the land test. At an average distance of, well, three quarters of a kilometer, the error is pretty great; it's about a hundred meters, which is about a hundred yards. That's not good, but it is good when you consider that your compass is like plus or minus three degrees, plus you're sitting on water, you've got waves. At that distance you're about a hundred feet off for every degree of error, and you can figure how small a degree is. Okay, that's 360 stopping points on your program right there. We actually didn't go to that resolution; we did plus or minus three degrees. We did a hundred points in our scan, so plus or minus three degrees. That's about as good a resolution as you're going to get with a mechanical system.

So when I first started this thing I wanted to see how accurate this is compared to geocaching. Obviously it's pretty pathetic compared to GPS. However, if you really want to find somebody, you can do it with triangulation, there's no question about it. I mean, law enforcement does it all the time, the FCC does it all the time. It's not hard to do. And of course, much better than that. I haven't had a chance to post on WiGLE, but I'm going to post the targets that I picked up on WiGLE.net before I get back next week, and we'll have those out there. So that's pretty much how good the technique is. You can make it a little better, but it'll probably cost you a lot more money. Again, the geocaching game was almost under ideal conditions: we had a clear line of sight, no traffic other than one or two boats, and virtually no interference other than a couple of islands we encountered that gave us a hard time. Clearly in a city or urban environment it wouldn't cut it. As I mentioned before, sorry, go ahead, one more.

The amateur radio guys will tell you this: radio direction finding is really more of an art than a science, and historically it was one of the things largely responsible for the defeat of the German U-boats during World War II. If you go out on Google, in fact I think there's a display on RDF at the Chicago Museum; it's called Huff-Duff, which stands for high frequency direction finding. The other thing to note is that the triangulation is very dependent on how big your triangles are. If you get a big acute triangle, which means you've got all your angles under 90 degrees, sort of your standard triangle like this, then that's going to work real well for you. If you get a flat triangle, well, guess what, I mean, if you've got a real flat and long triangle, every one degree of error is going to account for a lot of error in finding your target. So pretty much that stuff is just up to chance. With experience you can get really good at this. Like I said, we had a lot of fun not doing the calculations and, quite frankly, just finding targets once we got the equipment going. I'd recommend you first find it, if you can't see it, by triangulation, and then simply scan closer and closer to it.

So anyway, one more comment. If you do decide to build this unit, please don't sit around the kitchen table like I did initially and fire it up with a 200 milliwatt card. It puts out four watts, which is strictly not illegal, but I don't think you want that; it's about five times stronger than a cell phone. Probably not a good idea to sit right in front of it while you're firing it up and building it, like I say. And of course the standard warning for lasers: you shouldn't point them at people or use them in populated areas.

We're going to try to hook it up here and run it; we'll see if the laptops will switch off, alright. But I'll tell you what, I'll go ahead and open it up to questions, and then we'll try a little device demo. If we can't get it in here, well, I think we've got 10 minutes; we'll be able to fire it up here for you, and we'll be in the next room for questions and continue the demo. So that's about it. Hope you guys enjoyed it. Do you guys have any questions for me at this point? Okay, go ahead.

[Q&A] The compass is plus or minus one degree, so it's a really kick-butt compass. There's a parts list in the back of my presentation if you're interested. I think it was called the Nomad, and, you know, it's a hiking compass and very accurate, I mean, as far as they go for a manual compass. No, I didn't. I'll be honest with you, I didn't have time to interface it with the computer. I just punched in the reading once it locked in; the stepper motor locks that gear, you know, locks the antenna so it won't move. It was a pretty good technique.

Absolutely, that's a very good point. What he said was that in amateur radio this is known as fox hunting, so guys do this all the time and have great fun with it; it's not known so much in the Wi-Fi world. His question was: as you get close to your signal it gets very strong and makes that bell-shaped peak that we saw earlier get very broad and very strong, and it's much harder to get a one-degree signal position. Actually, what I did is turn down the power on the AP. I did cheat a little bit; I turned it down to 30 mW, so we were able to deal with it in that fashion. Yeah, I take it you've done it. Yeah. More questions?

Yeah, I did. I mean, a lot of the amateur guys use the reverse null; in other words, instead of pointing the antenna directly at the target, 180 degrees from the target works very well, because the null is basically the dead signal on the back of the antenna. With a lot of antenna designs you can really nail them with that. However, I was limited by my 2.9 ounce antenna here; it's all I could get the stepper motor to run, so the direct method actually worked better. I tried the null technique; it did not work on this setup.

Okay, we're going to try to hook it up here and see if we can get it to spin. What we're going to do is, we've planted the access point in here, and we'll see how it works. Lovely. Not a problem. Ah, we've got some interesting stuff here. Alright, so here's the basic technique. You fire it up and get the access point of interest on the graph here. This is the beauty of using NetStumbler versus the Windows machine interface: if you're a good programmer you can actually get these signals directly from WMI, but I chose just to use the front end because it gave me pretty graphs. Hang on, we'll fire up the program here and we'll start doing the scan. Alright, so I don't know what it will do in this room here; we'll see what it picks up, but this is going to go around real fast and we'll see where it thinks the signal is. Any other questions while we wait? Nah, it's turned down. Reeve says he's got some pings in his head. So anyway, like I said, not the fastest thing in the world, but it actually pins down the signal pretty well. And here it looks like it's almost equal everywhere, so unfortunately you can't geolocate in the room too well, it doesn't look like, but it works very well outdoors. Actually, I didn't look heavily at the signal... well, actually I did, yeah, there's definitely a correlation; there's a high signal-to-noise ratio with other objects in the path, obviously. Was that your question? Okay, so it looks like it's finished the scan, but it should be asking me to go back to the... okay, so it picked up the max signal strength here. Now it should go back to where it thinks the access point is. We'll see what it picked; I have no idea what it will pick because there's not a real clear peak on that graph. So that's where it says it is, back there near the AV thing. I don't know; is the goon here that hid it? Is the guy here that hid the access point? Do we know where it's at?
Okay, we think it's back that way. If any of you guys see my access point I would like it back, please; it's a Linksys about this big. Anyway, thank y'all for coming. If you've got any questions I'll be in the room next door.
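The arithmetic the talk hands off to NetStumbler and to the National Geodetic Survey FORWARD/INVERSE programs (pick the peak of the scan's bell curve, intersect two bearings taken from two GPS fixes, measure the error against the planted AP's recorded position, and see why a "flat" triangle is bad), as an added example in Python. This is not Rick Hill's VB code or the NGS software; it works on a local flat-earth plane around the first fix, which is accurate to well under a metre at the 1 km ranges in the talk. The 100-steps-per-revolution motor and the one-degree compass resolution come from the talk; the coordinates, the `make_scan()` lobe shape and every function name are constructed for this example.

```python
"""
Added example (not code from the talk): scan peak -> bearing, two-bearing
triangulation, fix error, and bearing-error sensitivity for wireless RDF.
Coordinates and scan samples are constructed, not measurements from the talk.
"""
import math
from collections import defaultdict

STEPS_PER_REV = 100                     # the talk's stepper: 100 steps per revolution
DEG_PER_STEP = 360.0 / STEPS_PER_REV    # 3.6 degrees per step
M_PER_DEG_LAT = 6_371_000.0 * math.pi / 180.0


def bearing_from_scan(samples, heading_at_step0_deg):
    """samples: iterable of (step_index, rssi_dbm), several samples per step.
    heading_at_step0_deg: true compass bearing of the antenna at step 0.
    Averages the samples at each step and returns (bearing_deg, peak_step,
    mean_rssi). Reading the compass after parking the motor on the peak, as
    the talk does, gives the same bearing."""
    per_step = defaultdict(list)
    for step, rssi in samples:
        per_step[step % STEPS_PER_REV].append(rssi)
    means = {s: sum(v) / len(v) for s, v in per_step.items()}
    peak = max(means, key=means.get)
    return (heading_at_step0_deg + peak * DEG_PER_STEP) % 360.0, peak, means[peak]


def _to_plane(origin, point):
    """(lat, lon) degrees -> (east_m, north_m) relative to origin."""
    (lat0, lon0), (lat, lon) = origin, point
    east = (lon - lon0) * M_PER_DEG_LAT * math.cos(math.radians(lat0))
    north = (lat - lat0) * M_PER_DEG_LAT
    return east, north


def _from_plane(origin, east, north):
    lat0, lon0 = origin
    return (lat0 + north / M_PER_DEG_LAT,
            lon0 + east / (M_PER_DEG_LAT * math.cos(math.radians(lat0))))


def bearing_to(fix, target):
    """True bearing (degrees clockwise from north) from fix to target; the
    'INVERSE' computation, used here to fake what the compass would read."""
    east, north = _to_plane(fix, target)
    return math.degrees(math.atan2(east, north)) % 360.0


def triangulate(fix1, bearing1_deg, fix2, bearing2_deg):
    """Intersect the ray from fix1 along bearing1 with the ray from fix2
    along bearing2. Raises ValueError for parallel bearings or when the rays
    only meet behind a fix (a bad or ambiguous reading: re-scan)."""
    w = _to_plane(fix1, fix2)
    d1 = (math.sin(math.radians(bearing1_deg)), math.cos(math.radians(bearing1_deg)))
    d2 = (math.sin(math.radians(bearing2_deg)), math.cos(math.radians(bearing2_deg)))

    def cross(a, b):
        return a[0] * b[1] - a[1] * b[0]

    denom = cross(d1, d2)
    if abs(denom) < 1e-9:
        raise ValueError("bearings are parallel; move one fix")
    t1, t2 = cross(w, d2) / denom, cross(w, d1) / denom
    if t1 <= 0 or t2 <= 0:
        raise ValueError("rays meet behind a fix; re-scan")
    return _from_plane(fix1, t1 * d1[0], t1 * d1[1])


def fix_error_m(a, b):
    """Great-circle (haversine) distance in metres between two (lat, lon)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000.0 * math.asin(math.sqrt(h))


def bearing_sensitivity_m(fix1, b1, fix2, b2, delta_deg=1.0):
    """Metres the estimate moves when bearing1 is off by delta_deg; math.inf
    if the perturbed rays no longer cross ahead of both fixes."""
    base = triangulate(fix1, b1, fix2, b2)
    try:
        moved = triangulate(fix1, b1 + delta_deg, fix2, b2)
    except ValueError:
        return math.inf
    return fix_error_m(base, moved)


def make_scan(peak_step, samples_per_step=5):
    """Constructed scan: a ~30-degree lobe centred on peak_step, with a small
    deterministic per-sample wobble that averages out (the talk's bell curve)."""
    out = []
    for step in range(STEPS_PER_REV):
        off = (step - peak_step + STEPS_PER_REV / 2) % STEPS_PER_REV - STEPS_PER_REV / 2
        lobe = -90.0 + 40.0 * math.exp(-(off * DEG_PER_STEP / 15.0) ** 2)
        out.extend((step, lobe + 0.3 * (k - 2)) for k in range(samples_per_step))
    return out


# Constructed scenario: AP about 1.3 km from two fixes 1.75 km apart (an acute
# triangle) and a third fix almost in line with fix 1 and the AP (a flat one).
AP = (38.0090, -77.7900)
FIX1, FIX2 = (38.0000, -77.8000), (38.0000, -77.7800)
FIX3 = (38.0010, -77.7990)

if __name__ == "__main__":
    bearing, step, rssi = bearing_from_scan(make_scan(12), heading_at_step0_deg=30.0)
    print(f"peak at step {step} ({rssi:.1f} dBm) -> bearing {bearing:.1f} deg")
    # Round the simulated bearings to the 1-degree resolution of a hand compass.
    b1, b2 = round(bearing_to(FIX1, AP)), round(bearing_to(FIX2, AP))
    est = triangulate(FIX1, b1, FIX2, b2)
    print(f"bearings {b1}/{b2} -> estimate {est}, error {fix_error_m(est, AP):.1f} m")
    for f2, name in ((FIX2, "acute"), (FIX3, "flat")):
        s = bearing_sensitivity_m(FIX1, bearing_to(FIX1, AP), f2, bearing_to(f2, AP), 0.1)
        print(f"{name} triangle: a 0.1 deg bearing error moves the fix {s:.0f} m")
```

Running it shows the two effects the talk describes from the water: with 1-degree compass rounding the acute-triangle estimate lands within about 7 m of the planted AP at 1.3 km, while the same 0.1-degree bearing error that moves the acute fix a couple of metres moves the flat-triangle fix by hundreds of metres, and a full degree leaves the flat triangle's rays never crossing at all. Taking the second fix well off the line to the target is the cheapest accuracy improvement available.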