WIFI tracker (aka avoid electronic ticketing for unpaid parking fees)


> Introduction

This document describes how to use a WIFI card in monitoring mode to track given WIFI clients (fixed or modular patterns) and take action when they are in range (e.g. getting a text message).
This article focuses on getting an alert when police(wo)men equipped with electronic ticketing devices are around, but it can of course be adapted to other use cases.

> Setup

Pre-requisites: follow the "Headless RPi to use on the go" and "Headless RPi and wardriving" instructions first.
An antenna with a better gain (dBi) than the default one is recommended.

> Case study

Context: there are, in France (and probably in other countries/regions around the world), more and more police(wo)men equipped with devices to deliver electronic parking fines. More recently, the French government allowed cities to set the price of the fines (which was set globally before that). What's interesting here is that we have a growing, lucrative but regulated business. Regulated means two things. Firstly, any reseller of this kind of electronic device has to be registered and the devices homologated by a government agency. Secondly, public market regulations force the cities to pick a reseller and stick with it for a certain duration, given the initial investment. So there is no exotic set of devices within the same city.

Investigations

Having a look at the website of the national agency (ANTAI) in charge of homologating the devices gave me some information.
There is a limited set of providers and also a very limited set of devices (info here).
Having a closer look, I noticed that the devices are standard smartphones or maybe tablets, meaning they are probably equipped with WIFI cards.

Digging further, I also noticed that the electronic ticketing webpage also integrates a map listing every solution in every city using this system.

Having a look at the city where I live gave me this information:
There are 30 devices in the hands of the local police, and Indestat is the electronic ticketing provider.

Verification

Let's go check this. I went to the local police building equipped with the WIFI sniffing equipment (see setup above) and ran airodump-ng for about 3 minutes.
airodump-ng is a tool which, among other functionalities, allows you to scan for WIFI packets and can tell you which access points and clients are around.
Useful information such as MAC addresses, access point names, connected clients, ... can be retrieved.

No big surprise, after filtering and removing unneeded info from the generated csv file, I got this info:

Access Points

cat scan-01.csv  | cut -d, -f 1,6,7,8,14 | grep -i indestat | grep WPA
BC:67:1C:41:77:71, WPA2, CCMP,PSK, indestat-cisco, 
BC:67:1C:41:76:C9, WPA2, CCMP,PSK, indestat-cisco, 

So, 2 access points from the same manufacturer (Cisco) with the name of the electronic ticketing company (Indestat). Interesting.

As airodump-ng also tells which clients are connected to which access point (when it is the case), another filter gave me this information.

Clients

cat scan-01.csv | cut -d, -f 1,6,7 | grep -i BC:67:1C:41 | grep -v WPA
1C:23:2C:E1:D1:5D, BC:67:1C:41:77:71,indestat-cisco
1C:23:2C:E1:D1:33, BC:67:1C:41:77:71,
1C:23:2C:E1:D2:53, BC:67:1C:41:77:71,
1C:23:2C:E1:D1:13, BC:67:1C:41:76:C9,
1C:23:2C:E1:D1:0F, BC:67:1C:41:76:C9,
1C:23:2C:E1:D1:E7, BC:67:1C:41:76:C9,indestat-cisco
1C:23:2C:E1:D1:37, BC:67:1C:41:76:C9,
1C:23:2C:E1:D1:43, BC:67:1C:41:77:71,
1C:23:2C:E1:D2:65, BC:67:1C:41:76:C9,
1C:23:2C:E1:D0:FF, BC:67:1C:41:77:71,indestat-cisco
1C:23:2C:E1:D1:51, BC:67:1C:41:76:C9,

So, 11 clients connected to the Indestat access point.
Not to mention that they all have the same MAC address prefix (1C:23:2C).

Having a look at the OUI database for 1C:23:2C, I got the info that those are Samsung Electronics Co.,Ltd devices.
Looking back at the Indestat devices on the ANTAI website, I got confirmation that they have Samsung based solutions.

Can we detect those devices in the streets?

Well, the idea was now to get alerted when a police(wo)man is around when you didn't pay for your car's parking, right?

The remaining question was: is the WIFI on those devices enabled when police(wo)men walk the city?

It took me a while to figure out. It's not so easy to spot even 1 device out of 30 in 15 km².
So, for a while, every time I was going out for some reason, I took my WIFI sniffing device with me, in a backpack, analysing the results on the go or once back home.

First I got false positive results. Indeed, searching for 1C:23:2C wasn't enough, since there is other equipment with this prefix.
So I had another look at the scan results from the local police station and noticed (should have noticed the first time) that the clients' MAC addresses have a bit more in common.

I then set my filter to 1C:23:2C:E1:D and more than 2 weeks later (without even noticing a police(wo)man), I got 2 matches of non-associated clients.
Bingo!!!

Well, like every human, they don't switch off the WIFI on their device when they don't need it.
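
Seen from the device owner's side, the exposure comes from clients that keep a vendor-assigned (non-randomized) MAC address and keep probing while not associated. The following is an added example, not part of the original article, for auditing an airodump-ng capture of your own fleet: it lists stations whose address has the locally-administered bit clear. The function names `sample_csv` and `audit_stations` are hypothetical and the capture is constructed.

```shell
#!/bin/sh
# Added example: flag stations in an airodump-ng CSV whose MAC address is
# vendor-assigned (stable) rather than randomized.

# Constructed sample capture; MACs use the RFC 7042 documentation range,
# plus one locally administered (randomized) address.
sample_csv() {
    cat <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:00:5E:00:53:AA, 2024-01-01 10:00:00, 2024-01-01 10:03:00,  6,  54, WPA2, CCMP,PSK, -40, 100, 0, 0. 0. 0. 0, 10, fleet-wifi,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:00:5E:00:53:01, 2024-01-01 10:00:05, 2024-01-01 10:02:00, -60, 12, (not associated) ,fleet-wifi
00:00:5E:00:53:02, 2024-01-01 10:00:07, 2024-01-01 10:02:30, -55, 40, 00:00:5E:00:53:AA,
DA:A1:19:00:00:01, 2024-01-01 10:01:00, 2024-01-01 10:01:10, -70, 3, (not associated) ,
EOF
}

# Reads the CSV from the given file (or stdin) and prints "MAC state" for
# every station with a globally administered address.
audit_stations() {
    awk -F',' '
        /^Station MAC/ { in_sta = 1; next }   # station table starts here
        !in_sta || NF < 6 { next }            # skip AP table and blank lines
        {
            mac = toupper($1); gsub(/[ \r]/, "", mac)
            if (length(mac) != 17 || mac !~ /^[0-9A-F][0-9A-F](:[0-9A-F][0-9A-F])+$/) next
            # Bit 0x02 of the first octet set => locally administered
            # (randomized): second hex digit is 2, 6, A or E.
            if (index("26AE", substr(mac, 2, 1)) > 0) next
            state = ($6 ~ /not associated/) ? "probing" : "associated"
            print mac, state
        }
    ' "$@"
}

sample_csv | audit_stations
```

Stations reported as `probing` are the ones that were seen while not associated to any access point; enabling MAC randomization or switching WIFI off when it is not needed removes them from this list.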

So, what now?

We've got all the elements to build a tracking device based on the MAC addresses we want to track.
There are different ways to achieve that.

One could be a 3G USB stick connected to the RPi, sending you a text to warn you.

The easiest (and probably not really more expensive) would be to use a spare Android phone with the Termux app installed to connect to the WIFI scanning RPi.
Termux includes some useful tools, allowing you to access the Android phone's capabilities, like sending text messages from the command line.

The steps are the following:

Configure the RPi to connect to the Android hotspot via WIFI (see the setup instructions above).
Note: USB tethering is another option, instead of a WIFI hotspot.

Create a bash script which will check if a given MAC address pattern is around and send a text message alert to the phone of your choice.
Copy and paste the code below into a file within Termux (e.g. name it track_mac.sh and make it executable by running chmod +x track_mac.sh).

#!/data/data/com.termux/files/usr/bin/bash
counter=0

# Configuration
# Change to the RPi IP address and set a phone number which will receive the alerts
rpi_ip=192.168.xxx.xxx
mobile="+33600000000"

# Check parameter
if [[ $# -ne 1 ]]
then
    echo "Missing or invalid parameter: string to search"
    exit 1
fi
search=$1

# Close the screen session and release the wake lock before exiting this script
clean_up() {
    # Kill the screen session before exiting the script
    ssh "pi@$rpi_ip" "screen -X -S 'Airodump' quit"
    # Release wake lock
    termux-wake-unlock
    # Exit
    exit
}
trap clean_up SIGINT

# Acquire wake lock
termux-wake-lock

# Start monitoring within a screen session named "Airodump"
ssh "pi@$rpi_ip" "screen -S 'Airodump' -d -m 'start_scan.sh'"

# Wait a bit
sleep 5

# Show info
echo "Ready, scan in progress"
echo "Press Ctrl+C to exit"

# Keep running
while true
do
    # Count the lines of the capture file which match the search string
    found=$(ssh "pi@$rpi_ip" "grep -i '$search' scan-01.csv | wc -l")
    # Numeric comparison: ">" inside [[ ]] would compare the values as strings
    if [[ $found -gt $counter ]]
    then
        termux-sms-send -n "$mobile" "Alert, $search found ($found times)"
        echo "$(date) found $found"
        # Keep track of the counter so we don't send messages every 10s
        # Only when new matches are found
        counter=$found
    fi
    sleep 10
done

To use it, just open Termux on the Android phone, and run this command (changing the parameter to whatever you want to track).

./track_mac.sh 1C:23:2C:E1:D

You can leave the phone in your car (hidden preferably) with the RPi running on a battery pack.

> What's next?

These instructions are not necessarily limited to spotting electronic ticketing devices.
As long as you know which kind or which exact MAC address you want to track, it can be used for anything from being alerted when your boss is around to getting the info when the UPS delivery man is about to drop a box in the middle of your garden, ...