Bluetooth Tracking – Part 1.

Bluetooth is supposed to be a short-range wireless technology: 10 metres for class 2 devices and 100 metres for class 1.

Phones and hands free devices are normally class 2 devices with a range of just 10 metres.

Each device with a Bluetooth chip has a unique identifier number burned into it. This number is called the OUI, and is in the format 00:11:22:33:44:55 (it’s basically the same as a MAC address on a PC’s network card). The first three pairs of hexadecimal digits identify the manufacturer of the device, and the last three pairs are unique to your device. So for instance, if you have a TomTom One SatNav with Bluetooth enabled it will have a unique OUI that looks something like this: 00:13:6C:00:11:22. The first three pairs are one of TomTom’s two unique identifiers (00:13:6C or the rarer 00:13:3E); the last three digit pairs are unique to your TomTom alone. These rules apply to all Bluetooth devices. Here’s a full list of Bluetooth OUI identifiers by manufacturer: bt17oui.txt. (An exception I’ve spotted is Land Rover and Ford Audio Bluetooth: they use the OUI format 00:10:xx:E8:xx:xx, where xx is the unique identifier.)

Now, at first glance you may think having a unique number pre-programmed into your satnav is nothing to worry about if it can be tracked at a range of just 10 metres, and you’d most likely be right. However, with a modified USB Bluetooth dongle attached to my PC, and a dish antenna connected to that Bluetooth dongle, I can detect Bluetooth devices passing up and down the A-road near my home at 700+ metres away. If you use that road regularly then you’ve become a quantifiable statistic in my database!

Most devices that have Bluetooth built in allow you to turn it on or off, and some also have a visible/non-visible mode. If your Bluetooth device is set to visible mode, whether it is a mobile phone, a TomTom satnav or a laptop PC, it will answer an identification request from another Bluetooth device. When your Bluetooth device answers this request it will initially volunteer its unique OUI number, Class of Device and mode. If it answers a second request it will normally give up the ‘Tag Name’ entered by the factory (or changed by yourself). So for instance a TomTom might identify itself as 00:13:6C:12:34:56 and then might go on to show its ‘Tag Name’ as ‘TomTom OneV3’ or ‘TomTom XL’.

Some other GPS manufacturers’ common Bluetooth OUI prefixes are:
Nuvi / Streetpilot: 00:05:4F:xx:xx:xx
Navman: 00:1B:4E:xx:xx:xx
Magellan GPS: 00:40:D0:xx:xx:xx
BT GPS: 00:02:5B:xx:xx:xx / 00:0A:3A:xx:xx:xx / 00:08:1A:xx:xx:xx
(If you’re aware of any others, please let us know.)

Obviously, the fact that your Bluetooth device can be made to spew out an OUI, which is as individual as the number plate on a car, makes you trackable, so long as you have that device in your pocket or stuck on your windscreen. It takes 10 seconds to run each Bluetooth inquiry scan, and each scan can spot up to 10 devices. You can increase your hit rate by using more than one dongle, each with an antenna pointing in a slightly different direction, but I didn’t need it: even at the busiest times I’d only spot 8 devices per scan. So the maximum number of devices you can spot in an hour with one dongle is 3600, which makes the daily limit 86,400.

In my initial experiment I used a modified USB Bluetooth dongle, a large dish antenna and a laptop running Network Chemistry’s Bluescanner to look for devices using the main road near my home. See the screengrab below, which shows my ‘3’ Skypephone S2 being interrogated; we can see it’s manufactured by Amoi from the 00:12:40 OUI prefix.

Screenshot of Network Chemistry Bluescanner

Bluescanner creates a log file called BlueScanner.dat in the folder C:\Program Files\Network Chemistry\BlueScanner.
Each day I would go to this folder and change the filename of BlueScanner.dat to something like 240708.dat, thus giving me a log file for each day. In June 2008 I thought this was the best way to go about things, although I’ve since learned that a small Linux shell script is much more effective at logging; more on this later.

Eventually I ended up with several months’ worth of data log files from Bluescanner. By opening them with Notepad I was able to strip out the most interesting data from the end of each file, and load these up to a MySQL server I’d set up on my webserver. I could use phpMyAdmin to see how many records I had, how many TomToms I’d spotted etc. All very exciting.

By looking through my BlueScanner logs I was able to see that I would spot an average of 3500 Bluetooth devices each weekday, on a busy A-road that is reckoned to carry 50,000 cars a day.

I was happy to be getting some data, but I was still eager to make the process more automatic. I saw in New Scientist that a Greek researcher was running an experiment in Bath, UK, logging Bluetooth device movements around the town. I emailed him my data, and received in return some words of encouragement and the advice that I should use the Linux shell command hcitool inq --flush to generate my requests.

It took me another three months to brush up my Linux shell programming skills so I could make a basic loop that parsed out all the data from each inquiry scan. Once my Linux script was up and running I suddenly started spotting many more Bluetooth devices, now up to 14,000 devices a day out of 50,000 cars. Some are duplicates when the traffic starts running slow, but these can be easily parsed out later. Also, my logs are now much neater: my programmed loop automatically starts a new log file at midnight, and records only the OUI, time and date, nicely separated with commas and easy to import into a MySQL database or spreadsheet. I’ve learnt a lot about Linux and processing text files in batches while playing with this idea; Linux is much more versatile for whittling down text files to just the bits you really want (search for grep, sed and awk).
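As an added example (not the author’s script, nor the sample scripts promised for Part 2), here is what such a logging loop could look like: it reads the output of one hcitool inq --flush run, writes the address, date and time as a comma-separated row, tags the manufacturer using the OUI prefixes quoted earlier in this post, and names the daily log file by date so a fresh one starts at midnight. The vendor names, the file naming, and the constructed sample output are assumptions; strictly speaking the full 48-bit number is the Bluetooth device address and the OUI is only its first three octets.

```shell
#!/bin/sh
# Added example, not the author's script: turn one `hcitool inq --flush`
# run into "address,date,time,vendor" CSV rows and rotate the log daily.

# Constructed sample in the tab-separated layout hcitool inq prints.
# The third line repeats an address so the in-scan dedupe can be seen.
SAMPLE_INQ=$(printf 'Inquiring ...\n\t00:13:6C:12:34:56\tclock offset: 0x1a2b\tclass: 0x5a020c\n\t00:12:40:aa:bb:cc\tclock offset: 0x0c3d\tclass: 0x520204\n\t00:13:6C:12:34:56\tclock offset: 0x1a2c\tclass: 0x5a020c\n')

# Map the first three octets (the OUI proper) to a vendor; prefixes are the
# ones quoted in the post, vendor names are assumptions.
vendor_for() {
  case "$(printf '%s' "$1" | cut -c1-8 | tr 'a-f' 'A-F')" in
    00:13:6C|00:13:3E) echo TomTom ;;
    00:05:4F) echo Garmin ;;      # the Nuvi / Streetpilot prefix
    00:1B:4E) echo Navman ;;
    00:40:D0) echo Magellan ;;
    00:12:40) echo Amoi ;;        # the author's Skypephone S2
    *) echo unknown ;;
  esac
}

# Read hcitool output on stdin; emit one CSV row per distinct address.
# $1 = date stamp, $2 = time stamp (passed in so the function is testable).
inq_to_csv() {
  awk -v d="$1" -v t="$2" '
    $1 ~ /^[0-9A-Fa-f:]*$/ && length($1) == 17 {
      addr = toupper($1)
      if (!(addr in seen)) { seen[addr] = 1; print addr "," d "," t }
    }' | while IFS=, read -r addr d t; do
      printf '%s,%s,%s,%s\n' "$addr" "$d" "$t" "$(vendor_for "$addr")"
    done
}

# Collection loop: each inquiry takes about 10 s; the file name carries the
# day (ddmmyy, like the post's 240708.dat), so a new log starts at midnight.
# Needs a BlueZ adapter, so it is not run in the demonstration below.
log_forever() {
  while :; do
    hcitool inq --flush | inq_to_csv "$(date +%d%m%y)" "$(date +%H:%M:%S)" \
      >> "bt_$(date +%d%m%y).csv"
  done
}

# Demonstration on the constructed sample: prints two rows.
printf '%s\n' "$SAMPLE_INQ" | inq_to_csv 240708 08:15:02
```

Repeats across scans (the slow-traffic duplicates the post mentions) are left for the later database step; only repeats within one scan are dropped here.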

I still had seven months’ data from my efforts running Network Chemistry’s BlueScanner under Windows, which had yielded over half a million Bluetooth detections. I’d already got some of these data into a database, but I knew I had extra text that needlessly doubled the size of the database table. My next little project was to write other shell scripts to strip out only the important information and put it in the same order as my new shell script. Once you’ve built one of these scripts from scratch it’s pretty easy to modify it to do another job. If you have a big datafile you want to parse, it’s easiest to save a small portion of it and run your script over that, adding in a few extra echo commands so you can see what it’s doing on-screen too.

Part 2 Coming Soon. Sample Scripts. Sample Data. More Useful Information.

Here’s an article from last July’s Guardian newspaper on Bluetooth Tracking. If you don’t like the sound of any of this you should simply turn off your Bluetooth.

Written by admin
