Some thoughts on the Seattle police's surveillance mesh network.

Nov 12, 2013

In the past day or two an interesting piece of news has been making the rounds. Earlier this year the police department of the city of Seattle, Washington set up its own wireless mesh network, which many people say exists to keep people under surveillance. The hardware was purchased from Aruba Networks; it is unknown whether the company set up the gear, or whether another outfit was contracted for installation and maintenance. Each of the nodes is apparently broadcasting beacon frames containing ESSIDs that reflect its location (such as 4th Avenue and Union Street), which is probably why some people noticed in the first place. The nodes are undoubtedly handling more traffic than that, but without packet captures there's no way of knowing (hint hint, cough cough). The Seattle PD isn't saying much, so all we have to go on is a handful of facts, knowledge of how wireless networks work, and, I'm sorry to say, a lot of ill-informed rumors. Let's try to sort things out as best we can.

The first logical question to ask is, why use wi-fi? The best hypothesis I can come up with is that police may not be able to gain access to cellular records in what they consider a timely fashion. It is well known and understood that cellular providers log which handset registered with which tower at what time (by IMSI, the subscriber identity on the SIM, and by IMEI, the hardware identity of the handset), and that information can be handed over to law enforcement (and other) agencies without warning. Cell companies maintain detailed inventories of their gear, maps of where every cellular tower is, and which sector antennas on each tower point where. Log a certain IMEI on a certain transceiver on a certain tower and you know roughly where that device is. Log the same IMEI on several transceivers on several towers and you can figure out where the device is in a lot more detail. Analyze the pattern that IMEI makes over time and you can plot the device's trajectory on a map. However, that often means hitting up several cellular providers at the same time and hoping that they all respond fast enough for police to find someone, and the responses probably don't arrive quickly enough. Wi-fi gear is much less expensive than cellular equipment (even if it was technically paid for by DHS and not the city of Seattle per se) and requires less bureaucratic overhead (such as FCC licensing) to deploy.

In case you're curious, dialing *#06# on most GSM handsets displays the IMEI, and it is usually printed on the label under the battery as well.

It seems plausible to state that this network could be used, in part at least, to track people based upon the locations of their mobile devices. Smartphones, tablets, and MP3 players which are wireless enabled will, unless they are powered down or wireless is disabled, periodically probe for the presence of wireless networks they've been a part of in the past by sending probe request frames in the hope that the access point is still out there and will respond (devices also send wildcard probes with an empty ESSID to discover whatever is nearby). Those probe requests contain, among other things, the MAC address of the wireless chipset in the device, the ESSID of the access point being sought, the supported data rates of the chipset, and any additional capabilities of the device (which may be sufficiently unique to help fingerprint a device, and later the device's owner). While this leaks some potentially identifiable data (like the name of your network at home), it could also just as easily broadcast the network name of any of the bazillion Starbucks franchises undoubtedly squatting on corners in Seattle like mushrooms after a summer rain ('attwifi', if you care). It is possible that apps installed on or semipermanently baked into the firmware of your device may broadcast additional identifying data, but without a packet capture there really isn't any way of knowing.

As an aside, MAC addresses are meant to be globally unique (the first three bytes are a vendor prefix assigned by the IEEE) but in practice they are not: manufacturing mistakes and counterfeit chipsets mean it's a safe bet that somebody else on the planet has a wireless device with the same MAC as yours. Still, there are 2^48 possible MAC addresses, which is a big but finite number, and it is statistically unlikely that two mobile users in Seattle will have the same MAC. That seems sufficient to follow the movements of a single mobile device. Taking into account the set of ESSIDs the mobile device may try to associate with provides additional information with which to uniquely identify the owner of a device. Additionally, the wireless MACs of mobile devices are notoriously difficult to change, even if the device has been rooted. The wireless chips may not support soft MAC changes (but pretend that they do). The chips may power cycle themselves to get back to a known-good state and ask to be reconfigured without the user knowing after they've been frobbed, too. If the sensors also sniff other forms of traffic emitted by mobile devices, that traffic can be characterized and used to identify the device (and then its owner) more precisely.
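To make the two preceding paragraphs concrete, here is a small parser and tracker written for this post; it is an added example, not code from the Seattle deployment, from Aruba, or from any capture of the network. It assembles a few probe request frames for a couple of made-up devices (the MAC addresses, sensor names, timestamps and HT capability bytes are constructed), pulls out the source MAC, the ESSIDs being sought and the capability fields, builds a capability fingerprint that does not depend on the MAC at all, and then stitches sightings from several sensors into a per-device path. Frames are assumed to arrive as bare 802.11 management frames without a radiotap header.

```python
"""Parse 802.11 probe requests and follow devices across sniffing sensors."""
import struct
from collections import defaultdict

BROADCAST = bytes.fromhex("ffffffffffff")


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_probe_request(src_mac, ssid, rates=(1, 2, 5.5, 11, 6, 9, 12, 18),
                        ht_caps=None, vendor_oui=None, seq=0):
    """Assemble a constructed probe request for testing (no radiotap header).

    Frame control 0x0040 = protocol 0, type 0 (management), subtype 4 (probe
    request); addr1/addr3 are broadcast, addr2 is the transmitting device.
    """
    body = bytes([0, len(ssid)]) + ssid.encode()            # tag 0: SSID ("" = wildcard)
    rate_bytes = bytes(int(r * 2) for r in rates)
    body += bytes([1, len(rate_bytes)]) + rate_bytes         # tag 1: supported rates, 0.5 Mb/s units
    if ht_caps:
        body += bytes([45, len(ht_caps)]) + ht_caps          # tag 45: HT capabilities (constructed bytes)
    if vendor_oui:
        body += bytes([221, len(vendor_oui)]) + vendor_oui   # tag 221: vendor specific element
    header = (bytes([0x40, 0x00]) + b"\x00\x00" + BROADCAST + mac_to_bytes(src_mac)
              + BROADCAST + struct.pack("<H", seq << 4))
    return header + body


def fingerprint(info):
    """Capability fingerprint that survives a MAC change: element order, rates,
    HT capabilities and vendor OUIs. SSIDs are tracked separately."""
    return "|".join([
        ",".join(map(str, info["tag_order"])),
        ",".join(f"{r:g}" for r in info["rates"]),
        info["ht_caps"] or "-",
        ",".join(info["vendor_ouis"]) or "-",
    ])


def parse_probe_request(frame):
    """Return the fields a sensor would log for a probe request, or None."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if (ftype, subtype) != (0, 4):
        return None                                  # not a probe request
    info = {"mac": ":".join(f"{b:02x}" for b in frame[10:16]),   # addr2 = source
            "ssids": [], "rates": [], "tag_order": [], "ht_caps": None, "vendor_ouis": []}
    i = 24                                           # tagged parameters follow the 24-byte header
    while i + 2 <= len(frame):
        tag_id, tag_len = frame[i], frame[i + 1]
        val = frame[i + 2:i + 2 + tag_len]
        if len(val) < tag_len:
            break                                    # truncated frame: stop, don't read garbage
        info["tag_order"].append(tag_id)
        if tag_id == 0:
            if val:                                  # empty SSID element = wildcard probe
                info["ssids"].append(val.decode("utf-8", "replace"))
        elif tag_id in (1, 50):                      # supported / extended supported rates
            info["rates"].extend((b & 0x7F) / 2 for b in val)
        elif tag_id == 45:
            info["ht_caps"] = val.hex()
        elif tag_id == 221 and tag_len >= 3:
            info["vendor_ouis"].append(val[:3].hex())
        i += 2 + tag_len
    info["fingerprint"] = fingerprint(info)
    return info


def track_sightings(sightings):
    """sightings: iterable of (timestamp, sensor_name, raw_frame).

    Groups probe requests by source MAC and returns, per device, every ESSID it
    asked for, its capability fingerprint, and the sensors it passed in order.
    """
    devices = defaultdict(lambda: {"ssids": set(), "fingerprint": None, "path": []})
    for ts, sensor, frame in sorted(sightings, key=lambda s: s[0]):
        info = parse_probe_request(frame)
        if info is None:
            continue
        dev = devices[info["mac"]]
        dev["ssids"].update(info["ssids"])
        dev["fingerprint"] = info["fingerprint"]
        if not dev["path"] or dev["path"][-1][1] != sensor:
            dev["path"].append((ts, sensor))         # record only changes of sensor
    return dict(devices)


HT = bytes.fromhex("ef0117ff")                       # constructed HT capability bytes
SAMPLE_SIGHTINGS = [                                 # constructed, not a real capture
    (1384300000, "4th&Union", build_probe_request("a4:c3:61:00:11:22", "HomeNet", ht_caps=HT)),
    (1384300001, "4th&Union", build_probe_request("a4:c3:61:00:11:22", "attwifi", ht_caps=HT, seq=1)),
    (1384300090, "6th&Union", build_probe_request("a4:c3:61:00:11:22", "", ht_caps=HT, seq=7)),
    (1384300050, "5th&Pike", build_probe_request("00:1e:c2:33:44:55", "attwifi", rates=(1, 2, 5.5, 11))),
]

if __name__ == "__main__":
    for mac, dev in track_sightings(SAMPLE_SIGHTINGS).items():
        print(mac, sorted(dev["ssids"]), dev["fingerprint"])
        for ts, sensor in dev["path"]:
            print("   ", ts, sensor)
```

The point of the separate fingerprint is the one made above about MACs: even if a device did manage to change its address, the order of its information elements, its rate set and its HT capabilities stay the same from frame to frame, so a sensor that logs those fields can re-link the "new" device to the old one. The same grouping logic applies to the tower logs described earlier, with the MAC replaced by the IMEI and the sensor name by the tower and sector.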

The countermeasures for this are remarkably simple: Turn wi-fi off on your mobile device before you leave. Not only will you save the battery, but you won't be trackable via wi-fi emissions. One caveat: some devices keep scanning for location services even with the wi-fi toggle off (Android 4.3 added a "scanning always available" option under the advanced wireless settings, for instance), so check that setting too. The more paranoid are advised to pull the batteries on their mobiles entirely, if feasible.

It would not surprise me one bit to discover that this network had several other uses. Radio communications in cities, especially densely packed ones, are unreliable. Line of sight is key for radio, and if you don't have it (and you usually don't in big cities) there's a good chance that your signal might not get through at all. Sometimes buildings are so large that they prevent any signal from propagating very far. Sometimes buildings reflect and diffract RF in such a way that the signal goes in the wrong direction or scatters so much that you can't make anything out. Repeaters aren't found everywhere, just in a few strategic locations, and being able to hit one with a radio isn't a sure bet. Mesh networks are, in fact, a good way of setting up reliable comms in such areas because every node is also a relay, so traffic can route around many of those environmental obstacles. Additionally, digital radios are becoming more and more popular with law enforcement agencies, and digital modes readily lend themselves to working in mesh topologies. So, I would be unsurprised to find that these units in Seattle were set up with mesh repeaters to make police radio communications more reliable. Were I solving such a problem, that's what I would do.

I will concede the possibility that the wi-fi ESSIDs broadcast from the nodes could be for the purpose of remote maintenance. So much kit these days plugs into the Net so it can be managed remotely, and industrial grade wireless access devices are no exception (I've worked with too many of them over the years). Naming the device after its location is good practice in that it's self documenting; to put it another way, you don't need a Captain Midnight Secret Decoder Ring to figure out where an AP called 6th&Union lives, whereas one called air5Pohk (a made-up name) tells you nothing. On the other hand, for a municipal project this is really, really bad practice. If you announce what something is and where it is, chances are somebody's going to get curious and go poking around, like the people who wrote these news articles, and then you have to contend not only with the press but with people who take it upon themselves to cause trouble for you. This possibility doesn't seem to jibe with official statements to the effect of, "Yes, this is a mesh network," not without more data from the field.

The mailing lists of a couple of projects that I monitor (as well as the ones I'm part of) have also had some discussions about these news articles. Mainly, they're concerned that the reputation of community wireless networks will be adversely impacted. The big concern is that, because a municipal mesh project in Seattle is in a position to put an entire city under surveillance, our own projects might be thought of in the same way. Some might think that we're setting up our own surveillance network, when in fact we're not. This could hurt the adoption of community wireless networks across the country (more so than state and local laws already have). It's also too much to tell people to look at our code and see for themselves. Let's face it, there are a lot more non-coders than there are coders, and that's just going to make people more mistrustful. The best, and really the only, thing we can do is be personally active in our communities. We can't just set up a bunch of equipment and hope people are going to use it; we have to tell people about it. We have to tell people what it is, what it's for, and more importantly who it's for. They're going to come to us with their fears, especially because of news articles like these. And we're going to have to lay those fears to rest however we can.

It means stepping away from the keyboard and being people and not hackers for a time.