Improbinator – My first ESPduino project

I committed my first ESPduino project to Github the other day, ESPduino – Improbinator.

ESPduino – Improbinator – Flood of faked 802.11 Probe Request Frames

Background: Living in a town with about 20 WiFi probes mounted on walls in the city center, which collect 802.11 Probe Request frames to measure and map visitor flows through the city, kicked off the idea that I could dilute and skew the measurements by flooding the devices with a controlled stream of nearly real-looking but obviously faked probe request frames.

OUI Data: Collected during war-walking sessions around town and in other cities and countries, both client and router OUIs.

It’s an open project; you can send pull requests or fork it.


Yup, got myself an ESPduino, which combines an Arduino-compatible board with an on-board ESP8266.

This will be the platform for my little project, where I aim to run interference to disrupt the WiFi-based visitor-counting system the local town has installed.

As preparation I’ve been walking around town, trying to identify and photograph the installed devices, and I have found 6 or 7 so far; rumor says they have 15-20 devices installed around busy walking streets and squares. I have also done some research and happened to find that a friend has been involved in a similar project previously. Through that research I got a somewhat better picture of what they are doing and how they measure the way visitors move through town.

With my ESPduino and some clever coding, I can spray the air with faked frames to make it appear as if many people are walking by. Through lists of popular OUI prefixes I can generate millions of what look like genuine WiFi-enabled phones from popular brands, with some focus on a particular fruit brand. This will probably skew the measurements so much that the data they collect becomes pretty much useless.

I’m guessing the setup will be simple: after deploying the code to the ESPduino, the hard work is pretty much done and the fun starts. With a powerbank of reasonable capacity you could run the ESPduino for hours. As broadcasting the same MAC addresses over and over would not be very useful, the program changes a few of them every minute; if you have 50 faked MACs and 5 of them are changed every minute, it looks like a busy street with people coming and going. These will be parameters you can tweak in the program.

Why am I doing this? Well, there is the privacy angle: I do not like to be monitored, and I think I should be able to walk through the city without becoming a number or a hash in a database somewhere unless I participate with consent. All smartphones today have WiFi, and unless you turn it off when leaving your home you can and will be tracked at some point or another; most people aren’t even aware of this fact and won’t give it a thought. I want to protect them as well as myself by throwing grit into the machinery, making the tracking data less valuable since it can no longer be trusted completely.

Furthermore, I aim to release the full source code along with a list of OUI prefixes, so everyone interested and able can roll their own configuration in their copy of the source code, which also minimizes the risk of duplicate entries being broadcast at the same time. The source code will come with instructions on how to set up, configure and run the ESPduino.

Idea dump: Arduino ESP8266 – WIFI Beacon Attacker

Update 2016-11-12: I wrote a piece about ESPduino – Improbinator where much of the ideas were implemented, there is also a Github repo at Improbinator where you find the code.

I accidentally bought an Arduino ONE R3 for cheap and had no project to use it in, so I toyed around with different ideas, and this one hit me while taking my son for a walk.

This assumes a few things:

  • The ESP8266 has a way to generate (custom) beacon frames
  • 1+N ESP8266 boards can be connected to an Arduino ONE

Use an Arduino + ESP8266 + SD card shield to emit lots of beacon frames and keep iterating through them for a set period of time, to imitate or mimic real phones moving around in an area. MAC addresses are randomized from a table of 24-bit OUI prefixes of popular makes/brands, with the remaining 24 bits random.

As my brain seems to work a bit differently, I tend to strive for edge cases, to over-optimize and extend beyond limits. I don’t even know whether it’s possible with this hardware combination to attach a second or even a third ESP8266 board to an Arduino ONE R3, or whether two or three shields can be driven through software/electronics.

With one, two or three ESP8266s, I imagine having as many buffers with lists of pre-generated MAC addresses to run through and broadcast as beacons; list depth TBD. OUI prefixes would be stored on the SD card, and I already have the data, both from the OUI prefix list and from data collected during the last 5+ years of war-walking.

If outfits like Libelium are making devices for identifying customers in stores/gallerias/malls, and can even identify the type of smartphone, we could throw some dirt into their machinery, since we could generate beacons with MAC addresses for devices based on statistics from collected data. No harm would be done, as the addresses are generated and only “visible” in a small physical “bubble” for a limited time; even if a generated MAC address clashed with a real MAC address in the same area, there would be no long-term effects.
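Seen from the counting side, the churn pattern described above (dozens of MACs appearing at once, a handful replaced every minute, all drawn from a short list of OUI prefixes with the low 24 bits random) is also what makes such a flood stand out in the collected data. The following is an added example, not code from Improbinator or from any counting vendor: a Python check that buckets a constructed probe-request observation log per minute and flags buckets where nearly every MAC is new and concentrated on one OUI, plus the U/L-bit check that separates vendor-assigned addresses from locally administered (OS-randomized or spoofed) ones. The log format, the OUI prefixes in the sample (plain sample values, not a claim about any vendor), and the thresholds are assumptions.

```python
"""Detection-side check for a probe-request flood.

Added example, not Improbinator code. Input is a constructed observation log
of the kind a WiFi visitor-counting probe might keep: one line per captured
Probe Request as "unix_timestamp,sender_mac,rssi". Field layout, OUI values
and thresholds are assumptions made for this example.
"""
from collections import defaultdict

# Constructed sample. Minute 1478900040 looks like ordinary foot traffic
# (a few repeat MACs); minute 1478900100 shows the flood pattern: many
# never-seen MACs sharing two OUI prefixes, all showing up within seconds.
SAMPLE_LOG = """\
1478900040,3c:2e:f9:12:34:56,-61
1478900045,3c:2e:f9:12:34:56,-60
1478900050,a4:5e:60:aa:bb:cc,-70
1478900060,a4:5e:60:aa:bb:cc,-72
1478900070,00:1a:11:01:02:03,-80
1478900100,3c:2e:f9:00:00:01,-55
1478900101,3c:2e:f9:00:00:02,-55
1478900102,3c:2e:f9:00:00:03,-55
1478900103,3c:2e:f9:00:00:04,-55
1478900104,a4:5e:60:00:00:05,-55
1478900105,a4:5e:60:00:00:06,-55
1478900106,3c:2e:f9:12:34:56,-62
1478900107,da:a1:19:11:22:33,-58
"""


def parse_log(text):
    """Yield (timestamp, mac, rssi) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        try:
            yield int(parts[0]), parts[1].lower(), int(parts[2])
        except ValueError:
            continue


def oui(mac):
    """First three octets of a colon-separated MAC, e.g. '3c:2e:f9'."""
    return mac[:8]


def is_locally_administered(mac):
    """True when the U/L bit (bit 1 of the first octet) is set.

    Such addresses are not vendor-assigned; they come from OS randomization
    or from software that picked the address itself.
    """
    return bool(int(mac.split(":")[0], 16) & 0x02)


def minute_stats(records, window=60):
    """Bucket observations per window and summarize each bucket.

    Returns one dict per bucket with: unique MACs, MACs never seen in any
    earlier bucket, churn (new / unique), share of the most common OUI and
    the number of locally administered MACs.
    """
    buckets = defaultdict(set)
    for ts, mac, _rssi in records:
        buckets[ts // window * window].add(mac)
    seen = set()
    stats = []
    for start in sorted(buckets):
        macs = buckets[start]
        new = macs - seen
        per_oui = defaultdict(int)
        for m in macs:
            per_oui[oui(m)] += 1
        stats.append({
            "start": start,
            "unique": len(macs),
            "new": len(new),
            "churn": len(new) / len(macs),
            "top_oui_share": max(per_oui.values()) / len(macs),
            "locally_administered": sum(is_locally_administered(m) for m in macs),
        })
        seen |= macs
    return stats


def flag_flood(stats, min_unique=6, min_churn=0.8, min_top_oui_share=0.6):
    """Return bucket start times matching a flood profile: many MACs at once,
    nearly all of them new, and concentrated on one OUI. Thresholds are
    illustrative; a real deployment would tune them against baseline traffic."""
    return [s["start"] for s in stats
            if s["unique"] >= min_unique
            and s["churn"] >= min_churn
            and s["top_oui_share"] >= min_top_oui_share]


if __name__ == "__main__":
    stats = minute_stats(parse_log(SAMPLE_LOG))
    for s in stats:
        print(s)
    print("suspect buckets:", flag_flood(stats))
```

Churn alone is a weak signal, since the very first bucket is always 100% new; combining it with a minimum bucket size and the OUI concentration is what separates a flood from a tour group walking past. A counting system that keeps only hashes of MACs can still run the U/L-bit and OUI checks, as both only need the first three octets.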

The build would be cased in acrylic, either a stock box modified for the shield(s) or a complete custom one. Powerbanks of 10000 mAh (or more) @ 5V to run it off-grid/from a backpack.

Pry-fi by Chainfire on XDA-Developers.