We have all seen cool movies like 'Enemy of the State', in which the NSA is able to pinpoint your location through your phone without you noticing. The movie was released in 1998, and at the time those ideas might have looked like science fiction, but nowadays this might actually be plausible. Our upcoming FedEx day was a good opportunity to try it out. Surely we don't have the capabilities or the time that an intelligence agency has, but we wanted to give it a shot.
The problem: Can we track various colleagues / devices through the office?
The solution(s): There are quite a few solutions out there, some commercial and some free, but it wouldn't have been nearly as fun to just install one, so we had 24 hours to build one from scratch.
We wanted to pinpoint the location using Wi-Fi, since everyone has a Wi-Fi connected phone/laptop/watch. Our office is equipped with multiple access points (antennas), in order to ensure that we have sufficient signal throughout the building. All these access points are connected to a single wireless controller, which manages them independently.
The first step was to query the Wireless LAN Controller (WLC) via SNMP and find the list of Access Point (AP) MAC addresses by doing an SNMP walk on cLApIfMacAddress. For each AP in the list, we then read the list of all devices that the AP sees (bsnMobileStationMacAddr + decimal representation of the AP MAC) and their Received Signal Strength Indicator (RSSI) (bsnMobileStationRssiData + decimal representation of the device MAC + decimal representation of the AP MAC). Plenty of other information was available for each device (IP, VLAN, encryption used, etc.), but it was not relevant for our purpose.
The RSSI data is given in dBm, so the second step was to convert these values into meters. To do that we need the signal strength (which we have) and the frequency of the signal (which we know). The formula is a transformed form of Free Space Path Loss (FSPL).
For distance in meters and frequency in MHz, constant K is -27.55, transmitter power (Ptx) up to 20dBm (100mW) and a frequency of 2412MHz (2.4GHz) we get a simple function for the transformation.
For example, for a signalLevel of -57dBm, the result would be 7.000397427391188 meters.
Having all the available information, we now need a scaled map of the place and the locations of the APs, and we need to transform everything into pixels. For our map, we scaled it so that 1m = 16px.
To pinpoint the location on the map with the available information we used multilateration. The multilateration problem can be written as follows:
n is the number of APs that “see” the device and for which we can read an RSSI value, D = (X,Y) is the position of the device, APi = (Xi, Yi) is the position of AP i, and Ri is the distance measured from AP i to the device. The system is not linear, but it is possible to linearize it by subtracting the i-th equation from the other n-1.
We expected all circles to intersect at a single point, but in practice the measurements are affected by error and the circles intersect at more than one point. These points identify an area, and the precision of this solution is given by the residual
Dm = (Xm, Ym) is the resulting estimated device position.
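The RSSI-to-distance conversion and the linearized multilateration described above, as an added Python example that is not the original project's code. The inverted-FSPL form, the mean-squared residual, the function names and the sample AP layout are assumptions; the constants and the 1m = 16px scale come from the text.

```python
import math

FREQ_MHZ = 2412.0  # 2.4 GHz channel used on the page
K = -27.55         # FSPL constant for metres and MHz, from the page
PX_PER_M = 16      # map scale from the page: 1 m = 16 px

def rssi_to_metres(rssi_dbm, freq_mhz=FREQ_MHZ):
    """Assumed inversion of FSPL = 20*log10(d) + 20*log10(f) + K, with |RSSI|
    taken as the path loss; it reproduces the page's 7.0004 m for -57 dBm."""
    return 10 ** ((abs(rssi_dbm) - K - 20 * math.log10(freq_mhz)) / 20)

def multilaterate(aps, dists):
    """aps: [(Xi, Yi)], dists: [Ri] in the same unit -> ((Xm, Ym), residual)."""
    if len(aps) < 3 or len(aps) != len(dists):
        raise ValueError("need at least 3 APs, one distance per AP")
    (xn, yn), rn = aps[-1], dists[-1]
    saa = sab = sbb = sac = sbc = 0.0
    # Subtract the last circle equation from each other one: a*X + b*Y = c,
    # then accumulate the 2x2 least-squares normal equations.
    for (xi, yi), ri in zip(aps[:-1], dists[:-1]):
        a, b = 2 * (xn - xi), 2 * (yn - yi)
        c = ri**2 - rn**2 - xi**2 + xn**2 - yi**2 + yn**2
        saa, sab, sbb = saa + a * a, sab + a * b, sbb + b * b
        sac, sbc = sac + a * c, sbc + b * c
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("APs are collinear, position is ambiguous")
    x = (sac * sbb - sbc * sab) / det
    y = (saa * sbc - sab * sac) / det
    # Assumed residual: mean squared gap between measured and fitted ranges.
    residual = sum((math.hypot(x - xi, y - yi) - ri) ** 2
                   for (xi, yi), ri in zip(aps, dists)) / len(aps)
    return (x, y), residual

def locate(aps_px, rssi_dbm):
    """AP map positions in px plus one RSSI per AP -> ((x, y) px, residual)."""
    return multilaterate(aps_px, [rssi_to_metres(r) * PX_PER_M for r in rssi_dbm])

if __name__ == "__main__":
    # Constructed sample: four APs on the corners of a 10 m x 10 m room.
    aps = [(0, 0), (160, 0), (0, 160), (160, 160)]
    print(rssi_to_metres(-57))
    print(locate(aps, [-57, -57, -57, -57]))
```

The residual returned by `locate` is in square pixels; a large value means the measured ranges disagree with each other and the estimate should be treated as an area rather than a point.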
The final step was to add some HTML5 smoke and mirrors to display all the information we acquired from the network equipment and see some real-time movement on the map. Unfortunately, because of the rate at which the APs were updating their information, real time actually meant every 3 seconds, but in a very big office you can’t cover much ground in 3 seconds, and you’re still within the error range until the next measurements can be made.
The final solution looked something like this: