The Wi-Fi Footprint – a little-known yet critical unmasking factor in this war
Why do all Wi-Fi networks and any smartphone with Wi-Fi create a footprint? How are they collected and applied? Why do lives depend on it?
In modern warfare, Wi-Fi has turned into a major technical unmasking factor. Most users perceive it as an “invisible” and safe interface for connecting to the internet, which is almost always available “under the hood” in many communication devices—from a smartphone or a drone control panel to a satellite terminal (Starlink, OneWeb, SatCube, and others) and most other data transfer systems.
But the current reality is simple: both the Wi-Fi network and devices with Wi-Fi “light up” hundreds of times more intensely than any satellite dish. Moreover, not only are they easily detected and localized by electronic warfare (EW) means, but they also leave a Wi-Fi Footprint that is read by specialized data analysis systems.
For security forces, military units, and even civilian users in frontline areas, this means one thing: Wi-Fi doesn’t provide the connection, Wi-Fi gives you away to the enemy. It is what becomes the most convenient marker for detecting positions, determining routes, and gathering intelligence information.
Let’s understand what a “Wi-Fi Footprint” is, why it poses a danger, what tools collect and use this data, and what practical measures of radio and cyber hygiene will help minimize the risks. We will do this in a fairly simple language but with precise technical details, so that non-specialists understand the essence of the problem, and specialists have sufficient depth.
An important remark from the author: in this article, I limit myself exclusively to publicly available data. That is, the material does not contain any secret or sensitive data, or examples that are used in closed training of specialists or in non-public speeches and materials.
What is the Wi-Fi Footprint?
Every Wi-Fi network and every device with a Wi-Fi module constantly create a set of signals that are visible far beyond the confines of the premises or base. These signals form the so-called Wi-Fi Footprint (Wi-Fi fingerprint or trail) – a kind of “digital scent” that can be detected, recorded, tracked, and analyzed.
How does Wi-Fi “light up”?
All Wi-Fi devices, from access points and routers to smartphones, watches, surveillance cameras, and all kinds of “smart devices,” are always transmitting certain data in the form of service packets. These packets are transmitted in open (unencrypted) form; they can be intercepted by any receiver within range, from a simple scanner on a smartphone to specialized EW means.
Beacon frames: Every access point periodically broadcasts service packets with network information – SSID (name), BSSID (the AP's MAC address), standard, supported speeds, etc.
Probe-requests: Client devices (smartphones, laptops, tablets, drones) send requests over the air, looking for familiar networks. These requests often contain a list of “favorite” SSIDs, which allows for reconstructing the travel route or identifying the owner.
Other service frames: Association, authentication, and other management packets, which also contain metadata.
So, even if no devices are connected to your network, that absolutely does not mean they are “invisible.” Both the network itself and most of the devices around you will still be “lighting up in the air.”
Thus, the first component of the Wi-Fi Footprint is service data packets read by some device. For example, by your own smartphone, without any participation or desire on your part.
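Added example (not from the original article): a minimal Python parser for a beacon frame, run on a constructed frame, showing which fields any passive receiver can read even when the network is encrypted or the SSID is hidden. The helper build_beacon and the sample BSSID and SSID values are constructed for illustration.

```python
import struct

def build_beacon(bssid: bytes, ssid: str, privacy: bool) -> bytes:
    """Construct a minimal 802.11 beacon frame (sample data for this example)."""
    header = struct.pack("<HH", 0x0080, 0)        # frame control (mgmt/beacon), duration
    header += b"\xff" * 6 + bssid + bssid         # DA = broadcast, SA, BSSID
    header += struct.pack("<H", 0)                # sequence control
    caps = 0x0011 if privacy else 0x0001          # ESS bit, plus Privacy bit if encrypted
    fixed = struct.pack("<QHH", 0, 100, caps)     # timestamp, beacon interval, capabilities
    ssid_b = ssid.encode()
    tags = bytes([0, len(ssid_b)]) + ssid_b       # element 0: SSID
    tags += bytes([3, 1, 6])                      # element 3: DS parameter set, channel 6
    return header + fixed + tags

def parse_beacon(frame: bytes) -> dict:
    """Return the metadata a passive receiver can read from a beacon."""
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        raise ValueError("not a beacon frame")
    _ts, interval, caps = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": frame[16:22].hex(":"), "interval_tu": interval,
            "privacy": bool(caps & 0x0010), "ssid": None, "channel": None}
    pos = 36                                      # 24-byte header + 12 fixed bytes
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                                 # truncated element, stop parsing
        if tag == 0:
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:
            info["channel"] = value[0]
        pos += 2 + length
    return info

if __name__ == "__main__":
    bssid = bytes.fromhex("020000aabbcc")         # constructed address
    print(parse_beacon(build_beacon(bssid, "field-net-7", True)))
    print(parse_beacon(build_beacon(bssid, "", True)))   # "hidden" SSID
```

In both printed results the BSSID and channel are present; encryption and a hidden SSID change the payload protection and the name field, not the visibility of the frame itself.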
Vendor telemetry and “smart devices”
The Wi-Fi Footprint is created not only at the moment of connecting to a network. Modern smartphones and IoT devices regularly perform background scans and send the collected data to the manufacturer or third-party SDKs (Software Development Kits).
This data records:
BSSID (unique MAC address of the access point),
SSID (symbolic network name),
signal level (RSSI),
time and coordinates (if geolocation is enabled),
device or application identifiers.
This is how a global “Wi-Fi map” is formed, which is accumulated by vendors (Google, Apple, advertising platforms, etc.). Having the coordinates and signal levels, using trilateration to accurately determine the position of the target device is not a complicated task at all.
Various gadgets are always around us: smartphones and tablets, on-board systems in cars and video recorders, smart speakers and SmartTVs, smart watches and smart home controllers, smart power banks, and PCs—and this is by no means an exhaustive list. Most of these devices have a Wi-Fi/Bluetooth module and corresponding software that collects certain data. Some of these devices are constantly turned on as an Access Point (AP) and essentially scatter their own Wi-Fi Footprint. But the main thing is that most of them collect and transmit telemetry and data from their Wi-Fi and Bluetooth/BLE modules to various databases.
Essentially, we have millions of gadgets and devices around us that constantly perform the function of Wi-Fi and Bluetooth/BLE scanners.
If we were to briefly describe the specifics and scanning capabilities of each type of device mentioned, it would take up quite a lot of space and time. Therefore, for now, I will emphasize only one example of gadgets that are literally everywhere around us: smartphones and tablets. Because each of them can scan Wi-Fi and Bluetooth in its environment even when we do not want it to.
Background scans and “Airplane mode”
Many are under the illusion that it is enough to simply tap the Wi-Fi and Bluetooth off button, or even “just turn on Airplane Mode,” and that’s it—no data is collected or transmitted. But in reality, this is not true... or, more precisely, not entirely true...
A separate risk for many modern gadgets is background scanning, which can operate even when the user believes Wi-Fi is off or Airplane Mode is enabled.
In smartphone settings, there are options like “Wi-Fi scanning” or “Bluetooth scanning for improved geolocation.” If these are not disabled, the device can continue collecting data even when Wi-Fi is turned off. But in a wide range of gadgets, these settings are simply not available for disabling.
Some studies and practices have shown the possibility of a “fake airplane mode,” where the modules appear to be disabled on the screen, but the device actually continues communication. Unfortunately, exactly how “Airplane Mode” is implemented in a specific smartphone model from a specific manufacturer can only be determined through painstaking research. There is no public universal proof that all smartphones always do this. But there are already public publications about detected incidents, and this risk cannot be ruled out: it depends on the model, firmware, settings, and available SDKs.
This means: even in a mode that seems “silent,” the device can leave a Wi-Fi Footprint and also act as a kind of EW scanner. For the military, this is a critical factor that requires discipline and verification at the level of specific devices.
Where does the data flow?
The collected data is sent to various databases, including databases of large vendors, as well as various commercial, advertising, and even open projects.
Of course, all this had some “good intentions”... But in fact, we now live in a world where it is possible to track and localize anyone. Large databases (Big Data) of Wi-Fi geolocation are formed based on the collected data. Public examples: WiGLE.net, Google Location Services, Mozilla MLS (archive), Skyhook. But there are also commercial or closed databases, accessible only to specialists. In these databases, every BSSID can have a “link” to coordinates and time, creating a picture of the movement or presence of devices. This is exactly what will be discussed in more detail next.
This creates an additional risk: even a Wi-Fi device that is “turned off” or “disconnected from the network” can leave a trace in databases accessible for CYBERINT or OSINT analysis.
Where can all the Wi-Fi Footprints of the planet be found?
The Wi-Fi Footprint does not disappear into thin air. The data that devices and networks transmit over the radio waves is accumulated and stored in vast arrays. Part of this data is publicly available; the other part is collected by vendors and third-party services. As a result, a global Wi-Fi map is created, which makes it possible to determine the location and movement of users and networks.
OSINT-services
Open or semi-open platforms allow anyone to access data about Wi-Fi networks:
WiGLE.net - a volunteer database formed from user wardriving records. By BSSID, you can find the coordinates of the access point and the time it was last detected.
Google Location Services - a service used by Android smartphones and applications for positioning. It is based on a huge array of BSSID-coordinates collected from billions of devices.
Skyhook - a commercial geolocation system that also relies on Wi-Fi databases.
Mozilla MLS (now an archive) - an example of an attempt to create an open alternative.
This is not an exhaustive list, but it is enough to show that, even without complex tools, knowing the BSSID is sufficient to find the network’s geolocation through such services. Therefore, we can consider them good sources for OSINT analysis, available to everyone: us and our allies, but also to the enemy...
CYBERINT-arrays
The second level is vendor telemetry and third-party SDKs.
OS and device vendors (Google, Apple, smartphone manufacturers) regularly receive data from gadgets about surrounding networks: BSSID, SSID, signal level, timestamp, sometimes coordinates.
Third-party SDKs in applications (advertising, analytical, anti-fraud services) also collect Wi-Fi data and send it to their own backends. The user often doesn’t even realize that the application “under the hood” is transmitting information about all access points nearby.
These data arrays are significantly larger and richer than any open database. Anyone with access to such data can:
track the routes of specific devices;
link Wi-Fi points to specific individuals or organizations;
correlate Wi-Fi records with other identifiers (GPS, mobile network, IDFA/AAID).
This is the CYBERINT level—where analysis based on telemetry arrays makes it possible to build detailed pictures of activity and even determine geolocation with enough accuracy for targeting. And if EW means are combined with CYBERINT capabilities, which the enemy is currently trying very hard to do, the cumulative result yields very powerful capabilities. The underestimation of these capabilities can be mortally dangerous.
Practical risks
The Wi-Fi Footprint is not an abstract threat, but a set of concrete risks that are realized in practice and can have serious consequences for the safety of the unit, personnel, equipment, and infrastructure. Below is a list of key risk scenarios:
Localization of positions and equipment
Tracking of movement and routes (pattern-of-life, tracing)
Identification of roles/units through naming and metadata
Cumulative analytics (CYBERINT)
Compromise of channels and systems through targeted cyberattacks on networks or devices identified via the Wi-Fi Footprint
Targeted operations (actual TTPs of the enemy)
It is important to understand that the presence of Wi-Fi and Bluetooth/BLE in many devices is simply non-obvious:
Many modern charging stations (large power banks) have Wi-Fi/Bluetooth/BLE modules inside, which are sometimes impossible to reliably turn off with a button.
A great many models of electronic cigarettes contain BLE modules. This is not Wi-Fi, but their trace can also be detected and transmitted to databases under certain conditions. These devices can also be localized by EW means on low-altitude UAVs.
All the noted risks of smartphones and tablets are also relevant for smart watches.
A significant number of surveillance cameras, weather stations, and other devices have an active Wi-Fi module on board that also cannot be turned off with a button.
The overwhelming majority of car video surveillance systems, car multimedia systems with the function of wireless smartphone connection, etc., not only have Wi-Fi/Bluetooth/BLE modules but also operate in Access Point mode. That is, in fact, these systems are a kind of voluntarily attached Wi-Fi beacon to the transport.
Important points
The greatest danger is the combination: the fusion of radio direction-finding with accumulated telemetry and OSINT databases gives significantly greater accuracy than any of the methods separately.
The risk increases over time: the longer an access point or client “lights up,” the more data accumulates, and the probability of correlation increases. The more Wi-Fi Footprints are accumulated, the more accurate the geolocation.
Uncontrolled third-party elements (personnel smartphones, IoT, third-party SDKs) are the weakest link.
Countermeasures have an effect, but do not guarantee 100% protection. A combination of technical, procedural, and organizational measures significantly reduces the risk, although it requires discipline and regular control. 100% protection does not exist, but every percent = lives saved.
Thus, we have a simple conclusion: it is enough for the enemy to know only the BSSID of the Wi-Fi network in a command post or drone control center to determine its precise location for further reconnaissance and combat engagement.
Reducing the Wi-Fi Footprint – Radio and Cyber Hygiene
The greatest danger of Wi-Fi is that it creates a trace always, even when the user is not connecting to the network. Therefore, the task of hygiene is not “complete protection” (it does not exist) but minimizing the footprint. This is a combination of technical settings and user discipline.
Basic Rules
Wire Priority: In combat conditions, it is better to completely abandon Wi-Fi and use wired connections.
Minimization of Wi-Fi operating time: If Wi-Fi is unavoidable, it should rather be enabled only for short periods of time (time-boxing).
Minimization of coverage area: Reducing the transmitter power and shielding (hidden access points underground, in a dugout/shelter, etc.).
Disabling unnecessary radio modules: Smartphones, laptops, IoT devices should have Wi-Fi and Bluetooth disabled outside of actual use moments.
Monitoring of Wi-Fi/Bluetooth/BLE radio hygiene: If the unit does not have the ability to use corresponding EW or monitoring means, then tracking the unit’s environment with at least simple and publicly available Wi-Fi/Bluetooth scanner applications for smartphones is already a very effective step.
Recommended Technical Measures
Strong cryptography: Use WPA3-SAE, and PMF (Protected Management Frames, 802.11w) must be enabled. If not available, at least WPA2. No open networks.
Neutral SSIDs: Avoid names that indicate affiliation (“HQ,” “Starlink,” “Army”). It is recommended to use random or neutral names.
Regular reset and BSSID change: Different devices have different capabilities, paths, and tools for changing the BSSID. For example, in the case of Starlink - it’s a Factory reset. Specialists usually know where to look for descriptions and means of such a change. Regular BSSID change, and even better with randomization, reduces the risk of data accumulation in databases.
MAC-randomization: Enable on all clients, but remember that it is not absolute (especially when associating with an AP).
Power optimization: Using lower transmitter power reduces the range and visibility of the signal. Directional antennas can also bring some benefit.
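Added example (not from the original article): a small Python audit that applies the measures listed above to a unit's own inventory of access points and client devices. The record fields, the sample data and the 14-day BSSID rotation threshold are assumptions made for illustration.

```python
import re
from datetime import date

# Affiliation words are the article's own examples, matched as whole tokens.
AFFILIATION = re.compile(r"(?<![a-z0-9])(hq|starlink|army)(?![a-z0-9])", re.I)
ACCEPTED = {"WPA3-SAE": None,
            "WPA2": "WPA2 fallback in use; move to WPA3-SAE where supported"}
MAX_BSSID_AGE_DAYS = 14  # assumed rotation policy, not a value from the article

def is_randomized_mac(mac):
    """Randomized MACs set the locally administered bit (0x02) in octet 0."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def audit_ap(ap, today):
    """Return a list of hygiene findings for one access-point record."""
    findings = []
    mode = ap["security"]
    if mode not in ACCEPTED:
        findings.append(f"unacceptable security mode: {mode}")
    elif ACCEPTED[mode]:
        findings.append(ACCEPTED[mode])
    if not ap["pmf"]:
        findings.append("PMF (802.11w) disabled")
    if AFFILIATION.search(ap["ssid"]):
        findings.append(f"SSID reveals affiliation: {ap['ssid']!r}")
    age = (today - ap["bssid_first_seen"]).days
    if age > MAX_BSSID_AGE_DAYS:
        findings.append(f"BSSID unchanged for {age} days")
    return findings

def audit_clients(macs):
    """Return client MACs that are not randomized (factory addresses)."""
    return [m for m in macs if not is_randomized_mac(m)]

# Constructed sample inventory (not real networks or devices).
TODAY = date(2025, 1, 31)
APS = [
    {"ssid": "HQ-Starlink", "security": "OPEN", "pmf": False,
     "bssid_first_seen": date(2024, 12, 1)},
    {"ssid": "k7x2-net", "security": "WPA3-SAE", "pmf": True,
     "bssid_first_seen": date(2025, 1, 25)},
]
CLIENTS = ["00:11:22:33:44:55", "da:a1:19:44:55:66"]

if __name__ == "__main__":
    for ap in APS:
        print(ap["ssid"], audit_ap(ap, TODAY) or "ok")
    print("non-randomized clients:", audit_clients(CLIENTS))
```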
Of course, there is also a certain set of organizational measures. However, this issue is already quite well regulated by existing service regulations and policies, so we will not detail it in a public format.
Wi-Fi cannot be made “invisible,” but it can be made short-term, weak, and safer. This is achieved by a combination of technical settings and organizational discipline.