National Cyber Warfare Foundation (NCWF)

Counter-Surveillance: How to Know Whether You Are Being Followed


2025-09-08 15:26:00
milo
Red Team (CNA)



The post Counter-Surveillance: How to Know Whether You Are Being Followed first appeared on Hackers Arise.



Welcome back, aspiring cyberwarriors!





In our line of work, situational awareness is everything. Whether you’re conducting a sensitive penetration test, meeting with a whistleblower, or simply need to know if that black sedan has been behind you for the last three stops – having the ability to detect physical surveillance could be the difference between mission success and complete compromise.





Traditional counter-surveillance requires extensive training and constant vigilance. But nowadays, a simple Raspberry Pi setup could be your digital eyes and ears, automatically detecting if the same digital signatures are following you from location to location.





As you know, every device around us is constantly broadcasting its digital fingerprints through Wi-Fi probe requests, Bluetooth advertisements, and other wireless signals. A skilled operative or private investigator following you will likely have multiple devices – phones, tablets, surveillance equipment – all creating a unique digital signature that can be tracked.





Matt Edmondson, a digital forensics expert, presented this great technique at Black Hat USA 2022. The concept is elegantly simple: if you see the same devices at Starbucks, then at the gas station, then at the bookstore – somebody might be following you. Let’s learn how to build and deploy this powerful surveillance detection system!





What is “Chasing Your Tail”?





“Chasing Your Tail” is a comprehensive Wi-Fi and Bluetooth surveillance detection system that passively monitors wireless devices in your vicinity. By analyzing probe requests and device persistence across multiple locations and time windows, it can identify potential surveillance with remarkable accuracy.





The system works by:






  • Passively capturing Wi-Fi probe requests and Bluetooth advertisements




  • Creating time-based persistence profiles of nearby devices




  • Correlating device appearances across multiple locations




  • Generating alerts when suspicious patterns emerge




  • Providing GPS-correlated tracking and professional visualizations





Hardware Arsenal





For this operation, you’ll need some basic hardware. The beauty of this system is that it uses common, inexpensive components that won’t raise suspicion:





Essential Gear:






  • Raspberry Pi




  • Wi-Fi adapter with monitor mode support




  • Portable battery pack – For extended operations




  • Small display screen – For real-time monitoring (optional but recommended)




  • 32GB+ SD card – For data storage and logging





Professional Setup:






  • Multiple Wi-Fi adapters – For enhanced coverage




  • External GPS module – For precise location correlation




  • Pelican case or similar – For protecting your gear





Software Arsenal





We’ll be deploying several key components:





Kismet – Our primary packet capture engine. This open-source tool captures Wi-Fi, Bluetooth, and other wireless protocols, storing everything in SQLite databases for analysis.





Chasing Your Tail NG – The enhanced, security-hardened version of the original tool with GPS integration, advanced analytics, and professional reporting.





WiGLE API Integration – For correlating captured SSIDs with global geolocation data (optional).





Step #1: Base System Setup





First, we need to prepare our Linux environment. I’m using a Raspberry Pi 4, but technically any version should be suitable.





Install the essential packages:





raspberrypi> sudo apt install build-essential git libwebsockets-dev pkg-config \
    zlib1g-dev libnl-3-dev libnl-genl-3-dev libcap-dev libpcap-dev \
    libnm-dev libdw-dev libsqlite3-dev libprotobuf-dev libprotobuf-c-dev \
    protobuf-compiler protobuf-c-compiler libsensors-dev libusb-1.0-0-dev \
    python3 python3-setuptools python3-protobuf python3-requests \
    python3-numpy python3-serial python3-usb python3-dev python3-websockets \
    libubertooth-dev libbtbb-dev libmosquitto-dev librtlsdr-dev









Step #2: Install Kismet





First, download the source code:





raspberrypi> git clone https://www.kismetwireless.net/git/kismet.git





raspberrypi> cd kismet









Run the configure script to prepare the source code for your system by checking dependencies and generating a custom build configuration.





raspberrypi> ./configure









Next, compile the source code into binaries using make. To learn more about the make command in Linux, check out this article.





raspberrypi> make









It’s important to keep in mind that on a Raspberry Pi, even with swap enabled, compiling a large project like Kismet will be slow. Depending on the CPU speed and RAM size, it may take hours.





By the way, if you encounter an error similar to the one below:









Consider increasing the swap size, especially if you decide to run not just make but make -j$(nproc). The -jN option tells make to run N jobs in parallel, and $(nproc) expands to the number of CPU cores (on a Raspberry Pi 4 → 4). However, using this command can be risky because you might encounter an OOM (Out of Memory) error.





Finally, we can install Kismet. In general, you should install Kismet as suid-root; it will automatically create a group and install the capture binaries accordingly. When installed as suid-root, Kismet launches the binaries that control channels and interfaces with the required privileges, while keeping packet decoding and the web interface running without root privileges.





raspberrypi> sudo make suidinstall









make suidinstall will automatically create a kismet group. To run Kismet, your user needs to be part of this group. So let’s add our user to this group.





raspberrypi> sudo usermod -aG kismet $USER





Groups are not updated automatically; you will need to reload the groups for your user.





Either log out and log back in, or in some cases, reboot.





Check that you are in the kismet group with:





raspberrypi> groups









If you are not in the kismet group, you should log out and log back in, or reboot – some session and desktop managers don’t reload the groups on logout, either.





Step #3: Install Chasing Your Tail NG





raspberrypi> git clone https://github.com/ArgeliusLabs/Chasing-Your-Tail-NG.git





raspberrypi> cd Chasing-Your-Tail-NG









After downloading we need to install the required packages.





raspberrypi> pip3 install -r requirements.txt --break-system-packages









In the command above, I’ve used the --break-system-packages flag, which forces the install even if it might conflict with system packages.





Step #5: Security Hardening





The current version of “Chasing Your Tail” includes security hardening: protection against SQL injection attacks and secure credential management. Run the migration script:





raspberrypi> python3 migrate_credentials.py





This script eliminates critical vulnerabilities and sets up encrypted credential storage. Verify the security implementation:





raspberrypi> python3 chasing_your_tail.py









Here we can see different warnings and errors, but those aren’t important for us right now. What matters is the INFO message confirming that the configuration loaded with secure credential management.





Step #6: Configuration





Now we need to configure our system for optimal surveillance detection. Edit the main configuration:





raspberrypi> nano config.json





Example configuration:





{
  "paths": {
    "base_dir": ".",
    "log_dir": "logs",
    "kismet_logs": "/home/pi/Chasing-Your-Tail-NG/*.kismet",
    "ignore_lists": {
      "mac": "mac_list.py",
      "ssid": "ssid_list.py"
    }
  },
  "timing": {
    "check_interval": 60,
    "list_update_interval": 5,
    "time_windows": {
      "recent": 5,
      "medium": 10,
      "old": 15,
      "oldest": 20
    }
  },
  "search": {
    "lat_min": 31.3,
    "lat_max": 37.0,
    "lon_min": -114.8,
    "lon_max": -109.0
  }
}




Key settings:






  • timing: Overlapping surveillance detection windows




  • kismet_logs: Path to the Kismet log files (a glob pattern in the example above)





Step #7: Wireless Interface Configuration





Your Wi-Fi adapter MUST support monitor mode. Test your setup:





raspberrypi> sudo airmon-ng start wlan1









Replace wlan1 with your actual interface. This should create a monitor interface (usually wlan1mon). If this fails, your adapter doesn’t support monitor mode — you’ll need different hardware.





In my case, I’m using a TP-Link Wi-Fi adapter with the RTL8xxxu chipset, which requires additional setup to work. If you’re using, for example, an Alfa AWUS036ACS adapter, you likely won’t encounter any issues with enabling monitor mode. But for the sake of clarity, I’ll briefly show you how I set it up:





List physical wireless devices:





raspberrypi> iw phy





Look for the one corresponding to wlan1 (in my case, it’s phy1).





Add a new monitor-mode virtual interface (e.g., mon0):





raspberrypi> sudo iw phy phy1 interface add mon0 type monitor





Bring up the new monitor interface:





raspberrypi> sudo ip link set mon0 up





Tell NetworkManager to stop managing only the specific interface you want to monitor, rather than stopping the entire service:





raspberrypi> sudo nmcli dev set wlan1 managed no





Step #8: Deploying





Terminal 1 – Start Kismet:





raspberrypi> ./start_kismet_clean.sh









You might see the following error due to a hardcoded path. Edit it to the correct one using your favorite text editor. In my case, the correct directory is /home/pi/Chasing-Your-Tail-NG:









Also, check that the starting command for Kismet uses the correct interface. After these changes, the Kismet script should not print any errors.









Terminal 2 – Launch Core Monitoring:





raspberrypi> python3 chasing_your_tail.py





You’ll see an output like below.









Terminal 3 – Real-time Analysis:





raspberrypi> python3 surveillance_analyzer.py









After running the script, we’ll receive professional intelligence reports in both MD and HTML formats.





Example of the report:









Understanding the Intelligence





Time Window Analysis





The system maintains four overlapping surveillance detection windows:






  • Recent: Past 5 minutes – immediate threats




  • Medium: 5-10 minutes ago – establishing patterns




  • Old: 10-15 minutes ago – confirming persistence




  • Oldest: 15-20 minutes ago – long-term tracking





Threat Assessment Algorithms





The system uses advanced algorithms to analyze:






  • Temporal Persistence: How consistently devices appear over time




  • Location Correlation: Devices following you across multiple locations




  • Probe Pattern Analysis: Suspicious network search behaviors




  • GPS Correlation: Physical movement patterns matching your own
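
The time-window bucketing and location correlation described above can be sketched as follows. This is an added example, not code from Chasing Your Tail NG or Kismet: the sightings table, the sample MAC addresses, the place names and the min_windows/min_places thresholds are all assumptions made for illustration. Only the window sizes come from the config.json shown earlier.

```python
import sqlite3

# Window edges in minutes, taken from "time_windows" in the config.json above.
TIME_WINDOWS = {"recent": 5, "medium": 10, "old": 15, "oldest": 20}

def build_sample_db():
    """Constructed sample data; this 'sightings' table is not Kismet's schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sightings (ts INTEGER, mac TEXT, place TEXT)")
    now = 1_700_000_000  # fixed "current time" so the result is repeatable
    db.executemany("INSERT INTO sightings VALUES (?, ?, ?)", [
        (now - 60,   "00:11:22:00:00:01", "bookstore"),
        (now - 420,  "00:11:22:00:00:01", "gas station"),
        (now - 780,  "00:11:22:00:00:01", "gas station"),
        (now - 1100, "00:11:22:00:00:01", "coffee shop"),
        (now - 90,   "00:11:22:00:00:02", "bookstore"),    # seen once
        (now - 500,  "00:11:22:00:00:03", "gas station"),
        (now - 800,  "00:11:22:00:00:03", "gas station"),  # stays in one place
    ])
    return db, now

def windows_seen(db, now, windows=TIME_WINDOWS):
    """Map each MAC to the names of the time windows it was seen in."""
    seen, lower = {}, 0
    for name, upper in sorted(windows.items(), key=lambda kv: kv[1]):
        # Parameterized query: values are bound, never spliced into the SQL.
        rows = db.execute(
            "SELECT DISTINCT mac FROM sightings WHERE ts > ? AND ts <= ?",
            (now - upper * 60, now - lower * 60))
        for (mac,) in rows:
            seen.setdefault(mac, set()).add(name)
        lower = upper
    return seen

def places_seen(db):
    """Map each MAC to the distinct places it was seen at."""
    out = {}
    for mac, place in db.execute("SELECT DISTINCT mac, place FROM sightings"):
        out.setdefault(mac, set()).add(place)
    return out

def flag_followers(db, now, min_windows=3, min_places=2):
    """MACs persistent over time AND seen at several places (example thresholds)."""
    w, p = windows_seen(db, now), places_seen(db)
    return sorted(m for m in w
                  if len(w[m]) >= min_windows and len(p[m]) >= min_places)

if __name__ == "__main__":
    db, now = build_sample_db()
    print(flag_followers(db, now))
```

Devices that randomize their MAC address between probe requests show up as several unrelated entries, so a MAC-only check like this one undercounts them.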





Persistence Scoring





Each device receives a threat score (0-1.0):






  • 0.0-0.3: Background noise, likely benign




  • 0.4-0.6: Possible coincidence, worth monitoring




  • 0.7-0.8: High probability of surveillance




  • 0.9-1.0: Active surveillance confirmed





Summary





In this tutorial, we covered the complete deployment of “Chasing Your Tail” – from hardware selection and security-hardened installation to operational deployment and professional intelligence analysis for detecting physical surveillance.





“Chasing Your Tail” is a big step forward in personal counter-surveillance. It uses common hardware and open-source software to give people powerful tools that used to require lots of training and expensive gear.





With features like real-time monitoring, GPS tracking, smart analysis, and clear visual displays, it helps users stay aware in risky situations.








Source: HackersArise
Source Link: https://hackers-arise.com/physical-surveillance-detection-using-chasing-your-tail-to-know-if-youre-being-followed/





Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.