Packet Sniffing in the Subway

What I learned from a week of sniffing packets and lurking around Wi-Fi access points in New York subway stations.

Photo by @taraadiseshan

While I was waiting on the Fulton C subway platform one afternoon, I was surprised to get a text. Underground. Surrounded by metal and concrete — materials through which texts do not usually travel. I checked my phone’s Wi-Fi settings and saw that I could connect to the internet too, via an open network called TransitWirelessWiFi. I clicked it once and, since then, my phone automatically connects to that network every time it’s available.

Turns out that New York City has been installing Wi-Fi and cell service in its subway stations since 2013.

I wanted to know why. For many people, the answer is a given: “Wi-Fi access everywhere” needs no explanation or justification. But that doesn’t let us ask some of the most interesting questions about subway Wi-Fi: What material infrastructure supports this network? Why does it make financial sense for anyone to build? And how does it shapes the lives of humans who come into contact with it?

Starting with the network name, I learned that Transit Wireless (TW) is a subsidiary of an Australian company that also installed subway Wi-Fi infrastructure in Hong Kong and Toronto. In 2010, they won a 25-year contract with New York’s MTA to install 7,000 Wi-Fi hot spots across every subway station in all five boroughs. Financially and materially, this means that Transit Wireless put up $220 million to install 350 RF nodes and 120 miles of fiber optic cable. All those cables carry data back to huge carrier hotels, which TW shares with mobile carriers like AT&T, Verizon, and Sprint. A 2015 audit goes into greater detail:

“TW installs equipment and antennas at each underground station to provide cellular and Wi-Fi coverage throughout public areas. The in-station equipment and antennas are linked by fiber optic cables to TW trunk fiber optic cables, which run through the streets and connect back to a base station hotel (hub) that houses the head-end equipment for TW, the cellular carriers, Wi-Fi providers, and New York City Transit (“NYCT”).”

They plan to make back their investment over 10 years, at which point they’ll split revenues with the MTA. Revenues from what? Wireless carriers like Verizon and “other sub-licensees of the network” pay rent for using the network to provide their customers with service in the subway. TW’s wireless service also offers advertisers “a means for rich content delivery.”

Screen shot from

“Content” is a marketing word for humans; what we know as digital content is actually made up of bits of data. And data is “delivered” in packets, by machines. Every website we visit, video we stream, and game we play on our phones involves the exchange of tens of thousands of data packets between our device and the web servers we access. With wired internet, packets travel along physical cables. With Wi-Fi, packets travel through the air, and it’s possible to learn about them by “sniffing” or logging them.

So every day for a week, I’d hop off the C at the Fulton Street station, run a packet sniffing application called NSHeyyy, and log metadata about the packets traveling through the air around me.

Anatomy of a Packet

Each line of text in the log represents information about a specific packet. It tells us about the device that sent the packet and the networks involved.

I sorted the MAC addresses in the logs to find the most frequently occurring manufacturer. Then, I ran that MAC address through Wireshark’s OUI Lookup Tool and came up with Zebra Technologies. Zebra is a logistics company. They make products like trackable wristbands for hospitals, “personnel visibility solutions,” and the wireless access points installed throughout New York’s subway stations.

From a Zebra Technologies marketing video

Zebra provides two pieces of equipment — Wi-Fi access points and a central controller — that bridge the gap between physical infrastructure and “digital intelligence.” From a case study of their partnership with Transit Wireless:

“The AP 7161 access points are installed in the subway system where they provide riders with high-speed Wi-Fi access. The access points are remotely controlled by the NX 9500 controller that is located in a Transit Wireless data center, which controls a grouping of stations. Since the AP 7161 supports cellular data offloading, in the future, the Zebra Wi-Fi network can be utilized to provide passengers with a seamless connection to their cellular services, even if they are deep in subway tunnels”

If You Were an Access Point, Where Would You Go?

I found the answer one morning in the voices of five burly, yellow-vested technicians who work for a company called VComm. They were rolling their equipment to different points of the Franklin C station as I lurked nearby.

Eventually, one of them volunteered: “Testing RF signal strength. Sometimes the lights and all the metal around here interfere with the service.”

Above their testing area, an orange dot was sprayed on the ceiling. I started looking for orange dots in other stations and always found them (or bad paint jobs meant to conceal them) above access points.

A picture was filling out: Transit Wireless won a contract with the MTA based on their parent company’s experience with other large subway Wi-Fi projects. TW financed the infrastructure and put together a team of technical vendors like Zebra Technologies and VComm to install and test network hardware. They make money through advertising and charging network rent to wireless carriers.

These relationships—which represent hundreds of millions of dollars, data bits, and human labor-hours—are just the tip of an immense infrastructural iceberg that also includes other public-private partnerships, “neutral hosts”, and interconnect agreements; that take place within a context of conversations about big data, surveillance, privacy, and Smart Cities.

I haven’t even touched on carrier hotels (check out Peter Garritano’s photos) or Ingrid Burrington’s internet infrastructure field guide.

And there was that one guy who filed a patent for converting New York’s old pneumatic tubes into fiber optic cable casing. What ever happened to him?

Subway stations with (green) and without (red) Wi-Fi, as of February 2016

Thanks to Surya Mattu and Kyle McDonald for guidance on this project.