Tracking and recovering a stolen iphone

A few months ago, a friend of mine lost his iPhone in a movie theater.  He noticed it was missing when he got home. At least he thought it was lost, until he noticed that someone was reading and deleting his emails.  It seemed that the iPhone was found by someone, and that someone was using the iPhone.

He contacted AT&T for assistance. It should have been a pretty easy recovery. The iPhone, when turned on, must register on to the AT&T cellular network with its unique Electronic Serial Number (ESN) and Mobile Identification Number (MIN).  AT&T should easily be able to find the cell tower covering the cell phone, right?

Well, technically AT&T can do that, but as a matter of policy, they don’t release this information without a subpoena. And that would need to come from the police.

Were there other options? Well, AT&T offered to turn off the service to the stolen iPhone and (for a fee) send him a new one. An offer that he took since he wanted to get into the mobile world.

Then, as luck would have it, the thief tried a test application on the iPhone call AirGraffiti. This app logs the GPS coordinates of the cell phone.

Here is a map showing some of the GPS coordinates reported for the cell phone.

  Keep in mind that iPhones are both 3G and WiFi capable. So, when AT&T had turned off the stolen phone’s service, the thief just started using the WiFi service.

GPS map view

There were a couple of challenges in this case. Since the phone was stolen, the thief had no expectation of privacy. However, everyone else in the neighborhood still did! So, we needed to be able to search for the stolen phone only. Next, we wanted to make sure that we were passively listening, we did not want to generate traffic and try to cause the iPhone to respond. And we did not want to listen to content. We only wanted to look for the MAC address of the cell phone.  The MAC addresses should be unique for each iPhone, and it is difficult to spoof the MAC address can be of an iPhone. These restrictions ruled out tools such as wireshark, netstumbler and kismet.

My company builds AP-Finder, software that can track the location of WiFi devices. Since the owner had the MAC address for the iPhone, all I needed to do was run AP-Finder. I searched for the iPhone’s MAC address and drove through the area reported by the GPS coordinates. Sure enough, I got a hit!

Using the results of this search, I contact the State Police and told them about the case and what I had. They came out to do the search using AP-Finder, and sure enough they also got a hit. Using the signal strength feature of AP-Finder, we were able to locate the house containing the cell phone. (Below is a sample of the AP-Finder’s search by MAC feature.

This technique has promise, but there is still more to do…



  The end result. The cell phone was recovered and the thief was charged with fourth degree theft, and third degree computer crime violations. All of this was done without issuing a subpoena to the cell phone carrier or ISP for information.


12 thoughts on “Tracking and recovering a stolen iphone

  1. hello, my neighbor stole my iphone, and is logging in with my phone into my home wireless connection. my wireless router is on auto learn so i know when my phone comes on, can you please help me?

    1. Hello,
      If you can, please look at your wireless router and see if you can find your phone’s MAC address. That MAC address is a usually a number that looks like this: 0d:00:00:aa:bb:13.
      That MAC address is the unique identifer for your phone’s wireless card. If you can get that, you can track your phone.

  2. Steven, this is great information. Thank you.

    My iPhone was stolen recently but I never made note of the MAC. Neither my carrier nor Apple want to give me that info (I only have the serial number). The carrier may not have the info but I would assume Apple definitely does. Any suggestions on how to get it? I’ve filed a police report, and my next step would be to try to get a subpoena if at all possible. It’s the principle now more than the financial cost of the phone.

    1. if you have the original packaging then there should be all of the information printed with barcode…including the mac address.

  3. hi. my iphone was recently stolen at school library. I was wondering if you could help me by running the mac address through your software. thanks!

  4. Hi,
    My iphone 6s was stolen last week 7 days after I bought it! I was looking online if it is there any chance of tracking it since “find my iphone” just says “the device is offline”.
    I do have the MAC number! How can I try to trace it?
    Thanks a lot!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s