Is looking for Wi-Fi access points purely passive?

No, looking for 802.11 APs is primarily active. When you bring up a list of visible APs in the area, your 802.11 client most likely does what's known as an "active scan", where it tunes its radio to each supported channel in turn, transmits a Probe Request frame, and waits perhaps 20-40ms to gather Probe Response frames from any APs on that channel before moving on to the next channel. This allows it to scan all the channels much faster than a "passive scan".

A "passive scan" is possible, but isn't used very often because it takes longer. To do a passive scan, the client tunes to each channel in turn, and waits a typical Beacon Interval (usually about 100ms, but could be more) to gather Beacons.

Some channels in 5GHz in some regulatory regions require that you scan passively first, until you know that the channel is not in use by nearby radar installations. But most clients, as soon as they see a Beacon on a passive-scan channel, will switch to an active scan to speed up the process.

If your client device is on, and hasn't given up looking for your recently-joined/preferred/remembered networks, it will almost certainly be broadcasting Probe Requests which give away not only your wireless MAC address and some of the capabilities of your card, but often also the name of the network it's looking for. This is necessary in case the network is a "hidden" (a.k.a. "non-broadcast SSID", a.k.a. "closed") network.

It's pretty trivial to learn people's wireless client MAC addresses and also the names of their home and work networks just by hanging out at the office or a coffee shop or airport terminal with an 802.11 monitor mode packet sniffer, recording Probe Requests.
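As an added illustration of what this answer describes (not code from the original post), the following Python parser decodes 802.11 Probe Request frames and reports which clients name a network in their probes, which is the check you would run against your own devices to see what they disclose. The frame bytes, client MAC address and SSID below are constructed sample values, not captured traffic.

```python
# Added example: decode 802.11 Probe Requests to show what each probe discloses
# (source MAC, plus the SSID for directed probes). Layout per IEEE 802.11 management frames.

PROBE_REQUEST = (0, 4)  # (type, subtype): management frame, Probe Request

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_probe_request(frame: bytes):
    """Return (client_mac, ssid) for a Probe Request, else None.
    ssid is "" for a wildcard probe (empty SSID element, only the MAC is revealed)
    and None if the SSID element is missing or truncated."""
    if len(frame) < 24:  # 24-byte MAC header: FC, duration, 3 addresses, seq ctrl
        return None
    fc = frame[0]
    if ((fc >> 2) & 0x3, (fc >> 4) & 0xF) != PROBE_REQUEST:
        return None
    client_mac = _mac(frame[10:16])  # Address 2 = transmitter (the scanning client)
    body, pos, ssid = frame[24:], 0, None
    while pos + 2 <= len(body):  # walk the tagged information elements
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2 : pos + 2 + length]
        if len(value) < length:  # truncated element: stop instead of reading garbage
            break
        if tag == 0:  # Element ID 0 = SSID
            ssid = value.decode("utf-8", errors="replace")
            break
        pos += 2 + length
    return client_mac, ssid

def leaked_ssids(frames):
    """Map client MAC -> set of network names it named in directed probes."""
    leaks = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1]:  # only directed (non-wildcard) probes disclose an SSID
            leaks.setdefault(parsed[0], set()).add(parsed[1])
    return leaks

# Constructed sample frames (not captured traffic); 02:... is a locally administered MAC.
_HDR = b"\x00\x00" + b"\xff" * 6 + bytes.fromhex("021122334455") + b"\xff" * 6 + b"\x10\x00"
_RATES = b"\x01\x04\x82\x84\x8b\x96"  # Supported Rates element: 1, 2, 5.5, 11 Mbps
DIRECTED_PROBE = b"\x40\x00" + _HDR + b"\x00\x08HomeWiFi" + _RATES
WILDCARD_PROBE = b"\x40\x00" + _HDR + b"\x00\x00" + _RATES
BEACON = b"\x80\x00" + _HDR + b"\x00" * 12 + b"\x00\x08HomeWiFi"  # AP-side frame, ignored

if __name__ == "__main__":
    print(leaked_ssids([DIRECTED_PROBE, WILDCARD_PROBE, BEACON]))  # {'02:11:22:33:44:55': {'HomeWiFi'}}
```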


There is a system called Jasager that detects WiFi probes that most clients shout out ("Hello, is linksys there", etc), pretends to be it, lets them automatically connect as if they are 'at home', with that lovely 'public' networking option Windows now has.

Lo and behold, all their public fileshares, web traffic (and there are extensions for it that let you MITM attack SSL sessions) and anything else you can think of.

Enjoy and don't get caught.


This recent paper presented at the Internet Measurement Conference 2013 might be interesting to you:

Signals from the Crowd: Uncovering Social Relationships through Smartphone Probes

Abstract:

The ever increasing ubiquitousness of WiFi access points, coupled with the diffusion of smartphones, suggest that Internet every time and everywhere will soon (if not already has) become a reality. Even in presence of 3G connectivity, our devices are built to switch automatically to WiFi networks so to improve user experience. Most of the times, this is achieved by recurrently broadcasting automatic connectivity requests (known as Probe Requests) to known access points (APs), like, e.g., “Home WiFi”, “Campus WiFi”, and so on. In a large gathering of people, the number of these probes can be very high. This scenario raises a natural question: “Can significant information on the social structure of a large crowd and on its socioeconomic status be inferred by looking at smartphone probes?”.

In this work we give a positive answer to this question. We organized a 3-month-long campaign, through which we collected around 11M probes sent by more than 160K different devices. During the campaign we targeted national and international events that attracted large crowds as well as other gatherings of people. Then, we present a simple and automatic methodology to build the underlying social graph of the smartphone users, starting from their probes. We do so for each of our target events, and find that they all feature social-network properties. In addition, we show that, by looking at the probes in an event, we can learn important sociological aspects of its participants: language, vendor adoption, and so on.