Mathy Vanhoef
ABSTRACT
We present several novel techniques to track (unassociated) mobile devices by abusing features of the Wi-Fi standard. This shows that using random MAC addresses, on its own, does not guarantee privacy. First, we show that information elements in probe requests can be used to fingerprint devices. We then combine these fingerprints with incremental sequence numbers, to create a tracking algorithm that does not rely on unique identifiers such as MAC addresses. Based on real-world datasets, we demonstrate that our algorithm can correctly track as much as 50% of devices for at least 20 minutes. We also show that commodity Wi-Fi devices use predictable scrambler seeds. These can be used to improve the performance of our tracking algorithm. Finally, we present two attacks that reveal the real MAC address of a device, even if MAC address randomization is used. In the first one, we create fake hotspots to induce clients to connect using their real MAC address. The second technique relies on the new 802.11u standard, commonly referred to as Hotspot 2.0, where we show that Linux and Windows send Access Network Query Protocol (ANQP) requests using their real MAC address.
- Tails - privacy for anyone anywhere. Retrieved from https://tails.boum.org.Google Scholar
- Android 6.0 changes. Retrieved from https://developer.android.com/about/versions/marshmallow/android-6.0-changes.html, 2015.Google Scholar
- O. Abukmail. Wifi Mac Changer. Retrieved from https://play.google.com/store/apps/details?id=com.wireless.macchanger.Google Scholar
- M. V. Barbera, A. Epasto, A. Mei, S. Kosta, V. C. Perta, and J. Stefa. CRAWDAD dataset sapienza/probe-requests (v. 2013-09--10). Retrieved 10 November, 2015, from, http://crawdad.org/sapienza/probe-requests/20130910, Sept. 2013.Google Scholar
- B. Bloessl, M. Segata, C. Sommer, and F. Dressler. An IEEE 802.11 a/g/p OFDM receiver for GNU radio. In SRIF Workshop, 2013. Google ScholarDigital Library
- B. Bloessl, C. Sommer, F. Dressler, and D. Eckhoff. The scrambler attack: A robust physical layer attack on location privacy in vehicular networks. In ICNC, 2015.Google ScholarCross Ref
- V. Brik, S. Banerjee, M. Gruteser, and S. Oh. Wireless device identification with radiometric signatures. In MobiCom, 2008. Google ScholarDigital Library
- P. O. Carlos J. Bernardos, Juan Carlos Zúniga. Wi-Fi internet connectivity and privacy: hiding your tracks on the wireless internet. In IEEE CSCN, 2015.Google ScholarCross Ref
- Chainfire. Pry-Fi. Retrieved from https://play.google.com/store/apps/details?id=eu.chainfire.pryfi.Google Scholar
- M. Cristea and B. Groza. Fingerprinting smartphones remotely via ICMP timestamps. Communications Letters, IEEE, 17(6):1081--1083, 2013.Google Scholar
- D. A. Dai Zovi, S. Macaulay, et al. Attacking automatic wireless network selection. In Proc. of the Sixth Annual SMC Inf. Assurance Workshop, 2005.Google ScholarCross Ref
- B. Danev, D. Zanetti, and S. Capkun. On physical-layer identification of wireless devices. ACM Computing Surveys (CSUR), 45(1):6, 2012. Google ScholarDigital Library
- C. Daniel and W. Glenn. Snoopy: Distributed tracking and profiling framework. In 44Con 2012, 2012.Google Scholar
- L. Demir, M. Cunche, and C. Lauradoux. Analysing the privacy policies of Wi-Fi trackers. In Proc. of the 2014 workshop on physical analytics, 2014. Google ScholarDigital Library
- L. C. C. Desmond, C. C. Yuan, T. C. Pheng, and R. S. Lee. Identifying unique devices through wireless fingerprinting. In WiSec, 2008. Google ScholarDigital Library
- P. Eckersley. How unique is your web browser? In Privacy Enhancing Technologies, 2010. Google ScholarDigital Library
- J. Franklin, D. McCoy, P. Tabriz, V. Neagoe, J. V. Randwyk, and D. Sicker. Passive data link layer 802.11 wireless device driver fingerprinting. In USENIX Security, 2006. Google ScholarDigital Library
- J. Freudiger. How talkative is your mobile device? An experimental study of Wi-Fi probe requests. In WiSec, 2015. Google ScholarDigital Library
- B. Gellman and A. Soltani. NSA tracking cellphone locations worldwide, Snowden documents show. The Washington Post, 2013.Google Scholar
- M. X. Gong, B. Hart, L. Xia, and R. Want. Channel bounding and MAC protection mechanisms for 802.11ac. In GLOBECOM, 2011.Google ScholarCross Ref
- F. Gont. A method for generating semantically opaque interface identifiers with ipv6 stateless address autoconfiguration (slaac). RFC 7217, 2014.Google Scholar
- D. Goodin. No, this isn't a scene from minority report. This trash can is stalking you. Ars Technica, 2013.Google Scholar
- B. Greenstein, R. Gummadi, J. Pang, M. Y. Chen, T. Kohno, S. Seshan, and D. Wetherall. Can Ferris Bueller still have his day off? protecting privacy in the wireless era. In USENIX HotOS, 2007. Google ScholarDigital Library
- E. Grumbach. iwlwifi: mvm: support random MAC address for scanning. Linux committexttteffd05ac479b.Google Scholar
- M. Gruteser and D. Grunwald. Enhancing location privacy in wireless LAN through disposable interface identifiers: A quantitative analysis. Mobile Networks and Applications, 10(3):315--325, 2005. Google ScholarDigital Library
- F. Guo and T. Chiueh. Sequence number-based MAC address spoof detection. In RAID, 2006. Google ScholarDigital Library
- C. Huitema. Experience with MAC address randomization in Windows 10. In 93th Internet Engineering Task Force Meeting (IETF), July 2015.Google Scholar
- C. Huitema. Personal communication, Nov. 2015.Google Scholar
- M. Humbert, M. H. Manshaei, J. Freudiger, and J.-P. Hubaux. Tracking games in mobile networks. In Conf. on Decision and Game Theory for Security, 2010. Google ScholarDigital Library
- N. Husted and S. Myers. Mobile location tracking in metro areas: Malnets and others. In CCS, 2010. Google ScholarDigital Library
- IEEE Std 802.11--2012. Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, 2012.Google Scholar
- IEEE Std 802.11u. Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications: Amendment 9: Interworking with External Networks, 2011.Google Scholar
- S. Jana and S. K. Kasera. On fast and accurate detection of unauthorized wireless access points using clock skews. In MobiCom, 2008. Google ScholarDigital Library
- P. Leach, M. Mealling, and R. Salz. A universally unique identifier (UUID) URN namespace. RFC 4122 (Proposed Standard), July 2005.Google Scholar
- J. Lindqvist, T. Aura, G. Danezis, T. Koponen, A. Myllyniemi, J. Maki, and M. Roe. Privacy-preserving 802.11 access-point discovery. In WiSec, 2009. Google ScholarDigital Library
- B. Misra. iOS 8 MAC randomization -- analyzed! http://blog.airtightnetworks.com/ios8-mac-randomization-analyzed/.Google Scholar
- A. B. M. Musa and J. Eriksson. Tracking unmodified smartphones using Wi-Fi monitors. In SenSys, 2012. Google ScholarDigital Library
- B. O'Connor. CreepyDOL: Cheap, distributed stalking. In BlackHat, 2013.Google Scholar
- J. Pang, B. Greenstein, R. Gummadi, S. Seshan, and D. Wetherall. 802.11 user fingerprinting. In MobiCom, 2007. Google ScholarDigital Library
- J. Pang, B. Greenstein, S. Seshan, and D. Wetherall. Tryst: The case for confidential service discovery. In HotNets, 2007.Google Scholar
- J. Scahill and G. Greenwald. The NSA's secret role in the U.S. assassination program. The Intercept, 2014.Google Scholar
- K. Skinner and J. Novak. Privacy and your app. In Apple Worldwide Dev. Conf. (WWDC), June 2015.Google Scholar
- T. Stöber, M. Frank, J. Schmitt, and I. Martinovic. Who do you sync you are?: smartphone fingerprinting via application behaviour. In WiSec, 2013.Google ScholarDigital Library
- L. Wang and C. Tellambura. An overview of peak-to-average power ratio reduction techniques for OFDM systems. In IEEE ISSPIT, 2006.Google ScholarCross Ref
- W. Wang. Wireless networking in Windows 10. In Windows Hardware Engineering Community conference (WinHEC), Mar. 2015.Google Scholar
- Wi-Fi Alliance. Hotspot 2.0 (Release 2) Technical Specification v1.1.0, 2010.Google Scholar
- Wi-Fi Alliance. Wi-Fi Simple Configuration Protocol and Usability Best Practices for the Wi-Fi Protected Setup Program, v2.0.1, April 2011.Google Scholar
Index Terms
- Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms
Recommendations
Defeating MAC Address Randomization Through Timing Attacks
WiSec '16: Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile NetworksMAC address randomization is a common privacy protection measure deployed in major operating systems today. It is used to prevent user-tracking with probe requests that are transmitted during IEEE 802.11 network scans. We present an attack to defeat MAC ...
RoMA: rotating MAC address for privacy protection
SIGCOMM '22: Proceedings of the SIGCOMM '22 Poster and Demo SessionsMAC addresses can be collected by passive observers to track Wi-Fi users. While address randomization neutralizes this threat for devices not yet associated, the problem remains for devices being associated with a WLAN. In this paper, we introduce RoMA, ...
Defending wi-fi network discovery from time correlation tracking
MobiSys '22: Proceedings of the 20th Annual International Conference on Mobile Systems, Applications and ServicesTo prevent tracking a Wi-Fi device based on its MAC address, several operating systems have adopted MAC address randomization to conceal its factory-assigned address. This feature benefits users when their devices scan for networks, but a flaw arises ...
Comments