WiFi probing exposes smartphone users to tracking, info leaks
"Researchers at the University of Hamburg in Germany have conducted a field experiment capturing hundreds of thousands of passersby's WiFi connection probe requests to determine the type of data transmitted without the device owners realizing it.
WiFi probing is a standard process, part of the bilateral communication required between a smartphone and an access point (modem/router) to establish a connection.
By default, and for reasons of usability, most smartphones search for available WiFi networks all the time, and connect to them if trusted.
> NOTE: Many stores already use WiFi probing to track their customers' position and movement. Because this tracking only uses anonymized MAC addresses in the probe, it is considered GDPR compliant.
The researchers decided to analyze those probes to see what else they might contain, and in 23.2% of the cases, they found that the requests broadcast SSIDs of networks those devices connected to in the past.
Experiment findings
The experiment occurred in November 2021 in a busy pedestrian zone in the center of a German city. The team used six antennae to capture probes in various channels and spectrums.
They recorded all broadcasted WiFi connection problems for three hours, capturing a total of 252,242 probe requests, 46.4% in the 2.4GHz spectrum and 53.6% in 5GHz.
In just three hours, the researchers had 58,489 SSIDs from random passersby, which, in many cases, contained numeric strings with 16 or more digits that were likely "initial passwords" of popular German home routers from FritzBox or Telekom.
"Leaking passwords in SSIDs is especially critical if, along with the password, the device also broadcasts the true SSID either correctly or with a mistype that can be used to infer the true SSID," explain the researchers in the technical paper.
"The assumption that the sniffed passwords correspond to SSIDs that were also transmitted could additionally be verified by setting up fake access points on the fly using the potential credentials we observed."
In other subsets of the captured SSIDs, the researchers found strings corresponding to store WiFi networks, 106 distinct names, three email addresses, and 92 holiday homes or accommodations previously added as trusty networks.
Some of these sensitive strings were broadcasted tens, hundreds, and in some cases, even thousands of times during the three hours of recording through repeated bursts of probing.
Tracking implications
Leaving aside the data exposure and the scenario of setting up malicious hotspots and accepting connections from nearby devices, the main implication here is persistent tracking.
The critical aspect on that front is MAC addresses randomization, which can act as a defense against tracking attempts. While it has come a long way in both Android and iOS to make device tracking harder, although not impossible.
Newer OS versions feature more randomization and less information in the probe requests, but when combined with dataset parameters like signal strength, sequence number, network capabilities, etc., fingerprinting individual devices might still be possible.
An overview of the privacy features of each OS version is given below.
NOTE that market share percentages reflect November 2021 figures.
Clearly, the more recent the OS version, the stronger the privacy-protection features, but the availability of newer versions doesn't mean instant adoption.
At the time of the field experiment, Android 8 and older versions accounted for roughly one out of four Android smartphones. In iOS, the situation is better due to Apple's tighter software update policies and long-term support, but many still use older iPhone models.
Previous studies have also reflected the improvement from gradual upgrades to more secure operating systems. For example, in a 2014 study, 46.7% of recorded probe requests contained SSIDs, and in two others conducted in 2016, the percentage ranged between 29.9% and 36.4%.
How to bolster your privacy
1 The first and simplest thing a smartphone user can do is upgrade their OS and use a more recent and safer version that features more privacy protections.
2 Secondly, removing SSIDs you no longer use or need and which are unnecessarily broadcasted wherever you go would be a good idea.
3 Thirdly, Android and iOS offer a quick way to disable auto-join networks, rendering hotspot attacks impossible.
4 Finally, users can completely silence probe requests, which can be done via advanced network settings. This approach, however, has several practical drawbacks, such as slower connection establishment, inability to discover hidden networks, and higher battery consumption."
Related Articles:
Real-time voice concealment algorithm blocks microphone spying
'Mute' button in conferencing apps may not actually mute your mic
Android June 2022 updates bring fix for critical RCE vulnerability
Ransomware gangs now give victims time to save their reputation
Apple blocked 1.6 millions apps from defrauding users in 2021
RELATED CONTENT
[Ok, taking a step back, you might be wondering what you can do to protect yourself. The solution is not without flaws; turn your Wi-Fi off when you aren’t connected to a known network. Doing so will prevent your device from leaking your network names and device fingerprint to the open world. The solution is awkward, easy to forget, and sub-par. But its what we’ve got.]
========================================================================
YOU MIGHT ENJOY THIS
ProbeKit and Beyond
Back in 2015, I worked with Branger_Briz to create ProbeKit, a critical software art project that addressed the probe request problem through a metaphor of butterfly collection. We developed an application that captured probing devices as unique, one-of-a-kind, butterflies. The software allowed the user to collect MAC addresses and network information from nearby devices as they wandered around the city on a “network data safari.” Once captured, you could inspect each butterfly’s “migration patterns” inferring information about where the device owner works, lives, and plays.
========================================================================
"All of the Wi-Fi devices you own are constantly broadcasting the name of every networks they’ve ever connected to. Turn them off.
You know how your phone automagically connects to any Wi-Fi network its seen before? Ever wondered how that works? It’s blatantly stupid. Whenever your phone’s Wi-Fi is turned on, but not connected to a network, it openly broadcasts the SSIDs (network names) of all previously-associated networks in an attempt to connect to one of them. These small packets, called probe requests, are publicly viewable by anyone in the area running trivially simple sniffing software, and you’d be surprised how unique your list of networks are.
What's worse, probe requests include a unique device fingerprint called a MAC address that can be used to specifically identify each device. So we’ve got a situation where:
- Each device openly broadcasts incredibly identifiable network name history (names like “Jenny’s iPhone”, “UChicago”, “my favorite coffee shop”, etc…).
- Included in those messages is a unique fingerprint that can be collected and used to track you in public.
- Collecting these probe requests is easy from a consumer laptop . . .
Has your phone ever prompted you to “Turn on Wi-Fi for better location accuracy?” This feature uses your phone’s wireless card to scan and upload nearby access points to leverage these proprietary datasets, collected en masse (without payment), to offer highly-accurate geolocation information that can be derived from these network fingerprints.
No comments:
Post a Comment