Privacy Leaks from Wi-Fi Probing

In an era in which smartphone use has increased exponentially, we investigate how much private information an adversary can extract by observing active service discovery in Wi-Fi, where a wireless station broadcasts the list of its preferred wireless networks without the user's consent or knowledge. This report describes a range of techniques that violate users' privacy by using the Wi-Fi fingerprints emitted by their devices. One of the main points of the report is relationship discovery, first implemented by Cunche et al., which explains how to infer relationships between users from their SSID sets. Other attacks can be mounted that reveal not only a social link between users but the actual path a device follows in real time.

Wi-Fi Probing Diagram

Figure 1.0 – Wireshark was used to capture the probe requests, which include MAC addresses and SSIDs in plain text.

During the last decade the number of portable Wi-Fi devices such as smartphones, tablets, and notebooks has increased dramatically. Nowadays, the majority of users constantly carry their mobile devices with them, not only at the workplace but also at home. For these reasons, Wi-Fi has become the preferred way to provide internet access for medium-range connectivity. In this regard, many recent scientific papers have investigated how much information can be obtained from a user's interaction with a Wi-Fi network, particularly by observing the fields that are transmitted in plaintext, such as probe requests. In order to connect to a network, a mobile phone sends probe requests that contain the SSID names of previously associated networks. This mode is called Active Discovery Mode (ADM). Wi-Fi supports encryption and authentication standards (e.g. WPA2) to ensure that the data transmitted between a client and an Access Point are safe from eavesdroppers.

However, before the phase of credential exchange is reached there is the phase of Network Discovery, in which a Wi-Fi enabled client discovers and contacts the AP for the first time. In this phase several messages are exchanged between the two parties (e.g. network discovery probe requests) that are necessarily transmitted in plaintext. These packets (also called frames) include in their headers, among other things, the Media Access Control (MAC) address of the Wi-Fi enabled device. This address serves as a unique identifier for that device. Based on these two features, the unique MAC identifier and the probes, it seems feasible to identify users with high probability. This enables the identification of a user by their device's MAC address. In practice, the device serves as an interface to reach the user behind it, and the MAC address of the device becomes a nickname for the user.

As a result, the user becomes vulnerable to what we would call fingerprinting attacks. Fingerprinting is defined as “the process by which a device, its driver or the OS a machine is running can be uniquely identified by its externally observable characteristics”. Therefore an adversary can extract information about someone's previous location history or even track them within close proximity.
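To make the exposure concrete, the following added example (not code from the report or its authors) parses a constructed, Wireshark-style text export of probe requests, rebuilds each MAC address's disclosed preferred-network list, and scores how strongly two devices' SSID sets overlap with the Jaccard index, the kind of similarity measure behind the relationship-discovery analysis described above. The capture lines, MAC addresses, SSIDs and the 0.5 threshold are all constructed for illustration.

```python
import re
from itertools import combinations

# Constructed sample mimicking a tshark/Wireshark text export of probe requests:
# "<time> <source MAC> <SSID>". An empty SSID is a wildcard (broadcast) probe.
SAMPLE_CAPTURE = """\
1.001 aa:bb:cc:00:00:01 HomeNet_12
1.013 aa:bb:cc:00:00:01 CoffeeShopFree
1.020 aa:bb:cc:00:00:01 UniversityWiFi
2.105 aa:bb:cc:00:00:02 HomeNet_12
2.120 aa:bb:cc:00:00:02 UniversityWiFi
2.140 aa:bb:cc:00:00:02 Airport_WiFi
3.300 aa:bb:cc:00:00:03 CoffeeShopFree
3.310 aa:bb:cc:00:00:03
3.320 aa:bb:cc:00:00:03 HotelGuest
"""

LINE_RE = re.compile(
    r"^(?P<t>\S+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s*(?P<ssid>.*)$", re.I
)


def parse_probe_log(text):
    """Return {mac: set(ssids)} from the capture text.

    Wildcard probes (empty SSID) disclose no preferred-network entry, so the
    device is recorded but no SSID is added for that line."""
    pnl = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers or malformed lines
        ssids = pnl.setdefault(m.group("mac").lower(), set())
        ssid = m.group("ssid").strip()
        if ssid:
            ssids.add(ssid)
    return pnl


def jaccard(a, b):
    """|A ∩ B| / |A ∪ B|; two devices that disclosed nothing are unrelated (0.0)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def ssid_exposure(pnl, threshold=0.5):
    """Per-device count of disclosed SSIDs, plus device pairs whose preferred
    network lists overlap at or above the threshold (the social-link signal)."""
    per_device = {mac: len(s) for mac, s in pnl.items()}
    links = []
    for m1, m2 in combinations(sorted(pnl), 2):
        sim = jaccard(pnl[m1], pnl[m2])
        if sim >= threshold:
            links.append((m1, m2, round(sim, 3)))
    return per_device, links
```

Running `ssid_exposure(parse_probe_log(SAMPLE_CAPTURE))` on the sample links the first two devices (they share two of four distinct SSIDs), while the third device, whose wildcard probe disclosed nothing extra, is linked to neither.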

The report outlines the most important attacks, including the following:

  1. Infer Social Link
    1. Location proximity
    2. Spatio-temporal co-occurrence probability
  2. Wi-Fi Tracking 
    1. Stalker Attack
    2. Beacon Replay Attack
  3. Estimating Smartphone Trajectories

* If you would like to read the full report, please click here: Privacy Leaks from Wi-Fi Probing

The following information security students contributed to this project:

  • Pejman Najafi
  • Andreas Georgiou
  • Dina Shachneva
  • Ioannis Vlavianos