Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms

@article{Vanhoef2016WhyMA,
  title={Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms},
  author={M. Vanhoef and C{\'e}lestin Matte and Mathieu Cunche and Leonardo Sampaio Cardoso and Frank Piessens},
  journal={Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security},
  year={2016}
}
We present several novel techniques to track (unassociated) mobile devices by abusing features of the Wi-Fi standard. [...] We then combine these fingerprints with incremental sequence numbers to create a tracking algorithm that does not rely on unique identifiers such as MAC addresses. Based on real-world datasets, we demonstrate that our algorithm can correctly track as many as 50% of devices for at least 20 minutes. We also show that commodity Wi-Fi devices use predictable scrambler seeds.
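The tracking step the abstract describes, as an added example that is not the paper's own code: each probe request is reduced to the ordered tuple of information elements it carries (the fingerprint) and its 12-bit 802.11 sequence number, and frames sent under different randomized MAC addresses are linked when the fingerprint matches and the counter continues within a small window. The capture, the fingerprint tuples and the thresholds `max_seq_gap` and `max_time_gap` are constructed assumptions, not values taken from the paper.

```python
"""Link probe requests sent under randomized MACs into per-device tracks.

Added example, not code from the paper: combines an information-element (IE)
fingerprint with 802.11 sequence-number continuity. Frames, fingerprints and
thresholds below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SEQ_MOD = 4096  # the 802.11 sequence number is a 12-bit counter that wraps


@dataclass
class ProbeRequest:
    ts: float              # capture timestamp in seconds
    src: str               # transmitter address, possibly randomized per scan
    seq: int               # sequence number from the MAC header
    ies: Tuple[str, ...]   # ordered IE tags/contents present in the frame


@dataclass
class Track:
    fingerprint: Tuple[str, ...]
    last_seq: int
    last_ts: float
    macs: List[str] = field(default_factory=list)


def seq_delta(prev: int, cur: int) -> int:
    """Forward distance from prev to cur on the wrapping 12-bit counter."""
    return (cur - prev) % SEQ_MOD


def link_probes(frames: List[ProbeRequest],
                max_seq_gap: int = 50,
                max_time_gap: float = 300.0) -> List[Track]:
    """Greedy tracker. A frame joins the track with the same IE fingerprint
    whose counter it continues (0 <= delta <= max_seq_gap) and that was last
    seen within max_time_gap seconds; the closest continuation wins. If no
    track fits, a new one is opened. Both thresholds are assumptions."""
    tracks: List[Track] = []
    for fr in sorted(frames, key=lambda f: f.ts):
        best: Optional[Track] = None
        best_d: Optional[int] = None
        for tr in tracks:
            if tr.fingerprint != fr.ies or fr.ts - tr.last_ts > max_time_gap:
                continue
            d = seq_delta(tr.last_seq, fr.seq)
            if d <= max_seq_gap and (best_d is None or d < best_d):
                best, best_d = tr, d
        if best is None:
            best = Track(fr.ies, fr.seq, fr.ts)
            tracks.append(best)
        best.last_seq, best.last_ts = fr.seq, fr.ts
        if fr.src not in best.macs:
            best.macs.append(fr.src)
    return tracks


def linked_mac_sets(frames: List[ProbeRequest]) -> List[List[str]]:
    """MAC addresses the tracker attributes to the same physical device."""
    return [tr.macs for tr in link_probes(frames)]


# Constructed capture (not real data): devices A and B share the same driver
# fingerprint FP_AB and rotate their MAC on every scan; A's counter wraps
# 4095 -> 0 between scans; device C differs in its IE set.
FP_AB = ("ssid", "rates", "ext-rates", "ht-cap", "vendor:0050f2-08")
FP_C = ("ssid", "rates", "ht-cap", "vendor:0017f2-0a")
SAMPLE = [
    ProbeRequest(0.0,   "da:a1:00:00:00:01", 4090, FP_AB),   # A, scan 1
    ProbeRequest(0.2,   "da:a1:00:00:00:01", 4091, FP_AB),
    ProbeRequest(5.0,   "ce:c3:00:00:00:01", 3000, FP_C),    # C, scan 1
    ProbeRequest(10.0,  "de:b2:00:00:00:01", 1200, FP_AB),   # B, scan 1
    ProbeRequest(60.0,  "da:a1:00:00:00:02", 4094, FP_AB),   # A, scan 2
    ProbeRequest(60.3,  "da:a1:00:00:00:02", 4095, FP_AB),
    ProbeRequest(65.0,  "ce:c3:00:00:00:02", 3007, FP_C),    # C, scan 2
    ProbeRequest(70.0,  "de:b2:00:00:00:02", 1210, FP_AB),   # B, scan 2
    ProbeRequest(120.0, "da:a1:00:00:00:03", 2,    FP_AB),   # A, after wrap
]

if __name__ == "__main__":
    for macs in linked_mac_sets(SAMPLE):
        print("same device:", ", ".join(macs))
```

The fingerprint alone cannot separate A from B (same driver, same IEs); the sequence counter does, because B's counter sits thousands of frames away from A's. The converse failure is the limitation behind the paper's 50% figure: two devices with an identical fingerprint whose counters happen to fall within the window would be merged into one track, and a device that stays silent longer than `max_time_gap` starts a new track.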


Defeating MAC Address Randomization Through Timing Attacks

An attack that defeats MAC address randomization by observing the timing of network scans with an off-the-shelf Wi-Fi interface: a signature built from the inter-frame arrival times of probe requests is used to group together frames that come from the same device even though they use distinct MAC addresses.
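The timing signature described in the summary above, as an added example that is not the cited paper's code: probe requests are split into scan bursts per MAC, each burst is reduced to the vector of delays between consecutive frames, and bursts whose delay vectors agree within a tolerance are attributed to the same device regardless of the MAC they used. The frames, the burst gap, the tolerance and the max-absolute-difference distance are constructed assumptions.

```python
"""Group probe-request bursts by their inter-frame timing signature.

Added example, not code from the cited paper. Frames, thresholds and the
distance metric are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Frame:
    ts: float   # arrival time in seconds
    src: str    # transmitter MAC of the probe request


def split_bursts(frames: List[Frame], burst_gap: float = 1.0) -> List[List[Frame]]:
    """A burst is a run of frames from one MAC with no gap larger than burst_gap.
    Bursts of different devices may interleave, so one open burst per MAC is kept."""
    bursts: List[List[Frame]] = []
    open_by_mac: Dict[str, List[Frame]] = {}
    for fr in sorted(frames, key=lambda f: f.ts):
        cur = open_by_mac.get(fr.src)
        if cur is not None and fr.ts - cur[-1].ts <= burst_gap:
            cur.append(fr)
        else:
            cur = [fr]
            bursts.append(cur)
            open_by_mac[fr.src] = cur
    return bursts


def timing_signature(burst: List[Frame]) -> Tuple[float, ...]:
    """Inter-frame delays inside a burst, rounded to milliseconds."""
    return tuple(round(b.ts - a.ts, 3) for a, b in zip(burst, burst[1:]))


def signature_distance(s1: Tuple[float, ...], s2: Tuple[float, ...]) -> float:
    """Max absolute delay difference; bursts of different length never match."""
    if len(s1) != len(s2):
        return float("inf")
    return max(abs(a - b) for a, b in zip(s1, s2))


def link_bursts(frames: List[Frame], burst_gap: float = 1.0,
                tolerance: float = 0.004) -> List[List[str]]:
    """Greedy clustering: a burst joins the first cluster whose reference
    signature is within tolerance, otherwise it founds a new cluster.
    Returns the MAC addresses attributed to each device."""
    clusters: List[Tuple[Tuple[float, ...], List[str]]] = []
    for burst in split_bursts(frames, burst_gap):
        if len(burst) < 2:
            continue  # a lone frame carries no inter-frame timing
        sig = timing_signature(burst)
        for ref_sig, macs in clusters:
            if signature_distance(ref_sig, sig) <= tolerance:
                if burst[0].src not in macs:
                    macs.append(burst[0].src)
                break
        else:
            clusters.append((sig, [burst[0].src]))
    return [macs for _, macs in clusters]


# Constructed capture (not real data): device X scans with a 4-frame burst
# (about 20, 21, 40 ms apart), device Y with a 5-frame burst (10, 10, 10, 60 ms),
# each under a fresh random MAC per scan; one stray single frame is also present.
SAMPLE = [
    Frame(0.000, "f2:aa:00:00:00:01"), Frame(0.020, "f2:aa:00:00:00:01"),
    Frame(0.041, "f2:aa:00:00:00:01"), Frame(0.081, "f2:aa:00:00:00:01"),
    Frame(15.000, "f6:bb:00:00:00:01"), Frame(15.010, "f6:bb:00:00:00:01"),
    Frame(15.020, "f6:bb:00:00:00:01"), Frame(15.030, "f6:bb:00:00:00:01"),
    Frame(15.090, "f6:bb:00:00:00:01"),
    Frame(30.000, "f2:aa:00:00:00:02"), Frame(30.021, "f2:aa:00:00:00:02"),
    Frame(30.042, "f2:aa:00:00:00:02"), Frame(30.081, "f2:aa:00:00:00:02"),
    Frame(45.000, "f6:bb:00:00:00:02"), Frame(45.011, "f6:bb:00:00:00:02"),
    Frame(45.021, "f6:bb:00:00:00:02"), Frame(45.031, "f6:bb:00:00:00:02"),
    Frame(45.090, "f6:bb:00:00:00:02"),
    Frame(60.000, "f2:aa:00:00:00:03"), Frame(60.019, "f2:aa:00:00:00:03"),
    Frame(60.041, "f2:aa:00:00:00:03"), Frame(60.080, "f2:aa:00:00:00:03"),
    Frame(100.000, "fa:cc:00:00:00:09"),   # single frame, no signature
]

if __name__ == "__main__":
    for macs in link_bursts(SAMPLE):
        print("same device:", ", ".join(macs))
```

The signature is independent of the MAC address and of the frame contents, which is why content-level defences (randomizing the address, stripping IEs) do not remove it; the tolerance has to absorb scheduling jitter in the sending device, and setting it too wide merges devices with similar scan patterns.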

A Study of MAC Address Randomization in Mobile Devices and When it Fails

This paper presents the first wide-scale study of MAC address randomization in the wild, including a detailed breakdown of different randomization techniques by operating system, manufacturer, and model of device.

Valkyrie: a generic framework for verifying privacy provisions in wireless networks

Valkyrie (Verification of Addresses LinKabilitY in address Randomization ImplemEntations) is a software tool that verifies that a given sequence of frames generated by a device does not compromise the address randomization scheme.

Wi-Fi Tracking: Fingerprinting Attacks and Counter-Measures. (Traçage Wi-Fi: Attaques par Prise d'Empreinte et Contre-Mesures)

It is shown that this mitigation (MAC address randomization), in its current state, is insufficient to prevent tracking, and two tools are presented: an experimental Wi-Fi tracking system for testing and public-awareness purposes, and a tool that estimates the uniqueness of a device from the content of its emitted signals even when the identifier is randomized.

Preventing Wi-Fi Privacy Leakage: A User Behavioral Similarity Approach

A novel privacy protection method is proposed in which users' preferred network lists (PNLs) are "blurred" by adding fake SSIDs generated with a collaborative filtering algorithm, so that nearby users' PNLs resemble each other.

Tracking Anonymized Bluetooth Devices

It is shown that identifying tokens can be extracted from the payload of advertising messages for tracking purposes, and an address-carryover algorithm is presented which exploits the asynchronous nature of payload and address changes to track a device beyond its address randomization.

Privacy issues in wireless networks, Every frame you send, they'll be watching you

A study of the privacy features of the two major wireless network standards, Wi-Fi and Bluetooth Low Energy, which focuses on address randomization mechanisms, a recently adopted anti-tracking measure, and identifies several issues related to implementations as well as to the standard specifications.

Quantifying the Information Leak in IEEE 802.11 Network Discovery

This paper quantifies the information leak present in the current network discovery protocol and introduces a way to measure the uniqueness of an entity based on the set of leaked SSIDs, showing how unique SSID names backfire against attempts to obfuscate user devices.

Five Years Later: How Effective Is the MAC Randomization in Practice? The No-at-All Attack

It is shown that the effectiveness of this solution, five years after it was first introduced, is insufficient to prevent Wi-Fi users from being tracked, and that the solution itself is not even widely used.

Know Thy Quality: Assessment of Device Detection by WiFi Signals

This paper assesses the challenges with probe request frames using a new data quality framework for device detection and presents alternative detection methods that do not rely on probes, including a recently publicized WiFi device detection technique and a new way of detecting devices associated with a third-party network using a feature of the 802.11 protocol.
...
