Set Up Wifi to Track Mac Addresses

This work is about wireless communications technologies embedded in portable devices, namely Wi-Fi, Bluetooth and GSM. Focusing on Wi-Fi, we study the privacy issues and potential missuses that can affect the owners of wireless-enabled portable devices. Wi-Fi enable-devices periodically broadcast in plain-text their unique identifier along with other sensitive information. As a consequence, their owners are vulnerable to a range of privacy breaches such as the tracking of their movement and inference of private information (Cunche et al. in Pervasive Mobile Comput, 2013; Greenstein in Proceedings of the 11th USENIX workshop on hot topics in operating systems, pp 10:1–10:6. USENIX Association, Berkeley, 2007). As serious as those information leakage can be, linking a device with an individual and its real world identity is not a straightforward task. Focusing on this problem, we present a set of attacks that allow an attacker to link a Wi-Fi device to its owner identity. We present two methods that, given an individual of interest, allow identifying the MAC address of its Wi-Fi enabled portable device. Those methods do not require a physical access to the device and can be performed remotely, reducing the risks of being noticed. Finally we present scenarios in which the knowledge of an individual MAC address could be used for mischief.

To read the full-text of this research,
you can request a copy directly from the author.

... For example, Yen et al. showed how several digital identities, such as IP, cookies and usernames, can be combined to track users' devices reliably on the web [64]. Cunche et al. demonstrated that the MAC addresses of Wi-Fi enabled devices can be abused to track device owners' locations [17]. ...

... However, few studies discuss the risk of information leakage from a compound channel. Intuitively, given a hidden camera contributing user's facial biometrics, the device IDs (e.g., phone MAC addresses [17]) captured by a co-located WiFi sniffer can be utilized as side information to complete its eavesdropping view. Similarly, a co-located hidden camera is also a side channel to the WiFi sniffer and can be maliciously used to augment its knowledge base. ...

... When sufficient information is collected, the attacker can use our presented approach for bilateral ID association. As visually or acoustically identifying a co-worker is easy for the adversary, such association builds a bridge for the attacker to figure out who owns which device and enables further attacks (e.g., online or physical tracking [13,17,31]). Outsider Threat. ...

Along with the benefits of Internet of Things (IoT) come potential privacy risks, since billions of the connected devices are granted permission to track information about their users and communicate it to other parties over the Internet. Of particular interest to the adversary is the user identity which constantly plays an important role in launching attacks. While the exposure of a certain type of physical biometrics or device identity is extensively studied, the compound effect of leakage from both sides remains unknown in multi-modal sensing environments. In this work, we explore the feasibility of the compound identity leakage across cyber-physical spaces and unveil that co-located smart device IDs (e.g., smartphone MAC addresses) and physical biometrics (e.g., facial/vocal samples) are side channels to each other. It is demonstrated that our method is robust to various observation noise in the wild and an attacker can comprehensively profile victims in multi-dimension with nearly zero analysis effort. Two real-world experiments on different biometrics and device IDs show that the presented approach can compromise more than 70\% of device IDs and harvests multiple biometric clusters with ~94% purity at the same time.

... Passive tracking methods usually use monitoring or capturing devices to capture Wi-Fi traffic. In [18], a method is proposed to associate an individual with his mobile device's MAC address. This method is implemented by changing locations, so the tracer is required to move with the target. ...

... The difficulty in establish this association is that a Wi-Fi may be connected to multiple mobile devices at the same time, which makes it difficult to obtain a one-to-one correspondence between the individual and the equipment directly. In order to solve this problem, we adopt the idea of the method proposed in [18], which identifies the holder of a mobile device by changing the monitoring locations. In this paper, we made a minor adjustment. ...

... Table 2 shows that we have successfully obtained the SSID of some Wi-Fi that the target mobile devices connected previously. The statistical result shows that the 'chan****' repeats most often in the connection history, and it indicates that the mobile devices whose number are 3, 4,7,9,10,12,15,16,18,19,20 have been to the location of the Wi-Fi called 'chan****'. Statistical results also show that the number of repetitions is obviously large in some places. ...

Fan Zhao
Wenqi Shi
Yong Gan
Xiangyang Luo

The modeling and analysis of target gangs' usual haunts plays a very important role in law enforcement and supervision. Existing localization and tracking schemes usually need to deploy a large number of monitoring devices or continue to move with the target, which lead to high cost. In this paper, a localization and tracking scheme based on big data of Wi-Fi locations is proposed. Firstly, the characteristic of the smart mobile device that continuously broadcasts probe request frames is used to obtain its MAC address and Wi-Fi connection history. Secondly, the service set identifier (SSID) in the Wi-Fi connection history of smart mobile devices held by the target gangs are queried from the Wi-Fi location database, and the target gangs' usual haunts are gained by statistical analysis. Lastly, monitoring devices are deployed in these places, and most of the target gangs' activity pattern are known with only a small number of monitoring devices. The results of the related experimental tests demonstrate the feasibility of the proposed scheme.

... If O would respond to every query and the match opportunity would span during the entire attack time uninterrupted, our work would be much simpler, as we would only have to manage the problem of building a good quality SSID dictionary and test every SSID from that list one by one. A similar approach has already been covered by many papers describing dictionary or brute force attempts on password cracking [19,26]. Since in our model the attacker does not actually know when that match opportunity period occurs (we assume the worst case scenario in our model with passive scan, as measured for iOS 10) and is subject to channel quality, it is necessary to create a model/algorithm that will allow the attacker to test every SSID at least once with as high probability as possible, within the match opportunity window. ...

... Linking a MAC address gathered from a Wi-Fi packet to an actual person (MAC de-anonymization) appears to be challenging. Reference [26] uses beacon reply attack and fakes user's known SSIDs to trigger his phone to connect, thus doing a MAC address matching. Beam me up, Scotty [37] has an interesting approach to Wi-Fi assisted geo location where they fake an AP from another location causing services like Twitter to display the fake location as the origin of a tweet. ...

... The attempt at actively faking an AP and thus revealing user's PNL has not been researched in detail, to the best of our knowledge. Active attacks on user's PNL have been mentioned in some previous work [19,26] where the authors are mounting fake APs containing user's known SSID in order Our work however was focused on optimizing the active attack, where we have shown that depending on scanning and idle periods of the Wi-Fi enabled device and the size of the opportunity window, it is possible to test dictionaries more than 10 times bigger in size. ...

User's location privacy concerns have been further raised by today's Wi-Fi technology omnipresence. Preferred Network Lists (PNLs) are a particularly interesting source of private location information, as devices are storing a list of previously used hotspots. Privacy implications of a disclosed PNL have been covered by numerous papers, mostly focusing on passive monitoring attacks. Nowadays, however, more and more devices no longer transmit their PNL in clear, thus mitigating passive attacks. Hidden PNLs are still vulnerable against active attacks whereby an attacker mounts a fake SSID hotspot set to one likely contained within targeted PNL. If the targeted device has this SSID in the corresponding PNL, it will automatically initiate a connection with the fake hotspot thus disclosing this information to the attacker. By iterating through different SSIDs (from a predefined dictionary) the attacker can eventually reveal a big part of the hidden PNL. Considering user mobility, executing active attacks usually has to be done within a short opportunity window, while targeting nontrivial SSIDs from user's PNL. The existing work on active attacks against hidden PNLs often neglects both of these challenges. In this paper we propose a simple mathematical model for analyzing active SSID dictionary attacks, allowing us to optimize the effectiveness of the attack under the above constraints (limited window of opportunity and targeting nontrivial SSIDs). Additionally, we showcase an example method for building an effective SSID dictionary using top-N recommender algorithm and validate our model through simulations and extensive real-life tests.

... We found that the KoalaSafe and Blocksi network devices append the child device's MAC address, firmware version number, and serial number into outgoing DNS requests. This can allow on-path attackers to track the child's web activities [18]. The HomeHalo device suffers from a similar problem: whenever a domain is requested by a user device inside its network, HomeHalo sends an HTTP request, including the child device's MAC address, to its backend server to identify the requested domain's category. ...

... 4.16 FamiSafe Android app gets full access to the child's YouTube account including rights to view, edit, delete the child's YouTube videos and playlists, and rate videos, post, edit/delete comments and captions.17 MobileFence initially setup by default to monitor both the child and parent devices.18 SecureTeen Android app uses a keylogger to record all social media activities on the child device.Figure 3: Tracking SDKs present in Android apps found through static analysis, see Sec. 5.7. ...

For parents of young children and adolescents, the digital age has introduced many new challenges, including excessive screen time, inappropriate online content, cyber predators, and cyberbullying. To address these challenges, many parents rely on numerous parental control solutions on different platforms, including parental control network devices (e.g., WiFi routers) and software applications on mobile devices and laptops. While these parental control solutions may help digital parenting, they may also introduce serious security and privacy risks to children and parents, due to their elevated privileges and having access to a significant amount of privacy-sensitive data. In this paper, we present an experimental framework for systematically evaluating security and privacy issues in parental control software and hardware solutions. Using the developed framework, we provide the first comprehensive study of parental control tools on multiple platforms including network devices, Windows applications, Chrome extensions and Android apps. Our analysis uncovers pervasive security and privacy issues that can lead to leakage of private information, and/or allow an adversary to fully control the parental control solution, and thereby may directly aid cyberbullying and cyber predators. CCS CONCEPTS • Security and privacy → Systems security.

... The admin of the Wi-Fi provider can easily detect essential data such as Media Access Control (MAC) frames [6]; this issue has been elaborated on [7][8]. Even though it has been proven in [7] [8], we still want to ensure and explore again that smartphones emit not only the MAC frames but also other relevant information. ...

... Based on the result, as captured in Fig. 2, we can conclude that the smartphone eventually broadcasts the packet request data. This result confirms the study which is conducted by [7][8]. The data contain some information in MAC frame data (MAC address) and Time stamp. ...

In this short paper, we prove that smartphones connected to Wi-Fi can be detected (scanned) easily with a Raspberry Pi help. According to the observation, the smartphone eventually broadcasts some packets of data containing MAC layers data. The period of broadcasting data depends on the smartphone's state (active scanning/sleep). Besides MAC layers data, we also detect/capture other parameters, i.e., wireless signature data transmitted by smartphone (RSSI) and Time-stamp. The RSSI value measured in this test has a range from –30 dBm to –80 dBm. The result proves that different smartphones give different RSSI values (each smartphone emits different power strength). The RSSI value has more significant changes in a short-range (in this test result, 1 to 10 meters) and less significant change in a long-distance (above 20 meters). MAC address, time-stamp, and RSSI scanned/captured successfully through Raspberry Pi from the smartphones can be used as a reference for various purposes/applications in future work, such as Wi-Fi scanning/tracking system.

... 1. wlan.sa fait référence à l'adresse source. 2. wlan.da ...

... De plus, les récentes mise à jour du Bluetooth ont aussi corrigé les problèmes sur les connexions sans autorisation et sur les mécanismes d'appariements dont les failles sont décrites dans [119-121].Ainsi, les attaques sur la découverte d'adresses MAC en mode découvrable, non découvrables et sur les services SDP ne sont désormais que d'une efficacité très limitée. Les performances présentées dans la section Tracking (sec.2.2.2) ne sont plus valides et leBluetooth ne peut plus être utilisé pour faire du suivi.La méthode basée sur les dérives d'horloges ne permet pas de discriminer parmi un grand nombre de périphériques et ne peut donc pas être utilisée pour faire du PT à large échelle.Le développement et l'utilisation d'une méthode de PT basée sur les informations qui peuvent être obtenues lorsque deux périphériques sont connectés a donc un intérêt tout particulier. ...

Taher Issoufaly

La récente émergence des smartphones et des objets connectés a révolutionné le mode de vie des utilisateurs. Ces dispositifs ubiquitaires et équipés de plusieurs interfaces sans fil de communication, sont rapidement devenus indispensables dans la vie quotidienne des utilisateurs avec une utilisation intensive. Les interfaces sans fil de ces objets connectés émettent périodiquement des informations, certaines sont spécifiques aux utilisateurs et permettent par effet de bord d'identifier et de suivre leur déplacements. Le suivi des utilisateurs via les informations fortuitement émises par leurs périphériques sans fil se nomme le Wireless Physical Tracking. Les possibilités offertes par le Wireless Physical Tracking ont suscité un fort intérêt. Plusieurs applications se sont développés et ont permis d'apporter de l'innovation dans plusieurs domaines. Des sociétés de marketing l'utilisent afin de proposer à leurs clients de la publicité ciblée en fonction de leurs parcours dans leur zone d'activité. À une échelle plus grande, les villes intelligentes, ou smart-cities analysent le mouvement des utilisateurs afin d'apporter des services pour le confort des habitants. Enfin, dans le domaine de la recherche, les réseaux Ad-Hoc mobiles et autres DTN nécessitent de s'intéresser à cette pratique car l'étude de la mobilité des utilisateurs représentent un élément clé pour améliorer les performances de ce type de réseau. Cependant, la collecte de ces informations sans le consentement des utilisateurs ou sans qu'elles soient correctement protégées représentent un risque réel pour leur vie privée. C'est autour de ce contexte que s'articule cette thèse divisée en deux parties. La première présente les technologies PAN et WAN, l'état de l'art des méthodes de Wireless Physical Tracking et les contre mesures adoptés. La deuxième partie présentent les contributions de la thèse qui visent à proposer de nouvelles méthodes de suivi, analyser les performances de celles-ci face aux méthodes existantes et dans le cas particulier de l'application de crowd-localisation, à proposer des méthodes de suivi respectueuse de la vie privée.

... Numerous companies, institutions, universities, and education centers utilize WPA2-Enterprise networks, where wireless devices establish a secure connection to a Wi-Fi network following the IEEE 802.1X standard based on portisolation functionality. In the era of smartphone devices, user privacy has become increasingly important, and many papers discuss this problem within the context of Wi-Fi-enabled devices [1][2][3][4]. With the spread of recent COVID-19, it is especially essential to minimize any privacy and security risks for individuals, protecting their civil liberties [5,6]. ...

... e problem of user privacy is not limited to stealing user's login credentials and can be divided into categories [7]: identity privacy, location privacy, financial privacy, social privacy, and personal privacy. Device deanonymization, in which an adversary recognizes the device and simultaneously links it to the owner, can have some serious privacy implications [1]. In this paper, an attack is presented, where the adversary exploits the vulnerability of the most widely used WPA2-Enterprise network today, Eduroam, to compromise the user's personal, location, and identity privacy. ...

A plethora of organizations, companies, and foremost universities and educational institutions are using WPA2-Enterprise protocol to allow their end-users to connect to provided Wi-Fi networks. When both the provider's and the end-user's devices are configured properly, it is considered one of the safest Wi-Fi connection protocols with the added benefits of having a unique password for every Wi-Fi user. However, a known evil twin attack can be performed to steal users' Wi-Fi login credentials, if the devices are not configured correctly. Considering the widespread use of Wi-Fi-enabled smartphones and rising concerns regarding users' privacy, we focus on the privacy aspects of WPA2-Enterprise vulnerabilities mainly on the widespread Eduroam network. We show that device deanonymization is a concerning liability of many Eduroam networks. More than 87% of 1650 devices collected during a two-month test on our university are vulnerable to MAC address deanonymization attack. Furthermore, by analyzing the Eduroam Configuration Assistant Tool of 1066 different institutions around the world, 67% of exported Eduroam profiles having the Wi-Fi device reveal the user's identity in the clear, thus linking the users with the device's MAC address. Indeed, the analysis of the configuration profiles has been confirmed by performing the deanonymization attack on a large-scale international music festival in our country, where 70% of the devices have been vulnerable. Additionally, we showcase the psychological aspects of secure Eduroam users, where some are willing to modify secure configuration profiles to gain aspects to certain blocked features. As a result, the attacker is granted with user credentials and IMSI number and provided with access to all Eduroam-related services.

... Contained in each frame is the client's source MAC address; this 48-bit value uniquely identifies the client seeking network service to access points that provide it. Unfortunately, this also provides adversaries a unique identifier to track users [20,24,30,48,50]. To address the privacy concerns inherent in the use of the MAC address assigned by the device manufacturer (a globally unique MAC address), manufacturers have shifted to broadcasting ephemeral, random MAC addresses while the device is in an unassociated state; unfortunately, MAC address randomization in 802.11 can often be defeated [47,64]. ...

... Significant previous work exists related to tracking mobile devices via 802.11 Wi-Fi MAC addresses [24,30,39,50,53,55,58], tracking via cellular identifiers [40, 45, 49, 53-55, 61, 63] and attempting to correlate randomized 802.11 MAC addresses to the same physical device [47,55,64]. ...

Jeremy Martin
Douglas Alpuche
Kristina Bodeman
Sam Teplov

We investigate Apple's Bluetooth Low Energy (BLE) Continuity protocol, designed to support interoperability and communication between iOS and macOS devices, and show that the price for this seamless experience is leakage of identifying information and behavioral data to passive adversaries. First, we reverse engineer numerous Continuity protocol message types and identify data fields that are transmitted unencrypted. We show that Continuity messages are broadcast over BLE in response to actions such as locking and unlocking a device's screen, copying and pasting information, making and accepting phone calls, and tapping the screen while it is unlocked. Laboratory experiments reveal a significant flaw in the most recent versions of macOS that defeats BLE Media Access Control (MAC) address randomization entirely by causing the public MAC address to be broadcast. We demonstrate that the format and content of Continuity messages can be used to fingerprint the type and Operating System (OS) version of a device, as well as behaviorally profile users. Finally, we show that predictable sequence numbers in these frames can allow an adversary to track Apple devices across space and time, defeating existing anti-tracking techniques such as MAC address randomization.

... For example, WiFi devices will broadcast their MAC addresses periodically when looking for a device to connect to [61]. Bluetooth devices will also beacon their MAC address in order to find devices to connect to [58]. ...

... • Relay Attack (Car Key Signal [42]) • Replay attack (e.g., unlock car using recorded signal) • Wireless protocols leak identity information about owner [61] • Facilitates tracking of person and vehicle [58] ...

Connected autonomous vehicles (CAVs) will be deployed over the next decade with autonomous functionalities supported by new sensing and communication capabilities. Such functionality exposes CAVs to new attacks that current vehicles will not face. To ensure the safety and security of CAVs, it is important to be able to identify the ways in which the system could be attacked and to build defences against these attacks. One possible approach is to use reference architectures to perform an attack surface analysis. Existing research has developed a variety of reference architectures but none for the specific purpose of attack surface analysis. Existing approaches are either too simple for sufficiently detailed modelling or require too many details to be specified to easily analyse a CAV's attack surface. Therefore, we propose a reference architecture using a hybrid Functional-Communication viewpoint for attack surface analysis of CAVs, including the Devices, Edge and Cloud systems CAVs interact with. Using two case studies, we demonstrate how attack trees can be used to understand the attack surface of CAV systems.

... Such data can also be used in transportation planning and management to estimate travel time (Musa and Eriksson 2011) and real-time traffic monitoring (Abbott-Jard et al. 2013). Using techniques demonstrated by Franklin et al. (2006) and Pang et al. (2007), along with information present in the probe requests, one can even model interactions between the users (Cheng et al. 2012, Barbera et al. 2013, Cunche 2014 such as predicting which of them are most likely to meet again (Cunche et al. 2012). Using the semantic information present in these probe requests it even is possible to understand the nature of the population at a large scale (Di Luzio et al. 2016). ...

BalaMurugan Soundararaj

Measuring the distribution and dynamics of the population at granular level both spatially and temporally is crucial for understanding the structure and function of the built environment. In this era of big data, there have been numerous attempts to undertake this using the preponderance of unstructured, passive and incidental digital data which are generated from day-to-day human activities. In attempts to collect, analyse and link these widely available datasets at a massive scale, it is easy to put the privacy of the study subjects at risk. This research looks at one such data source - Wi-Fi probe requests generated by mobile devices - in detail, and processes it into granular, long-term information on number of people on the retail high streets of the United Kingdom (UK). Though this is not the first study to use this data source, the thesis specifically targets and tackles the uncertainties introduced in recent years by the implementation of features designed to protect the privacy of the users of Wi-Fi enabled mobile devices. This research starts with the design and implementation of multiple experiments to examine Wi-Fi probe requests in detail, then later describes the development of a data collection methodology to collect multiple sets of probe requests at locations across London. The thesis also details the uses of these datasets, along with the massive dataset generated by the 'Smart Street Sensor' project, to devise novel data cleaning and processing methodologies which result in the generation of a high quality dataset which describes the volume of people on UK retail high streets with a granularity of 5 minute intervals since August 2015 across 1000 locations (approx.) in 115 towns. This thesis also describes the compilation of a bespoke 'Medium data toolkit' for processing Wi-Fi probe requests (or indeed any other data with a similar size and complexity). Finally, the thesis demonstrates the value and possible applications of such footfall information through a series of case studies. By successfully avoiding the use of any personally identifiable information, the research undertaken for this thesis also demonstrates that it is feasible to prioritise the privacy of users while still deriving detailed and meaningful insights from the data generated by the users.

... Further, these data are also of interest for academic research from a more fundamental perspective of advancing knowledge about the applications and limits of tracking data in a variety of domains. This includes research into privacy protection [17,18] and obfuscation [19,20], data cleaning and interpolation [1,21], pattern detection and prediction, contact tracing [22], and the integration of tracking-data with social media sentiments [23] or with student or staff performance [24]. The use of the Wi-Fi tracking data for research purposes may not be covered in Wi-Fi user agreements, and may require additional informed consent. ...

While tracking-data analytics can be a goldmine for institutions and companies, the inherent privacy concerns also form a legal, ethical and social minefield. We present a study that seeks to understand the extent and circumstances under which tracking-data analytics is undertaken with social licence-that is, with broad community acceptance beyond formal compliance with legal requirements. Taking a University campus environment as a case, we enquire about the social licence for Wi-Fi-based tracking-data analytics. Staff and student participants answered a questionnaire presenting hypothetical scenarios involving Wi-Fi tracking for university research and services. Our results present a Bayesian logistic mixed-effects regression of acceptability judgements as a function of participant ratings on 11 privacy dimensions. Results show widespread acceptance of tracking-data analytics on campus and suggest that trust, individual benefit, data sensitivity, risk of harm and institutional respect for privacy are the most predictive factors determining this acceptance judgement.

... However, multiple techniques have been proposed to uniquely identify an 802.11 device. Cunche [7] showed that specific bits or information elements, and carrier characteristics were sufficient to uniquely identify 802.11 transmitters. Chapre et al. [6] also showed that an analysis of the physical characteristics of the transmission (CSI analysis) was sufficient to allow for such identification. ...

Jerome Henry
Nicolas Montavont

The time-of-flight based ranging mechanism defined in 802.11-2016 offers a range of parameters too rich to be implemented with similar pattern among vendors, unless further guidance is formulated on what parameter sets are reasonable. We examine 802.11-2016 FTM, and show that simple FTM frame observation can easily allow for individual chipset identification. We also show that a learning machine can recognize individual machines performing FTM exchanges, even when these machines implement the same chipset or the same hardware platform. We also suggest ways to mitigate individual device patterning based on FTM exchange observation.

... The following paragraphs describe each component in detail. To capture the MAC address of Wi-Fi management frames, the Wi-Fi 801.22ngb adapter was set in monitor mode in which the Wi-Fi adapter can capture the management frames sent from the discoverable mobile devices in Wi-Fi network within the detection range (Cunche, 2014). In this study, a Wi-Fi adapter with Ralink 5370 Wi-Fi chipset was used. ...

Transit ridership flow and origin-destination (O-D) information is essential for enhancing transit network design, optimizing transit route and improving service. The effectiveness and preciseness of the traditional survey-based and smart card data-driven method for O-D information inference have multiple disadvantages due to the insufficient sample, the high time and energy cost, and the lack of inferring results validation. By considering the ubiquity of smart mobile devices in the world, several methods were developed for estimating the transit ridership flow from Wi-Fi and Bluetooth sensing data by filtering out the non-passenger MAC addresses based on the predefined thresholds. However, the accuracy of the filtering methods is still questionable for the indeterminate threshold values and the lack of quantitative results validation. By combining the consideration of the assumed overlapped feature space of passenger and non-passenger with the above concerns, a three steps data-driven method for estimating transit ridership flow and O-D information from Wi-Fi and Bluetooth sensing data is proposed in this paper. The observed ridership flow is used as ground truth for calculating the performance measurements. According to the results, the proposed approach outperformed all selected baseline models and existing filtering methods. The findings of this study can help to provide real-time and precise transit ridership flow and O-D information for supporting transit vehicle management and the quality of service enhancement.

... In [8], Cho et al demonstrate that a different type of indoor positioning system using high-frequency audio signals can also be vulnerable to similar location spoofing attacks, through a case study: an in-depth security analysis of the recently launched Starbucks service called Siren Order. Cunche [9] fabricated the access point (i.e, AP, or BS) that the target user has previously connected to via the WiFi replay attack, and tracked the user's web data to obtain the user's private information. ...

Ayong Ye
Qing Li
Qiang Zhang
Rongbao Cheng

WLAN-based localization is widely adopted for mobile positioning, which is the prerequisite for location based services and more. However, the existing positioning systems are vulnerable to location spoofing attacks, which may bring major privacy concerns to mobile social network service (MSNS). In this paper, we first show a privacy attack model base on spoofing attack in MSNS, and then propose a novel defense mechanism based on WiFi-hotspot tags (i.e. base-station tags, BS tags). Specially, we utilize the unpredictability and reproducibility of BS tags to authenticate the spatial-temporal property of a geolocation. Furthermore, we introduce the bloom filter to compress parts of real-time hotspots frames, while guaranteeing its high entropy. Also, we design a tag verification algorithm based on the fuzzy extractors, which can well adapt to the high-bit error rates of wireless transmission. Finally, the safety and feasibility of the mechanism are proved by theoretical and experimental analysis.

... MAC addresses are designed to be persistent and globally unique (Martin et al., 2017). A MAC address is a 48-bit number used to identify a network interface (Cunche, 2014). The Wi-Fi connection for smartphones is designed to periodically transmit a probe-requestframe to determine a known access point (Matte, 2017;Yaik et al., 2016). ...

Currently, the development of WiFi is proliferating, especially in the field of transportation and smart cities. At the same time, WiFi is a low-cost technology, which offers a longer survey time and is able to support the Big Data era. This paper describes our study, which first uses a WiFi scanner to capture media access control (MAC) address data of bus passengers' WiFi devices and then identifies each MAC address travel time to confirm the bus passengers. The MAC address is a unique ID for each device used such as mobile phones, smartphones, laptops, tablets, and other WiFi-enabled equipment. The WiFi scanner was placed inside the bus to capture all the MAC addresses inside and around the bus. The survey was conducted for one day (eight hours). The paper describes the procedure of the time travel estimation for each MAC address using the "point to path" analysis in QGIS open source software. This procedure, using point to path-GIS, produced 70,000-80,000 raw data points cleaned into 100-130 new data points. The procedure determined how many passengers traveled and explained which bus passengers used based on travel time.

... However, the increasing ubiquity of public wireless networks in urban environments creates nascent pathways to understand population dynamics across space and over time [12]. As an emerging location sensor, Wi-Fi probes can conveniently obtain location information from mobile devices [13]. Given the popularity of smartphones today, Wi-Fi probes may prove indispensable in acquiring aggregate movement information in an area of interest [14]. ...

Urban open places with a public service function (e.g., urban parks) are likely to be populated in peak hours and during public events. To mitigate the risk of overcrowding and even events of stampedes, it is of considerable significance to realize a real-time full coverage estimate of the population density. The main challenge has been the limited deployment of crowd surveillance detectors in open public spaces, leading to incomplete data coverage and thus impacting the quality and reliability of the density estimation. To remedy this issue, this paper proposes a modified inverse distance weighting (IDW) method, named the inverse distance weighting based on path selection behavior (IDWPSB) method. The proposed IDWPSB method adjusts the distance decay effect according to visitors' path selection behavior, which better characterizes the human dynamics in open spaces. By implementing the model in a real-world road network in the Shichahai scenic area in Beijing, China, the study shows a decrease in the absolute deviation by 17.62% comparing the results between the new method and the traditional IDW method, justifying the effectiveness of the new method for spatial interpolation in open public places. By considering the behavioral factor, the proposed IDWPSB method can provide insights into public safety management with the increasing availability of data derived from location-based services.

... These messages contain protocol-specific hardware identifiers that are transmitted in plaintext and are trivially retrieved. The use of these identifiers as tracking mechanisms has been well documented [9,5,19,20]. Researchers have described that operating systems designed to curtail such tracking vulnerabilities often leave the user exposed due to implementation design flaws [31,18,13]. ...

Brian Thompson
Dave Cedel
Sarah Kern
Jeremy Martin

Use of persistent identifiers in wireless communication protocols is a known privacy concern as they can be used to track the location of mobile devices. Furthermore, inherent structure in the assignment of hardware identifiers as well as upper-layer network protocol data attributes can leak additional device information. We introduce SEXTANT, a computational framework that combines improvements on previously published device identification techniques with novel spatio-temporal correlation algorithms to perform multi-protocol entity resolution, enabling large-scale tracking of mobile devices across protocol domains. Experiments using simulated data representing Las Vegas residents and visitors over a 30-day period, consisting of about 300,000 multi-protocol mobile devices generating over 200 million sensor observations, demonstrate SEXTANT's ability to perform effectively at scale while being robust to data heterogeneity, sparsity, and noise, highlighting the urgent need for the adoption of new standards to protect the privacy of mobile device users.

... Cunche [13] presented linking of wireless devices using probe request messages over the preferred APs. In passive scanning, AP sends probe request messages while in active scanning device sends probe request messages to discover the available list of wireless devices. ...

Sandhya Aneja
Nagender Aneja
Md Shohidul Islam

Device Fingerprinting (DFP) is the identification of a device without using its network or other assigned identities including IP address, Medium Access Control (MAC) address, or International Mobile Equipment Identity (IMEI) number. DFP identifies a device using information from the packets which the device uses to communicate over the network. Packets are received at a router and processed to extract the information. In this paper, we worked on the DFP using Inter Arrival Time (IAT). IAT is the time interval between the two consecutive packets received. This has been observed that the IAT is unique for a device because of different hardware and the software used for the device. The existing work on the DFP uses the statistical techniques to analyze the IAT and to further generate the information using which a device can be identified uniquely. This work presents a novel idea of DFP by plotting graphs of IAT for packets with each graph plotting 100 IATs and subsequently processing the resulting graphs for the identification of the device. This approach improves the efficiency to identify a device DFP due to achieved benchmark of the deep learning libraries in the image processing. We configured Raspberry Pi to work as a router and installed our packet sniffer application on the Raspberry Pi. The packet sniffer application captured the packet information from the connected devices in a log file. We connected two Apple devices iPad4 and iPhone 7 Plus to the router and created IAT graphs for these two devices. We used Convolution Neural Network (CNN) to identify the devices and observed the accuracy of 86.7%.

... These systems allow to sense the location of smart phones using a cluster of Wi-Fi access points (AP), as shown in figure 6. If customers use the wireless network of an organisation, they leave traces with the MAC address of their device, which constitutes a unique identifier to track the owner [25]. Even when they do not actively use a wireless network, the communication devices often send polling requests for currently available networks. ...

Data analysis is becoming a popular tool to gain marketing insights from heterogeneous and often unstructured sensor data. Online stores make use of click stream analysis to understand customer intentions. Meanwhile, retail companies transition to locating technologies like RFID to gain better control and visibility of the inventory in a store. To further exploit the potential of these technologies, retail companies invest in novel services for their customers, such as smart fitting rooms or location of items in real time. In such a setting, a company can not only get insights similar to online stores, but can potentially also monitor customers. In this chapter, we discuss various location-sensing technologies used in retail and identify possible direct and indirect privacy threats that arise with their use. Subsequently, we present technological and organisational privacy controls that can help to minimise the identified privacy threats without losing on relevant marketing insights.

... For example, researchers have found the way many devices utilize 802.11 Media Access Control (MAC) addresses and cellular International Mobile Equipment Identities (IMEI) and International Mobile Subscriber Identities (IMSI) can make them particularly vulnerable to tracking [15,25,29,30,34]. As such, Operating System (OS) vendors and network standards bodies have implemented protocols and policies to mitigate these vulnerabilities. ...

Lucas Foppe
Jeremy Martin
Travis Mayberry
Lamont Brown

TLS, and SSL before it, has long supported the option for clients to authenticate to servers using their own certificates, but this capability has not been widely used. However, with the development of its Push Notification Service, Apple has deployed this technology on millions of devices for the first time. Wachs et al. [42] determined iOS client certificates could be used by passive network adversaries to track individual devices across the internet. Subsequently, Apple has patched their software to fix this vulnerability. We show these countermeasures are not effective by demonstrating three novel active attacks against TLS Client Certificate Authentication that are successful despite the defenses. Additionally, we show these attacks work against all known instances of TLS Client Certificate Authentication, including smart cards like those widely deployed by the Estonian government as part of their Digital ID program. Our attacks include in-path man-in-the-middle versions as well as a more powerful on-path attack that can be carried out without full network control.

... In the study by Matte et al. [4], researchers combined the WiFi location spoofing method with the social network information leakage to obtain the user identity of nearby smartphones, which poses a great threat to personal privacy. Reference [5] proposed a method of using fake WiFi hotspots in specific places to recognize the MAC address of a specific user's device and track the activities. Since location-based services have been integrated into a wide range of mobile applications (apps) on the smartphone, the location spoofing attacks in WPS may directly threaten the usability of those applications and the user's information security. ...

Yinghua Tian
Nae Zheng
Xiang Chen
Liuyang Gao

WiFi positioning systems (WPS) have been introduced as parts of 5G location services (LCS) to provide fast positioning results of user devices in urban areas. However, they are prominently threatened by location spoofing attacks. To end this, we present a Wasserstein metric-based attack detection scheme to counter the location spoofing attacks in the WPS. The Wasserstein metric is used to measure the similarity of each two hotspots by their signal's frequency offset distribution features. Then, we apply the clustering method to find the fake hotspots which are generated by the same device. When applied with WPS, the proposed method can prevent location spoofing by filtering out the fake hotspots set by attackers. We set up experimental tests by commercial WiFi devices, which show that our method can detect fake devices with 99% accuracy. Finally, the real-world test shows our method can effectively secure the positioning results against location spoofing attacks. 1. Introduction Driven by the demands of location-based services (LBS) and the Internet of Things (IoT), 3GPP Release 16 has introduced a variety of positioning technologies as supplements to the cellular-based positioning method in the 5G location services (LCS) [1]. As shown in Figure 1, the hybrid LCS architecture integrates global navigation satellite systems (GNSS) and WiFi positioning systems (WPS), to offer a positioning result of high accuracy, availability, and reliability. Applications such as autonomous driving, unmanned aerial vehicles, and massive IoT tracking will benefit from the improvement of LCS.

... Moreover, the current massive adoption of portable devices and wireless networks may raise those privacy and security threats. Historically, two types of problems have been identified [121]- [124]: The first problem concerns the scan for nearby Wi-Fi access points actively sending probe requests. The probe requests may include the name (SSID) of the network used in the previous connections. ...

As we move into a new decade, the global world of Intelligent Infrastructure (II) services integrated into the Internet of Things (IoT) are at the forefront of technological advancements. With billions of connected devices spanning continents through interconnected networks, security and privacy protection techniques for the emerging II services become a paramount concern. In this paper, an up-to-date privacy method mapping and relevant use cases are surveyed for II services. Particularly, we emphasize on post-quantum cryptography techniques that may (or must when quantum computers become a reality) be used in the future through concrete products, pilots, and projects. The topics presented in this paper are of utmost importance as (1) several recent regulations such as Europe's General Data Protection Regulation (GDPR) have given privacy a significant place in digital society, and (2) the increase of IoT/II applications and digital services with growing data collection capabilities are introducing new threats and risks on citizens' privacy. This in-depth survey begins with an overview of security and privacy threats in IoT/IIs. Next, we summarize some selected Privacy-Enhancing Technologies (PETs) suitable for privacy-concerned II services, and then map recent PET schemes based on post-quantum cryptographic primitives which are capable of withstanding quantum computing attacks. This paper also overviews how PETs can be deployed in practical use cases in the scope of IoT/IIs, and maps some current projects, pilots, and products that deal with PETs. A practical case study on the Internet of Vehicles (IoV) is presented to demonstrate how PETs can be applied in reality. Finally, we discuss the main challenges with respect to current PETs and highlight some future directions for developing their post-quantum counterparts.

... The SSID gives the network a name and this leads to identity leakage. Similar to Bluetooth, both the hotspot and IEEE 802.11 devices will broadcast their MAC addresses [38], the channel the hotspot communicates on is another dimension that can be used to identify a target in more detail, and there are a variety of additional pieces of information that can be used to fingerprint an IEEE 802.11 device [39]. ...

Future Intelligent Transport Systems (ITS) will require that vehicles are equipped with Dedicated Short Range Communications (DSRC). With these DSRC capabilities, new privacy threats are emerging that can be taken advantage of by threat actors with little experience and cheap components. However, the origins of these privacy threats are not limited to the vehicle and its communications, but extend to non-vehicular devices carried by the driver and passengers. A shortcoming of existing work is that it tends to focus on a specific aspect of privacy leakage when attempting to protect location privacy. In doing so, interactions between privacy threats are not considered. In this work, we investigate the privacy surface of a vehicle by considering the many different ways in which location privacy can be leaked. Following this, we identify techniques to protect privacy and that it is insufficient to provide location privacy against a single threat vector. A methodology to calculate the interactions of privacy preserving techniques is used to highlight the need to consider the wider threat landscape and for techniques to collaborate to ensure location privacy is provided against multiple sources of privacy threats where possible.

... Since the simulation does not incorporate information beyond what might be observed in the real environments, we believe that it demonstrates the practical viability of the attack. With the unique tag, attackers would be able to physically locate the user [44] (e.g. by leveraging WiFi location data published by Wigle [22]) or track the user in the future [29]. In addition, video feeds could be combined with Tag database information to obtain a picture of candidate victims who might then be de-anonymized using face detection search engines like PimEyes [21]. ...

Jianwei Huang
Vinod Yegneswaran
Phillip Porras
Guofei Gu

{Smartphone-based contact-tracing applications are at the epicenter of the global fight against the Covid-19 pandemic. While governments and healthcare agencies are eager to mandate the deployment of such applications en-masse, they face increasing scrutiny from the popular press, security companies, and human rights watch agencies that fear the exploitation of these technologies as surveillance tools. Finding the optimal balance between community safety and privacy has been a challenge, and strategies to address these concerns have varied among countries. This paper describes two important attacks that affect a broad swath of contact-tracing applications. The first, referred to as {\em contact-isolation attack}, is a user-privacy attack that can be used to identify potentially infected patients in your neighborhood. The second is a {\em contact-pollution attack} that affects the integrity of contact tracing applications by causing them to produce a high volume of false-positive alerts. We developed prototype implementations and evaluated both attacks in the context of the DP-3T application framework, but these vulnerabilities affect a much broader class of applications. We found that both attacks are feasible and realizable with a minimal attacker work factor. We further conducted an impact assessment of these attacks by using a simulation study and measurements from the SafeGraph database. Our results indicate that attacks launched from a modest number (on the order of 10,000) of monitoring points can effectively decloak between 5-40\% of infected users in a major metropolis, such as Houston.

... Such data can also be used in transportation planning and management to estimate travel time (Musa and Eriksson 2011) and real time traffic monitoring (Abbott-Jard et al. 2013). Using techniques demonstrated by Franklin et al. (2006) and Pang et al. (2007), along with information present in the probe requests, one can even model interactions between the users (Cheng et al. 2012, Barbera et al. 2013, Cunche 2014 such as predicting which of them are most likely to meet again (Cunche et al. 2012). Using the semantic information present in these probe requests it even is possible to understand the nature of population at a large scale (Di Luzio et al. 2016). ...

BalaMurugan Soundararaj
James Cheshire
Paul Longley

The accurate measurement of human activity with high spatial and temporal granularity is crucial for understanding the structure and function of the built environment. With increasing mobile ownership, the Wi-Fi 'probe requests' generated by mobile devices can act as a cheap, scalable and real-time source of data for establishing such measures. The two major challenges we face in using these probe requests for estimating human activity are: filtering the noise generated by the uncertain field of measurement and clustering anonymised probe requests generated by the same devices together without compromising the privacy of the users. In this paper, we demonstrate that we can overcome these challenges by using class intervals and a novel graph-based technique for filtering and clustering the probe requests which in turn, enables us to reliably measure real-time pedestrian footfall at retail high streets.

... Wi-Fi and Bluetooth obtain MAC addresses with a high and low-frequency from Wi-Fi or Bluetooth-enabled devices. A media access control (MAC) address is a unique device identifier that consists of particular numbers and letters specific to a device with Wi-Fi or Bluetooth capability (Cunche, 2014;Dunlap et al., 2016;Musa and Eriksson, 2012;Vanhoef et al., 2016). Additionally, people at some places or regions do not use Bluetooth only for the headset on smartphone or printer devices. ...

Currently, transport survey methods are very diverse. Transportation data retrieval using information technology, such as Bluetooth, Wi-Fi, and smartcards, is prominent. This study aims to obtain media access control (MAC) addresses of individual bus passengers by using a Wi-Fi scanner. This Wi-Fi scanner is capable of engaging a probe request mode to capture MAC addresses from mobile devices or other Wi-Fi-enabled modalities without connecting to the internet. This study also describes a new data cleaning procedure that is used to characterize bus passenger volume and travel trends using a combination of MAC address and GPS data. The approach developed in the proposed study is capable of producing outputs, such as an origin-destination (OD) matrix and passenger volume for a bus route section. A comparison between passenger volumes obtained from the Wi-Fi data processing procedure and the data obtained using the ground truth procedure indicates the number of passengers determined using the Wi-Fi data acquisition and processing procedure is less than the number of passengers determined using the ground truth procedure.

... A smartphone can be identified by its international mobile equipment identity (IMEI) number or MAC address. A MAC address consists of numbers and letters specific to a device with Wi-Fi capability (Cunche, 2014;Dunlap et al., 2016;Musa and Eriksson, 2012;Vanhoef et al., 2016). A MAC address is a unique code, and does not contain any personal information about the user. ...

The main objective of this study is to estimate bus passenger volume based on a Wi-Fi scanner transportation survey. The study proposes a new data cleaning procedure to characterize bus passenger volume using a combination of media access control (MAC) address and global positioning system (GPS) data. We used a Wi-Fi scanner to detect the MAC addresses of individual bus passengers. The Wi-Fi scanner, used as a tool to capture passenger device data, can engage in a probe request mode to capture the MAC addresses of mobile devices or other Wi-Fi-enabled modalities without connecting to the internet. The approach proposed in this study can yield the passenger volume outputs for various bus route sections. A comparison of the passenger volume results obtained from Wi-Fi data and ground truth data indicates that the number of passengers determined from the former is less than that from the latter. The correlation between Wi-Fi estimation and ground truth is 0.78, and the trend line in both methods is similar. Therefore, the cleaning procedure proposed in this study can effectively clean raw Wi-Fi data to extract passenger volume data.

... 60% cases WiFi logs attached to specific locations can be used to identify the person behind the device. In [22] propose a stalker attack, where the attacker physically follows the target for a certain time, while monitoring all the WiFi traffic, ultimately associating the person to the MAC with highest number of Probe Request packets sent. WiFi positioning has been improved using a system of cameras where the electronic and visual signals are combined in order to match the person on the video and a MAC address in [23] . ...

... Contained in each frame is the client's source MAC address; this 48-bit value uniquely identifies the client seeking network service to access points that provide it. Unfortunately, this also provides adversaries a unique identifier to track users [16,18,19,26]. To address the privacy concerns inherent in the use of the MAC address assigned by the device manufacturer (a globally unique MAC address), manufacturers have shifted to broadcasting ephemeral, random MAC addresses while the device is in an unassociated state; unfortunately, MAC address randomization in 802.11 can often be defeated [25,28]. ...

Douglas Alpuche
Kristina Bodeman
Sam Teplov
Jeremy Martin

In recent versions of iOS, Apple has incorporated new wireless protocols to support automatic configuration and communication between devices. In this paper, we investigate these protocols, specifically Bluetooth Low Energy (BLE) "Continuity," and show that the price for this seamless user experience is substantial leakage of identifying information and users' behavioral data to a passive listening adversary. We start by reverse engineering Apple's proprietary protocol and identifying a number of data fields that are transmitted unencrypted. Plaintext messages are broadcast over BLE in response to user actions such as locking and unlocking a device's screen, using the copy/paste feature and tapping the screen while it is unlocked. We also demonstrate that the format and contents of these messages can be used to identify the type and OS version of a device. Finally, we show how the predictable sequence numbers of these frames can allow an adversary to track iOS devices from location to location over time, defeating existing anti-tracking techniques like MAC address randomization.

Md. Abdullah Yusuf Imam

Using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and white lists. In IP networks, the MAC address of an interface can be queried given the IP address using the Address Resolution Protocol (ARP) for internet protocol version 4 (IPV4) or the neighbor discovery protocol (NDP) for IPV6 [1],[2]. In this way, ARP or NDP is used to relate IP addresses (OSI layer 3) to ethernet MAC addresses (OSI layer 2) [3]. A MAC address is like a social security number which remains unchanged for a person's life time (the device), while an IP address is like a postal code which can be changed. Now we find how MAC & IP are related, how MAC route from pc to switch(Routing scheme).

The user privacy, in particular, user tracking, has always been a considerable concern, and moreover nowadays, when we are completely surrounded by Wi-Fi enabled devices (smartphones, tablets, wearables, etc.). These devices transmit unique unencrypted signals containing information which includes a device's MAC (Media Access Control) address. Such signals can be monitored with a passive attack by using cheap hardware. Since the MAC address is unique for each device, there is an unquestionable privacy threat to the devices' owners. To this moment, the only countermeasure vendors have the MAC Address Randomization. In this paper, we show that the effectiveness of this solution, five years after it was introduced for the first time, is insufficient to prevent Wi-Fi users from tracking. Moreover, the solution itself is not even widely used.

Analisa-se a viabilidade de pesquisas sobre usuários de ônibus com base na detecção de endereços MAC WiFi de dispositivos portáteis. A motivação para o estudo decorre da aparente contradição entre casos de sucesso publicados na literatura e resultados de experimentos de campo que realizamos. Requisitos para identificação adequada de passageiros de ônibus são usados como base para avaliar as capacidades do hardware e software de detecção comumente disponíveis. Mais especificamente, os intervalos de tempo decorridos entre as detecções do mesmo dispositivo são tomados como requisito para a determinação do estado do portador do dispositivo e, portanto, a identificação deste como passageiro. Por exemplo, ao realizar pesquisas de embarque e desembarque com equipamentos de detecção instalados a bordo, é necessário que várias detecções ocorram logo após o embarque do passageiro e antes do desembarque, permitindo assim uma estimativa precisa da origem e destino da viagem. Resultados experimentais em ensaios controlados e não controlados indicam que os componentes disponíveis no mercado com software de código aberto podem não fornecer detecções bem-sucedidas. No experimento controlado, encontramos tempos de 40 s para a primeira detecção de 86% dos dispositivos e uma média de 80 s para a segunda detecção de dispositivos. Para o experimento não controlado de viagens em ônibus com carregamento médio, foram encontradas diferenças significativas entre as contagens manuais e os dispositivos detectados. Como resultado dessas observações empíricas, recomenda-se uma avaliação cuidadosa dos esquemas de detecção existentes usados nas pesquisas de número de passageiros.

K. L. Tan
K. C. Lim

span>Conventional public safety surveillance video camera systems required 24/7 monitoring of security officers with video wall display installed in the control room. When a crime or incident is reported, all the recorded surveillance video streams nearby the incident area are playback simultaneously on video wall to help locate the target person. The security officers can fast forward the video playback to speed up the video search, but it requires massive manpower if there are hundreds of video streams required to be examined on the video wall. One of the possible solutions is through a suitable video indexing and retrieval technique to prioritize the video frames that need to be processed. This paper presents a WiFi sniffer enabled surveillance camera, with 3-stage WiFi frame inspection filter and the use of collected WiFi signal strength for filtering, to tag the collected WiFi MAC addresses to the surveillance video frames according to the time of the MAC address is sniffed. Additional metadata (WiFi MAC address of smartphone) collected during the occurrence of the incident can be used to prioritize the retrieving of surveillance video frames for subsequent image processing. </span

Real-time public transit ridership flow and Origin-Destination (O-D) information is essential for improving transit service quality and optimizing transit networks in smart cities. The effectiveness and accuracy of the traditional survey-based methods and smart card data-driven methods for O-D information inference have multiple disadvantages in terms of biased results, high latency, insufficient sample size, the high-cost of time and energy. By considering the ubiquity of smart mobile devices in the world, monitoring public transit ridership flow can be accomplished by passively sensing Wi-Fi and Bluetooth (BT) mobile devices of passengers. This study proposed a system for monitoring real-time public transit passenger ridership flow and O-D information based on customized Wi-Fi and BT sensing device. By combining the consideration of the assumed overlapping feature spaces of passenger and non-passenger MAC address data, a three-step data-driven algorithm framework for estimating transit ridership flow and O-D information is proposed. The observed ridership flow is used as the ground truth for evaluating the performance of the proposed algorithm. According to the evaluation results, the proposed algorithm outperformed all selected baseline models and the existing filtering methods. The findings of this study can help to provide real-time and precise transit ridership flow and O-D information for supporting transit vehicle management and the quality of service enhancement.

Matthew White

The Court of Justice of the European Union (ECJ) in 2014 ruled in Digital Rights Ireland that the Data Retention Directive was invalid for exceeding the limits of proportionality in light of Articles 7, 8 and 52(1) of the EU Charter of Fundamental Rights (Charter). Subsequently, preliminary references from the England and Wales Court of Appeal and the Swedish Administrative Court of Appeal sought clarification from the ECJ as to whether EU law permitted a general obligation to retain traffic data covering all persons, all means of electronic communication and all traffic data without any distinctions, limitations or exceptions for the purpose of combating crime. The ECJ in Tele2 and Watson ruled that in light of Articles 7, 8, 11 and 52(1) of the Charter, EU Member States were precluded from adopting national measures which provided general and indiscriminate retention of traffic and location data of all subscribers and registered users relating to all means of electronic communication. The ECJ also ruled that Member States were only permitted to adopt data retention measures for the purpose of fighting serious crime, and only when access to retained data was subject to prior review by a court or an independent administrative body. In 2018, the issue of the UK's data retention regime envisaged in Part 4 of the Investigatory Powers Act 2016 came before the England and Wales High Court. The High Court ruled that Part 4 was incompatible with EU law because access to retained communications data was not limited to the purpose of fighting serious crime, and it was not subject to prior review by a court or an independent administrative body. This judgment was regarded by the claimants, Liberty, as a 'landmark victory for privacy rights'. However, this paper questions whether certain aspects of the High Court ruling are indeed a victory, by assessing its compatibility with EU law and the European Convention on Human Rights (ECHR).

For parents of young children and adolescents, the digital age has in- troduced many new challenges, including excessive screen time, in- appropriate online content, cyber predators, and cyberbullying. To address these challenges, many parents rely on numerous parental control solutions on different platforms, including parental con- trol network devices (e.g., WiFi routers) and software applications on mobile devices and laptops. While these parental control solu- tions may help digital parenting, they may also introduce serious security and privacy risks to children and parents, due to their elevated privileges and having access to a significant amount of privacy-sensitive data. In this paper, we present an experimental framework for systematically evaluating security and privacy is- sues in parental control software and hardware solutions. Using the developed framework, we provide the first comprehensive study of parental control tools on multiple platforms including network devices, Windows applications, Chrome extensions and Android apps. Our analysis uncovers pervasive security and privacy issues that can lead to leakage of private information, and/or allow an adversary to fully control the parental control solution, and thereby may directly aid cyberbullying and cyber predators.

Inexpensive WiFi-capable hardware can be nowadays easily used to capture traffic from end users and extract knowledge. Such knowledge can be leveraged to support advanced services like user profiling, device classification. We review here the main building blocks to develop a system based on passive WiFi monitors, that is, cheap and viable sniffers which collect data from end devices even without an explicit association to any Wi-Fi network. We provide an overview of the services which can be enabled by such approach with three practical scenarios: user localization, user profiling and device classification. We evaluate the performance of each one of the three scenarios and highlight the challenges and threats for the aforementioned systems.

Mathieu Cunche
Mohamed Ali Kaafar
Roksana Boreli

Active service discovery in Wi-Fi involves wireless stations broadcasting their Wi-Fi fingerprint, i.e. the SSIDs of their preferred wireless networks. The content of those Wi-Fi fingerprints can reveal different types of information about the owner. We focus on the relation between the fingerprints and the links between the owners. Our hypothesis is that social links between devices' owners can be identified by exploiting the information contained in the fingerprint. More specifically we propose to consider the similarity between fingerprints as a metric, with the underlying idea: similar fingerprints are likely to be linked. We first study the performances of several similarity metrics on a controlled dataset and then apply the designed classifier to a dataset collected in the wild. Finally we discuss potential countermeasures and propose a new one based on geolocation. This study is based on a dataset collected in Sydney, Australia, composed of fingerprints belonging to more than 8000 devices.

Ben Greenstein
Ramakrishna Gummadi
Jeffrey Pang
David Wetherall

Today's rich and varied wireless environment, including mobile phones, Wi-Fi-enabled laptops, and Bluetooth headsets, poses threats to our privacy that cannot be ad- dressed with existing protocols. By considering 802.11 as a case study and analyzing publicly available 802.11 traces, we show that a device can be identified and tracked over time through its persistent link-layer address, list o f known networks (SSIDs), and other protocol and phys- ical layer characteristics. We argue that it is in the best interest of providers as well as users to design systems that maintain user privacy. We identify several research challenges to doing so and offer some direction towards a solution.

Craig A. Shue
Nathanael Paul
Curtis R. Taylor

How quickly can somebody convert an IP address of a target into a real-word street address? Law enforcement regularly has need to determine a suspect's exact location when investigating crimes on the Internet. They first use geolocation software and databases to determine the suspect's rough location. Recent research has been able to scope a targeted IP address to within a 690m (0.43 mile) radius circle, which is enough to determine the relevant law enforcement department that has jurisdiction. Unfortunately, investigators face a "last half mile" problem: their only mechanism to determine the exact address of the suspect is to subpoena the suspect's Internet Service Provider, a process that can take weeks. Instead, law enforcement would rather locate the suspect within the hour with the hope of catching the suspect while the crime is still on-going, which leads to stronger evidence and straightforward prosecution. Given these time constraints, we investigate how quickly an adversary can locate a target without any special law enforcement powers. Instead, we leverage the use of ubiquitous wireless networks and a mobile physical observer that performs wireless monitoring (akin to "wardriving," which seeks to search for wireless networks). We develop an approach that allows an adversary to send traffic to the target's address that can be detected by the observer, even if wireless encryption is in use. We evaluated the approach in two common real-world settings. In one of these, a residential neighborhood, we used a single-blind trial in which an observer located a target network to within three houses in less than 40 minutes (with potential for more exact results using hardware such as directional antennas). This approach had only a 0.38% false positive rate, despite 24,000 observed unrelated packets and many unrelated networks. These results show significant promise for the geolocation strategy and demonstrate that adversaries with multiple potential observation points, such as law enforcement personnel, could quickly locate a target.

Smartphones with Wi-Fi enabled periodically transmit Wi-Fi messages, even when not associated to a network. In one 12-hour trial on a busy road (average daily traffic count 37,000 according to the state DOT), 7,000 unique devices were detected by a single road-side monitoring station, or about 1 device for every 5 vehicles. In this paper, we describe a system for passively tracking unmodified smartphones, based on such Wi-Fi detections. This system uses only common, off-the-shelf access point hardware to both collect and deliver detections. Thus, in addition to high detection rates, it potentially offers very low equipment and installation cost. However, the long range and sparse nature of our opportunistically collected Wi-Fi transmissions presents a significant localization challenge. We propose a trajectory estimation method based on Viterbi's algorithm which takes second-by-second detections of a moving device as input, and produces the most likely spatio-temporal path taken. In addition, we present several methods that prompt passing devices to send additional messages, increasing detection rates an use signal-strength for improved accuracy. Based on our experimental evaluation from one 9-month deployment and several single-day deployments, passive Wi-Fi tracking detects a large fraction of passing smartphones, and produces high-accuracy trajectory estimates.

Paramvir Bahl
Venkata N. Padmanabhan

The proliferation of mobile computing devices and local-area wireless networks has fostered a growing interest in location-aware systems and services. In this paper we present RADAR, a radio-frequency (RF) based system for locating and tracking users inside buildings. RADAR operates by recording and processing signal strength information at multiple base stations positioned to provide overlapping coverage in the area of interest. It combines empirical measurements with signal propagation modeling to determine user location and thereby enable location-aware services and applications. We present experimental results that demonstrate the ability of RADAR to estimate user location with a high degree of accuracy.

Nathaniel Husted
Steven Myers

Digital wireless radios broadcast identification numbers that uniquely identify them. As has been previously observed, given the ubiquity with which people carry smartphones with their embedded WiFi radios powered on, comes the ability to track individuals' movements. The ability to use wireless radios for positioning has been previously observed and developed in to useful products. In these systems a user willingly geolocates themselves by providing identifiers to infrastructure hardware. In this paper we consider the converse question: what rates of monitoring by smartphones devices in a given metropolitan area are necessary to achieve different levels of involuntary geolocation. While previous work has looked at countermeasure that attempt to maintain privacy, no work has attempted to quantify the problem and risks. Using appropriate simulations we give the first quantitative support for the number and conditions of tracking devices necessary to track the locations of non-participant individuals in urban environments. We provide evidence that a small, but not insignificant, number of mobile devices can be used to track a majority of users during a significant fraction of their travel with current devices. We conclude that in the immediate future, malnets would require relatively high infection rates to pose a significant threat, but that voluntary networks, with perceived benefit can probably achieve the usage rates necessary to track individual movements of non-subscribed users to a high-degree of accuracy. Our results also suggest ubiquitous deployment of 802.11n in smartphones would make geolocation feasible by malnets

In this work, we study the security of public WLAN-based positioning systems. Specifically, we investigate the Sky- hook positioning system, available on PCs and used on a number of mobile platforms, including Apple's iPod touch and iPhone. By implementing and analyzing several kinds of attacks, we demonstrate that this system is vulnerable to location spoofing and location database manipulation. In both, the attacker can arbitrarily change the result of the localization at the victim device, by either impersonat- ing remote infrastructure or by tampering with the service database. Our attacks can easily be replicated and we con- jecture that—without appropriate countermeasures—public WLAN-based positioning should therefore be used with cau- tion in safety-critical contexts. We further discuss several approaches for securing WLAN-based positioning systems.

Ian Rose
Matt Welsh

Passive monitoring is an important tool for measuring, troubleshooting, and protecting modern wireless networks. To date, WiFi monitoring has focused primarily on indoor settings or ephemeral outdoor studies though wardriving. We present Argos, the first urban-scale wireless sensor network designed explicitly to support measurement of ambient WiFi traffic across an entire city. Urban-scale wireless monitoring presents unique challenges due to limited packet-capture ability, heterogeneous traffic loads, and limited backhaul capacity between sensor nodes. Argos addresses these through in-network traffic merging and processing, plus an intelligent approach to coordinated channel sampling by multiple sniffers. Argos provides a rich query interface allowing users to study the complex dynamics of ambient wireless traffic. We present a detailed evaluation of a 26-node Argos network deployed on streetlights and rooftops around a city, demonstrating its ability to detect and classify wireless access points and clients; monitor Web page usage; detect malicious traffic; track the mobility of WiFi-equipped public transport vehicles; and fingerprint individual users through 802.11 probe request packets.

Philippe Golle
Kurt Partridge

Many applications benet from user location data, but lo- cation data raises privacy concerns. Anonymization can protect privacy, but identities can sometimes be inferred from supposedly anonymous data. This paper studies a new attack on the anonymity of location data. We show that if the approximate locations of an individual's home and workplace can both be deduced from a location trace, then the median size of the individual's anonymity set in the U.S. working population is 1, 21 and 34,980, for locations known at the granularity of a census block, census track and county respectively. The location data of people who live and work in dierent regions can be re-identied even more easily. Our results show that the threat of re-identication for location data is much greater when the individual's home and work locations can both be deduced from the data. To preserve anonymity, we oer guidance for obfuscating location traces before they are disclosed.

Laurent Butti
Julien Tinnés

802.11 Wireless local area networks are unfortunately notoriously infamous due to their many, critical security flaws. Last year, world-first 802.11 wireless driver vulnerabilities were publicly disclosed, making them a critical and recent threat. In this paper, we expose our research results on 802.11 driver vulnerabilities by focusing on the design and implementation of a fully featured 802.11 fuzzer that enabled us to find several critical implementation bugs that are potentially exploitable by attackers. Lastly, we will detail the successful exploitation of the first 802.11 remote kernel stack overflow under Linux (madwifi driver).

Paramvir Bahl
Venkata N. Padmanabhan

The proliferation of mobile computing devices and local-area wireless networks has fostered a growing interest in location-aware systems and services. In this paper we present RADAR, a radio-frequency (RF)-based system for locating and tracking users inside buildings. RADAR operates by recording and processing signal strength information at multiple base stations positioned to provide overlapping coverage in the area of interest. It combines empirical measurements with signal propagation modeling to determine user location and thereby enable location-aware services and applications. We present experimental results that demonstrate the ability of RADAR to estimate user location with a high degree of accuracy

Wireless Geographic Logging Engine The wireshark network analyzer

Wigle

WiGLE: Wireless Geographic Logging Engine. http://wigle.net/ 3. The wireshark network analyzer. http://www.wireshark.org/

Cafe latte with a free topping of cracked wep retrieving wep keys from road warriors

M S Ahmad
V Ramachandran

M. S. Ahmad and V. Ramachandran. Cafe latte with a free topping of cracked wep retrieving wep keys from road warriors. In TOORCON9, 2007.

CreepyDOL: cheap, distributed stalking

B Oconnor

Brendan OConnor. CreepyDOL: Cheap, Distributed Stalking. In BlackHat, 2013.

Linking wireless devices using information contained in Wi-Fi probe requests

Mohamed-Ali Mathieu Cunche
Roksana Kaafar
Boreli

Mathieu Cunche, Mohamed-Ali Kaafar, and Roksana Boreli. Linking wireless devices using information contained in Wi-Fi probe requests. Pervasive and Mobile Computing, (0):-, 2013.

Snoopy: distributed tracking and pro-filing framework

D Cuthbert
G Wilkinson

Cuthbert, D., Wilkinson, G.: Snoopy: distributed tracking and pro-filing framework. In: 44Con 2012 (2012)

Set Up Wifi to Track Mac Addresses

Source: https://www.researchgate.net/publication/271960115_I_know_your_MAC_Address_Targeted_tracking_of_individual_using_Wi-Fi

Set Up Wifi to Track Mac Addresses

0 Response to "Set Up Wifi to Track Mac Addresses"

Post a Comment

Iklan Atas Artikel

Iklan Tengah Artikel 1

Iklan Tengah Artikel 2

Iklan Bawah Artikel