skip to main content
10.1145/2897845.2897883acmconferencesArticle/Chapter ViewAbstractPublication Pagesasia-ccsConference Proceedingsconference-collections
research-article

Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms

Published: 30 May 2016 Publication History

Abstract

We present several novel techniques to track (unassociated) mobile devices by abusing features of the Wi-Fi standard. This shows that using random MAC addresses, on its own, does not guarantee privacy. First, we show that information elements in probe requests can be used to fingerprint devices. We then combine these fingerprints with incremental sequence numbers, to create a tracking algorithm that does not rely on unique identifiers such as MAC addresses. Based on real-world datasets, we demonstrate that our algorithm can correctly track as much as 50% of devices for at least 20 minutes. We also show that commodity Wi-Fi devices use predictable scrambler seeds. These can be used to improve the performance of our tracking algorithm. Finally, we present two attacks that reveal the real MAC address of a device, even if MAC address randomization is used. In the first one, we create fake hotspots to induce clients to connect using their real MAC address. The second technique relies on the new 802.11u standard, commonly referred to as Hotspot 2.0, where we show that Linux and Windows send Access Network Query Protocol (ANQP) requests using their real MAC address.

References

[1]
Tails - privacy for anyone anywhere. Retrieved from https://tails.boum.org.
[2]
Android 6.0 changes. Retrieved from https://developer.android.com/about/versions/marshmallow/android-6.0-changes.html, 2015.
[3]
O. Abukmail. Wifi Mac Changer. Retrieved from https://play.google.com/store/apps/details?id=com.wireless.macchanger.
[4]
M. V. Barbera, A. Epasto, A. Mei, S. Kosta, V. C. Perta, and J. Stefa. CRAWDAD dataset sapienza/probe-requests (v. 2013-09--10). Retrieved 10 November, 2015, from, http://crawdad.org/sapienza/probe-requests/20130910, Sept. 2013.
[5]
B. Bloessl, M. Segata, C. Sommer, and F. Dressler. An IEEE 802.11 a/g/p OFDM receiver for GNU radio. In SRIF Workshop, 2013.
[6]
B. Bloessl, C. Sommer, F. Dressler, and D. Eckhoff. The scrambler attack: A robust physical layer attack on location privacy in vehicular networks. In ICNC, 2015.
[7]
V. Brik, S. Banerjee, M. Gruteser, and S. Oh. Wireless device identification with radiometric signatures. In MobiCom, 2008.
[8]
P. O. Carlos J. Bernardos, Juan Carlos Zúniga. Wi-Fi internet connectivity and privacy: hiding your tracks on the wireless internet. In IEEE CSCN, 2015.
[9]
Chainfire. Pry-Fi. Retrieved from https://play.google.com/store/apps/details?id=eu.chainfire.pryfi.
[10]
M. Cristea and B. Groza. Fingerprinting smartphones remotely via ICMP timestamps. Communications Letters, IEEE, 17(6):1081--1083, 2013.
[11]
D. A. Dai Zovi, S. Macaulay, et al. Attacking automatic wireless network selection. In Proc. of the Sixth Annual SMC Inf. Assurance Workshop, 2005.
[12]
B. Danev, D. Zanetti, and S. Capkun. On physical-layer identification of wireless devices. ACM Computing Surveys (CSUR), 45(1):6, 2012.
[13]
C. Daniel and W. Glenn. Snoopy: Distributed tracking and profiling framework. In 44Con 2012, 2012.
[14]
L. Demir, M. Cunche, and C. Lauradoux. Analysing the privacy policies of Wi-Fi trackers. In Proc. of the 2014 workshop on physical analytics, 2014.
[15]
L. C. C. Desmond, C. C. Yuan, T. C. Pheng, and R. S. Lee. Identifying unique devices through wireless fingerprinting. In WiSec, 2008.
[16]
P. Eckersley. How unique is your web browser? In Privacy Enhancing Technologies, 2010.
[17]
J. Franklin, D. McCoy, P. Tabriz, V. Neagoe, J. V. Randwyk, and D. Sicker. Passive data link layer 802.11 wireless device driver fingerprinting. In USENIX Security, 2006.
[18]
J. Freudiger. How talkative is your mobile device? An experimental study of Wi-Fi probe requests. In WiSec, 2015.
[19]
B. Gellman and A. Soltani. NSA tracking cellphone locations worldwide, Snowden documents show. The Washington Post, 2013.
[20]
M. X. Gong, B. Hart, L. Xia, and R. Want. Channel bounding and MAC protection mechanisms for 802.11ac. In GLOBECOM, 2011.
[21]
F. Gont. A method for generating semantically opaque interface identifiers with ipv6 stateless address autoconfiguration (slaac). RFC 7217, 2014.
[22]
D. Goodin. No, this isn't a scene from minority report. This trash can is stalking you. Ars Technica, 2013.
[23]
B. Greenstein, R. Gummadi, J. Pang, M. Y. Chen, T. Kohno, S. Seshan, and D. Wetherall. Can Ferris Bueller still have his day off? protecting privacy in the wireless era. In USENIX HotOS, 2007.
[24]
E. Grumbach. iwlwifi: mvm: support random MAC address for scanning. Linux committexttteffd05ac479b.
[25]
M. Gruteser and D. Grunwald. Enhancing location privacy in wireless LAN through disposable interface identifiers: A quantitative analysis. Mobile Networks and Applications, 10(3):315--325, 2005.
[26]
F. Guo and T. Chiueh. Sequence number-based MAC address spoof detection. In RAID, 2006.
[27]
C. Huitema. Experience with MAC address randomization in Windows 10. In 93th Internet Engineering Task Force Meeting (IETF), July 2015.
[28]
C. Huitema. Personal communication, Nov. 2015.
[29]
M. Humbert, M. H. Manshaei, J. Freudiger, and J.-P. Hubaux. Tracking games in mobile networks. In Conf. on Decision and Game Theory for Security, 2010.
[30]
N. Husted and S. Myers. Mobile location tracking in metro areas: Malnets and others. In CCS, 2010.
[31]
IEEE Std 802.11--2012. Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, 2012.
[32]
IEEE Std 802.11u. Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications: Amendment 9: Interworking with External Networks, 2011.
[33]
S. Jana and S. K. Kasera. On fast and accurate detection of unauthorized wireless access points using clock skews. In MobiCom, 2008.
[34]
P. Leach, M. Mealling, and R. Salz. A universally unique identifier (UUID) URN namespace. RFC 4122 (Proposed Standard), July 2005.
[35]
J. Lindqvist, T. Aura, G. Danezis, T. Koponen, A. Myllyniemi, J. Maki, and M. Roe. Privacy-preserving 802.11 access-point discovery. In WiSec, 2009.
[36]
B. Misra. iOS 8 MAC randomization -- analyzed! http://blog.airtightnetworks.com/ios8-mac-randomization-analyzed/.
[37]
A. B. M. Musa and J. Eriksson. Tracking unmodified smartphones using Wi-Fi monitors. In SenSys, 2012.
[38]
B. O'Connor. CreepyDOL: Cheap, distributed stalking. In BlackHat, 2013.
[39]
J. Pang, B. Greenstein, R. Gummadi, S. Seshan, and D. Wetherall. 802.11 user fingerprinting. In MobiCom, 2007.
[40]
J. Pang, B. Greenstein, S. Seshan, and D. Wetherall. Tryst: The case for confidential service discovery. In HotNets, 2007.
[41]
J. Scahill and G. Greenwald. The NSA's secret role in the U.S. assassination program. The Intercept, 2014.
[42]
K. Skinner and J. Novak. Privacy and your app. In Apple Worldwide Dev. Conf. (WWDC), June 2015.
[43]
T. Stöber, M. Frank, J. Schmitt, and I. Martinovic. Who do you sync you are?: smartphone fingerprinting via application behaviour. In WiSec, 2013.
[44]
L. Wang and C. Tellambura. An overview of peak-to-average power ratio reduction techniques for OFDM systems. In IEEE ISSPIT, 2006.
[45]
W. Wang. Wireless networking in Windows 10. In Windows Hardware Engineering Community conference (WinHEC), Mar. 2015.
[46]
Wi-Fi Alliance. Hotspot 2.0 (Release 2) Technical Specification v1.1.0, 2010.
[47]
Wi-Fi Alliance. Wi-Fi Simple Configuration Protocol and Usability Best Practices for the Wi-Fi Protected Setup Program, v2.0.1, April 2011.

Cited By

View all
  • (2025)RSSI-based attacks for identification of BLE devicesComputers and Security10.1016/j.cose.2024.104080147:COnline publication date: 7-Jan-2025
  • (2024)Probing with a Generic MAC Address: An Alternative to MAC Address Randomisation2024 International Conference on Software, Telecommunications and Computer Networks (SoftCOM)10.23919/SoftCOM62040.2024.10721764(1-6)Online publication date: 26-Sep-2024
  • (2024)Spoofing Attack Detection in the Physical Layer with Robustness to User Movement2024 IEEE Wireless Communications and Networking Conference (WCNC)10.1109/WCNC57260.2024.10570909(1-6)Online publication date: 21-Apr-2024
  • Show More Cited By

Index Terms

  1. Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms

        Recommendations

        Comments

        Information & Contributors

        Information

        Published In

        cover image ACM Conferences
        ASIA CCS '16: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security
        May 2016
        958 pages
        ISBN:9781450342339
        DOI:10.1145/2897845
        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

        Sponsors

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        Published: 30 May 2016

        Permissions

        Request permissions for this article.

        Check for updates

        Author Tags

        1. 802.11
        2. 802.11u
        3. MAC address randomization
        4. anonymity
        5. fingerprinting
        6. hotspot 2.0
        7. karma attack
        8. privacy
        9. pseudonym
        10. scrambler
        11. tracking
        12. wi-fi
        13. wifi

        Qualifiers

        • Research-article

        Conference

        ASIA CCS '16
        Sponsor:

        Acceptance Rates

        ASIA CCS '16 Paper Acceptance Rate 73 of 350 submissions, 21%;
        Overall Acceptance Rate 418 of 2,322 submissions, 18%

        Contributors

        Other Metrics

        Bibliometrics & Citations

        Bibliometrics

        Article Metrics

        • Downloads (Last 12 months)255
        • Downloads (Last 6 weeks)8
        Reflects downloads up to 20 Feb 2025

        Other Metrics

        Citations

        Cited By

        View all
        • (2025)RSSI-based attacks for identification of BLE devicesComputers and Security10.1016/j.cose.2024.104080147:COnline publication date: 7-Jan-2025
        • (2024)Probing with a Generic MAC Address: An Alternative to MAC Address Randomisation2024 International Conference on Software, Telecommunications and Computer Networks (SoftCOM)10.23919/SoftCOM62040.2024.10721764(1-6)Online publication date: 26-Sep-2024
        • (2024)Spoofing Attack Detection in the Physical Layer with Robustness to User Movement2024 IEEE Wireless Communications and Networking Conference (WCNC)10.1109/WCNC57260.2024.10570909(1-6)Online publication date: 21-Apr-2024
        • (2024)Spoofing Detection in the Physical Layer with Graph Neural Networks2024 IEEE 99th Vehicular Technology Conference (VTC2024-Spring)10.1109/VTC2024-Spring62846.2024.10683545(1-6)Online publication date: 24-Jun-2024
        • (2024)Precise Wireless Camera Localization Leveraging Traffic-Aided Spatial AnalysisIEEE Transactions on Mobile Computing10.1109/TMC.2023.333327223:6(7256-7269)Online publication date: Jun-2024
        • (2024)Privacy-Preserving Randomized-MAC WiFi Client Counting with Short-Term-Coherent Waveform Features and a Bayesian Information Criterion2024 International Conference on Smart Applications, Communications and Networking (SmartNets)10.1109/SmartNets61466.2024.10577720(1-5)Online publication date: 28-May-2024
        • (2024)Surveilling the Masses with Wi-Fi-Based Positioning Systems2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00239(2831-2846)Online publication date: 19-May-2024
        • (2024)Practical Obfuscation of BLE Physical-Layer Fingerprints on Mobile Devices2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00073(2867-2885)Online publication date: 19-May-2024
        • (2024)MAC Address De-Randomization using Multi-Channel Sniffers and Two-Stage Clustering2024 IEEE 35th International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC)10.1109/PIMRC59610.2024.10817186(1-6)Online publication date: 2-Sep-2024
        • (2024)Third Eye: Inferring the State of Your Smartphone Through Wi-Fi2024 IEEE 49th Conference on Local Computer Networks (LCN)10.1109/LCN60385.2024.10639774(1-7)Online publication date: 8-Oct-2024
        • Show More Cited By

        View Options

        Login options

        View options

        PDF

        View or Download as a PDF file.

        PDF

        eReader

        View online with eReader.

        eReader

        Figures

        Tables

        Media

        Share

        Share

        Share this Publication link

        Share on social media