Journal ArticleDOI

A Study of MAC Address Randomization in Mobile Devices and When it Fails

01 Oct 2017 - Vol. 2017, Iss. 4, pp. 365-383
TL;DR: In this paper, the authors present a wide-scale study of MAC address randomization in the wild, including a detailed breakdown of different randomization techniques by operating system, manufacturer, and model of device.
Abstract: MAC address randomization is a privacy technique whereby mobile devices rotate through random hardware addresses in order to prevent observers from singling out their traffic or physical location from other nearby devices. Adoption of this technology, however, has been sporadic and varied across device manufacturers. In this paper, we present the first wide-scale study of MAC address randomization in the wild, including a detailed breakdown of different randomization techniques by operating system, manufacturer, and model of device. We then identify multiple flaws in these implementations which can be exploited to defeat randomization as performed by existing devices. First, we show that devices commonly make improper use of randomization by sending wireless frames with the true, global address when they should be using a randomized address. We move on to extend the passive identification techniques of Vanhoef et al. to effectively defeat randomization in ~96% of Android phones. Finally, we show a method that can be used to track 100% of devices using randomization, regardless of manufacturer, by exploiting a previously unknown flaw in the way existing wireless chipsets handle low-level control frames.
Citations
01 Jan 2016
TL;DR: The 80211 wireless networks the definitive guide is universally compatible with any devices to read and is available in the book collection an online access to it is set as public so you can get it instantly.
Abstract: Thank you for reading 80211 wireless networks the definitive guide. As you may know, people have looked numerous times for their favorite books like this 80211 wireless networks the definitive guide, but end up in malicious downloads. Rather than reading a good book with a cup of tea in the afternoon, instead they cope with some infectious virus inside their computer. 80211 wireless networks the definitive guide is available in our book collection; an online access to it is set as public so you can get it instantly. Our digital library hosts in multiple countries, allowing you to get the lowest latency time to download any of our books like this one. Kindly say, the 80211 wireless networks the definitive guide is universally compatible with any devices to read.

96 citations

Proceedings ArticleDOI
01 Jan 2018
TL;DR: It is investigated whether the current implementation of the GUTI reallocation mechanism provides enough security to protect subscribers' privacy, and it is shown that, by using the predictability of reallocated GUTIs, an adversary can track subscribers' location as in previous studies.
Abstract: To keep subscribers’ identity confidential, a cellular network operator must use a temporary identifier instead of a permanent one according to the 3GPP standard. Temporary identifiers include Temporary Mobile Subscriber Identity (TMSI) and Globally Unique Temporary Identifier (GUTI) for GSM/3G and Long-Term Evolution (LTE) networks, respectively. Unfortunately, recent studies have shown that carriers fail to protect subscribers in both GSM/3G and LTE mainly because these identifiers have static and persistent values. These identifiers can be used to track subscribers’ locations. These studies have suggested that temporary identifiers must be reallocated frequently to solve this privacy problem. The only mechanism to update the temporary identifier in current LTE implementations is called GUTI reallocation. We investigate whether the current implementation of the GUTI reallocation mechanism can provide enough security to protect subscribers’ privacy. To do this, we collect data by performing GUTI reallocation more than 30,000 times with 28 carriers across 11 countries using 78 SIM cards. Then, we investigate whether (1) these reallocated GUTIs in each carrier show noticeable patterns and (2) if they do, these patterns are consistent among different SIM cards within each carrier. Among 28 carriers, 19 carriers have easily predictable and consistent patterns in their GUTI reallocation mechanisms. Among the remaining 9 carriers, we revisit 4 carriers to investigate them in greater detail. For all these 4 carriers, we could find interesting yet predictable patterns after invoking GUTI reallocation multiple times within a short time period. By using this predictability, we show that an adversary can track subscribers’ location as in previous studies. Finally, we present a lightweight and unpredictable GUTI reallocation mechanism as a solution.

68 citations

Journal ArticleDOI
01 Jul 2019
TL;DR: It is shown that it is possible to extract identifying tokens from the payload of advertising messages for tracking purposes, and an address-carryover algorithm is presented which exploits the asynchronous nature of payload and address changes to achieve tracking beyond the address randomization of a device.
Abstract: Bluetooth Low Energy (BLE) devices use public (non-encrypted) advertising channels to announce their presence to other devices. To prevent tracking on these public channels, devices may use a periodically changing, randomized address instead of their permanent Media Access Control (MAC) address. In this work we show that many state-of-the-art devices which are implementing such anonymization measures are vulnerable to passive tracking that extends well beyond their address randomization cycles. We show that it is possible to extract identifying tokens from the payload of advertising messages for tracking purposes. We present an address-carryover algorithm which exploits the asynchronous nature of payload and address changes to achieve tracking beyond the address randomization of a device. We furthermore identify an identity-exposing attack via a device accessory that allows permanent, non-continuous tracking, as well as an iOS side-channel which allows insights into user activity. Finally, we provide countermeasures against the presented algorithm and other privacy flaws in BLE advertising.

68 citations

Journal ArticleDOI
01 Oct 2019
TL;DR: It is shown that predictable sequence numbers in these frames can allow an adversary to track Apple devices across space and time, defeating existing anti-tracking techniques such as MAC address randomization.
Abstract: We investigate Apple's Bluetooth Low Energy (BLE) Continuity protocol, designed to support interoperability and communication between iOS and macOS devices, and show that the price for this seamless experience is leakage of identifying information and behavioral data to passive adversaries. First, we reverse engineer numerous Continuity protocol message types and identify data fields that are transmitted unencrypted. We show that Continuity messages are broadcast over BLE in response to actions such as locking and unlocking a device's screen, copying and pasting information, making and accepting phone calls, and tapping the screen while it is unlocked. Laboratory experiments reveal a significant flaw in the most recent versions of macOS that defeats BLE Media Access Control (MAC) address randomization entirely by causing the public MAC address to be broadcast. We demonstrate that the format and content of Continuity messages can be used to fingerprint the type and Operating System (OS) version of a device, as well as behaviorally profile users. Finally, we show that predictable sequence numbers in these frames can allow an adversary to track Apple devices across space and time, defeating existing anti-tracking techniques such as MAC address randomization.

47 citations

Journal ArticleDOI
TL;DR: Wang et al. propose a comprehensive data analysis framework to fully analyze the collected probe requests and extract three types of patterns related to crowd behaviors in a large social event, with the help of statistics, visualization, and unsupervised machine learning.
Abstract: Understanding crowd behaviors in a large social event is crucial for event management. Passive WiFi sensing, by collecting WiFi probe requests sent from mobile devices, provides a better way to monitor crowds compared with people counters and cameras in terms of freedom from interference, larger coverage, lower cost, and more information on people's movement. In the existing studies, however, not enough attention has been paid to the thorough analysis and mining of collected data. Especially, the power of machine learning has not been fully exploited. In this article, therefore, we propose a comprehensive data analysis framework to fully analyze the collected probe requests to extract three types of patterns related to crowd behaviors in a large social event, with the help of statistics, visualization, and unsupervised machine learning. First, trajectories of the mobile devices are extracted from probe requests and analyzed to reveal the spatial patterns of the crowds' movement. Hierarchical agglomerative clustering is adopted to find the interconnections between different locations. Next, $k$-means and $k$-shape clustering algorithms are applied to extract temporal visiting patterns of the crowds by days and locations, respectively. Finally, by combining with time, trajectories are transformed into spatiotemporal patterns, which reveal how trajectory duration changes over the length and how the overall trends of crowd movement change over time. The proposed data analysis framework is fully demonstrated using real-world data collected in a large social event. Results show that one can extract comprehensive patterns from data collected by a network of passive WiFi sensors.

40 citations

References
Book
01 Apr 2002
TL;DR: After a general introduction to wireless networks, this practical book moves quickly into the gory details of the 802.11 standard, with a clear, no-nonsense guide for using 802.11 on Windows and Linux, using and selecting access points, making deployment considerations, and seeing to 802.
Abstract: From the Publisher: As a network administrator, architect, or security professional, you need to understand the capabilities, limitations, and risks associated with integrating wireless LAN technology into your current infrastructure. 802.11 Wireless Networks: The Definitive Guide provides all the information necessary to analyze and deploy wireless networks with confidence. Over the past five years, the world has become increasingly mobile. Traditional ways of networking have altered to accommodate new lifestyles and ways of working. Wireless networks offer several advantages over fixed (or "wired") networks, with mobility, flexibility, ease and speed of deployment, and low cost at the top of the list. Large productivity gains are possible when developers, students, and professionals are able to access data on the move. Ad-hoc meetings in the lunch room, library, or across the street in the cafe allow you to develop ideas collaboratively and act on them right away. Wireless networks are typically very flexible, which can translate into rapid deployment. Once the infrastructure is in place, adding new users is just a matter of authorization. After a general introduction to wireless networks, this practical book moves quickly into the gory details of the 802.11 standard. If you ever need to debug a wireless network that isn't working properly, you'd better understand this material. 802.11 MAC (Media Access Control), detailed 802.11 framing, WEP (Wired Equivalent Privacy protocol), 802.1x, management operations, and the PCF (point coordination function) are all covered in detail. Author Matthew Gast also supplies impressive detail on the physical layers. As for getting a wireless network up and running, Gast offers a clear, no-nonsense guide for using 802.11 on Windows and Linux, using and selecting access points, making deployment considerations, and seeing to 802.11 network monitoring and performance tuning. In the final section of the book, he summarizes the standardization work pending in the 802.11 working group. If you're looking for one book that provides a full spectrum view of 802.11, from the minute details of the specification, to deployment, monitoring, and troubleshooting, 802.11 Wireless Networks: The Definitive Guide is worth its weight in gold.

773 citations

Proceedings Article
31 Jul 2006
TL;DR: A unique fingerprinting technique is developed that accurately and efficiently identifies the wireless driver without modification to or cooperation from a wireless device.
Abstract: Motivated by the proliferation of wireless-enabled devices and the suspect nature of device driver code, we develop a passive fingerprinting technique that identifies the wireless device driver running on an IEEE 802.11 compliant device. This technique is valuable to an attacker wishing to conduct reconnaissance against a potential target so that he may launch a driver-specific exploit. In particular, we develop a unique fingerprinting technique that accurately and efficiently identifies the wireless driver without modification to or cooperation from a wireless device. We perform an evaluation of this fingerprinting technique that shows it both quickly and accurately fingerprints wireless device drivers in real world wireless network conditions. Finally, we discuss ways to prevent fingerprinting that will aid in improving the security of wireless communication for devices that employ 802.11 networking.

285 citations

Proceedings ArticleDOI
06 Nov 2012
TL;DR: In this paper, the authors proposed a trajectory estimation method based on Viterbi's algorithm which takes second-by-second detections of a moving device as input, and produces the most likely spatio-temporal path taken.
Abstract: Smartphones with Wi-Fi enabled periodically transmit Wi-Fi messages, even when not associated to a network. In one 12-hour trial on a busy road (average daily traffic count 37,000 according to the state DOT), 7,000 unique devices were detected by a single road-side monitoring station, or about 1 device for every 5 vehicles. In this paper, we describe a system for passively tracking unmodified smartphones, based on such Wi-Fi detections. This system uses only common, off-the-shelf access point hardware to both collect and deliver detections. Thus, in addition to high detection rates, it potentially offers very low equipment and installation cost. However, the long range and sparse nature of our opportunistically collected Wi-Fi transmissions presents a significant localization challenge. We propose a trajectory estimation method based on Viterbi's algorithm which takes second-by-second detections of a moving device as input, and produces the most likely spatio-temporal path taken. In addition, we present several methods that prompt passing devices to send additional messages, increasing detection rates, and use signal strength for improved accuracy. Based on our experimental evaluation from one 9-month deployment and several single-day deployments, passive Wi-Fi tracking detects a large fraction of passing smartphones, and produces high-accuracy trajectory estimates.

271 citations

Proceedings ArticleDOI
09 Sep 2007
TL;DR: It is shown that even a single implicit identifier is sufficient to distinguish many users, and it is argued that design considerations beyond eliminating explicit identifiers must be addressed in order to prevent user tracking in wireless networks.
Abstract: The ubiquity of 802.11 devices and networks enables anyone to track our every move with alarming ease. Each 802.11 device transmits a globally unique and persistent MAC address and thus is trivially identifiable. In response, recent research has proposed replacing such identifiers with pseudonyms (i.e., temporary, unlinkable names). In this paper, we demonstrate that pseudonyms are insufficient to prevent tracking of 802.11 devices because implicit identifiers, or identifying characteristics of 802.11 traffic, can identify many users with high accuracy. For example, even without unique names and addresses, we estimate that an adversary can identify 64% of users with 90% accuracy when they spend a day at a busy hot spot. We present an automated procedure based on four previously unrecognized implicit identifiers that can identify users in three real 802.11 traces even when pseudonyms and encryption are employed. We find that the majority of users can be identified using our techniques, but our ability to identify users is not uniform; some users are not easily identifiable. Nonetheless, we show that even a single implicit identifier is sufficient to distinguish many users. Therefore, we argue that design considerations beyond eliminating explicit identifiers (i.e., unique names and addresses) must be addressed in order to prevent user tracking in wireless networks.

232 citations

Proceedings ArticleDOI
30 May 2016
TL;DR: This work presents several novel techniques to track (unassociated) mobile devices by abusing features of the Wi-Fi standard, and shows that using random MAC addresses, on its own, does not guarantee privacy.
Abstract: We present several novel techniques to track (unassociated) mobile devices by abusing features of the Wi-Fi standard. This shows that using random MAC addresses, on its own, does not guarantee privacy. First, we show that information elements in probe requests can be used to fingerprint devices. We then combine these fingerprints with incremental sequence numbers, to create a tracking algorithm that does not rely on unique identifiers such as MAC addresses. Based on real-world datasets, we demonstrate that our algorithm can correctly track as much as 50% of devices for at least 20 minutes. We also show that commodity Wi-Fi devices use predictable scrambler seeds. These can be used to improve the performance of our tracking algorithm. Finally, we present two attacks that reveal the real MAC address of a device, even if MAC address randomization is used. In the first one, we create fake hotspots to induce clients to connect using their real MAC address. The second technique relies on the new 802.11u standard, commonly referred to as Hotspot 2.0, where we show that Linux and Windows send Access Network Query Protocol (ANQP) requests using their real MAC address.

186 citations