Probing for Passwords – Privacy Implications of SSIDs in Probe Requests

  • Conference paper
Applied Cryptography and Network Security (ACNS 2022)

Abstract

Probe requests help mobile devices discover active Wi-Fi networks. They often contain a multitude of data that can be used to identify and track devices and thereby their users. The past years have been a cat-and-mouse game of improving fingerprinting and introducing countermeasures against fingerprinting.

This paper analyses the content of probe requests sent by mobile devices and operating systems in a field experiment. In it, we discover that users (probably by accident) input a wealth of data into the SSID field and find passwords, e-mail addresses, names and holiday locations. With these findings we underline that probe requests should be considered sensitive data and be well protected. To preserve user privacy, we suggest and evaluate a privacy-friendly hash-based construction of probe requests and improved user controls.

Notes

  1. https://www.wigle.net.

Acknowledgements

We would like to thank our reviewers for their valuable and constructive feedback.

Corresponding author

Correspondence to Johanna Ansohn McDougall.

A Appendix

A.1 Ethical collection of probe requests

Following approval by, and in coordination with, the ethics committee of the informatics faculty of the University of Hamburg, we took the following measures to respect and protect users’ privacy rights:

  • During the experiment, we set up a clearly visible sign announcing the ongoing probe request monitoring, including information on how to contact the person in charge.

  • We informed and obtained consent from building management to conduct the experiment.

  • We provided an option to remove recorded probe requests should participants state their non-consent.

  • We used off-the-shelf wireless USB antennae with a limited range to narrow the radius of our measurement.

  • In case the data set contains personal information, we either anonymise it before storing, or delete it directly after analysing it.

  • Any personal data is stored securely, both technically as well as organisationally, to prevent misuse.

  • To preserve location privacy, we limit the number of decimal places of the coordinates returned by WiGLE to 2, thereby giving an approximate 1-kilometre radius within which the actual network can be found.

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Cite this paper

Ansohn McDougall, J., Burkert, C., Demmler, D., Schwarz, M., Hubbe, V., Federrath, H. (2022). Probing for Passwords – Privacy Implications of SSIDs in Probe Requests. In: Ateniese, G., Venturi, D. (eds) Applied Cryptography and Network Security. ACNS 2022. Lecture Notes in Computer Science, vol 13269. Springer, Cham. https://doi.org/10.1007/978-3-031-09234-3_19

  • DOI: https://doi.org/10.1007/978-3-031-09234-3_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-09233-6

  • Online ISBN: 978-3-031-09234-3

  • eBook Packages: Computer Science, Computer Science (R0)
