Improving Privacy Through Fast Passive Wi-Fi Scanning

  • Frederik Goovaerts
  • Gunes Acar
  • Rafael Galvez
  • Frank Piessens
  • Mathy VanhoefEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11875)


Traditionally, Wi-Fi networks are discovered by actively transmitting probe requests. The alternative, passive scanning, is rarely used because it is substantially slower. Unfortunately, active scanning can be abused to track users based on (physical) fingerprints of probe requests. Previous work attempted to address these issues by making active scanning more privacy-friendly. For instance, Franklin et al. proposed to make implementations more uniform (USENIX Security 2006), and Lindqvist et al. suggested to use encrypted probe requests (WiSec 2009). However, a better approach is to make passive scanning faster. This motivates vendors to use passive scanning, increasing the privacy of users.

Motivated by the above insight, we improve the performance of passive scanning. We implement our proposals on Android, and show the average time needed to connect to a known network using passive scanning now matches active scanning. Additionally, we implement a new network-discovery mechanism that drastically decreases scanning times, and present a new method to fingerprint Wi-Fi radios. All combined, our results show that passive scanning is a viable and more privacy-friendly alternative to active scanning.


Tracking Anonymity Passive scanning Priority scanning 



Gunes Acar and Mathy Vanhoef hold a Postdoctoral fellowship from the Research Foundation Flanders (FWO). This work is partially supported by the Research Fund KU Leuven and by the Center for Cyber Security at New York University Abu Dhabi (NYUAD).


  1. 1.
    Arcia-Moret, A., Molina, L., Montavont, N., Castignani, G., Blanc, A.: Access point discovery in 802.11 networks. In: IFIP WD (2014)Google Scholar
  2. 2.
    Barbera, M.V., Epasto, A., Mei, A., Perta, V.C., Stefa, J.: Signals from the crowd: uncovering social relationships through smartphone probes. In: IMC (2013)Google Scholar
  3. 3.
    Bonne, B., Barzan, A., Quax, P., Lamotte, W.: WiFiPi: involuntary tracking of visitors at mass events. In: WoWMoM Workshop (2013)Google Scholar
  4. 4.
    Brik, V., Banerjee, S., Gruteser, M., Oh, S.: Wireless device identification with radiometric signatures. In: MobiCom (2008)Google Scholar
  5. 5.
    Campbell-Dollaghan, K.: Brave new garbage: London’s trash cans track you using your smartphone (2013)Google Scholar
  6. 6.
    Castignani, G., Arcia, A., Montavont, N.: A study of the discovery process in 802.11 networks. ACM Mob. Comput. Commun. Rev. 15(1), 25–36 (2011)CrossRefGoogle Scholar
  7. 7.
  8. 8.
    Cisco Systems: Channel deployment issues for 2.4-GHz 802.11 WLANs (2004). Accessed 16 July 2018
  9. 9.
    Franklin, J., McCoy, D., Tabriz, P., Neagoe, V., Randwyk, J.V., Sicker, D.: Passive data link layer 802.11 wireless device driver fingerprinting. In: USENIX Sec (2006)Google Scholar
  10. 10.
    Freudiger, J.: How talkative is your mobile device? An experimental study of Wi-Fi probe requests. In: WiSec (2015)Google Scholar
  11. 11.
    Greenstein, B., McCoy, D., Pang, J., Kohno, T., Seshan, S., Wetherall, D.: Improving wireless privacy with an identifier-free link layer protocol. In: MobiSys (2008)Google Scholar
  12. 12.
    Gupta, V., Beyah, R., Corbett, C.: A characterization of wireless NIC active scanning algorithms. In: WCNC (2007)Google Scholar
  13. 13.
    IEEE Std 802.11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Spec (2016)Google Scholar
  14. 14.
    Khoury, P.: Multiple BSSID support. In: IEEE 802.11-16/0586r1 (2016)Google Scholar
  15. 15.
    Kim, Y.S., Tian, Y., Nguyen, L.T., Tague, P.: LAPWiN: location-aided probing for protecting user privacy in Wi-Fi networks. In: CNS (2014)Google Scholar
  16. 16.
    Lindqvist, J., Aura, T., Danezis, G., Koponen, T., Myllyniemi, A., Mäki, J., Roe, M.: Privacy-preserving 802.11 access-point discovery. In: WiSec (2009)Google Scholar
  17. 17.
    Martin, J., et al.: A study of MAC address randomization in mobile devices and when it fails. PETS 2017(4), 365–383 (2017)Google Scholar
  18. 18.
    Matte, C., Cunche, M., Franck, R., Vanhoef, M.: Defeating MAC address randomization through timing attacks. In: WiSec, July 2016Google Scholar
  19. 19.
    Microsoft: Non-broadcast wireless SSIDs: why hidden wireless networks are a bad idea (2008). Accessed 16 July 2018
  20. 20.
    Nicholson, A.J., Noble, B.D.: Breadcrumbs: Forecasting mobile connectivity. In: MobiCom (2008)Google Scholar
  21. 21.
    Pang, J., Greenstein, B., Gummadi, R., Seshan, S., Wetherall, D.: 802.11 user fingerprinting. In: MobiCom (2007)Google Scholar
  22. 22.
    Peddemors, A., Eertink, H., Niemegeers, I.: Predicting mobility events on personal devices. Pervasive Mob. Comput. 6(4), 401–423 (2010)CrossRefGoogle Scholar
  23. 23.
    Vanhoef, M., Matte, C., Cunche, M., Cardoso, L.S., Piessens, F.: Why MAC address randomization is not enough: an analysis of Wi-Fi network discovery mechanisms. In: Asia CCS (2016)Google Scholar
  24. 24.
    ZyXel: Dynamic channel selection (DCS). Accessed 1 Aug 2019

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Frederik Goovaerts
    • 1
  • Gunes Acar
    • 2
  • Rafael Galvez
    • 2
  • Frank Piessens
    • 1
  • Mathy Vanhoef
    • 1
    • 3
    Email author
  1. 1.imec-DistriNetKU LeuvenLeuvenBelgium
  2. 2.imec-COSICKU LeuvenLeuvenBelgium
  3. 3.New York University Abu DhabiAbu DhabiUnited Arab Emirates

Personalised recommendations