
Improving Privacy Through Fast Passive Wi-Fi Scanning

Secure IT Systems (NordSec 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11875)


Abstract

Traditionally, Wi-Fi networks are discovered by actively transmitting probe requests. The alternative, passive scanning, is rarely used because it is substantially slower. Unfortunately, active scanning can be abused to track users based on (physical) fingerprints of probe requests. Previous work attempted to address these issues by making active scanning more privacy-friendly. For instance, Franklin et al. proposed making implementations more uniform (USENIX Security 2006), and Lindqvist et al. suggested using encrypted probe requests (WiSec 2009). However, a better approach is to make passive scanning faster. This motivates vendors to use passive scanning, increasing the privacy of users.

Motivated by the above insight, we improve the performance of passive scanning. We implement our proposals on Android, and show the average time needed to connect to a known network using passive scanning now matches active scanning. Additionally, we implement a new network-discovery mechanism that drastically decreases scanning times, and present a new method to fingerprint Wi-Fi radios. All combined, our results show that passive scanning is a viable and more privacy-friendly alternative to active scanning.


Notes

  1. This is the file /system/etc/firmware/wlan/qca_cld/WCNSS_qcom_cfg.ini.

  2. Our code, including a build for the Nexus 5X, is available at https://github.com/vanhoefm/nordsec-passivescan.

  3. https://openwifi.su/download.php?lang=en.

References

  1. Arcia-Moret, A., Molina, L., Montavont, N., Castignani, G., Blanc, A.: Access point discovery in 802.11 networks. In: IFIP WD (2014)

  2. Barbera, M.V., Epasto, A., Mei, A., Perta, V.C., Stefa, J.: Signals from the crowd: uncovering social relationships through smartphone probes. In: IMC (2013)

  3. Bonne, B., Barzan, A., Quax, P., Lamotte, W.: WiFiPi: involuntary tracking of visitors at mass events. In: WoWMoM Workshop (2013)

  4. Brik, V., Banerjee, S., Gruteser, M., Oh, S.: Wireless device identification with radiometric signatures. In: MobiCom (2008)

  5. Campbell-Dollaghan, K.: Brave new garbage: London’s trash cans track you using your smartphone (2013)

  6. Castignani, G., Arcia, A., Montavont, N.: A study of the discovery process in 802.11 networks. ACM Mob. Comput. Commun. Rev. 15(1), 25–36 (2011)

  7. Cisco: Dynamic channel assignment (DCA). www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-1/mobility_express/b_RRM_White_Paper/b_RRM_White_Paper_chapter_0100.pdf. Accessed 1 Aug 2019

  8. Cisco Systems: Channel deployment issues for 2.4-GHz 802.11 WLANs (2004). xenguard.com/library/wifi/wifi-channels.pdf. Accessed 16 July 2018

  9. Franklin, J., McCoy, D., Tabriz, P., Neagoe, V., Randwyk, J.V., Sicker, D.: Passive data link layer 802.11 wireless device driver fingerprinting. In: USENIX Sec (2006)

  10. Freudiger, J.: How talkative is your mobile device? An experimental study of Wi-Fi probe requests. In: WiSec (2015)

  11. Greenstein, B., McCoy, D., Pang, J., Kohno, T., Seshan, S., Wetherall, D.: Improving wireless privacy with an identifier-free link layer protocol. In: MobiSys (2008)

  12. Gupta, V., Beyah, R., Corbett, C.: A characterization of wireless NIC active scanning algorithms. In: WCNC (2007)

  13. IEEE Std 802.11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Spec (2016)

  14. Khoury, P.: Multiple BSSID support. In: IEEE 802.11-16/0586r1 (2016)

  15. Kim, Y.S., Tian, Y., Nguyen, L.T., Tague, P.: LAPWiN: location-aided probing for protecting user privacy in Wi-Fi networks. In: CNS (2014)

  16. Lindqvist, J., Aura, T., Danezis, G., Koponen, T., Myllyniemi, A., Mäki, J., Roe, M.: Privacy-preserving 802.11 access-point discovery. In: WiSec (2009)

  17. Martin, J., et al.: A study of MAC address randomization in mobile devices and when it fails. PETS 2017(4), 365–383 (2017)

  18. Matte, C., Cunche, M., Franck, R., Vanhoef, M.: Defeating MAC address randomization through timing attacks. In: WiSec, July 2016

  19. Microsoft: Non-broadcast wireless SSIDs: why hidden wireless networks are a bad idea (2008). blogs.technet.microsoft.com. Accessed 16 July 2018

  20. Nicholson, A.J., Noble, B.D.: Breadcrumbs: Forecasting mobile connectivity. In: MobiCom (2008)

  21. Pang, J., Greenstein, B., Gummadi, R., Seshan, S., Wetherall, D.: 802.11 user fingerprinting. In: MobiCom (2007)

  22. Peddemors, A., Eertink, H., Niemegeers, I.: Predicting mobility events on personal devices. Pervasive Mob. Comput. 6(4), 401–423 (2010)

  23. Vanhoef, M., Matte, C., Cunche, M., Cardoso, L.S., Piessens, F.: Why MAC address randomization is not enough: an analysis of Wi-Fi network discovery mechanisms. In: Asia CCS (2016)

  24. ZyXel: Dynamic channel selection (DCS). https://www.zyxel.com/uploads/Dynamic_Channel_Selection_4.20.pdf. Accessed 1 Aug 2019

Acknowledgments

Gunes Acar and Mathy Vanhoef hold a Postdoctoral fellowship from the Research Foundation Flanders (FWO). This work is partially supported by the Research Fund KU Leuven and by the Center for Cyber Security at New York University Abu Dhabi (NYUAD).

Corresponding author

Correspondence to Mathy Vanhoef.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Goovaerts, F., Acar, G., Galvez, R., Piessens, F., Vanhoef, M. (2019). Improving Privacy Through Fast Passive Wi-Fi Scanning. In: Askarov, A., Hansen, R., Rafnsson, W. (eds) Secure IT Systems. NordSec 2019. Lecture Notes in Computer Science, vol 11875. Springer, Cham. https://doi.org/10.1007/978-3-030-35055-0_3

  • DOI: https://doi.org/10.1007/978-3-030-35055-0_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-35054-3

  • Online ISBN: 978-3-030-35055-0

  • eBook Packages: Computer Science (R0)
