Presentation is loading. Please wait.

Presentation is loading. Please wait.

Julien Freudiger, PARC (A Xerox Company)

Published byMyles Shields Modified over 8 years ago

Similar presentations

Presentation on theme: "Julien Freudiger, PARC (A Xerox Company)"— Presentation transcript:

1 Julien Freudiger, PARC (A Xerox Company)
How Talkative is your Mobile Device? An experimental Study of Wi-Fi Probe Requests Julien Freudiger, PARC (A Xerox Company) Hi everyone, I am Julien Freudiger. Today, I would like to talk about a privacy threat that we are all currently experiencing, and that is yet very invisible: that of WiFi probe requests. I decided to use this magnificent photograph from Andreas Gursky to illustrate an industry that is benefiting from WiFi probe requests for location analytics: retail stores. So what are we talking about here? Andreas Gursky, 99 cents

2 Passive Network Discovery
Router Beacons Network discovery is a set of methods used by mobile devices to discover nearby networks. There are mainly two ways to do so, passive and active. Passive network discovery is currently used by WiFi access points across the world. It consists of WiFi beacons that are broadcasted at regular intervals. Mobile devices listen for those beacons and can attempt to associated with the access points. The main issues with beacons is that network discovery tends to be slow, since beacons are transmitted on a channel at a time, and energy consuming since devices must listen for them continuously.

3 Active Network Discovery
Router Probe Response Probe Requests With active network discovery, mobile devices send probe requests. By actively sending WiFi probes, a mobile device can keep the Wi-Fi radio on for just a few milliseconds, the amount of time it takes for a probe response to be received, and quickly discover nearby networks. It is thus fast, and energy efficient. It also supports user mobility and hidden networks. All mobile devices in the world, laptops, smart phones, smart watches, support active network discovery and make use of it on a daily basis. Fast Energy efficient Supports mobility Supports hidden networks

4 Threat Wi-Fi Probe Requests Easy to collect by passive eavesdropper
Are non-encrypted Contain MAC address May contain SSID Easy to collect by passive eavesdropper Setup sniffing material Mobile Location Analytics As a result, an industry of service providers started piggybacking on probe requests to track user locations over time. This enables the industry to track users inside retail stores, and study which products attract attention, how long customers stay in stores, and the path they follow. This is often used in conjunction with surveillance cameras for better user tracking and identification. Our goal in this work is not to challenge this existing business model, but to better understand the potential privacy threats.

5 Research Questions How can we design an experiment to efficiently collect Wi-Fi probe requests? When and how often are Wi-Fi probe requests broadcasted? What about privacy mechanisms in place? In particular, with this paper, we seek to investigate the following research questions

6 Experimental Setup How many antennas? Which mobile devices? Sniffer
First, we must design an experimental system that enables the capture of as many wifi probe requests as possible. We experimented with as many as three sniffing antennas, support b/g/n channels. 2.4GHz 5GHz 11 channels 21 channels

7 Charged, connected to charger, no apps running, Bluetooth off, locked
Mobile Devices We selected a series of mobile devices that represents more than 95% of mobile OS usage. For Android devices, we assume that Google Services are enabled. iPhone 6 iOS 8.1.3 Nexus 5 Android L 5.0.1 Samsung Galaxy S3 CyanogenMod 11 Android 4.4.2 Blackberry Q10 OS Charged, connected to charger, no apps running, Bluetooth off, locked

8 Capture Configurations
We collect data for exactly one hour in each experiment, repeat each experiment 5 times, and then average our measurements. We setup the Samsung Galaxy S3 in default configuration and test a series of capture configurations. We find that setting up three antennas in a static manner (each sniffing a fixed WiFi channel) gave the best results (3.static): We collected the highest average number of proves, and missed few probes. We estimate the number of missed probes using the sequence number contained in wifi probe requests.

9 Regular bursts of Wi-Fi probe requests
Probing Bursts Another interesting observation is that WiFi probe requests are sent in bursts. The image above shows the number of probe requests sent per second by the Samsung Galaxy S3. We observe that many probes are sent within the same second, and a regular broadcasting pattern is clearly visible. Regular bursts of Wi-Fi probe requests

10 Known SSIDs On average, Android L and 4.4.2 >1000 iOS ~100
We then tested the effect of the number of SSIDs known to a device on the average number of broadcasted probes. Our hypothesis is that the more SSIDs are stored in a device memory (i.e., the user connected its device to many different SSIDs in the past), the more probe requests will be sent. We observe that this is try for Android Fortunately, others Oses seem to not exhibit such properties. On average, Android L and >1000 iOS ~100 Blackberry 0

11 Know Networks Frequency
0 Known SSIDs 4 Known SSIDs 20 Known SSIDs Then we fix the set of known SSIDs to 0, 4, and 20 and check the bursting behavior over time. We observe that as the number of known SSIDs increases, the distribution of probe requests over time changes and approaches an exponential distribution: Probes tend to be sent over short periods of time, and with decreasing probability. This means that among the attendance today, most of you are broadcasting probe requests at a regular interval. With 4 known SSIDs, Android L broadcasts every 66 seconds, Android every 72 seconds, iOS every 330 seconds

12 Device Configurations
We observe that NotCharging and AirplaneOn do not have much of an effect. Wi-FiSettingsOn increases the number of broadcasted probes for Android and iOS 8.1.3, but not for Android L In contrast, device unlocking (ScreenOn) dramatically increases the number of probes for Android and iOS 8.1.3, and to a lesser extent, for Android L Once connected to Wi-Fi (Wi-FiConnected), most devices stop transmitting probes, except Android L which surprisingly continues broadcasting. WiFiConnected: Android L continues broadcast KnownInProximity: Android broadcasts a lot more

13 Privacy Protection 121 probes with true MAC address,
iOS privacy mechanism randomizes MAC addresses over time. Careful analysis of sequence numbers (SEQ) in probe requests reveals that it is possible to link packets sent by the same device using different MAC addresses. This bug was duly reported to Apple. 121 probes with true MAC address, and could re-identify 16 randomized probes

14 Opt-Out? Self-regulated code of conduct by Future of Privacy Forum I doubt many of you in this room have opted-out given how few people are aware that this threat actually exists. The industry claims not to collect any personal data about individuals, but then use cameras, and provide male/female/kids statistics. Self-regulation effort is great, but there should be also individual control.

15 Conclusion We quantify threat posed by Wi-Fi probe requests
Third parties can monitor billions of mobile device precisely today (approx. every minute) Possible to re-identify iOS randomized probes Privacy-conscious users might be wise to turn off their Wi-Fi interface when not in use Future Work Test other configurations Test other re-identification attacks In summary, as of 2015, billions of smartphones in the world are publicly broadcasting their unique identifiers at a high frequency. Although wireless network discovery is an important problem, privacy consequences seem at odds with technical gains associated with active network discovery.

Download ppt "Julien Freudiger, PARC (A Xerox Company)"

Similar presentations

SECURING WIRELESS LANS PRESENTED BY VICTOR C. NWALA CS555 Department of Computer Science Old Dominion University.

SECURING WIRELESS LANS PRESENTED BY VICTOR C. NWALA CS555 Department of Computer Science Old Dominion University.
310KM M-Commerce Application Cheuk Ting Hei, Ng Ka Ming, Yuen Chun Pong.

310KM M-Commerce Application Cheuk Ting Hei, Ng Ka Ming, Yuen Chun Pong.
Android Power Calculations Approaches and Best Practice Hafed Alghamdi.

Android Power Calculations Approaches and Best Practice Hafed Alghamdi.
Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.

Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.
Chung Man Ho Willims Chow Man Kei Gary Kwok Pak Wai Lion.

Chung Man Ho Willims Chow Man Kei Gary Kwok Pak Wai Lion.
Hidden Apps Carrier IQ and Privacy in Mobile Devices.

Hidden Apps Carrier IQ and Privacy in Mobile Devices.
CCNA Exploration Semester 3 Modified by Profs. Ward and Cappellino

CCNA Exploration Semester 3 Modified by Profs. Ward and Cappellino
 Any unauthorized device that provides wireless access  Implemented using software, hardware, or a combination of both  It can be intentional or unintentionally.

 Any unauthorized device that provides wireless access  Implemented using software, hardware, or a combination of both  It can be intentional or unintentionally.
802.11 Networks Olga Agnew Bryant Likes Daewon Seo.

Networks Olga Agnew Bryant Likes Daewon Seo.
Privecsg-15-0017-01-0000 1 Tracking of Link Layer Identifiers Date: [2015-01-15] Authors: NameAffiliationPhone Juan Carlos ZúñigaInterDigital

Privecsg Tracking of Link Layer Identifiers Date: [ ] Authors: NameAffiliationPhone Juan Carlos ZúñigaInterDigital
Professor Michael J. Losacco CIS 1150 – Introduction to Computer Information Systems System Software Chapter 4.

Professor Michael J. Losacco CIS 1150 – Introduction to Computer Information Systems System Software Chapter 4.
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
Dell Venue 7 & 8 Android Tablet. Agenda Know Your Tablet Do’s & Don’ts Insertion of Sim/Charging Devices/Power ON & OFF Basic Troubleshooting Install.

Dell Venue 7 & 8 Android Tablet. Agenda Know Your Tablet Do’s & Don’ts Insertion of Sim/Charging Devices/Power ON & OFF Basic Troubleshooting Install.
Wireless(review). 802.11a (1999) 802.11a speed ◦ 54 Mb/s & frequency of 5 GHz Used by ◦ Government buildings ◦ Older style networks.

Wireless(review) a (1999) a speed ◦ 54 Mb/s & frequency of 5 GHz Used by ◦ Government buildings ◦ Older style networks.
Firewalls CS158B Don Tran. What is a Firewall? A firewall can be a program or a device that controls access to a network.

Firewalls CS158B Don Tran. What is a Firewall? A firewall can be a program or a device that controls access to a network.
195Eg Ethernet Wired LAN 195Eg. Wireless Ethernet Setting IP Address Using Utility Programs Begin Programming Definition Selection Programming Modes of.

195Eg Ethernet Wired LAN 195Eg. Wireless Ethernet Setting IP Address Using Utility Programs Begin Programming Definition Selection Programming Modes of.
CS378 - Mobile Computing Connecting Devices. How to pass data between devices? – Chat – Games – Driving Options: – Use the cloud and a service such as.

CS378 - Mobile Computing Connecting Devices. How to pass data between devices? – Chat – Games – Driving Options: – Use the cloud and a service such as.
Android 5.0 “Lollipop” Eric Moore Computer Users Group of Greeley February 14, 2015.

Android 5.0 “Lollipop” Eric Moore Computer Users Group of Greeley February 14, 2015.
Shared success Outline What is network security? Why do we need security? Who is vulnerable? Common security attacks and countermeasures. How to secure.

Shared success Outline What is network security? Why do we need security? Who is vulnerable? Common security attacks and countermeasures. How to secure.
Wi-Fi Wireless LANs Dr. Adil Yousif. What is a Wireless LAN  A wireless local area network(LAN) is a flexible data communications system implemented.

Wi-Fi Wireless LANs Dr. Adil Yousif. What is a Wireless LAN  A wireless local area network(LAN) is a flexible data communications system implemented.

Similar presentations

Ads by Google