Julien Freudiger, PARC (A Xerox Company) How Talkative is your Mobile Device? An experimental Study of Wi-Fi Probe Requests Julien Freudiger, PARC (A Xerox Company) Hi everyone, I am Julien Freudiger. Today, I would like to talk about a privacy threat that we are all currently experiencing, and that is yet very invisible: that of WiFi probe requests. I decided to use this magnificent photograph from Andreas Gursky to illustrate an industry that is benefiting from WiFi probe requests for location analytics: retail stores. So what are we talking about here? Andreas Gursky, 99 cents

Passive Network Discovery Router Beacons Network discovery is a set of methods used by mobile devices to discover nearby networks. There are mainly two ways to do so, passive and active. Passive network discovery is currently used by WiFi access points across the world. It consists of WiFi beacons that are broadcasted at regular intervals. Mobile devices listen for those beacons and can attempt to associated with the access points. The main issues with beacons is that network discovery tends to be slow, since beacons are transmitted on a channel at a time, and energy consuming since devices must listen for them continuously.

Active Network Discovery Router Probe Response Probe Requests With active network discovery, mobile devices send probe requests. By actively sending WiFi probes, a mobile device can keep the Wi-Fi radio on for just a few milliseconds, the amount of time it takes for a probe response to be received, and quickly discover nearby networks. It is thus fast, and energy efficient. It also supports user mobility and hidden networks. All mobile devices in the world, laptops, smart phones, smart watches, support active network discovery and make use of it on a daily basis. Fast Energy efficient Supports mobility Supports hidden networks

Threat Wi-Fi Probe Requests Easy to collect by passive eavesdropper Are non-encrypted Contain MAC address May contain SSID Easy to collect by passive eavesdropper Setup sniffing material Mobile Location Analytics As a result, an industry of service providers started piggybacking on probe requests to track user locations over time. This enables the industry to track users inside retail stores, and study which products attract attention, how long customers stay in stores, and the path they follow. This is often used in conjunction with surveillance cameras for better user tracking and identification. Our goal in this work is not to challenge this existing business model, but to better understand the potential privacy threats.

Research Questions How can we design an experiment to efficiently collect Wi-Fi probe requests? When and how often are Wi-Fi probe requests broadcasted? What about privacy mechanisms in place? In particular, with this paper, we seek to investigate the following research questions

Experimental Setup How many antennas? Which mobile devices? Sniffer First, we must design an experimental system that enables the capture of as many wifi probe requests as possible. We experimented with as many as three sniffing antennas, support 802.11 b/g/n channels. 2.4GHz 5GHz 11 channels 21 channels

Charged, connected to charger, no apps running, Bluetooth off, locked Mobile Devices We selected a series of mobile devices that represents more than 95% of mobile OS usage. For Android devices, we assume that Google Services are enabled. iPhone 6 iOS 8.1.3 Nexus 5 Android L 5.0.1 Samsung Galaxy S3 CyanogenMod 11 Android 4.4.2 Blackberry Q10 OS 10.3.1 Charged, connected to charger, no apps running, Bluetooth off, locked

Capture Configurations We collect data for exactly one hour in each experiment, repeat each experiment 5 times, and then average our measurements. We setup the Samsung Galaxy S3 in default configuration and test a series of capture configurations. We find that setting up three antennas in a static manner (each sniffing a fixed WiFi channel) gave the best results (3.static): We collected the highest average number of proves, and missed few probes. We estimate the number of missed probes using the sequence number contained in wifi probe requests.

Regular bursts of Wi-Fi probe requests Probing Bursts Another interesting observation is that WiFi probe requests are sent in bursts. The image above shows the number of probe requests sent per second by the Samsung Galaxy S3. We observe that many probes are sent within the same second, and a regular broadcasting pattern is clearly visible. Regular bursts of Wi-Fi probe requests

Known SSIDs On average, Android L and 4.4.2 >1000 iOS ~100 We then tested the effect of the number of SSIDs known to a device on the average number of broadcasted probes. Our hypothesis is that the more SSIDs are stored in a device memory (i.e., the user connected its device to many different SSIDs in the past), the more probe requests will be sent. We observe that this is try for Android 4.4.2. Fortunately, others Oses seem to not exhibit such properties. On average, Android L and 4.4.2 >1000 iOS ~100 Blackberry 0

Know Networks Frequency 0 Known SSIDs 4 Known SSIDs 20 Known SSIDs Then we fix the set of known SSIDs to 0, 4, and 20 and check the bursting behavior over time. We observe that as the number of known SSIDs increases, the distribution of probe requests over time changes and approaches an exponential distribution: Probes tend to be sent over short periods of time, and with decreasing probability. This means that among the attendance today, most of you are broadcasting probe requests at a regular interval. With 4 known SSIDs, Android L broadcasts every 66 seconds, Android 4.4.2 every 72 seconds, iOS every 330 seconds

Device Configurations We observe that NotCharging and AirplaneOn do not have much of an effect. Wi-FiSettingsOn increases the number of broadcasted probes for Android 4.4.2 and iOS 8.1.3, but not for Android L 5.0.1. In contrast, device unlocking (ScreenOn) dramatically increases the number of probes for Android 4.4.2 and iOS 8.1.3, and to a lesser extent, for Android L 5.0.1. Once connected to Wi-Fi (Wi-FiConnected), most devices stop transmitting probes, except Android L which surprisingly continues broadcasting. WiFiConnected: Android L continues broadcast KnownInProximity: Android 4.4.2 broadcasts a lot more

Privacy Protection 121 probes with true MAC address, iOS privacy mechanism randomizes MAC addresses over time. Careful analysis of sequence numbers (SEQ) in probe requests reveals that it is possible to link packets sent by the same device using different MAC addresses. This bug was duly reported to Apple. 121 probes with true MAC address, and could re-identify 16 randomized probes

Opt-Out? Self-regulated code of conduct by Future of Privacy Forum https://optout.smart-places.org https://www.ftc.gov/system/files/documents/public_comments/2014/03/00002-88948.pdf I doubt many of you in this room have opted-out given how few people are aware that this threat actually exists. The industry claims not to collect any personal data about individuals, but then use cameras, and provide male/female/kids statistics. Self-regulation effort is great, but there should be also individual control.

Conclusion We quantify threat posed by Wi-Fi probe requests Third parties can monitor billions of mobile device precisely today (approx. every minute) Possible to re-identify iOS randomized probes Privacy-conscious users might be wise to turn off their Wi-Fi interface when not in use Future Work Test other configurations Test other re-identification attacks In summary, as of 2015, billions of smartphones in the world are publicly broadcasting their unique identifiers at a high frequency. Although wireless network discovery is an important problem, privacy consequences seem at odds with technical gains associated with active network discovery.