The pitfalls of address randomization in wireless networks


1 The pitfalls of address randomization in wireless networks
doc.: IEEE yy/xxxxr0
July 2019
Author: Mathieu Cunche (Univ. Lyon, INSA Lyon, Inria, CITI)

2 Abstract
Address randomization has been adopted by vendors as a technique to protect users against passive tracking. This anti-tracking mechanism can be undermined by some elements of transmitted frames. Those issues should be carefully considered by developers.

3 Tracking people using radio signals
Set of sensors capturing identifiers found in frames
User detection and tracking

4 Discovery protocols in wireless networks
Discovery frames: probe requests / advertising packets

5 Address randomization
Adoption of address randomization
Random Wi-Fi addresses implemented in major systems (iOS, Android, Windows, GNU/Linux)
Random BLE addresses since version 4.2 of Bluetooth

6 Model
Attacker model:
Capabilities: monitor the wireless channel(s)
Objective: track a device over time by linking frames

7 Secondary Stable Identifiers
Secondary stable identifiers: several byte-long fields whose value is constant across frames

8 Secondary Stable Identifiers
WPS UUID in Wi-Fi frames
A 128-bit UUID derived from the MAC address

9 Synchronization issues
All identifiers must be rotated together with the device address
Those changes must be synchronized ...
Otherwise the identifier can be used to trivially link two consecutive addresses

10 Synchronization issues
Ex.: Bad synchronization of Nearby Id in Apple Handoff (BLE)

11 Predictable fields
Predictable field: a field whose value can be computed from the previous occurrence(s)

12 Predictable fields
Ex.: sequence number field in early implementations of address randomization

13 Content based fingerprinting
Fingerprint: set of stable fields that can be used to identify a device

14 Content based fingerprinting
Ex.: Wi-Fi information elements in probe requests

15 Active attacks
Attacker allowed to capture, replay, forge frames
Ex.: Revisited Karma Attack
Attack: set up Karma AP and wait for devices to reveal their MAC addr

16 Active attacks
Ex.: Send control frame attacks
Send RTS frame to the target real MAC addr; it will respond if in range

17 Technical countermeasures
Identifiers: remove them or rotate them with device address
Predictable fields: reset to random value when rotating device address
Content-based fingerprinting: reduce content to bare minimum
Timing-based fingerprinting: introduce randomness in timings
Replay attacks: timestamps and authentication
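A check a developer could run over a transmit log from their own device to verify the first two countermeasures, covering both the synchronization and the predictable-field issues described earlier. This is an added example, not part of the original slides; the log format, the identifier values and the `SEQ_WINDOW` threshold are assumptions.

```python
from collections import defaultdict

SEQ_MODULUS = 4096  # 802.11 sequence numbers are 12 bits wide
SEQ_WINDOW = 8      # assumption: a gap this small means the counter kept running

# Constructed transmit log from a hypothetical device under test:
# (time in s, source address, payload identifier, sequence number)
SAMPLE_LOG = [
    (0.0, "7a:11:22:33:44:55", "id-a1", 100),
    (1.0, "7a:11:22:33:44:55", "id-a1", 101),
    (2.0, "c6:aa:bb:cc:dd:ee", "id-a1", 102),   # address rotated, nothing else
    (3.0, "c6:aa:bb:cc:dd:ee", "id-b2", 103),   # identifier rotated one frame late
    (4.0, "1e:01:02:03:04:05", "id-c3", 2977),  # everything rotated together
]

def audit_rotation(log):
    """Return (finding, old_addr, new_addr) tuples that make two addresses linkable."""
    findings = []
    addrs_by_ident = defaultdict(list)  # identifier -> addresses it was sent under
    prev = None
    for ts, addr, ident, seq in log:
        if addr not in addrs_by_ident[ident]:
            addrs_by_ident[ident].append(addr)
        if prev is not None and addr != prev[1]:
            # Address changed: the counter should restart at a random value,
            # not continue a few steps after the previous frame's number.
            gap = (seq - prev[3]) % SEQ_MODULUS
            if 0 < gap <= SEQ_WINDOW:
                findings.append(("predictable-seq", prev[1], addr))
        prev = (ts, addr, ident, seq)
    for ident, addrs in addrs_by_ident.items():
        # The same identifier under two addresses means rotation was not
        # synchronized, whether the identifier lagged or led the address.
        for old, new in zip(addrs, addrs[1:]):
            findings.append(("unsynchronized-identifier", old, new))
    return findings

if __name__ == "__main__":
    for finding in audit_rotation(SAMPLE_LOG):
        print(finding)
```

A correctly randomized counter still lands inside the window with probability `SEQ_WINDOW / SEQ_MODULUS`, so a single `predictable-seq` finding should be confirmed over several rotations.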

18 Lessons learned
Bugs: new mechanisms integrated in already complex systems
Lack of specifications: no specification for address randomization in Wi-Fi
Specifications: too much freedom given to vendors? (Vendor specific fields)
Privacy is not always considered
Interactions with privacy and security researchers could be improved

19 Manufacturer specific data
Manufacturer/Vendor Specific Data: fields dedicated to carry custom data
Available in BLE and Wi-Fi
Up to 32 bytes of data for custom applications
Used to implement Proximity Protocols
Custom protocols for close range applications
Google Nearby, Apple Continuity, Microsoft CDP ...
Activity transfer, pairing, Instant Hotspot
No specification/restriction on their content
Source of major privacy and security issues in BLE

20 Conclusion
Address Randomization is hard
Complex protocols and a lot of freedom left to vendors
Wireless networks are affected by other privacy issues
Activity inference, inventory attacks, leaks of private data ...
Issues that are likely to grow …
Growing number of connected objects using wireless communications (IoT, wearables …)
Growing number of applications and use cases (smarthome, health, V2X, …)
Growing number of standards and protocols (LPWAN, p, Z-Wave, Zigbee, LPD)


