Yanfei Fan,Bin Lin,Yixin Jiang,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/glocom.2008.ecp.891

2008-01-01

Abstract:In this paper, we propose an efficient privacy-preserving scheme for secure packet transmission at wireless link layer. The proposed scheme is constructed by using hash values in reverse hash chains as interface identifiers. It can successfully and efficiently resist the Media Access Control (MAC) address based attacks, such as flow tracking and traffic analysis, which are launched by either outside or even inside attackers. In addition, some optimization techniques are also introduced to further improve the efficiency of the proposed scheme. The extensive analysis and simulations demonstrate the enhanced security and efficiency of the proposed scheme.

Oisín Kyne

DOI: https://doi.org/10.48550/arXiv.1805.07613

2018-05-19

Abstract:This project is an exploration into analysing WiFi probe requests, a management frame described as part of the IEEE 802.11 protocol which publicly broadcasts the senders MAC address. The intention was to collect these probe requests to use as a basis to link people's information to the MAC of their device. This would enable people to be identified in future by the presence of their device near a probe request detector. Due to data protection and privacy issues preventing access to real data of people's names and locations, this project was divided into two parts. Firstly, an identification algorithm was developed and tested on simulated data sets of MAC addresses and names, to prove MAC address identification is possible. And secondly, a distributed system of probe request detectors coupled with a centralised MAC address database was developed to demonstrate that these simulated MAC addresses are obtainable in the real world. The capturing software was initially developed for Unix systems and uses a Django-powered web server to store data from multiple capturing devices. Python was used to model and test the identification algorithm.

Networking and Internet Architecture

Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1145/3536423

2022-01-01

ACM Transactions on Sensor Networks

Abstract:The broadcast nature of wireless media makes WLANs easily attacked by rogue Access Points (APs) . Rogue AP attacks can potentially cause severe privacy leakage and financial loss. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP but also depend on the client, significantly limiting their application scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint . These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model, and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication in typical indoor environments. We have also proposed a threshold-improved authentication scheme to improve the robustness of our system in dynamic environments. Our schemes can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 18 million WiFi packets. Results show that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate. Moreover, the threshold-improved authentication scheme can further reduce the false alarm rate by 13.0%-44.8% for dynamic environments.

Johanna Ansohn McDougall,Christian Burkert,Daniel Demmler,Monina Schwarz,Vincent Hubbe,Hannes Federrath

DOI: https://doi.org/10.1007/978-3-031-09234-3_19

2022-07-06

Abstract:Probe requests help mobile devices discover active Wi-Fi networks. They often contain a multitude of data that can be used to identify and track devices and thereby their users. The past years have been a cat-and-mouse game of improving fingerprinting and introducing countermeasures against fingerprinting. This paper analyses the content of probe requests sent by mobile devices and operating systems in a field experiment. In it, we discover that users (probably by accident) input a wealth of data into the SSID field and find passwords, e-mail addresses, names and holiday locations. With these findings we underline that probe requests should be considered sensitive data and be well protected. To preserve user privacy, we suggest and evaluate a privacy-friendly hash-based construction of probe requests and improved user controls.

Cryptography and Security

Xiaolin Gu,Wenjia Wu,Xiaodan Gu,Zhen Ling,Ming Yang,Aibo Song

DOI: https://doi.org/10.3390/s20164620

IF: 3.9

2020-01-01

Sensors

Abstract:Wi-Fi network has an open nature so that it needs to face greater security risks compared to wired network. The MAC address represents the unique identifier of the device, and is easily obtained by an attacker. Therefore MAC address randomization is proposed to protect the privacy of devices in a Wi-Fi network. However, implicit identifiers are used by attackers to identify user’s device, which can cause the leakage of user’s privacy. We propose device identification based on 802.11ac probe request frames. Here, a detailed analysis on the effectiveness of 802.11ac fields is given and a novel device identification method based on deep learning whose average f1-score exceeds 99% is presented. With a purpose of preventing attackers from obtaining relevant information by the device identification method above, we design a novel defense mechanism based on stream cipher. In that case, the original content of probe request frame is hidden by encrypting probe request frames and construction of probe request is reserved to avoid the finding of attackers. This defense mechanism can effectively reduce the performance of the proposed device identification method whose average f1-score is below 30%. In general, our research on attack and defense mechanism can preserve device privacy better.

Xiuping Han,Zhi Wang,Dan Pei

DOI: https://doi.org/10.1109/ICC.2018.8422764

2018-01-01

Abstract:Mobile devices adopt probe requests to discover nearby Wi-Fi access points (APs) and set up fast Wi-Fi connections. Preferred Network Lists (PNLs) are used to store the lists of connected Wi-Fi APs in the past. Previous studies have shown that such mechanism can lead to serious privacy leakage, for example, attackers can infer users' identity information and movement histories. In this paper, we investigate the privacy issue and propose a data-driven protection strategy. First, we conduct extensive measurement studies based on 27 million users associating with 4 million Wi-Fi APs in 4 cities. We show that probe requests can be used to identify and profile users. Despite that some actions have been taken to reduce privacy leakage (e.g., MAC address randomization), users' PNLs can still be inferred by attackers. Second, we propose a novel privacy protection method, in which users' PNLs are "blurred" by adding faked SSIDs generated using a collaborative filtering algorithm, such that nearby users' PNLs are similar to each other. Finally, we evaluate the performance of our design using real-world Wi-Fi association traces. Our trace-driven simulation shows that the refined PNLs can effectively protect user privacy and ensure fast Wi-Fi connection at the same time.

Giovanni Baccichet,Fabio Palmese,Alessandro E.C. Redondi,Matteo Cesana

2024-12-14

Abstract:Probe Requests are Wi-Fi management frames periodically sent by devices during network discovery. Tracking Probe Requests over time offers insights into movement patterns, traffic flows, and behavior trends, which are keys in applications such as urban planning, human mobility analysis, and retail analytics. To protect user privacy, techniques such as MAC address randomization are employed, periodically altering device MAC addresses to limit tracking. However, research has shown that these privacy measures can be circumvented. By analyzing the Information Elements (IE) within the Probe Request body, it is possible to fingerprint devices and track users over time. This paper presents a machine learning-based approach for fingerprinting Wi-Fi Probe Requests in a compact fashion. We utilize Asymmetric Pairwise Boosting to learn discriminating filters which are then used to process specific bit sequences in Probe Request frames, and quantize the results into a compact binary format. Extensive evaluation on public datasets demonstrates a two-order-of-magnitude storage reduction compared to existing methods while maintaining robust fingerprinting performance.

Networking and Internet Architecture

Giovanni Baccichet,Corrado Innamorati,Alessandro E. C. Redondi,Matteo Cesana

2024-08-03

Abstract:MAC randomization is a widely used technique implemented on most modern smartphones to protect user's privacy against tracking based on Probe Request frames capture. However, there exist weaknesses in such a methodology which may still expose distinctive information, allowing to track the device generating the Probe Requests. Such techniques, known as MAC de-randomization algorithms, generally exploit Information Elements (IEs) contained in the Probe Requests and use clustering methodologies to group together frames belonging to the same device. While effective on heterogeneous device types, such techniques are not able to differentiate among devices of identical type and running the same Operating System (OS). In this paper, we propose a MAC de-randomization technique able to overcome such a weakness. First, we propose a new dataset of Probe Requests captured from devices sharing the same characteristics. Secondly, we observe that the time-frequency pattern of Probe Request emission is unique among devices and can therefore be used as a discriminative feature. We embed such a feature in a two-stage clustering methodology and show through experiments its effectiveness compared to state-of-the-art techniques based solely on IEs fingerprinting. The original dataset used in this work is made publicly available for reproducible research.

Networking and Internet Architecture

Yu,Yulian Pan,Wenjia Wu,Ming Yang

DOI: https://doi.org/10.1109/msn60784.2023.00056

2023-01-01

Abstract:MAC address randomization is being adopted by an ever-increasing number of Wi-Fi-enabled devices, which aims to prevent users from being tracked by embedding random MAC addresses in probe request frames. Through measurement and analysis, researchers have found that its specific implementation mechanism differs for devices with different operating systems and obtained some analysis results. However, since the MAC address constantly changes, it is challenging to efficiently capture probe request frames of multiple target devices in an environment that typically has a large number of devices. Additionally, new devices are constantly emerging, making the results of previous analysis likely to be outdated. To address these issues, we propose a novel solution to measure and analyze Wi-Fi MAC address randomization with a sniffer array, called MASA. Firstly, we utilize a sniffer array to simultaneously capture probe request frames by multiple sniffers in the environment. Then, we propose a timeout bloom filter-based frame aggregation and processing method to aggregate the frames from the sniffer array, exclude frames of non-target devices, and split frames into their own set for the target device in real time. On this basis, we analyze the MAC address randomization mechanism in terms of address changing pattern, frame transmission frequency, and frame field/Information Element (IE) variation, considering devices’ association state, display status, and power-saving mode. Finally, we conduct corresponding experiments in real environments and make some new findings in the analysis. For example, all the latest iOS devices implement randomization strategies not only in the MAC address field but also in the Sequence Number field, while the MAC address randomization mechanism of some Android and HarmonyOS devices exhibits significantly different behaviors in the unassociated state and associated state.

Hongyu Jin,Panos Papadimitratos

2024-05-25

Abstract:Medium Access Control (MAC) address randomization is a key component for privacy protection in Wi-Fi networks. Current proposals periodically change the mobile device MAC addresses when it disconnects from the Access Point (AP). This way frames cannot be linked across changes, but the mobile device presence is exposed as long as it remains connected: all its communication is trivially linkable by observing the randomized yet same MAC address throughout the connection. Our runtime MAC re-randomization scheme addresses this issue, reducing or eliminating Wi-Fi frames linkability without awaiting for or requiring a disconnection. Our MAC re-randomization is practically 'over-the-air': MAC addresses are re-randomized just before transmission, while the protocol stacks (at the mobile and the AP) maintain locally the original connection MAC addresses - making our MAC layer scheme transparent to upper layers. With an implementation and a set of small-scale experiments with off-the-shelf devices, we show the feasibility of our scheme and the potential towards future deployment.

Networking and Internet Architecture,Cryptography and Security

Feifei Yang,Iness Ahriz,Bruce Denby

DOI: https://doi.org/10.3390/s22228679

2022-11-10

Abstract:In the past few years, the ability of wireless network operators to monitor audience using control frames emitted by client devices has been compromised, both by legislation treating client MAC addresses as private information and by the difficulty of distinguishing genuine client frames from those arising from the Internet of Things or from certain enhanced services. Here, a deterministic model, based on characteristics of human activity and on seasonal trends, is used to reveal underlying client statistics in raw MAC-randomized WiFi Probe Request data. The method proposes a candidate conversion factor, X, between probe request counts and the client population, which offers plausible predictions on real-world datasets.

Xiang Gao,Yong Li,Limeng Dong,Wei Cheng,Ge Shi

DOI: https://doi.org/10.1109/jiot.2024.3498061

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:This paper investigates the physical layer security for user-centric cell-free massive multiple-input multiple-output (UC-CF-mMIMO)-enabled Internet of Things (IoT) network with multiple active eavesdroppers (Eves). We assume that each Eve intends to decode the information of the user (UE) closest to it and is intelligent enough to eliminate interference of other UEs perfectly. Two eavesdropping modes of non-colluding and colluding Eves are considered. Additionally, access points (APs) inject artificial noise (AN) into confidential data signal to hamper the eavesdropping of Eves. To assess the secrecy performance of UC-CF-mMIMO-enabled IoT network, we derive the worst-case secrecy rate expression. Then, a max-min secrecy rate (MMSR) problem is formulated via joint optimization of AP clustering, AN selection, and power allocation, which aims to maximize the minimal secrecy rate among attacked UEs while adhering to the quality-of-service requirement of UEs, the limitation on the number of UEs and AN sent by each AP, and maximum transmit power limitation of APs. Due to the mixed-integer and non-convex nature, the formulated problem is tackled via employing the ℓ1-norm relaxation and successive convex approximation approach. Finally, we obtain a near-optimal solution to the MMSR problem by iteratively solving a sequence of second-order cone programmings. Simulation results demonstrate the superiority of proposed approach by the comparison with some existing schemes.

Dheryta Jaisinghani,Vinayak Naik,Sanjit K. Kaul,Rajesh Balan,Sumit Roy

DOI: https://doi.org/10.48550/arXiv.1807.05523

2018-07-15

Abstract:We consider the problem of excessive and unnecessary active scans in heavily utilized WLANs during which low rate probe requests and responses are broadcast. These management frames severely impact the goodput. Our analysis of two production WLANs reveals that lesser number of non-overlapping channels in $2.4$ GHz makes it more prone to the effects of increased probe frames than $5$ GHz. We find that not only up to $90$% of probe responses carry redundant information but the probe traffic can be as high as $60$\% of the management traffic. Furthermore, active scanning severely impacts real-time applications at a client as it increases the latency by $91$ times. We present a detailed analysis of the impact of active scans on an individual client and the whole network. We discuss three ways to control the probe traffic in production WLANs -- access point configurations, network planning, and client modification. Our proposals for access point configuration are in line with current WLAN deployments, better network planning is device agnostic in nature, and client modification reduces the average number of probe requests per client by up to $50$% without hampering the ongoing WiFi connection.

Networking and Internet Architecture,Performance

Tomáš Bravenec,Joaquín Torres-Sospedra,Michael Gould,Tomas Fryza

DOI: https://doi.org/10.1109/IPIN57070.2023.10332508

2023-12-08

Abstract:This paper focuses on the creation of a new, publicly available Wi-Fi probe request dataset. Probe requests belong to the family of management frames used by the 802.11 (Wi-Fi) protocol. As the situation changes year by year, and technology improves probe request studies are necessary to be done on up-to-date data. We provide a month-long probe request capture in an office environment, including work days, weekends, and holidays consisting of over 1 400 000 probe requests. We provide a description of all the important aspects of the dataset. Apart from the raw packet capture we also provide a Radio Map (RM) of the office to ensure the users of the dataset have all the possible information about the environment. To protect privacy, user information in the dataset is anonymized. This anonymization is done in a way that protects the privacy of users while preserving the ability to analyze the dataset to almost the same level as raw data. Furthermore, we showcase several possible use cases for the dataset, like presence detection, temporal Received Signal Strength Indicator (RSSI) stability, and privacy protection evaluation.

Networking and Internet Architecture,Cryptography and Security

Wei Wang,Qiang Wang,Wai Kay Leong,Ben Leong,Yi Li

DOI: https://doi.org/10.1109/SAHCN.2014.6990334

2014-01-01

Abstract:Previous work on 802.1 1x (Wi-Fi) power control have focused almost exclusively on the mitigation of interference from data frames. Since Wi-Fi wireless access points are increasingly ubiquitous, it is now common for an 802.1 1x client to be able to receive signals from more than 10 APs simultaneously in a modern urban operating environment. At such high densities, we found that the interference from the MAC acknowledgment (ACK) frames can potentially reduce throughput by several fold. We show that by dynamically adjusting the transmission power of the ACK frames, a simple ACK power control algorithm, which we call MinPACK, can significantly mitigate interference and increase throughput by a median of 31%, while simultaneously improving fairness. MinPACK is complementary to existing data frames power control algorithms, and adapts rapidly to dynamic environments.

Longjiang Li,Yuming Mao,Supeng Leng

DOI: https://doi.org/10.1016/j.comcom.2010.06.023

IF: 5.047

2010-01-01

Computer Communications

Abstract:Allowing truly spontaneous and infrastructureless networking, mobile ad hoc networks (MANETs) are the future of wireless networks. However, most autoconfiguration proposals for MANETs lack privacy support, namely anonymity or pseudonymity and unlinkability aspects, which has become important considerations in many practical applications. This paper presents a novel privacy extension approach (PEA) for MANETs, which prevents eavesdroppers from identifying a particular mobile node by its address. In addition to privacy concerns, our scheme also brings some performance benefits, e.g., reducing the possibility of address conflict when the merging of separately configured networks occurs.

Junade Ali,Vladimir Dyo

DOI: https://doi.org/10.5220/0009825105720579

2020-06-19

Abstract:Given that a MAC address can uniquely identify a person or a vehicle, continuous tracking over a large geographical scale has raised serious privacy concerns amongst governments and the general public. Prior work has demonstrated that simple hash-based approaches to anonymization can be easily inverted due to the small search space of MAC addresses. In particular, it is possible to represent the entire allocated MAC address space in 39 bits and that frequency-based attacks allow for 50% of MAC addresses to be enumerated in 31 bits. We present a practical approach to MAC address anonymization using both computationally expensive hash functions and truncating the resulting hashes to allow for k-anonymity. We provide an expression for computing the percentage of expected collisions, demonstrating that for digests of 24 bits it is possible to store up to 168,617 MAC addresses with the rate of collisions less than 1%. We experimentally demonstrate that a rate of collision of 1% or less can be achieved by storing data sets of 100 MAC addresses in 13 bits, 1,000 MAC addresses in 17 bits and 10,000 MAC addresses in 20 bits.

Cryptography and Security

Xiaoyu Li,Osamu Yoshie,Daoping Huang

DOI: https://doi.org/10.1108/ijpcc-03-2017-0025

2017-01-01

International Journal of Pervasive Computing and Communications

Abstract:Purpose The purpose of this paper is to detect the existence of unknown wireless devices which could result negative means to the privacy. The perceptual layer of internet of things (IoTs) suffers the most significant privacy disclosing because of limited hardware resources, huge quantity and wide varieties of sensing equipment. Determining whether there are unknown wireless devices in the communicating environment is an effective method to implement the privacy protection for the perceptual layer of IoTs. Design/methodology/approach The authors use horizontal hierarchy slicing (HHS) algorithm to extract the morphology feature of signals. Meanwhile, partitioning around medoids algorithm is used to cluster the HHS curves and agglomerative hierarchical clustering algorithm is utilized to distinguish final results. Link quality indicator (LQI) data are chosen as the network parameters in this research. Findings Nowadays data encryption and anonymization are the most common methods to protect private information for the perceptual layer of IoTs. However, these efforts are ineffective to avoid privacy disclosure if the communication environment exists unknown wireless nodes which could be malicious devices. How to detect these unknown wireless devices in the communication environment is a valuable topic in the further research. Originality/value The authors derive an innovative and passive unknown wireless devices detection method based on the mathematical morphology and machine learning algorithms to detect the existence of unknown wireless devices which could result negative means to the privacy. The simulation results show their effectiveness in privacy protection.

Suyang Wang,Yu Cheng,Lin X. Cai,Xianghui Cao

DOI: https://doi.org/10.1109/GLOBECOM48099.2022.10000608

2022-01-01

Abstract:In this paper, we study how to minimize the age of information (AoI) for remote monitoring over a WiFi network, where a tagged node under study needs to deliver the sampling messages to the monitoring application installed at the access point (AP). We consider a very challenging practical scenario where multiple background nodes might incorporate heterogeneous and generic traffic models; all the nodes contend for the transmission channel through the practical IEEE 802.11 based medium access control (MAC) protocol. The existing AoI analyses over distributed MAC protocol are not sufficient for our problem, which are limited to simplified MAC modeling or homogeneous traffic modeling. We propose an AoI optimization algorithm that integrates the AoI queueing analysis with the 802.11 MAC performance analysis. Specifically, we develop an innovative method to address the impact of the MAC channel attention on the message service time of the tagged node and compute the minimal AoI iteratively. Simulation results demonstrate that our algorithm is very accurate and robust crossing a variety of networking scenarios. Moreover, our methods require only local computation and slight probing of the conditional collision probability, making them suitable for practical use.

Domien Schepers,Aanjhan Ranganathan

DOI: https://doi.org/10.2478/popets-2022-0048

2022-03-03

Proceedings on Privacy Enhancing Technologies

Abstract:Abstract With the standardization of Wi-Fi Fine Timing Measurement (Wi-Fi FTM; IEEE 802.11mc), the IEEE introduced indoor positioning for Wi-Fi networks. To date, Wi-Fi FTM is the most widely supported Wi-Fi distance measurement and positioning system. In this paper, we perform the first privacy analysis of Wi-Fi FTM and evaluate devices from a wide variety of vendors. We find the protocol inherently leaks location-sensitive information. Most notably, we present techniques that allow any client to be localized and tracked by a solely passive adversary. We identify flaws inWi-Fi FTM MAC address randomization and present techniques to fingerprint stations with firmware-specific granularity further leaking client identity. We address these shortcomings and present a privacy-preserving passive positioning system that leverages existing Wi-Fi FTM infrastructure and requires no hardware changes. Due to the absence of any client-side transmission, our design hides the very existence of a client and as a side-effect improves overall scalability without compromising on accuracy. Finally, we present privacy-enhancing recommendations for the current and next-generation protocols such as Wi-Fi Next Generation Positioning (Wi-Fi NGP; IEEE 802.11az).