Yu,Yulian Pan,Wenjia Wu,Ming Yang

DOI: https://doi.org/10.1109/msn60784.2023.00056

2023-01-01

Abstract:MAC address randomization is being adopted by an ever-increasing number of Wi-Fi-enabled devices, which aims to prevent users from being tracked by embedding random MAC addresses in probe request frames. Through measurement and analysis, researchers have found that its specific implementation mechanism differs for devices with different operating systems and obtained some analysis results. However, since the MAC address constantly changes, it is challenging to efficiently capture probe request frames of multiple target devices in an environment that typically has a large number of devices. Additionally, new devices are constantly emerging, making the results of previous analysis likely to be outdated. To address these issues, we propose a novel solution to measure and analyze Wi-Fi MAC address randomization with a sniffer array, called MASA. Firstly, we utilize a sniffer array to simultaneously capture probe request frames by multiple sniffers in the environment. Then, we propose a timeout bloom filter-based frame aggregation and processing method to aggregate the frames from the sniffer array, exclude frames of non-target devices, and split frames into their own set for the target device in real time. On this basis, we analyze the MAC address randomization mechanism in terms of address changing pattern, frame transmission frequency, and frame field/Information Element (IE) variation, considering devices’ association state, display status, and power-saving mode. Finally, we conduct corresponding experiments in real environments and make some new findings in the analysis. For example, all the latest iOS devices implement randomization strategies not only in the MAC address field but also in the Sequence Number field, while the MAC address randomization mechanism of some Android and HarmonyOS devices exhibits significantly different behaviors in the unassociated state and associated state.

Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1145/3536423

2022-01-01

ACM Transactions on Sensor Networks

Abstract:The broadcast nature of wireless media makes WLANs easily attacked by rogue Access Points (APs) . Rogue AP attacks can potentially cause severe privacy leakage and financial loss. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP but also depend on the client, significantly limiting their application scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint . These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model, and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication in typical indoor environments. We have also proposed a threshold-improved authentication scheme to improve the robustness of our system in dynamic environments. Our schemes can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 18 million WiFi packets. Results show that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate. Moreover, the threshold-improved authentication scheme can further reduce the false alarm rate by 13.0%-44.8% for dynamic environments.

Giovanni Baccichet,Corrado Innamorati,Alessandro E. C. Redondi,Matteo Cesana

2024-08-03

Abstract:MAC randomization is a widely used technique implemented on most modern smartphones to protect user's privacy against tracking based on Probe Request frames capture. However, there exist weaknesses in such a methodology which may still expose distinctive information, allowing to track the device generating the Probe Requests. Such techniques, known as MAC de-randomization algorithms, generally exploit Information Elements (IEs) contained in the Probe Requests and use clustering methodologies to group together frames belonging to the same device. While effective on heterogeneous device types, such techniques are not able to differentiate among devices of identical type and running the same Operating System (OS). In this paper, we propose a MAC de-randomization technique able to overcome such a weakness. First, we propose a new dataset of Probe Requests captured from devices sharing the same characteristics. Secondly, we observe that the time-frequency pattern of Probe Request emission is unique among devices and can therefore be used as a discriminative feature. We embed such a feature in a two-stage clustering methodology and show through experiments its effectiveness compared to state-of-the-art techniques based solely on IEs fingerprinting. The original dataset used in this work is made publicly available for reproducible research.

Networking and Internet Architecture

Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1109/percom45495.2020.9127375

2020-01-01

Abstract:The broadcast nature of wireless medium makes WLANs easily be attacked by rogue Access Points (APs). Rogue AP attacks can potentially cause severe privacy leakage and financial lost. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs, since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP, but also depend on the client, significantly limiting their applicable scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint. These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication. Our scheme can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 12 million WiFi packets. Results shows that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate.

Yanfei Fan,Bin Lin,Yixin Jiang,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/glocom.2008.ecp.891

2008-01-01

Abstract:In this paper, we propose an efficient privacy-preserving scheme for secure packet transmission at wireless link layer. The proposed scheme is constructed by using hash values in reverse hash chains as interface identifiers. It can successfully and efficiently resist the Media Access Control (MAC) address based attacks, such as flow tracking and traffic analysis, which are launched by either outside or even inside attackers. In addition, some optimization techniques are also introduced to further improve the efficiency of the proposed scheme. The extensive analysis and simulations demonstrate the enhanced security and efficiency of the proposed scheme.

Johanna Ansohn McDougall,Alessandro Brighente,Anne Kunstmann,Niklas Zapatka,Hannes Federrath

2024-05-15

Abstract:Abstract. Since the introduction of active discovery in Wi-Fi networks, users can be tracked via their probe requests. Although manufacturers typically try to conceal Media Access Control (MAC) addresses using MAC address randomisation, probe requests still contain Information Elements (IEs) that facilitate device identification. This paper introduces generic probe requests: By removing all unnecessary information from IEs, the requests become indistinguishable from one another, letting single devices disappear in the largest possible anonymity set. Conducting a comprehensive evaluation, we demonstrate that a large IE set contained within undirected probe requests does not necessarily imply fast connection establishment. Furthermore, we show that minimising IEs to nothing but Supported Rates would enable 82.55% of the devices to share the same anonymity set. Our contributions provide a significant advancement in the pursuit of robust privacy solutions for wireless networks, paving the way for more user anonymity and less surveillance in wireless communication ecosystems.

Cryptography and Security,Networking and Internet Architecture

Oisín Kyne

DOI: https://doi.org/10.48550/arXiv.1805.07613

2018-05-19

Abstract:This project is an exploration into analysing WiFi probe requests, a management frame described as part of the IEEE 802.11 protocol which publicly broadcasts the senders MAC address. The intention was to collect these probe requests to use as a basis to link people's information to the MAC of their device. This would enable people to be identified in future by the presence of their device near a probe request detector. Due to data protection and privacy issues preventing access to real data of people's names and locations, this project was divided into two parts. Firstly, an identification algorithm was developed and tested on simulated data sets of MAC addresses and names, to prove MAC address identification is possible. And secondly, a distributed system of probe request detectors coupled with a centralised MAC address database was developed to demonstrate that these simulated MAC addresses are obtainable in the real world. The capturing software was initially developed for Unix systems and uses a Django-powered web server to store data from multiple capturing devices. Python was used to model and test the identification algorithm.

Networking and Internet Architecture

Feifei Yang,Iness Ahriz,Bruce Denby

DOI: https://doi.org/10.3390/s22228679

2022-11-10

Abstract:In the past few years, the ability of wireless network operators to monitor audience using control frames emitted by client devices has been compromised, both by legislation treating client MAC addresses as private information and by the difficulty of distinguishing genuine client frames from those arising from the Internet of Things or from certain enhanced services. Here, a deterministic model, based on characteristics of human activity and on seasonal trends, is used to reveal underlying client statistics in raw MAC-randomized WiFi Probe Request data. The method proposes a candidate conversion factor, X, between probe request counts and the client population, which offers plausible predictions on real-world datasets.

Dai Ruilong,Li Bo,He Jing

DOI: https://doi.org/10.3969/j.issn.1007-757X.2011.05.008

2011-01-01

Abstract:While the multiple transmission rate modes are supported in the most widely used WLAN standard IEEE 802.11a, the implementation scheme of flexible transition between multiple transmission rate modes is not specified in the standard. In the paper, based on IEEE 802.11a, an AV-MAC (Variable rate Media Access Control protocol with Adaptive transmission-threshold) is proposed to improve the performance of WLAN by sensing the SNR of RTS frame, and dynamically determining whether to transmit the following frames and choosing the optimal transmission rate to adapt to dynamic channel conditions. Simulation results on OMNET++4.0 show that AV-MAC improves the network throughput significantly.

Xiuping Han,Zhi Wang,Dan Pei

DOI: https://doi.org/10.1109/ICC.2018.8422764

2018-01-01

Abstract:Mobile devices adopt probe requests to discover nearby Wi-Fi access points (APs) and set up fast Wi-Fi connections. Preferred Network Lists (PNLs) are used to store the lists of connected Wi-Fi APs in the past. Previous studies have shown that such mechanism can lead to serious privacy leakage, for example, attackers can infer users' identity information and movement histories. In this paper, we investigate the privacy issue and propose a data-driven protection strategy. First, we conduct extensive measurement studies based on 27 million users associating with 4 million Wi-Fi APs in 4 cities. We show that probe requests can be used to identify and profile users. Despite that some actions have been taken to reduce privacy leakage (e.g., MAC address randomization), users' PNLs can still be inferred by attackers. Second, we propose a novel privacy protection method, in which users' PNLs are "blurred" by adding faked SSIDs generated using a collaborative filtering algorithm, such that nearby users' PNLs are similar to each other. Finally, we evaluate the performance of our design using real-world Wi-Fi association traces. Our trace-driven simulation shows that the refined PNLs can effectively protect user privacy and ensure fast Wi-Fi connection at the same time.

Xiaolin Gu,Wenjia Wu,Xiaodan Gu,Zhen Ling,Ming Yang,Aibo Song

DOI: https://doi.org/10.3390/s20164620

IF: 3.9

2020-01-01

Sensors

Abstract:Wi-Fi network has an open nature so that it needs to face greater security risks compared to wired network. The MAC address represents the unique identifier of the device, and is easily obtained by an attacker. Therefore MAC address randomization is proposed to protect the privacy of devices in a Wi-Fi network. However, implicit identifiers are used by attackers to identify user’s device, which can cause the leakage of user’s privacy. We propose device identification based on 802.11ac probe request frames. Here, a detailed analysis on the effectiveness of 802.11ac fields is given and a novel device identification method based on deep learning whose average f1-score exceeds 99% is presented. With a purpose of preventing attackers from obtaining relevant information by the device identification method above, we design a novel defense mechanism based on stream cipher. In that case, the original content of probe request frame is hidden by encrypting probe request frames and construction of probe request is reserved to avoid the finding of attackers. This defense mechanism can effectively reduce the performance of the proposed device identification method whose average f1-score is below 30%. In general, our research on attack and defense mechanism can preserve device privacy better.

Xuejun Tian,Dejian Ye,Tetsuo Ideguchi,Takashi Okuda

DOI: https://doi.org/10.2197/ipsjjip.21.206

2013-01-01

Journal of Information Processing

Abstract:For WLANs, the efficiency of MAC protocol is related to throughput and power saving, which is an important item for wireless communication with limited bandwidth. Much research work has been carried out and some of the proposed schemes are effective. However, most proposals were ether based on contention mode or schedule mode and neither possessed both good characters of two methods. In this paper, we propose a MAC protocol named OSRAP that Scheduled Random access Protocol for one hop WLAN. OSRAP works in two modes, i.e., schedule and contention mode, which is able to dynamically adapt to traffic load and achieves high throughput which is close to transmission capacity in saturated case. Unlike conventional hybrid protocols, every node does not have to intentionally reset any parameter according to the changing traffic load except its queue length. A distinguishing feature of this scheme is the novel way of allowing nodes to work with low delay, as in the contention-based mode, and achieve a high throughput, as in the schedule-based mode, without complicated on-line estimation required in previous schemes. This makes OSRAP simpler and more reliable. Through our analysis results, we show that our scheme can greatly improve the probability of successful transmission which means a high throughput and low delay.

Jinzhe Pan,Jingqing Wang,Zelin Yun,Zhiyong Xiao,Yuehui Ouyang,Wenchi Cheng,Wei Zhang

2024-10-21

Abstract:The vast adoption of Wi-Fi and/or Bluetooth capabilities in Internet of Things (IoT) devices, along with the rapid growth of deployed smart devices, has caused significant interference and congestion in the industrial, scientific, and medical (ISM) bands. Traditional Wi-Fi Medium Access Control (MAC) design faces significant challenges in managing increasingly complex wireless environments while ensuring network Quality of Service (QoS) performance. This paper explores the potential integration of advanced Artificial Intelligence (AI) methods into the design of Wi-Fi MAC protocols. We propose AI-MAC, an innovative approach that employs machine learning algorithms to dynamically adapt to changing network conditions, optimize channel access, mitigate interference, and ensure deterministic latency. By intelligently predicting and managing interference, AI-MAC aims to provide a robust solution for next generation of Wi-Fi networks, enabling seamless connectivity and enhanced QoS. Our experimental results demonstrate that AI-MAC significantly reduces both interference and latency, paving the way for more reliable and efficient wireless communications in the increasingly crowded ISM band.

Networking and Internet Architecture,Artificial Intelligence

Luis F. Abanto-Leon,Andreas Baeuml,Gek Hong,Matthias Hollick,Arash Asadi

DOI: https://doi.org/10.1145/3428329

2020-11-27

Abstract:The intrinsic hardware imperfection of WiFi chipsets manifests itself in the transmitted signal, leading to a unique radiometric fingerprint. This fingerprint can be used as an additional means of authentication to enhance security. In fact, recent works propose practical fingerprinting solutions that can be readily implemented in commercial-off-the-shelf devices. In this paper, we prove analytically and experimentally that these solutions are highly vulnerable to impersonation attacks. We also demonstrate that such a unique device-based signature can be abused to violate privacy by tracking the user device, and, as of today, users do not have any means to prevent such privacy attacks other than turning off the device. We propose RF-Veil, a radiometric fingerprinting solution that not only is robust against impersonation attacks but also protects user privacy by obfuscating the radiometric fingerprint of the transmitter for non-legitimate receivers. Specifically, we introduce a randomized pattern of phase errors to the transmitted signal such that only the intended receiver can extract the original fingerprint of the transmitter. In a series of experiments and analyses, we expose the vulnerability of adopting naive randomization to statistical attacks and introduce countermeasures. Finally, we show the efficacy of RF-Veil experimentally in protecting user privacy and enhancing security. More importantly, our proposed solution allows communicating with other devices, which do not employ RF-Veil.

Cryptography and Security,Computers and Society,Networking and Internet Architecture,Performance

Wei Wang,Qiang Wang,Wai Kay Leong,Ben Leong,Yi Li

DOI: https://doi.org/10.1109/SAHCN.2014.6990334

2014-01-01

Abstract:Previous work on 802.1 1x (Wi-Fi) power control have focused almost exclusively on the mitigation of interference from data frames. Since Wi-Fi wireless access points are increasingly ubiquitous, it is now common for an 802.1 1x client to be able to receive signals from more than 10 APs simultaneously in a modern urban operating environment. At such high densities, we found that the interference from the MAC acknowledgment (ACK) frames can potentially reduce throughput by several fold. We show that by dynamically adjusting the transmission power of the ACK frames, a simple ACK power control algorithm, which we call MinPACK, can significantly mitigate interference and increase throughput by a median of 31%, while simultaneously improving fairness. MinPACK is complementary to existing data frames power control algorithms, and adapts rapidly to dynamic environments.

Jian-xin Wang,S. Makfile,Jing Li

DOI: https://doi.org/10.1007/s11771-009-0104-5

2009-01-01

Abstract:The IEEE 802.11e standard is proposed to provide QoS support in WLAN by providing prioritized differentiation of traffic. Since all the stations in the same priority access category (AC) have the same set of parameters, when the number of stations increases, the probability of different stations in the same AC choosing the same values will increase, which will result in collisions. Random adaptive MAC (medium access control) parameters scheme (RAMPS) is proposed, which uses random adaptive MAC differentiation parameters instead of the static ones used in the 802.11e standard. The performance of RAMPS is compared with that of enhanced distributed coordination access (EDCA) using NS2. The results show that RAMPS can reduce collision rate of the AC and improve the throughput by using adaptive random contention window size and inter-frame spacing values. RAMPS ensures that at any given time, several flows of the same priority have different MAC parameter values. By using the random offset for the inter-frame spacing value and the backoff time, RAMPS can provide intra-AC differentiation. The simulation results show that RAMPS outperforms EDCA in terms of both throughput and end-to-end delay irrespective of the traffic load.

Fei Ji,Weishan Lu,Xiaocheng Deng

DOI: https://doi.org/10.1109/CSAE.2011.5952760

2011-01-01

Abstract:It is well known that MIMO technology can provide additional space degrees of freedom and increase the channel capacity greatly. However, it is a challenge to design the MAC layer when using MIMO in ad hoc networks. In FT (Follow Traffic) scheme, RTS/CTSs are sent simultaneously and used to estimate the traffic load. The node allocates the channel estimation resources in order of decreasing received power of RTS. Though FT scheme greatly improves the throughput, the fairness among nodes is declined and the complexity of receivers is increased. To address the problem, this paper presents a scheme of MAC layer based on random number allocation strategy, in which the node allocates the channel estimation resources in an increasing order of random number in each RTS. The throughput performance of the proposed scheme is suboptimal, but it ensures the fairness and reduces the complexity of the receivers.

Qingsong Yao,Yong Qi,Jinsong Han,Jizhong Zhao,Xiangyang Li,Yunhao Liu

DOI: https://doi.org/10.1109/percom.2009.4912773

2009-01-01

Abstract:Privacy protection is increasingly important during authentications in Radio Frequency Identification (RFID) systems. In order to achieve high-speed authentication in large-scale RFID systems, researchers propose tree-based approaches, in which any pair of tags share a number of key components. Such designs, being efficient, often fail to achieve forward secrecy and resistance to attacks, such as compromising and desynchronization. Indeed, these attacks may still take effect even after a tag successfully finishes the authentication and key-updating procedure. To address the issue, we propose a lightweight RFID private authentication protocol, RWP, based on the random walk concept. RWP also provides the forward security and temporal resistance to the tracking attack. The analysis results show that RWP effectively enhances the security protection for RFID private authentication, and increases the authentication efficiency from O(logN) to O(1).

Bo Yang,Xuelin Cao,Zhu Han,Lijun Qian

DOI: https://doi.org/10.1109/twc.2019.2917131

IF: 10.4

2019-01-01

IEEE Transactions on Wireless Communications

Abstract:Nowadays, an Internet-of-Things (IoT) connected system brings a tremendous paradigm shift into the medium access control (MAC) design. In this paper, we present a distributed MAC framework assisted by machine learning for the Heterogeneous IoT system, where the IoT devices coexist with the WiFi users in the unlicensed industrial, scientific, and medical (ISM) spectrum. Specifically, the superframe is divided into two phases: a rendezvous phase and a transmission phase. During the rendezvous phase, the gateway that is capable of machine learning predicts the number of WiFi users and the IoT devices by performing a triangular handshake on the primary channel. The prediction takes advantage of the deep neural network (DNN) model which is pretrained on our universal software radio peripheral (USRP2) testbed offline. The gateway allocates the frequency channels to the WiFi and IoT systems based on the inference results. Then, the IoT devices and WiFi users initiate data transmissions during the transmission phase. Furthermore, system throughput is analyzed and optimized in two typical scenarios, respectively. An optimized MAC framework is proposed to maximize the total system throughput by finding the key design parameters. The analytical and simulation results that are conducted using the ns-2 demonstrate the effectiveness of the proposed MAC framework.

Sang-Yoon Chang,Yih-Chun Hu,Zhuotao Liu

DOI: https://doi.org/10.1109/tmc.2017.2693990

IF: 6.075

2017-01-01

IEEE Transactions on Mobile Computing

Abstract:Wireless network dynamically allocates channel resources to improve spectral efficiency and, to avoid collisions, has its users cooperate with each other using a medium access control (MAC) protocol. However, MAC assumes user compliance and can be detrimental when a user misbehaves. An attacker who compromised the network can launch more devastating denial-of-service (DoS) attacks than a network outsider by sending excessive reservation requests to waste bandwidth, by listening to the control messages and conducting power-efficient jamming, by falsifying information to manipulate the network control, and so on. We build SecureMAC to defend against such insider threats while retaining the benefits of coordination between the cooperative users. SecureMAC is comprised of four components: channelization to prevent excessive reservations, randomization to thwart reactive targeted jamming, coordination to counter control-message aware jamming and resolve over-reserved and under-reserved spectrum, and power attribution to determine each node's contribution to the received power. Our theoretical analyses and implementation evaluations demonstrate superior performance over previous approaches, which either ignore security issues or give up the benefit of cooperation when under attack by disabling user coordination (such as the Nash equilibrium of continuous wideband transmission). In realistic scenarios, our SecureMAC implementation outperforms such schemes by 76-159 percent.