[tor-talk] Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms

Zenaan Harkness zen at freedbms.net
Wed Jul 6 20:38:11 PDT 2016

On Wed, Jul 06, 2016 at 05:20:23PM -0400, grarpamp wrote:
> http://papers.mathyvanhoef.com/asiaccs2016.pdf
> -- 
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

We present several novel techniques to track (unassociated)
mobile devices by abusing features of the Wi-Fi standard.
This shows that using random MAC addresses, on its own,
does not guarantee privacy.
First, we show that information elements in probe requests
can be used to fingerprint devices. We then combine these
fingerprints with incremental sequence numbers, to create
a tracking algorithm that does not rely on unique identifiers
such as MAC addresses. Based on real-world datasets,
we demonstrate that our algorithm can correctly track as
much as 50% of devices for at least 20 minutes. We also
show that commodity Wi-Fi devices use predictable scrambler
seeds. These can be used to improve the performance of
our tracking algorithm. Finally, we present two attacks that
reveal the real MAC address of a device, even if MAC address
randomization is used. In the first one, we create fake
hotspots to induce clients to connect using their real MAC
address. The second technique relies on the new 802.11u
standard, commonly referred to as Hotspot 2.0, where we
show that Linux and Windows send Access Network Query
Protocol (ANQP) requests using their real MAC address.

Sad state of "security" in the world today.

We know we need open source -everything-, including network
stacks, firmware, and even chip/hardware designs, not to
mention manufacturing to end user chain of physical trust.

A long way to go.
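As an added illustration of the linking step the abstract describes (this is not code from the post or from the paper): a privacy-audit check in Python that groups probe requests by information-element fingerprint plus sequence-number continuity, ignoring the MAC entirely, and reports any track that spans more than one MAC, i.e. a rotation that did not actually unlink the device. The record layout, the thresholds and the sample capture are assumptions; the sample goes beyond the abstract by also including a device that resets its sequence counter when it rotates, which is what breaks the linkage.

```python
from collections import namedtuple

# Probe request reduced to what the linking needs: time (s), source MAC, 12-bit seq number, ordered IEs.
Probe = namedtuple("Probe", "t mac seq ies")
SEQ_MOD = 4096  # 802.11 sequence numbers wrap at 12 bits

def fingerprint(ies):
    """Ordered (element id, payload) pairs, minus the SSID (id 0), which varies per frame."""
    return tuple((eid, bytes(p)) for eid, p in ies if eid != 0)

def seq_gap(prev, cur):
    """Forward distance between two sequence numbers, honouring the 12-bit wrap."""
    return (cur - prev) % SEQ_MOD

def link_probes(frames, max_gap=20, max_dt=60.0):
    """Group frames into per-device tracks without using the MAC: a frame joins a
    track whose fingerprint matches and whose last sequence number it continues
    by at most max_gap, no more than max_dt seconds later."""
    tracks = []
    for f in sorted(frames, key=lambda x: x.t):
        fp, best = fingerprint(f.ies), None
        for tr in tracks:
            if tr["fp"] != fp or f.t - tr["last_t"] > max_dt:
                continue
            gap = seq_gap(tr["last_seq"], f.seq)
            if 0 < gap <= max_gap and (best is None or gap < seq_gap(best["last_seq"], f.seq)):
                best = tr  # closest continuation wins
        if best is None:
            best = {"fp": fp, "last_seq": f.seq, "last_t": f.t, "macs": set(), "n": 0}
            tracks.append(best)
        best.update(last_seq=f.seq, last_t=f.t, n=best["n"] + 1)
        best["macs"].add(f.mac)
    return tracks

def randomization_leaks(frames):
    """Tracks spanning more than one MAC: the rotation was linkable despite randomization."""
    return [tr for tr in link_probes(frames) if len(tr["macs"]) > 1]

# Constructed sample capture (not real data). Device A rotates its MAC but keeps its
# sequence counter running; device B wraps past 4095 on one MAC; device C rotates its
# MAC and resets the counter, which is what breaks the linkage.
IE_A = ((1, b"\x82\x84\x8b\x96"), (45, b"\xef\x01"), (221, b"\x00\x11\x22\x01"))
IE_B, IE_C = ((1, b"\x02\x04\x0b\x16"), (45, b"\x2c\x01")), ((1, b"\x82\x84"), (50, b"\x0c\x12"))
SAMPLE = [Probe(t, mac, seq, ies) for t, mac, seq, ies in [
    (0.0, "02:aa:aa:aa:aa:01", 100, IE_A), (1.0, "02:aa:aa:aa:aa:01", 101, IE_A),
    (2.5, "02:aa:aa:aa:aa:01", 102, IE_A), (3.0, "02:aa:aa:aa:aa:02", 103, IE_A),
    (4.0, "02:aa:aa:aa:aa:02", 104, IE_A), (0.5, "02:bb:bb:bb:bb:01", 4090, IE_B),
    (1.5, "02:bb:bb:bb:bb:01", 4093, IE_B), (2.0, "02:bb:bb:bb:bb:01", 2, IE_B),
    (0.2, "02:cc:cc:cc:cc:01", 50, IE_C), (1.2, "02:cc:cc:cc:cc:01", 51, IE_C),
    (2.2, "02:cc:cc:cc:cc:02", 7, IE_C), (3.2, "02:cc:cc:cc:cc:02", 8, IE_C)]]
```

Running `randomization_leaks(SAMPLE)` flags only device A; device C's counter reset leaves its two MACs in separate tracks, which is the behaviour a randomizing client should aim for.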
