The experiment revealed that users mistakenly enter personal information such as passwords, e-mail addresses, and other personally identifiable data into the SSID field—the section for the name of a wireless network in the settings—and this is a privacy concern. The paper proposes a two-way “hash-based” approach to probe requests as well as “improved user controls” to remediate these threats and enhance users’ privacy.
Probe Requests and SSIDs
To connect to a WiFi hotspot, devices send out a probe request to available network access points (APs) in their surroundings. An available network sends a probe response, initiating the connection. While this process is standard, these requests “also serve as a means to track, trilaterate [locate], and identify devices for attackers who passively sniff network traffic,” the paper said. The researchers explained that since probe requests may contain identifying information about users’ devices and the last network they connected to, an SSID query via a mapping service such as WiGLE could easily reveal users’ home or work addresses, and the locations they’ve visited. It is possible to find users’ passwords, e-mail addresses, names, and holiday locations because “users (probably by accident) input a wealth of data into the SSID field.” Users’ devices can be pinpointed city-wide to an accuracy of 1.5 meters via probe requests, and 23% of stores already do this, the paper said. The researchers noted that organizations and cities that engage in WiFi tracking often use the legal defense that only users’ Media Access Control (MAC) addresses are regarded as personal data under the European Union’s General Data Protection Regulation (GDPR). A MAC address is a hardware identifier that can be used to track a user or a device on a network.
The Experiment
In November 2021, the researchers conducted a probe request experiment in a “busy pedestrian zone in the centre of a German city,” analyzing over 250,000 requests. They captured 23 probe requests per second, 23.2% of which contained SSIDs leaked by older mobile devices, such as those running versions of operating systems (OS) earlier than Android 10 and iOS 14. Such devices did not have MAC randomization and SSID omission. The researchers found that devices running on Android 8 and earlier versions of the operating system (OS) automatically assume that all networks added manually are hidden networks. As a result, the devices send users’ SSIDs in probe requests. They also found that some users mistakenly entered “the wrong strings as the SSIDs” when attempting to enter their SSID and password through the advanced network settings on these older operating systems. This resulted in leaked passwords, including some suspected to be for Fritzbox and Telekom home routers. Passwords mistakenly leaked via SSIDs could be “sniffed” by an attacker and then verified via a fake WiFi access point, resulting in users unknowingly connecting to a malicious hotspot where an attacker could hijack their device. The researchers noted that “with enough criminal energy, an attacker could follow the owner of a talkative device to their home and try out the password in their home network.”
Older Devices Are More Vulnerable
The paper explained that devices running on older operating systems are more prone to transmitting users’ last connected networks in probe requests, while newer devices solely transmit the SSIDs of hidden networks and are less traceable. Older devices also lack MAC address randomization, sequence number randomization, and SSID omission features. Newer devices “omit the real MAC address,” and instead transmit a randomized one. “The newer a device and its OS is, the more information is omitted and fields randomised in the probe requests,” the paper said. MAC randomization notwithstanding, it is possible for newer devices to be fingerprinted due to the Information Elements (IE) in them. IE contains information such as signal strength and sequence numbers. “Current iOS and Android version already employ mechanisms to prevent users from accidentally adding items to their PNL [preferred networks list]” while warning users about privacy risks and allowing them to configure the auto-joining of networks, the paper said.
“Hash-Based” Probe Requests Are Safer
Given these “shocking” findings, the researchers concluded that users either accidentally or willingly input information to their PNL in plain text, including sensitive information such as passwords. “To circumvent the need to broadcast “cleartext,” SSIDs,” the researchers suggested that SSIDs could instead be “hashed and salted” before and during transmission, thereby “improving the privacy of clients and AP operators.” Hashing and salting mean a mobile device would apply a hashing algorithm to its temporary MAC address, sequence number, and the SSID it will connect to before the transmission of any data. The WiFi access point must subsequently shake hands with the device in a similar fashion. Unfortunately, older devices would most likely not receive software updates to allow this, the paper states.
“Reduced Visibility Mode”
The researchers posited that, for privacy-conscious users, modern device manufacturers should allow probe requests to be disabled altogether in what they dubbed a “reduced visibility” feature. This could be particularly useful “when they pass through an untrusted area like a shopping centre known for extensive visitor analytics.” The researchers also called for the introduction of Opportunistic Wireless Encryption (OWE). “OWE describes the unauthenticated but encrypted connection between two devices, and is contained in the Wi-Fi specification under the name Wi-Fi CERTIFIED Enhanced Open,” the paper explained. For cybersecurity and privacy reasons and to avoid falling victim to network attacks via WiFi probes, it is crucial to keep your device’s software updated and, preferably, use a newer device. Information traveling between a device and a wireless access point can be subject to packet sniffing attacks and other forms of Man in the Middle (MiTM) attacks. Worse still, WiFi routers can be compromised with novel WiFi hacking methods if the proper security measures are not in place. Our guide to staying safe on public WiFi contains useful information about online threats and how to protect yourself. We recommend using a VPN as your first line of defense. If you’re looking for reliable VPN providers, check out our picks for the top VPN providers of 2022.
