Wi-Fi succesful units, like sensible telephones, usually mechanically ship out probe requests in an effort to detect accessible Wi-Fi networks within the space. These probe requests embody a tool identifier often known as a MAC tackle. Nowadays, most telephones, in addition to another units, make the most of randomized MAC addresses to extend privateness, as a non-randomized persistent MAC tackle uniquely identifies a tool for so long as it’s in operation, making it simple to trace over time. Some cities and shops conduct location monitoring by selecting up Wi-Fi probe requests from telephones and triangulating their places.

Wi-Fi probe requests are despatched out in bursts, and telephones that make use of MAC tackle randomization ship out every burst with a unique MAC tackle. Wi-Fi location monitoring can’t depend on MAC addresses to establish and observe units over time when the MAC addresses are continuously altering. However, Wi-Fi probe requests can comprise extra info that might be used for monitoring. 

Three probe request bursts with totally different MAC addresses, however the identical PNL (source: University of Hamburg)

Researchers on the University of Hamburg have revealed a paper drawing consideration to the truth that probe requests can embody a tool’s most well-liked community record (PNL), which is a listing of beforehand linked Wi-Fi networks. Wi-Fi networks are recognized in a PNL by their Service Set Identifiers (SSIDs), that are the Wi-Fi community names that seem in a tool’s Wi-Fi settings. Unlike randomized MAC addresses, PNLs keep constant over time, which signifies that they might be used to establish and observe units. The picture above reveals three Wi-Fi probe request bursts despatched by the identical machine, and, whereas the MAC tackle is totally different for every burst, the record of beforehand linked Wi-Fi networks stays the identical. Someone detecting close by probe requests might pick these three bursts as coming from the identical machine, regardless of the randomized MAC addresses.

The researchers demonstrated how this type of machine monitoring might be completed by establishing networking gear in a busy pedestrian space in a German metropolis and logging probe requests for one hour at a time. The researchers performed this experiment thrice, then analyzed the information. By evaluating the SSIDs broadcast with a number of the probe requests, the researchers had been capable of uniquely establish 362 units that employed randomized MAC addresses.

The researchers additionally highlighted an extra potential privateness concern related to broadcasting Wi-Fi community SSIDs together with probe requests. Geo-location companies, like Google’s, depend on mapping the location of Wi-Fi entry factors, and there are publicly accessible datasets with GPS coordinates tied to Wi-Fi networks. Using one such database, the researchers had been capable of pinpoint 334 of the SSIDs logged by their gear to distinctive places. Someone snooping on close by probe requests might use this method to search out where passersby dwell or work, because the Wi-Fi networks at these places are more likely to be within the PNLs of individuals’s telephones.

Probe request privateness options by cell OS model (source: University of Hamburg)

Fortunately, PNLs are now not included in probe requests of most telephones, except the networks are marked as hidden networks. However, Android model 8 considers any Wi-Fi community manually added by the person as a hidden community and can broadcast the SSIDs with probe requests, and units operating Android 8 nonetheless account for 10.2% of the worldwide smartphone market share.
Enhanced MAC randomization setting in Android 11 and up
Users desirous to protect their privateness shouldn’t use telephones nonetheless operating Android 8. iOS 15 and Android 11 and newer comprise the strongest probe request privateness protections, making them the popular choices for avoiding probe request machine identification and placement monitoring. Users also can stop their units from sending out Wi-Fi probe requests whereas out in public by disabling Wi-Fi. Lastly, customers operating Android 11 and up can go into developer choices and allow the improved MAC randomization function to additional enhance their privateness protections.

You can learn extra in regards to the researchers’ findings of their paper (PDF).