Explaining WiFi probe request privacy issue

Faisal Mateen
3 min read · Aug 2, 2021


WiFi is a family of wireless network protocols based on the IEEE 802.11 standard. It is a ubiquitous wireless standard employed in laptops, mobile phones and IoT devices.

High level Architecture

A WiFi device typically connects to an access point (AP) or a wireless router to reach the internet. Every 802.11-capable interface has a 48-bit link-layer Media Access Control (MAC) address, assigned by the manufacturer, that serves as a globally unique identifier for that device and appears in the clear in every frame it transmits.

Every AP advertises a Service Set Identifier (SSID), which is the network's human-readable name. The SSID is not necessarily unique (many APs can share one SSID, and the AP's own unique identifier is its BSSID, i.e. its MAC address). A WiFi device connects to a specific network using the SSID and its password.

Frame types

The 802.11 standard defines three types of frames:

  • Management frames are used for discovering, joining and leaving a WiFi network (beacon, probe request/response, authentication, association).
  • Control frames are used for channel acquisition, clearing the channel and acknowledging frames (RTS, CTS, ACK).
  • Data frames carry the actual payload exchanged between device and AP.

Probe Request and Probe Response

A WiFi device periodically sends probe requests to discover and select the APs in its vicinity, and an AP that serves the requested SSID (or any AP, for a wildcard probe) replies with a probe response. Both probe request and probe response are subtypes of the management frame.

[Figure: Probe Request, Probe Response exchange]

Packet Format

An 802.11 frame consists of a MAC header, a variable-length frame body and a frame check sequence (FCS). The body of a management frame is a list of tagged information elements (one byte ID, one byte length, value); the SSID is element ID 0.

The MAC header can carry up to four address fields; the three that matter here are:

  • DA: Destination MAC address
  • SA: Source MAC address
  • BSSID: the AP's MAC address, which uniquely identifies the network

In a probe request, DA and BSSID are the broadcast address ff:ff:ff:ff:ff:ff and SA is the probing device's own MAC address.

Active Service discovery reduces latency but leaks sensitive user information

Imagine a user commuting between home and a favorite coffee shop. They want each of those WiFi networks to connect quickly. To reduce that latency, the 802.11 standard provides active scanning (active service discovery): rather than waiting for an AP's periodic beacon, the device sends probe requests with its own MAC address as the source address. A probe request can be a wildcard (empty SSID, answered by every AP in range) or directed, carrying the SSID of a network the device already knows.

Management frames, probe requests included, are transmitted in the clear before any association exists, so anyone with a WiFi card in monitor mode can passively collect the SSIDs a specific MAC address probes for. Looking those SSIDs up in a wardriving database that maps network names to geographic locations reveals the places the user has visited, and the stable MAC address lets the listener recognise the same device again at other locations and on other days.

MAC Randomization improves user privacy

To prevent this, MAC randomization replaces the device's burned-in MAC address with a random, locally administered address in the probe requests it sends (and, on newer systems, a per-network random address when it associates). Because probes no longer carry a stable identifier, a listener cannot link probes from the same device over time or across locations, which improves device privacy. Randomization protects the identifier, not the probe contents: the SSIDs in a directed probe still leak, so a client should also prefer wildcard probes and send directed probes only for hidden networks that require them.
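The leak described above and the randomization check are easier to see on real bytes. The following Python is an added example, not code from the original post: it builds a few probe request frames as constructed sample input, parses the 24-byte management header and the tagged SSID element, groups the SSIDs each source MAC probed for (exactly what a passive sniffer would learn), and flags source addresses with the locally administered bit set, which is how randomized MACs are recognised. MAC addresses, SSIDs and the sample frames are made up; the parser assumes the FCS has been stripped and no radiotap header is present.

```python
"""Parse raw 802.11 probe request frames, collect the SSIDs each source MAC
probes for, and flag source addresses that look randomized (added example)."""
import struct
from collections import defaultdict

# Frame control byte 0: bits 0-1 protocol version, 2-3 type, 4-7 subtype.
TYPE_MGMT = 0
SUBTYPE_PROBE_REQ = 4
TAG_SSID = 0x00            # information element ID of the SSID element
BROADCAST = b"\xff" * 6


def mac_to_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def is_locally_administered(mac: bytes) -> bool:
    """Bit 1 of the first octet is the U/L bit; randomized MACs set it.
    Heuristic only: a vendor could also burn in a locally administered address."""
    return bool(mac[0] & 0x02)


def build_probe_request(src_mac: bytes, ssid: bytes) -> bytes:
    """Construct a minimal probe request (sample input only, FCS omitted).
    Probes are broadcast: DA and BSSID are ff:ff:ff:ff:ff:ff, SA is the device."""
    fc0 = (SUBTYPE_PROBE_REQ << 4) | (TYPE_MGMT << 2)   # == 0x40
    header = struct.pack("<BBH6s6s6sH", fc0, 0x00, 0, BROADCAST, src_mac, BROADCAST, 0)
    ssid_ie = bytes([TAG_SSID, len(ssid)]) + ssid
    rates_ie = bytes([0x01, 4, 0x82, 0x84, 0x8B, 0x96])  # Supported Rates: 1, 2, 5.5, 11 Mbps
    return header + ssid_ie + rates_ie


def parse_probe_request(frame: bytes):
    """Return (source_mac_str, ssid_str) for a probe request, None for anything else."""
    if len(frame) < 24:
        return None
    fc0, _fc1, _dur, _da, sa, _bssid, _seq = struct.unpack("<BBH6s6s6sH", frame[:24])
    version, ftype, subtype = fc0 & 0x03, (fc0 >> 2) & 0x03, fc0 >> 4
    if version != 0 or ftype != TYPE_MGMT or subtype != SUBTYPE_PROBE_REQ:
        return None
    body = frame[24:]
    i = 0
    while i + 2 <= len(body):                      # walk the tagged parameters
        tag, length = body[i], body[i + 1]
        value = body[i + 2 : i + 2 + length]
        if len(value) < length:
            return None                            # truncated element: drop the frame
        if tag == TAG_SSID:
            # An empty SSID element is a wildcard probe: it names no network.
            return mac_to_str(sa), value.decode("utf-8", errors="replace")
        i += 2 + length
    return None                                    # SSID element is mandatory; malformed


def collect_probed_ssids(frames):
    """Group the non-wildcard SSIDs each source MAC probed for (what a sniffer learns)."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        mac, ssid = parsed
        if ssid:
            seen[mac].add(ssid)
    return {mac: sorted(ssids) for mac, ssids in seen.items()}


# Constructed capture: a phone with a burned-in MAC (U/L bit clear) sends directed
# probes for two remembered networks; a device with a randomized MAC (U/L bit set)
# only sends wildcard probes. All addresses and names are made up.
FIXED_MAC = bytes.fromhex("3c5ab4112233")
RANDOM_MAC = bytes.fromhex("da1f7e8a9b0c")
SAMPLE_FRAMES = [
    build_probe_request(FIXED_MAC, b"HomeNet"),
    build_probe_request(FIXED_MAC, b"CoffeeShop-Guest"),
    build_probe_request(FIXED_MAC, b"HomeNet"),
    build_probe_request(RANDOM_MAC, b""),
    b"\x80\x00" + b"\x00" * 30,   # beacon-like frame, ignored by the parser
]

if __name__ == "__main__":
    for mac, ssids in collect_probed_ssids(SAMPLE_FRAMES).items():
        raw = bytes.fromhex(mac.replace(":", ""))
        kind = "randomized?" if is_locally_administered(raw) else "burned-in"
        print(f"{mac} ({kind}) probed for: {', '.join(ssids)}")
```

Run against the constructed frames, only the burned-in MAC shows up with a list of networks; the randomized device sent wildcard probes and contributes nothing to the map. To use it on a real capture, feed it the 802.11 payloads from a monitor-mode pcap after removing the radiotap header and FCS.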

Apple and Android use MAC Randomization

Apple introduced MAC randomization for probe requests in iOS 8.0 in 2014. From Android 8.0 onwards, Android devices use a random MAC address in probe requests when scanning for networks while not associated; Android 10 extended this to a per-network random MAC address used when associating, enabled by default.

[Figure: MAC Randomization feature roadmap]

Conclusion

All three major OS vendors (Apple, Google and Microsoft) have added MAC randomization to their operating systems to improve user privacy on smartphones, laptops and PCs.
