Researchers from the University of Hamburg in Germany conducted a field experiment that captured hundreds of thousands of Wi-Fi probe requests from passersby to determine what data the devices were sending without their owners realizing it.
WiFi probing is a standard process, part of the bilateral communication required between a smartphone and an access point (modem/router) to establish a connection.
By default, and for usability reasons, most smartphones search for available Wi-Fi networks all the time and connect to them if they are trusted.
Many stores already use Wi-Fi probing to track the position and movement of their customers. Because this tracking only uses anonymized MAC addresses in the probe, it is considered GDPR compliant.
The researchers decided to analyze those probes to see what else they might contain, and in 23.2% of cases, they found that the requests broadcast SSIDs from networks that those devices were connected to in the past.
The experiment took place in November 2021 in a busy pedestrian zone in the center of a German city. The team used six antennas to capture probes in different channels and spectrums.
They recorded all broadcast Wi-Fi probe requests for three hours, capturing a total of 252,242 probe requests, 46.4% in the 2.4 GHz spectrum and 53.6% in 5 GHz.
In just three hours, the researchers collected 58,489 SSIDs from random passers-by, many of which contained strings of 16 or more digits that were likely the “original passwords” of popular German home routers from FritzBox or Telekom.
“Leakage of passwords in SSIDs is especially critical if, in addition to the password, the device is also broadcasting the real SSID, either correct or with a wrong type that can be used to infer the real SSID,” the researchers explain in the technical paper.
“In addition, the assumption that the sniffed passwords match SSIDs that were also sent can be verified by setting up fake access points on the fly using the potential credentials we observed.”
In other subsets of the captured SSIDs, the researchers found strings corresponding to 106 different personal names, three email addresses, and 92 vacation homes or accommodations that had previously been added as trusted networks.
Some of these sensitive strings were sent out dozens, hundreds, and in some cases thousands of times during the three-hour recording by repeated bursts of probing.
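To make the capture and classification described above concrete, here is an added Python example (not the researchers' code) that parses constructed 802.11 probe request frames, extracts the SSID element, and sorts each broadcast SSID into the categories the study reported; the frames, MAC addresses and SSIDs are all constructed for illustration.

```python
import re
import struct
from collections import Counter

PROBE_REQ = (0, 4)                   # 802.11 type management, subtype probe request
DIGIT_RUN = re.compile(r"\d{16,}")   # 16+ digit run: the default-password pattern the study flagged
EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def build_probe(sa, ssid, seq):
    """Constructed probe request (no radiotap header, no FCS): 24-byte MAC header + tagged params."""
    hdr = struct.pack("<HH6s6s6sH", 0x0040, 0, b"\xff" * 6, sa, b"\xff" * 6, seq << 4)
    tags = bytes([0, len(ssid)]) + ssid            # element 0 = SSID ("" is the wildcard probe)
    tags += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # element 1 = supported rates
    return hdr + tags

def parse_probe(frame):
    """Return (source MAC, SSID) for a probe request, or None for any other frame."""
    if len(frame) < 24:
        return None
    fc, _, _, sa, _, _ = struct.unpack_from("<HH6s6s6sH", frame, 0)
    if ((fc >> 2) & 0x3, (fc >> 4) & 0xF) != PROBE_REQ:
        return None
    off, ssid = 24, b""
    while off + 2 <= len(frame):                 # walk the tagged parameters
        tid, tlen = frame[off], frame[off + 1]
        val = frame[off + 2:off + 2 + tlen]
        if len(val) < tlen:
            break                                # truncated element: stop rather than over-read
        if tid == 0:
            ssid = val
        off += 2 + tlen
    return sa.hex(":"), ssid.decode("utf-8", "replace")

def classify(ssid):
    """Bucket an SSID the way the study did: wildcard, digit string, email, or a named network."""
    if ssid == "":
        return "wildcard"                        # directed at no network: nothing leaked
    if DIGIT_RUN.search(ssid):
        return "possible-default-password"
    if EMAIL.search(ssid):
        return "email-address"
    return "named-network"

def audit(frames):
    """Count how often each (device, SSID, category) is broadcast across a capture."""
    seen = Counter()
    for f in frames:
        parsed = parse_probe(f)
        if parsed:
            mac, ssid = parsed
            seen[(mac, ssid, classify(ssid))] += 1
    return seen
```

Running audit() over a real capture (frames from a monitor-mode interface with the radiotap header stripped) shows which of your own devices still broadcast saved network names and how often they repeat.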
Aside from data exposure and the scenario of setting up malicious hotspots that accept connections from nearby devices, the main implication here is persistent tracking.
The critical aspect on that front is MAC address randomization, which serves as a defense against tracking attempts and has come a long way in both Android and iOS in making device tracking more difficult, if not impossible.
Newer OS versions offer more randomization and put less information in the probe requests, but combined with other parameters in the captured data, such as signal strength, sequence number, and advertised network capabilities, it may still be possible to fingerprint individual devices.
Below is an overview of the privacy features of each OS version. Note that the market share percentages reflect the November 2021 figures.
Obviously, the more recent the OS version, the stronger the privacy protection features, but the availability of newer versions does not mean immediate adoption.
At the time of the field experiment, Android 8 and older versions accounted for about one in four Android smartphones. In iOS, the situation is better due to Apple’s tighter software update policy and long-term support, but many are still using older iPhone models.
Previous studies also reflect the gradual improvement as users upgrade to more secure operating systems. For example, in a 2014 study, 46.7% of recorded probe requests contained SSIDs, and in two others conducted in 2016, the percentage ranged between 29.9% and 36.4%.
How to strengthen your privacy
The first and easiest thing a smartphone user can do is upgrade their operating system and use a more recent and more secure version that offers more privacy protection.
Second, it’s a good idea to remove saved SSIDs you no longer use or need, since they are otherwise broadcast unnecessarily wherever you go.
Third, Android and iOS provide a quick way to disable auto-join for saved networks, making hotspot attacks impossible.
Finally, users can silence probe requests completely through the advanced network settings. However, this approach has some practical drawbacks, such as slower connections, the inability to discover hidden networks, and higher battery consumption.