Mathieu Cunche

I know who you will meet this evening! Linking wireless devices using Wi-Fi probe requests

Active service discovery in Wi-Fi involves wireless stations broadcasting their Wi-Fi fingerprint, i.e. the SSIDs of their preferred wireless networks. The content of those Wi-Fi fingerprints can reveal different types of information about the owner. We focus on the relation between the fingerprints and the links between the owners. Our hypothesis is that social links between devices owners can be identified by exploiting the information contained in the fingerprint. More specifically we propose to consider the similarity between fingerprints as a metric, with the underlying idea: similar fingerprints are likely to be linked. We first study the performances of several similarity metrics on a controlled dataset and then apply the designed classifier to a dataset collected in the wild. Finally we discuss how Wi-Fi fingerprint can reveal informations on the nature of the links between users. This study is based on a dataset collected in Sydney, Australia, composed of fingerprints corresponding to more than 8000 devices.

I know your MAC address: targeted tracking of individual using Wi-Fi

This work is about wireless communications technologies embedded in portable devices, namely Wi-Fi, Bluetooth and GSM. Focusing on Wi-Fi, we study the privacy issues and potential missuses that can affect the owners of wireless-enabled portable devices. Wi-Fi enable-devices periodically broadcast in plain-text their unique identifier along with other sensitive information. As a consequence, their owners are vulnerable to a range of privacy breaches such as the tracking of their movement and inference of private information (Cunche et al. in Pervasive Mobile Comput, 2013; Greenstein in Proceedings of the 11th USENIX workshop on hot topics in operating systems, pp 10:1–10:6. USENIX Association, Berkeley, 2007). As serious as those information leakage can be, linking a device with an individual and its real world identity is not a straightforward task. Focusing on this problem, we present a set of attacks that allow an attacker to link a Wi-Fi device to its owner identity. We present two methods that, given an individual of interest, allow identifying the MAC address of its Wi-Fi enabled portable device. Those methods do not require a physical access to the device and can be performed remotely, reducing the risks of being noticed. Finally we present scenarios in which the knowledge of an individual MAC address could be used for mischief.

Linking Wireless Devices Using Information Contained in Wi-Fi Probe Requests

Abstract Active service discovery in Wi-Fi involves wireless stations broadcasting their Wi-Fi fingerprint, i.e. the SSIDs of their preferred wireless networks. The content of those Wi-Fi fingerprints can reveal different types of information about the owner. We focus on the relation between the fingerprints and the links between the owners. Our hypothesis is that social links between devices’ owners can be identified by exploiting the information contained in the fingerprint. More specifically we propose to consider the similarity between fingerprints as a metric, with the underlying idea: similar fingerprints are likely to be linked. We first study the performances of several similarity metrics on a controlled dataset and then apply the designed classifier to a dataset collected in the wild. Finally we discuss potential countermeasures and propose a new one based on geolocation. This study is based on a dataset collected in Sydney, Australia, composed of fingerprints belonging to more than 8000 devices.

Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms

We present several novel techniques to track (unassociated) mobile devices by abusing features of the Wi-Fi standard. This shows that using random MAC addresses, on its own, does not guarantee privacy. First, we show that information elements in probe requests can be used to fingerprint devices. We then combine these fingerprints with incremental sequence numbers, to create a tracking algorithm that does not rely on unique identifiers such as MAC addresses. Based on real-world datasets, we demonstrate that our algorithm can correctly track as much as 50% of devices for at least 20 minutes. We also show that commodity Wi-Fi devices use predictable scrambler seeds. These can be used to improve the performance of our tracking algorithm. Finally, we present two attacks that reveal the real MAC address of a device, even if MAC address randomization is used. In the first one, we create fake hotspots to induce clients to connect using their real MAC address. The second technique relies on the new 802.11u standard, commonly referred to as Hotspot 2.0, where we show that Linux and Windows send Access Network Query Protocol (ANQP) requests using their real MAC address.

Inferring user relationship from hidden information in WLANs

With ever increasing usage of handheld devices and vast deployment of wireless networks, we observe that it is possible to collect data from mobile devices and reveal personal relationships of their owners. In the paper, we exploit the hidden information collected from WLAN devices and infer individual relationships between device pairs based on three observation dimensions: network association history, physical proximity and spatio-temporal behavior. By measuring WLAN data, we demonstrate that device owners with social relationship tend to share access points, or show similar behavior patterns in wireless communications (e.g. go to the same place periodically to access the same WLAN network). These results can be exploited for various network analytic purposes.

Censorship in the Wild: Analyzing Internet Filtering in Syria

Internet censorship is enforced by numerous governments worldwide, however, due to the lack of publicly available information, as well as the inherent risks of performing active measurements, it is often hard for the research community to investigate censorship practices in the wild. Thus, the leak of 600GB worth of logs from 7 Blue Coat SG-9000 proxies, deployed in Syria to filter Internet traffic at a country scale, represents a unique opportunity to provide a detailed snapshot of a real-world censorship ecosystem. This paper presents the methodology and the results of a measurement analysis of the leaked Blue Coat logs, revealing a relatively stealthy, yet quite targeted, censorship. We find that traffic is filtered in several ways: using IP addresses and domain names to block subnets or websites, and keywords or categories to target specific content. We show that keyword-based censorship produces some collateral damage as many requests are blocked even if they do not relate to sensitive content. We also discover that Instant Messaging is heavily censored, while filtering of social media is limited to specific pages. Finally, we show that Syrian users try to evade censorship by using web/socks proxies, Tor, VPNs, and BitTorrent. To the best of our knowledge, our work provides the first analytical look into Internet filtering in Syria.

Performance analysis of a high-performance real-time application with several AL-FEC schemes

Real-time streaming applications typically require minimizing packet loss and transmission delay so as to keep the best possible playback quality. From this point of view, IP datagram losses (e.g. caused by a congested router, or caused by a short term fading problem with wireless transmissions) have major negative impacts. Although Application Layer Forward Error Correction (AL-FEC) is a useful technique for protecting against packet loss, the playback quality is largely sensitive to the AL-FEC code/codec features and the way they are used. In this work, we consider three FEC schemes for the erasure channel: 2D parity check codes, Reed-Solomon over GF(28) codes, and LDPC-Staircase codes, all of them being currently standardized within IETF. We have integrated these FEC schemes in the FECFRAME framework, a framework that is also being standardized at IETF, and whose goal is to integrate AL-FEC schemes in real-time protocol stacks in a simple and flexible way. Then we modified the Digital Video Transport System (DVTS) high-performance real-time video streaming application so that it can benefit from FECFRAME in order to recover from transmission impairments. We then carried out several performance evaluations in order to identify, for a given loss rate, the optimal configuration in which DVTS performs the best.

Optimizing the error recovery capabilities of LDPC-staircase codes featuring a Gaussian elimination decoding scheme

This work focuses on the LDPC codes for the packet erasure channel, also called AL-FEC (application-level forward error correction codes). Previous work has shown that the erasure recovery capabilities of LDPC-triangle and LDPC-staircase AL-FEC codes can be greatly improved by means of a Gaussian elimination (GE) decoding scheme, possibly coupled to a preliminary Zyablov iterative decoding (ID) scheme. Thanks to the GE decoding, the LDPC-triangle codes were very close to an ideal code. If the LDPC-staircase performances were also improved, they were not as close to an ideal code as the LDPC-triangle codes were. The first goal of this work is to reduce the gap between the LDPC-staircase codes and the theoretical limit. We show that a simple modification of the parity check matrix can significantly improve their recovery capabilities when using a GE decoding. Unfortunately the performances of the same codes featuring an ID are negatively impacted, as well as the decoding complexity. The second goal of this work is therefore to find an appropriate balance between all these aspects.

Analysing the privacy policies of Wi-Fi trackers

Wi-Fi-based tracking systems have recently appeared. By collecting radio signals emitted by Wi-Fi enabled devices, those systems are able to track individuals. They basically rely on the MAC address to uniquely identify each individual. If retailers and business have high expectations for physical tracking, it is also a threat for citizens privacy. We analyse the privacy policies used by the current tracking companies then we show the pitfalls of hash-based anonymization. More particularly we demonstrate that the hash-based anonymization of MAC address used in many Wi-Fi tracking systems can be easily defeated using of-the-shelf software and hardware. Finally we discuss possible solutions for MAC address anonymization in Wi-Fi tracking systems.

Short paper: WifiLeaks: underestimated privacy implications of the access_wifi_state android permission

On Android, installing an application implies accepting the permissions it requests, and these permissions are then enforced at runtime. In this work, we focus on the privacy implications of the ACCESS_WIFI_STATE permission. For this purpose, we analyzed permissions of the 2700 most popular applications on Google Play and found that the ACCESS_WIFI_STATE permission is used by 41% of them. We then performed a static analysis of 998 applications requesting this permission and based on the results, chose 88 applications for dynamic analysis. Our analyses reveal that this permission is already used by some companies to collect user Personally Identifiable Information (PII). We also conducted an online survey to study users perception of the privacy risks associated with this permission. This survey shows that users largely underestimate the privacy implications of this permission. As this permission is very common, most users are therefore potentially at risk.