On 802.11 Access Point Locatability and Named Entity Recognition in Service Set Identifiers

Chernyshev, Maxim; Valli, Craig; Hannay, Peter

doi:10.1109/tifs.2015.2507542

Cited by 9 publications

(3 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The works by Chernyshev et al and Bonné et al [29,33] use SSIDs to map observed devices to a set of visited geolocations using databases such as https://wigle.net [13]. Vanhoef et al apply entropy clustering techniques to a selection of IEs and sequence numbers to identify a device but do not consider the bit-level entropy and assume a continuous observation of the tracked devices [35].…”

Section: Related Workmentioning

confidence: 99%

Noncooperative 802.11 MAC Layer Fingerprinting and Tracking of Mobile Devices

Robyns

Bonné

Quax

et al. 2017

Security and Communication Networks

View full text Add to dashboard Cite

We present two novel noncooperative MAC layer fingerprinting and tracking techniques for Wi-Fi (802.11) enabled mobile devices. Our first technique demonstrates how a per-bit entropy analysis of a single captured frame allows an adversary to construct a fingerprint of the transmitter that is 80.0 to 67.6 percent unique for 50 to 100 observed devices and 33.0 to 15.1 percent unique for 1,000 to 10,000 observed devices. We show how existing mitigation strategies such as MAC address randomization can be circumvented using only this fingerprint and temporal information. Our second technique leverages peer-to-peer 802.11u Generic Advertisement Service (GAS) requests and 802.11e Block Acknowledgement (BA) requests to instigate transmissions on demand from devices that support these protocols. We validate these techniques using two datasets, one of which was recorded at a music festival containing 28,048 unique devices and the other at our research lab containing 138 unique devices. Finally, we discuss a number of countermeasures that can be put in place by mobile device vendors in order to prevent noncooperative tracking through the discussed techniques.

show abstract

Section: Related Workmentioning

confidence: 99%

Noncooperative 802.11 MAC Layer Fingerprinting and Tracking of Mobile Devices

Robyns

Bonné

Quax

et al. 2017

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…Chernyshev et al [16] look at information that can be extracted from the SSID strings contained in probe request messages. The assumption is that the entities of potential interest, such as locations and personal names contained within SSIDs, can be recognized in an automated fashion; the authors show that the attributes which can be extracted from the SSIDs can be used as a basis for inference attacks.…”

Section: De-anonymizationmentioning

confidence: 99%

Building up knowledge through passive WiFi probes

Redondi

Cesana

2018

Computer Communications

View full text Add to dashboard Cite

“…A number of papers discuss various threats to user's privacy based upon collected probe requests containing an Access Point's (AP) Service Set Identifier-SSID [7][8][9][10][11][12][13]. WiFi-enabled devices using Active Service Discovery broadcast these probe request frames aimed at the set of preferred APs to increase the connection speed.…”

Section: Introductionmentioning

confidence: 99%

SSID Oracle Attack on Undisclosed Wi‐Fi Preferred Network Lists

Dagelić

Perković

Vujatović

et al. 2018

Wireless Communications and Mobile Computing

View full text Add to dashboard Cite

User's location privacy concerns have been further raised by today's Wi-Fi technology omnipresence. Preferred Network Lists (PNLs) are a particularly interesting source of private location information, as devices are storing a list of previously used hotspots. Privacy implications of a disclosed PNL have been covered by numerous papers, mostly focusing on passive monitoring attacks. Nowadays, however, more and more devices no longer transmit their PNL in clear, thus mitigating passive attacks. Hidden PNLs are still vulnerable against active attacks whereby an attacker mounts a fake SSID hotspot set to one likely contained within targeted PNL. If the targeted device has this SSID in the corresponding PNL, it will automatically initiate a connection with the fake hotspot thus disclosing this information to the attacker. By iterating through different SSIDs (from a predefined dictionary) the attacker can eventually reveal a big part of the hidden PNL. Considering user mobility, executing active attacks usually has to be done within a short opportunity window, while targeting nontrivial SSIDs from user's PNL. The existing work on active attacks against hidden PNLs often neglects both of these challenges. In this paper we propose a simple mathematical model for analyzing active SSID dictionary attacks, allowing us to optimize the effectiveness of the attack under the above constraints (limited window of opportunity and targeting nontrivial SSIDs). Additionally, we showcase an example method for building an effective SSID dictionary using top-N recommender algorithm and validate our model through simulations and extensive real-life tests.

show abstract

On 802.11 Access Point Locatability and Named Entity Recognition in Service Set Identifiers

Cited by 9 publications

References 15 publications

Noncooperative 802.11 MAC Layer Fingerprinting and Tracking of Mobile Devices

Noncooperative 802.11 MAC Layer Fingerprinting and Tracking of Mobile Devices

Building up knowledge through passive WiFi probes

SSID Oracle Attack on Undisclosed Wi‐Fi Preferred Network Lists

Contact Info

Product

Resources

About