
Probing for Passwords -- Privacy Implications of SSIDs in Probe Requests (2206.03745v2)

Published 8 Jun 2022 in cs.CR

Abstract: Probe requests help mobile devices discover active Wi-Fi networks. They often contain a multitude of data that can be used to identify and track devices and thereby their users. The past years have been a cat-and-mouse game of improving fingerprinting and introducing countermeasures against fingerprinting. This paper analyses the content of probe requests sent by mobile devices and operating systems in a field experiment. In it, we discover that users (probably by accident) input a wealth of data into the SSID field and find passwords, e-mail addresses, names and holiday locations. With these findings we underline that probe requests should be considered sensitive data and be well protected. To preserve user privacy, we suggest and evaluate a privacy-friendly hash-based construction of probe requests and improved user controls.

Citations (3)

Summary

  • The paper reveals that 23.2% of probe requests include non-empty SSIDs that expose sensitive data such as passwords and location details.
  • It uses a field experiment, capturing 252,242 probe requests, to highlight privacy vulnerabilities especially in older mobile operating systems.
  • It proposes enhanced SSID hashing and improved user interface designs to mitigate risks and align with stronger privacy protection standards.

Privacy Implications of SSIDs in Wi-Fi Probe Requests

This paper presents an in-depth analysis of the privacy risks associated with probe requests used by mobile devices to discover Wi-Fi networks. The authors conducted a field experiment to study the data contained in the probe requests, revealing that these requests often inadvertently include sensitive information such as passwords, email addresses, and personal location data, which are embedded in Service Set Identifier (SSID) fields. The research underscores the notion that probe requests should be tightly secured and advocates for technical and interface alterations to enhance user privacy.

The research provides several critical insights into the contemporary state of Wi-Fi tracking. In their experiment, the authors collected approximately 252,242 probe requests in a busy pedestrian zone, finding that 23.2% of these contained non-empty SSIDs. This phenomenon demonstrates a clear privacy issue, as SSIDs can be mapped to physical locations using services like WiGLE, potentially exposing personal residences or workplaces of the mobile device users. Furthermore, the paper articulates that probe requests can reveal intricate personal data, including numeric passwords and identifiable information, suggesting these signals could be used unintentionally to track and profile individuals.

The analysis also highlights notable discrepancies in the privacy protection measures across different operating systems and versions. For instance, devices running older operating systems are more likely to broadcast SSIDs without employing effective privacy protections like MAC address randomization, making them susceptible to tracking by passive network observers. This discrepancy in security measures indicates an ongoing need for improvements in mobile OS updates to ensure consistent privacy safeguards across platforms.

To address these vulnerabilities, the authors propose two primary solutions: an enhanced hashing mechanism for SSIDs in probe requests and user interface design improvements for better privacy management. The hashing approach incorporates the device's MAC address and sequence number as a salt, thereby concealing the SSID content from unintended observers; the method introduces a manageable computational overhead while preserving bandwidth considerations. Complementarily, user interface modifications are proposed to prevent accidental additions to the preferred network list (PNL) and to provide clearer user controls over network entries, such as automatic connection controls and options to easily remove known SSIDs.
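
A sketch of the salted-hash construction described above, added here as an example and not taken from the paper or its authors' code. SHA-256, the 8-byte truncation, the field encoding and all function names are assumptions; the MAC address and SSIDs are constructed sample values.

```python
import hashlib
import hmac

TAG_LEN = 8  # assumption: bytes of the digest carried in the probe request


def mac_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw


def hashed_ssid(ssid: str, mac: str, seq: int) -> bytes:
    """Client side: value sent in place of the clear-text SSID."""
    ssid_b = ssid.encode("utf-8")
    if not 0 < len(ssid_b) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    if not 0 <= seq < 4096:  # 802.11 sequence numbers are 12 bits
        raise ValueError("sequence number out of range")
    # Fixed-length salt (6 + 2 bytes) first, so the SSID boundary is unambiguous.
    salt = mac_bytes(mac) + seq.to_bytes(2, "big")
    return hashlib.sha256(salt + ssid_b).digest()[:TAG_LEN]


def ap_matches(own_ssid: str, mac: str, seq: int, tag: bytes) -> bool:
    """Access-point side: recompute with its own SSID and the frame's header fields."""
    return hmac.compare_digest(hashed_ssid(own_ssid, mac, seq), tag)


def demo() -> dict:
    mac, ssid = "02:00:00:aa:bb:cc", "HomeNet-Example"  # constructed sample values
    first = hashed_ssid(ssid, mac, 100)
    second = hashed_ssid(ssid, mac, 101)
    return {
        "tag_len": len(first),
        "tags_differ_per_frame": first != second,
        "home_ap_answers": ap_matches(ssid, mac, 101, second),
        "other_ap_answers": ap_matches("CoffeeShop-Example", mac, 101, second),
    }


if __name__ == "__main__":
    print(demo())
```

Because the salt travels in the clear with the frame, the tag hides the SSID only from observers who do not already hold that name as a candidate; anyone who does can run the same comparison the access point runs.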

The broader implications of this research are significant. The findings advocate for a more robust legal protection of probe requests as sensitive personal data, aligning with privacy principles such as those outlined in GDPR. These insights have implications for technology manufacturers, policymakers, and privacy advocates, urging the need for improved privacy features and responsible user data management strategies.

Looking ahead, the paper suggests possibilities for implementing the proposed hashing mechanism in Wi-Fi protocols, potentially requiring cross-industry collaboration for standardization. Furthermore, it promotes the need for sustained updates and support for legacy devices to reduce the privacy risks posed by outdated security implementations.

In conclusion, this research underscores the importance of protecting user privacy in Wi-Fi network discovery protocols. It outlines actionable solutions to mitigate privacy risks and personal data leakage through Wi-Fi probe requests, proposing both technical advancements and strategic user-interface interventions to foster a more secure wireless ecosystem. As the technology landscape evolves, consistent data protection efforts remain crucial to safeguarding user privacy against evolving threats and exploitation.
