WIFI ANALYTICS AND USER PRIVACY Ante Dagelić
Mario Čagalj
Toni Perković
Marin Bugarić
2
Outline of the talk •  IntroducAon •  Physical AnalyAcs •  AcAve & Passive aFack on PNL •  Invading user privacy •  Conclusion 3
IntroducAon -‐ About me •  joined 3 months ago •  2013 masters •  worked in private sector for 2 years •  developing for 8 years •  interested in security and informaAon analitycs •  LinkedIn 4
EvoluAon of Tracking Systems
•  Web-‐based services can easily monitor customer’s shopping web analy)cs •  There is a growing trend in physical analy)cs 5
EvoluAon of Tracking Systems •  Users act as portable beacons Sensing device #1 Time
MAC address
RSSI
10:05:01 40:a6:d9:ee:-‐-‐:-‐-‐ -‐50dBm 10:05:15 a0:6c:ec:2a:-‐-‐:-‐-‐ -‐45dBm 10:06:45 40:a6:d9:ee:-‐-‐:-‐-‐ -‐88dBm Sensing device #2 Time
MAC address
Sensing Device #1 RSSI
10:05:01 40:a6:d9:ee:-‐-‐:-‐-‐ -‐28dBm 10:05:15 a0:6c:ec:2a:-‐-‐:-‐-‐ -‐45dBm 10:06:45 40:a6:d9:ee:-‐-‐:-‐-‐ -‐30dBm •  Works even if users are not connected Sensing Device #2 6
Two approaches to WiFi tracing 1.  Finding out users previous whereabouts acAve •  passive • 
2.  Matching faces and MAC addresses • 
passive 7
Anonimity Issues •  What if we could learn a user’s Preferred Network List (PNL)? 8
WiFi Passive Service Discovery •  Devices monitor for Beacons frames from nearby APs -‐  devices associate either automaAcally with an AP from PNL or manually with an AP by the user’s choosing -‐  characterized by slow associaAon Ames AP
AP
idle
Scanning cycle
scan
Assoc re
Auth req
time
time
idle
resp
scan
sp
ns
Client
Auth re
Beaco
scan
Assoc
q
AP
scan
idle
scan
time
9
WiFi AcAve Service Discovery •  Devices acAvelly scan WiFi channels (send probe request packets) -‐  devices associate either automaAcally with an AP from PNL or manually with an AP by the user’s choosing AP
Scanning cycle
scan
Auth req
Assoc re
q
Probe re
idle
time
time
idle
resp
scan
Assoc
Client
sp
resp
scan
Auth re
Probe
q
AP
AP
scan
idle
scan
time
10
Captured Trace from AcAve Scanning •  Probe request frames are sent unencrypted: -‐ contain MAC addresses and SSIDs from PNL 11
Captured Trace from AcAve Scanning •  SSID names can be quite revealing 12
DicAonary AFack on PNL Transmission time T
...
...
...
SSID
ki
SSID
SSID
2i
SSID
1i
ki
SSID
SSID
2i
SSID
1i
ki
SSID
SSID
2i
1i
•  Break a large list of SSIDs in chunks •  Periodically transmit ith chunk Chunk size L
Transmission time T Transmission time T
Fake APs
Chunk i
Chunk i-1
Device
scan
idle
scan
idle
Chunk i+1
scan
idle
Scanning cycle
...
...
SSID
ki
SSID
SSID1
2i
iSSIDk
i
SSID2i
SSID1i
SSIDki
SSID2i
...
scan
time
scan
time
13
PotenAal implicaAons •  police evidence for tracking suspects •  ﬁnding out informaAon about your clients / compeAAon •  ﬁnding out if you are cheaAng / being cheated on J •  stalking (paparazzi / journalists) •  others... 14
Matching users and devices •  use triangulaAon to match users locaAon, based on RSSI •  de-‐anonymizing MAC addresses •  use stereo camera setup to enhance posiAoning and capture users face •  match users MAC address and face •  using all WiFi data •  match quality & performances Camera Sensing Device #1 Sensing Device #2 15
Tech setup •  4 raspberry PI Raspberry 1 RSSI: / •  stereo camera Raspberry 3 RSSI: -‐43dBm •  tshark based custom sniﬃng format •  Node.js server for data collecAon •  FESB hallway Raspberry 2 RSSI: -‐60dBm Raspberry 4 RSSI: -‐55dBm Stereo camera 16
Matching problems •  you can’t sniﬀ everything (performance, channels) •  get as many packages (~30k in 2 min) •  get as many matches (~85% for 2 RB, ~70% for 3RB) •  lightning issues for face recogniAon •  interference with mulAple users in the same area 17
PotenAal implicaAons •  tracking a user •  categorizing user groups •  markeAng •  behavior analysis 18
Concluding remarks •  Build a distributed system with mulAple sennsing devices based on Raspberry Pi plaiorm (only $40) •  Include passive and acAve dicAonary aFacks •  Match photos to MAC addresses •  Perform physical analyAcs Thank you