short-paper

Defeating MAC Address Randomization Through Timing Attacks

Authors:

Célestin Matte,

Mathieu Cunche,

Franck Rousseau,

Mathy VanhoefAuthors Info & Claims

WiSec '16: Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks

Pages 15 - 20

https://doi.org/10.1145/2939918.2939930

Published: 18 July 2016 Publication History

Get Access

Abstract

MAC address randomization is a common privacy protection measure deployed in major operating systems today. It is used to prevent user-tracking with probe requests that are transmitted during IEEE 802.11 network scans. We present an attack to defeat MAC address randomization through observation of the timings of the network scans with an off-the-shelf Wi-Fi interface. This attack relies on a signature based on inter-frame arrival times of probe requests, which is used to group together frames coming from the same device although they use distinct MAC addresses. We propose several distance metrics based on timing and use them together with an incremental learning algorithm in order to group frames. We show that these signatures are consistent over time and can be used as a pseudo-identifier to track devices. Our framework is able to correctly group frames using different MAC addresses but belonging to the same device in up to 75% of the cases. These results show that the timing of 802.11 probe frames can be abused to track individual devices and that address randomization alone is not always enough to protect users against tracking.

References

[1]

Android 6.0 changes. Retrieved from https://developer.android.com/about/versions/ marshmallow/android-6.0-changes.html, 2015.

Google Scholar

[2]

M. V. Barbera, A. Epasto, A. Mei, S. Kosta, V. C. Perta, and J. Stefa. CRAWDAD dataset sapienza/probe-requests (v. 2013-09-10). Retrieved 10 November, 2015, from, http://crawdad.org/sapienza/ probe-requests/20130910, Sept. 2013.

Google Scholar

[3]

J. Franklin, D. McCoy, P. Tabriz, V. Neagoe, J. V. Randwyk, and D. Sicker. Passive data link layer 802.11 wireless device driver ngerprinting. In Usenix Security, volume 6, 2006.

Digital Library

Google Scholar

[4]

J. Freudiger. How talkative is your mobile device?: an experimental study of Wi-Fi probe requests. In Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks. ACM, 2015.

Digital Library

Google Scholar

[5]

E. Grumbach. iwlwi: mvm: support random MAC address for scanning. Linux commit effd05ac479b.

Google Scholar

[6]

C. Huitema. Experience with mac address randomization in windows 10, 2015.

Google Scholar

[7]

B. Misra. ios8 mac randomization -- analyzed! http://blog.mojonetworks.com/ios8-mac- randomization-analyzed/, 2014.

Google Scholar

[8]

J. Pang, B. Greenstein, R. Gummadi, S. Seshan, and D. Wetherall. 802.11 user ngerprinting. In MobiCom, pages 99--110. ACM, 2007.

Digital Library

Google Scholar

[9]

K. Skinner and J. Novak. Privacy and your app. In Apple Worldwide Dev. Conf. (WWDC), June 2015.

Google Scholar

[10]

M. Vanhoef, C. Matte, M. Cunche, L. Cardoso, and F. Piessens. Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms. In AsiaCCS, May 2016.

Digital Library

Google Scholar

[11]

B. Wiedersheim, Z. Ma, F. Kargl, and P. Papadimitratos. Privacy in inter-vehicular networks: Why simple pseudonym change is not enough. In Wireless On-demand Network Systems and Services (WONS), pages 176--183. IEEE, 2010.

Digital Library

Google Scholar

Cited By

View all

Hao LHuang BJia BMao G(2024)Heterogeneous Dual-Attentional Network for WiFi and Video-Fused Multi-Modal Crowd CountingIEEE Transactions on Mobile Computing10.1109/TMC.2024.344446923:12(14233-14247)Online publication date: Dec-2024
https://doi.org/10.1109/TMC.2024.3444469
Hao LHuang BJia BMao G(2024)On the Fine-Grained Crowd Analysis via Passive WiFi SensingIEEE Transactions on Mobile Computing10.1109/TMC.2023.332433423:6(6697-6711)Online publication date: Jun-2024
https://doi.org/10.1109/TMC.2023.3324334
Rye ELevin D(2024)Surveilling the Masses with Wi-Fi-Based Positioning Systems2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00239(2831-2846)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00239
Show More Cited By

Index Terms

Defeating MAC Address Randomization Through Timing Attacks
1. Networks
  1. Network properties
    1. Network privacy and anonymity
2. Security and privacy
  1. Network security
    1. Mobile and wireless security

Recommendations

Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms
ASIA CCS '16: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security

We present several novel techniques to track (unassociated) mobile devices by abusing features of the Wi-Fi standard. This shows that using random MAC addresses, on its own, does not guarantee privacy. First, we show that information elements in probe ...
The Feasibility of Launching Reduction of Quality (RoQ) Attacks in 802.11 Wireless Networks
ICPADS '08: Proceedings of the 2008 14th IEEE International Conference on Parallel and Distributed Systems

In this paper, we discuss wireless Reduction of Quality (RoQ) attacks against the transmission control protocol (TCP). RoQ attacks can dramatically degrade the TCP performance with a less number of wireless jamming attacking packets, which makes them ...
Return address randomization scheme for annuling data-injection buffer overflow attacks
Inscrypt'06: Proceedings of the Second SKLOIS conference on Information Security and Cryptology

Buffer overflow(BOF) has been the most common form of vulnerability in software systems today, and many methods exist to defend software systems against BOF attacks. Among them, the instruction set randomization scheme, which makes attacker not to know ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

WiSec '16: Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks

July 2016

242 pages

ISBN:9781450342704

DOI:10.1145/2939918

General Chair:
Matthias Hollick
TU Darmstadt, Germany
,
Program Chairs:
Panos Papadimitratos
KTH, Sweden
,
William Enck
NC State University, USA

© 2016 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of a national government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

In-Cooperation

SIGMOBILE: ACM Special Interest Group on Mobility of Systems, Users, Data and Computing

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 18 July 2016

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Short-paper

Funding Sources

Région Rhône-Alpes

Conference

WiSec'16

Sponsor:

SIGSAC

WiSec'16: 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks

July 18 - 20, 2016

Darmstadt, Germany

Acceptance Rates

WiSec '16 Paper Acceptance Rate 13 of 51 submissions, 25%;

Overall Acceptance Rate 98 of 338 submissions, 29%

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

50
Total Citations
View Citations
668
Total Downloads

Downloads (Last 12 months)66
Downloads (Last 6 weeks)6

Reflects downloads up to 18 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Hao LHuang BJia BMao G(2024)Heterogeneous Dual-Attentional Network for WiFi and Video-Fused Multi-Modal Crowd CountingIEEE Transactions on Mobile Computing10.1109/TMC.2024.344446923:12(14233-14247)Online publication date: Dec-2024
https://doi.org/10.1109/TMC.2024.3444469
Hao LHuang BJia BMao G(2024)On the Fine-Grained Crowd Analysis via Passive WiFi SensingIEEE Transactions on Mobile Computing10.1109/TMC.2023.332433423:6(6697-6711)Online publication date: Jun-2024
https://doi.org/10.1109/TMC.2023.3324334
Rye ELevin D(2024)Surveilling the Masses with Wi-Fi-Based Positioning Systems2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00239(2831-2846)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00239
Givehchian HBhaskar NRedding AZhao HSchulman ABharadia D(2024)Practical Obfuscation of BLE Physical-Layer Fingerprints on Mobile Devices2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00073(2867-2885)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00073
Torkamandi PKärkkäinen LOtt J(2024)Privacy-Preserving Crowd Estimation Using Multiple Wi-Fi Sensors2024 IEEE 21st International Conference on Mobile Ad-Hoc and Smart Systems (MASS)10.1109/MASS62177.2024.00049(314-320)Online publication date: 23-Sep-2024
https://doi.org/10.1109/MASS62177.2024.00049
Ficara DGarroppo RHenry J(2024)A Tutorial on Privacy, RCM and Its Implications in WLANIEEE Communications Surveys & Tutorials10.1109/COMST.2023.334574626:2(1003-1040)Online publication date: Oct-2025
https://doi.org/10.1109/COMST.2023.3345746
McDougall JBrighente AKunstmann AZapatka NFederrath H(2024)Reduce to the MACs - Privacy Friendly Generic Probe RequestsICT Systems Security and Privacy Protection10.1007/978-3-031-65175-5_3(31-45)Online publication date: 26-Jul-2024
https://doi.org/10.1007/978-3-031-65175-5_3
Yang FAhriz IDenby B(2023)Tools for Ground-Truth-Free Passive Client Density Mapping in MAC-Randomized Outdoor WiFi NetworksSensors10.3390/s2313614223:13(6142)Online publication date: 4-Jul-2023
https://doi.org/10.3390/s23136142
Delzanno GCaputo LD’Agostino DGrosso DMustajab ABixio LRulli M(2023)Automatic Passenger Counting on the Edge via Unsupervised ClusteringSensors10.3390/s2311521023:11(5210)Online publication date: 30-May-2023
https://doi.org/10.3390/s23115210
Simončič AMohorčič MMohorčič MHrovat A(2023)Non-Intrusive Privacy-Preserving Approach for Presence Monitoring Based on WiFi Probe RequestsSensors10.3390/s2305258823:5(2588)Online publication date: 26-Feb-2023
https://doi.org/10.3390/s23052588
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms

The Feasibility of Launching Reduction of Quality (RoQ) Attacks in 802.11 Wireless Networks

Return address randomization scheme for annuling data-injection buffer overflow attacks