I work at Supernetworks where we're building secure by default Wi-Fi routers. Our software has had the ability to assign MACs to interfaces for a little while now, and in response to this study we've now also added MAC randomization, currently in the dev branch and generally available in our next release (https://github.com/spr-networks/super). Many cards which support WDS//AP-VLAN have no trouble with updating the BSSID.
For use as a travel router the UI makes it simple to randomize both the AP BSSID/MAC as well as interfaces working as WiFi client stations for internet uplink.
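The randomization described in the comment above relies on two properties of a randomized MAC: it must be unicast and locally administered, and it can be either fresh per use or stable per network. The following is an added example (not Supernetworks code) showing how to derive both kinds and how to recognise a randomized address in a client list; the HMAC-over-SSID derivation and the device secret are illustrative assumptions.

```python
import hashlib
import hmac
import secrets

# First MAC octet: bit 0 is I/G (1 = multicast), bit 1 is U/L
# (1 = locally administered). A randomized station or AP address must be
# unicast and locally administered, so these two bits are forced.
IG_BIT = 0x01
UL_BIT = 0x02


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mac(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 octets")
    return raw


def normalize_random_mac(raw: bytes) -> bytes:
    """Set U/L and clear I/G so the address is unicast, locally administered."""
    first = (raw[0] | UL_BIT) & ~IG_BIT & 0xFF
    return bytes([first]) + raw[1:]


def random_mac() -> str:
    """Fresh address for one session or one scan burst (e.g. a travel router's BSSID)."""
    return fmt_mac(normalize_random_mac(secrets.token_bytes(6)))


def per_network_mac(device_secret: bytes, ssid: str) -> str:
    """Stable randomized address per SSID: the same network always sees the
    same MAC (captive portals keep working), but two networks cannot link a
    device across them. Deriving it as HMAC-SHA256(secret, SSID) and taking
    the first 6 bytes is an illustrative choice, not a specific vendor's scheme."""
    digest = hmac.new(device_secret, ssid.encode("utf-8"), hashlib.sha256).digest()
    return fmt_mac(normalize_random_mac(digest[:6]))


def is_locally_administered_unicast(mac: str) -> bool:
    """True for randomized-style addresses; False for burned-in OUI addresses
    and for multicast. Useful when reading a router's client table."""
    first = parse_mac(mac)[0]
    return bool(first & UL_BIT) and not (first & IG_BIT)
```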
As of 2017 the authors of the paper above found MAC leaks in a shocking 96% of all android phones. And the remaining 4% aren't proven to be leak-free -- they simply hadn't noticed any leaks by the time they wrote the paper.
Unless you have fully open-source firmware on your baseband, like ath9k_htc, there's really no way to prevent this leakage. Or even be sure if it's happening.
With open source baseband firmware you can guarantee that the baseband never even has access to the hardware MAC address. You can even reflash the MAC address eeprom (on every boot if you like!)
In addition to RPi hardware, it would be helpful to support Rockchip RK3399 and RK3588 SoCs that have minimal binary blobs, since these can be used with open-source Arm Trusted Firmware (TF-A) for secure boot, to ensure that only owner-authorized OS and firmware are running on the device.
> Many cards which support WDS//AP-VLAN have no trouble with updating the BSSID.
Do these M.2 WiFi cards support AP/VLAN and BSSID updates?
I’m not sure if I understand your project correctly, but can this fix the issue with tracking people by location from their phones? Either way it’s a cool project.
I’m Danish, I think the only way to really prevent mass surveillance through WiFi is through laws and legislation. It used to be legal to track people here, but thankfully it’s not anymore. I still remember when there was an outcry from smaller municipalities when they could no longer track people on their “walking streets”. I’m not sure if you have those in other countries but they are basically the “central” street with a lot of shops that are only for pedestrians. Virtually every Danish city has one, larger cities have multiple. Anyway, smaller cities used to track people to see which parts of those streets were popular and which weren’t.
Now they didn't exactly do it for sinister reasons as such. Our smaller cities have issues with what is called "city death" where their "walking streets" lose shops because people go to larger malls. Then they might add a playground or other cultural things, or even help shops with rents in order to even out popularity along their "walking streets".
Despite their good intentions it was still mass scale surveillance.
> Our software had the ability to assign MACs to interfaces for a little while now, and as a response to this study we've now also added MAC randomization, now in the dev branch […]
Will it follow what the IEEE is proposing?
* 802.11bh: Enhanced service with randomized MAC addresses
* 802.11bi: Enhanced service with Data Privacy Protection
This sounds very cool and IIUC could replace my EdgeRouterX ($60) I currently use.
Suggestion: your site is not understandable to me. At the top it says you make routers. Under products it lists a PI5 HAT. Is that a router? It sounds like it's a Wifi card for a Raspberry PI?? PI5 Pod, is that a router? It says "bundled with PI5 Router" ??? "CM4 Capsule", is that a router?
Is this site only for people who already know these terms?
It also claims all this runs locally but then says you have a subscription... ?!
From your site: “ Why should your vacuum be able talk to your doorbell? Inadequate network isolation makes breaches worse.”
Just got to say- that would be awesome for my vacuum to stop making a loud noise when someone pushed the doorbell, so I wouldn’t miss the person! (But I do completely get the underlying sentiment)
Unfortunately wisp/biz/cafe net providers often seem to block randomised mac addresses on device side (I'm guessing the sign on portal they force people thru registers by mac).
On my Android 12 phone, I have the following things disabled:
- [ ] Location
  - Improve location accuracy
    - [ ] Wi-Fi scanning
    - [ ] Bluetooth scanning
  - [ ] Google location accuracy
  - [ ] Google location history
  - [ ] Google location sharing
  - App-level permissions
    - Allowed all the time: None
    - Allowed only while using app: Maps, Lyft, Uber, Uber Eats
What's funny is that when searching "location" in settings, the "Google ..." ones aren't listed and have to be hunted down manually under Location/Location services.
I sometimes temporarily enable Location, but most often I'll just enter addresses manually into the apps and dismiss any requests for location access.
Of course anything with internet access can still guess location based on the public IP address used to connect to any server. Maybe a VPN could help, but then you have to trust that party too.
> anything with internet access can still guess location based on the public IP address used to connect to any server.
Not to mention Chrome & friends will gladly provide wifi-based location lookup to any site that asks for location. You can have GPS off, using a VPN, and still the website will know where you are. Turn it off, sure, then the site can block you.
Tried to get around my states online casino restrictions a few months back. Not a fun time.
To be fair, apple has a similar approach, you can't fully turn off Bluetooth or wifi if you press on their corresponding widgets (they only become inactive), you have to go to the settings to turn them off.
As for location, you can't even do so without going to the settings.
I've done the same. It is extremely annoying that there's no concept of graceful fallback in modern operating systems. For example, Google Pay on Android can work without location enabled, but whenever you start the app it is the first thing that it prompts you for (even before asking for the fingerprint or passcode unlock that you've set on it).
I was thinking recently about the inverse of this attack. I have many thieves coming to my warehouse, and was thinking I could broadcast a bunch of local SSIDs to try to see which ones their phones try to autoconnect to.
I could then use that info to figure out where they are likely to hang out, and either give it to police or take matters into my own hands.
I think phones should have location-based wifi (and maybe bluetooth).
Meaning, if your location is home, turn on wifi, else turn it off.
Unfortunately apple/google/carriers have a vested interest in making our devices very promiscuous. (location services, advertising/surveillance, offload cellular, etc)
> Intelligent Wi-Fi provides four features that aim to improve consumers' Wi-Fi experience:
> * Network Bearer Switching
> * Auto Wi-Fi
> * Suspicious Hotspot Detection
> * Enhanced Power Saving
>Intelligent Wi-Fi is the new brand name of the existing “Adaptive Wi-Fi” which had been applied to models older than Galaxy S10 (e.g. Galaxy S9 or older models). It has been improved by adding a new feature such as Suspicious Network Detection and also enhancing existing features such as Network Bearer Switching.
>Auto Wi-Fi
>People use Wi-Fi differently based on their location. In places where Wi-Fi is available, we turn on Wi-Fi to avoid being charged for mobile data. On the other hand, if Wi-Fi is always on, we are subjected to frequent, unwanted connections and higher power consumption. To solve this problem, we have introduced Auto Wi-Fi, which turns Wi-Fi on and off depending on your location. Auto Wi-Fi addresses these connectivity-related pain points.
>Auto Wi-Fi pays close attention to your connection patterns and remembers your favorite networks. It turns your Wi-Fi on when a favorite network is available. When you leave the area and the network becomes unavailable, Auto Wi-Fi will automatically turn off your Wi-Fi.
I find this paper's title "surveilling the masses ..." not fitting for the (nevertheless important) findings in this paper. While "mass surveillance" is an ambiguous term, it invokes images of "this method allows wiretapping/reading society's private conversations, and/or pinpointing everybody's precise location in real-time".
But actually, the findings are:
"this method can be leveraged as an additional statistical proxy for population movement and infrastructure outages/destruction;
By taking several assumptions (e.g. BSSID not spoofed; BSSID is seen by some smartphone; BSSID of to-be-surveilled target is known; BSSID is actually used by target and not sold/handed to someone else; target is close to BSSID; BSSID is on; etc.), an individual's historical and possibly current whereabouts may be revealed".
"The central goal of the attacker we consider is to gather location and movement data about a large number of devices, either globally or pertaining to a specific region of interest."
On top of that, some networks like Spectrum already report all the MAC addresses that are connected to it remotely to the Spectrum database, instead of just on your network panel locally (because there isn't a Spectrum network panel anymore, only the app). This means that a nation state (USA) can see real time minute by minute who is on that network, and recent devices on that network because Spectrum designed this in their firmware.
You can check yourself from the app:
Services > Devices on Network > Manage
And it will show all of the MAC addresses connected, and recently connected. Even remotely if you are not logged into your network.
You also can see the *plaintext* password to your router from this app.
Services > Your WiFi Network
Which means a nation state also can remotely login to your network without you knowing, and otherwise is bad for security if passwords for millions of homes are plaintext.
---
Moral of the story is that even if Apple eventually fixes this, the other side of the tracking that nation states could do could be done at the ISP firmware level. To solve this kind of attack, either allowing open firmware or new legislation is the only way to stop this. (Which, when has privacy legislation ever happened... is another question for another day).
> In late March 2024, Apple quietly updated its website to note that anyone can opt out of having the location of their wireless access points collected and shared by Apple — by appending "_nomap" to the end of the Wi-Fi access point's name (SSID). Adding "_nomap" to your Wi-Fi network name also blocks Google from indexing its location.
> "You may not have Apple products, but if you have an access point and someone near you owns an Apple device, your BSSID will be in [Apple's] database," he said. "What's important to note here is that every access point is being tracked, without opting in, whether they run an Apple device or not." Commonly used travel routers compound the potential privacy risks.
> The Google/Apple opt out (_nomap) needs to be at the end of SSID name. Whereas the Microsoft opt out (_optout) can be anywhere in the SSID name. Therefore, to opt out of both, it would be in this order: SSIDName_optout_nomap
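The quoted ordering rule (Microsoft's marker anywhere, Apple/Google's marker last) is easy to get wrong when renaming a network by hand, and the 32-byte SSID limit can silently truncate the suffix on some routers. This added example (not from the quoted article or any vendor) checks which opt-outs an SSID satisfies and rebuilds a name that satisfies all three; the marker strings come from the comment, the 32-byte limit is the 802.11 SSID element maximum.

```python
NOMAP = "_nomap"     # Apple and Google: must be the final characters of the SSID
OPTOUT = "_optout"   # Microsoft: may appear anywhere in the SSID
SSID_MAX_BYTES = 32  # 802.11 SSID element limit, counted in bytes, not characters


def optout_status(ssid: str) -> dict:
    """Report which providers' opt-out rules the given SSID satisfies."""
    return {
        "apple_google": ssid.endswith(NOMAP),
        "microsoft": OPTOUT in ssid,
    }


def base_name(ssid: str) -> str:
    """Strip any existing markers so rebuilding never doubles them up."""
    name = ssid.replace(OPTOUT, "")
    while name.endswith(NOMAP):
        name = name[: -len(NOMAP)]
    return name


def utf8_truncate(s: str, max_bytes: int) -> str:
    """Cut s so its UTF-8 encoding fits max_bytes without splitting a character.
    A partial trailing multibyte sequence is invalid UTF-8 and is dropped."""
    return s.encode("utf-8")[:max_bytes].decode("utf-8", errors="ignore")


def opt_out_ssid(ssid: str) -> str:
    """Build <base>_optout_nomap, shortening the base name if the whole SSID
    would exceed 32 bytes (otherwise the trailing _nomap would be lost)."""
    suffix = OPTOUT + NOMAP
    room = SSID_MAX_BYTES - len(suffix.encode("utf-8"))
    base = utf8_truncate(base_name(ssid), room)
    if not base:
        raise ValueError("no room left for the network name")
    return base + suffix
```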
That is a known fact and widely reported to have caused security issues. Even in the Ukraine conflict, if the Russian army doesn't follow the protocol of NOT BRINGING your phone to deployment they get targeted instantly by US missiles. SIGINT can map phone signals showing large groups of people in certain areas just by having your phone on and all this privacy thing turned off.
Basically any sort of Android/iOS device by default will report back the location of nearby APs. Given how important phones are (eg. for entertainment or keeping in touch), it's basically impossible to ban them.
"Russia-Ukraine War First, we use Apple's WPS to analyze device movements into and out of Ukraine and Russia, gaining insights into their ongoing war that, to the best of our knowledge, have yet to be made public. We find what appear to be personal devices being brought by military personnel into war zones, exposing pre-deployment sites and military positions. Our results also show individuals who have left Ukraine to a wide range of countries, validating public reports of where Ukrainian refugees have resettled."
Why does every article have to invent some acronym, and even worse in this case, an acronym that already exists in the wifi context (wifi protected setup - WPS).
Nitpick: Figure 2 should have been loglog, rather than semilog-y, I would love to see more details rather than the near vertical line (graph is Cumulative geo-located BSSIDs as a function of the number of API queries)
How does a faraday bag save battery? Normally I find that in areas of poor mobile signal, the phone ramps up the power to keep contacting towers and burns through the charge much quicker.
karma_pharmer|1 year ago
https://news.ycombinator.com/item?id=13839540
https://wiki.debian.org/ath9k_htc/open_firmware
throw0101d|1 year ago
* https://standards.ieee.org/beyond-standards/data-privacy-and...
staplers|1 year ago
As an average home user, I would love something like this (interface and features) but with a nicer looking hardware (wife tax).
kingnothing|1 year ago
https://krebsonsecurity.com/2024/04/fcc-fines-major-u-s-wire...
hnburnsy|1 year ago
https://docs.samsungknox.com/admin/knox-platform-for-enterpr...
sandworm101|1 year ago
Or just randomize every MAC at the client level, blinding everyone up the chain and no doubt causing many false reports as randomized macs collide.
sambazi|1 year ago
future you will thank you
_trampeltier|1 year ago
https://www.wigle.net/
croes|1 year ago
https://news.ycombinator.com/item?id=40454706
Related article
https://news.ycombinator.com/item?id=40464184
juunpp|1 year ago
Is this verified? Does the military not ban Apple/Google personal trackers?
dirkmakerhafen|1 year ago
I have been using apple geolocation api for the last 6-7 years to regularly download a snapshot of all access points in the world.
https://github.com/dirk-makerhafen/apple-bssid (the basic request code, not the mass downloader part)
ajsnigrutin|1 year ago
> Wi-Fi-based Positioning Systems (WPSes) are....
acheong08|1 year ago
Found some interesting things and still working on recording more MITM from my iPhone to see what else is sent.