WiFi tracking and how to avoid it

Forums › Off topic › WiFi tracking and how to avoid it

neb

11294 posts

Uber Geek
+1 received by user: 10018

Trusted

Lifetime subscriber

#299006 2-Aug-2022 19:30

Not sure which is the best forum for this but it's more a privacy issue than a tech one: There have been a pile of stories recently about retailers, and no doubt others, tracking people via the WiFi on their electronic leashes. Pretty much every mobile WiFi device uses active scanning where it broadcasts continuous probe requests, which makes them very easily traceable.

For Android devices, a simple countermeasure is to geofence your WiFi usage, so only turn WiFi on when you're at a location where you'll be using it. The app I use for this is WiFi Automatic by j4velin (be aware that there are several others under the same name), which has various options for selectively enabling WiFi, including a geofence one where it's only turned on when you're near an AP that you're actually using. With both Bluetooth and WiFi off it means only the government is left tracking you (via cellular data) rather than absolutely anyone who feels like it.

This probably extends battery life a bit as well since you're not constantly broadcasting probe requests when not connected.

RunningMan

9184 posts

Uber Geek
+1 received by user: 4834

#2949852 2-Aug-2022 19:46

iPhones since 5 use random MAC addresses for scanning, and for joining networks since iOS 14. https://support.apple.com/en-nz/guide/security/secb9cb3140c/web

neb

11294 posts

Uber Geek
+1 received by user: 10018

Trusted

Lifetime subscriber

#2949863 2-Aug-2022 20:14

RunningMan:
iPhones since 5 use random MAC addresses for scanning, and for joining networks since iOS 14. https://support.apple.com/en-nz/guide/security/secb9cb3140c/web

Android does that too, and the better trackers have already worked around it. It also breaks anything based on fixed MAC addresses, e.g. filtering for access control.

gzt

18678 posts

Uber Geek
+1 received by user: 7809

Lifetime subscriber

#2949867 2-Aug-2022 20:27

better trackers have already worked around it

how does that work?

insane

3324 posts

Uber Geek
+1 received by user: 1006

ID Verified

Trusted

2degrees

Subscriber

#2949896 2-Aug-2022 20:42

gzt:
better trackers have already worked around it

how does that work?

I can only imagine they might fingerprint the array of SSIDs the device searches for.

Otherwise I can't see how it would be done without having an active connection where the user agent, OS, patch levels, hardware versions etc are exposed.

W/less Lan controllers and NACs do get to see a surprising amount of device info.

michaelmurfy

meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator

ID Verified

Trusted

Lifetime subscriber

#2949899 2-Aug-2022 20:48

Basically, if you have a Smartphone then you're being tracked from much more than WiFi beacons. More common these days is actually via Bluetooth.

Also the only way of really turning off WiFi is via a hardware killswitch. Many devices these days actually keep the radio turned on as both the mobile radio and WiFi are used for location (Assisted GPS) commonly used where actual GPS signal is lost (eg, inside buildings). This is actually a battery saving method.

IMHO what you're doing is rather pointless especially on newer devices.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

neb

11294 posts

Uber Geek
+1 received by user: 10018

Trusted

Lifetime subscriber

#2949903 2-Aug-2022 20:55

gzt:
better trackers have already worked around it

how does that work?

One that I'm familiar with uses arrival times of probe requests to group probes from the same device even with the MAC address randomised. That one's purely passive, there are active techniques as well, e.g. setting up or listening in on APs that capture a device since the MAC address won't change as long as it's associated, or using active probing and seeing what comes back in the control frames, and other, proprietary techniques. It's likely that any organisation selling gear capable of tracking individuals down to the level of (approximately) which items they're browsing in a shop and how long they linger at each one is also capable of defeating MAC address randomisation.

"Best block not be there".

Dell

Shop now for Dell laptops and other devices (affiliate link).

insane

3324 posts

Uber Geek
+1 received by user: 1006

ID Verified

Trusted

2degrees

Subscriber

#2949964 2-Aug-2022 22:19

michaelmurfy:
Basically, if you have a Smartphone then you're being tracked from much more than WiFi beacons. More common these days is actually via Bluetooth....

That's a good point, pretty sure NZTA use that to track vehicle trips throughout Auckland to give data on AVG travel times and where people are commuting from and to etc.

Plenty of good uses for anonymous and aggregated data analytics that doesn't specifically impinge on anyone's privacy.

itxtme

2102 posts

Uber Geek
+1 received by user: 557

#2950011 3-Aug-2022 09:25

insane:
I can only imagine they might fingerprint the array of SSIDs the device searches for.

Out of interest when you say array are you meaning multiple probes or does a single probe contain all of the SSIDs in an array? If its the former you would think the differing mac addresses would then make it difficult to not see a person as multiple people given the random MACs

Daynger

444 posts

Ultimate Geek
+1 received by user: 313

#2950018 3-Aug-2022 09:41

If you are paranoid about being tracked you probably shouldnt have a mobile phone at all, especially a smart one.

concordnz

492 posts

Ultimate Geek
+1 received by user: 277

Trusted

EMT (R)

#2950136 3-Aug-2022 12:01

@neb
Ignore the people who say it's pointless,

Dont give up on your goal of protecting your privacy,
it is 'yours' until you stop protecting it....and let others take it from you...

& thank you for posting the app you use. 👍

wonderferret

141 posts

Master Geek
+1 received by user: 17

Lifetime subscriber

#2950174 3-Aug-2022 13:15

itxtme:
insane:
I can only imagine they might fingerprint the array of SSIDs the device searches for.

Out of interest when you say array are you meaning multiple probes or does a single probe contain all of the SSIDs in an array? If its the former you would think the differing mac addresses would then make it difficult to not see a person as multiple people given the random MACs

I did some a work a few years ago and the phones we tested blasted out a list of all the SSIDs in a single probe they were looking to connect to. It was very easy to fingerprint individuals driving past our building in the AM / PM commute and to see when the boss was pulling into the carpark. We didnt bother checking the mac addresses as there was no need

Apple TV

Stream your favourite shows now on Apple TV (affiliate link).

tripper1000

1648 posts

Uber Geek
+1 received by user: 1176

#2950288 3-Aug-2022 16:16

You can put your phone into flight mode or run fancy security apps, but that doesn't stop your car-stereo/headphones/mouse/hearing aid/watch/reversing camera/AirTag/selfie stick/go-pro/tablet/tire pressure sensors/sex-toy etc emitting on blue tooth. Auckland Transport, marketing people and the NSA don't care what the device is, it is moving with a person and they just track it.