For centuries, coffee shops have been a great place to people watch. Today, I don’t even need to look up from my laptop, nor take my headphones off to discover a lot about those around me. WiFi networks hold a lot more personal information than you may realize.
Smartphone manufactures are committed to pleasing their users, and those users have long been demanding battery life. To that end, the majority of smartphones use a different method to discover WiFi networks in comparison to laptops and other devices, where battery consumption isn’t at such a premium.
A laptop will spend some time listening for beacon packets from WiFi access points. These beacon packets contain the network name along with other information. This discovery method generally works well but you sometimes have to listen for a while to gather all the nearby WiFi networks and you’re never sure you have waited long enough to gather them all. If your smartphone were to constantly listen for WiFi networks as you go about your day, this would quickly drain your battery.
Because of this, smartphones use a different method known as a ‘probe request’ to save on battery consumption. Every once in a while, your smartphone will broadcast out a probe request for all the WiFi networks that it has been configured to join. On iPhones, this is known as a Preferred Network Offload (PNO). There’s no way for you to discover what your PNO contains by looking at your iPhone, but all the WiFi networks you have successfully joined are added to this list unless you have opted-out (and you can only opt-out when you are connected to that network and then only for open networks).
Let’s take this all in again. Every minute that your smartphone’s WiFi is enabled (but not connected), it is broadcasting to the nearby vicinity and all the WiFi networks you have previously joined. Regardless of whether that network has encryption or a hidden service set identification.
To demonstrate how easy it is for someone to glean this information, I wrote a small script that works on most Macs. This script will listen to any probes around you and print off how many devices are probing. It’s important to note that this is a completely passive scan. Nothing is being sent out from my Mac – I am only listening to the noise everyone else is broadcasting.
I felt it fair to run the experiment on myself and I was pretty amazed by what I found. Almost all of the WiFi networks I had joined in the previous two years were being broadcast from my iPhone, and thanks to keychain iCloud sharing, every network I had joined from my Mac too.
For years in IT security we’ve been advised and pressured into using unique and obscure names for user IDs, passwords etc. A lot of people are doing the same with their home and business WiFi Service Set Identifier (SSID). Personally, I had a globally unique WiFi SSID, and by using an open-source database of known WiFi networks such as wigle.net I was able to pinpoint my home address.
More recently, a team at the University of Hasselt in Belgium showed us how one could correlate this information with open databases of WiFi network geolocation and provided a mathematical equation to the likelihood that a smartphone has visited a particular city. Recently, Apple has added MAC address randomization (with limited success) but this doesn’t change during a probing session nor once you have connected to a WiFi network.
Industry colleagues have referred to the above information as ‘digital exhaust’. So how can you reduce your smartphone’s emissions?
- For overall protection against this type of snooping – turn off WiFi. Even when you are connected to a trusted network, a hacker could de-authorize you from this network and listen again to your phone’s probes
- Regularly reset your network settings and hence ‘forget’ your learnt networks
- Be aware of when your phone is connected to WiFi vs.cellular and do not trust open/free public networks
- For networks that you manage, always employ WPA2 encryption with a complex password and use a generic SSID name
- Consider using hidden/blind SSID names