Wi-Fi Hotspot Tracking

Free Wi-Fi hotspots can track your location, even if you don't connect to them. This is because your phone or computer broadcasts a unique MAC address.

What distinguishes location-based marketing hotspot providers like Zenreach and Euclid is that the personal information you enter in the captive portal -- like your email address, phone number, or social media profile -- can be linked to your laptop or smartphone's Media Access Control (MAC) address. That's the unique alphanumeric ID that devices broadcast when Wi-Fi is switched on.

As Euclid explains in its privacy policy, "...if you bring your mobile device to your favorite clothing store today that is a Location -- and then a popular local restaurant a few days later that is also a Location -- we may know that a mobile device was in both locations based on seeing the same MAC Address."

MAC addresses alone don't contain identifying information besides the make of a device, such as whether a smartphone is an iPhone or a Samsung Galaxy. But as long as a device's MAC address is linked to someone's profile, and the device's Wi-Fi is turned on, the movements of its owner can be followed by any hotspot from the same provider.

"After a user signs up, we associate their email address and other personal information with their device's MAC address and with any location history we may previously have gathered (or later gather) for that device's MAC address," according to Zenreach's privacy policy.

The defense is to turn Wi-Fi off on your phone when you're not using it.

EDITED TO ADD: Note that the article is from 2018. Not that I think anything is different today....

Posted on October 10, 2019 at 5:49 AM • 32 Comments
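
An added example, not from the article or from either provider: a Python check a device owner could run over the addresses their own phone was seen using, showing which ones carry a vendor prefix and which would let two locations be linked. The sightings are constructed, the function names are hypothetical, and 00:00:5E:00:53:xx is the documentation address range from RFC 7042.

```python
from collections import defaultdict

def parse_mac(text):
    """Return the six octets of a MAC address written with ':' or '-' separators."""
    parts = text.strip().replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)  # ValueError on bad hex or octet > 0xFF

def is_randomized(mac):
    """True when the locally administered bit (0x02 in the first octet) is set,
    which is how randomized addresses are marked; factory addresses leave it clear."""
    return bool(parse_mac(mac)[0] & 0x02)

def vendor_prefix(mac):
    """First three octets (the OUI) of a factory address, or None for a randomized one."""
    octets = parse_mac(mac)
    return None if octets[0] & 0x02 else octets[:3].hex(":").upper()

def linkable_visits(sightings):
    """Map each address seen at two or more locations to (locations, randomized?)."""
    seen = defaultdict(set)
    for location, mac in sightings:
        seen[parse_mac(mac)].add(location)
    return {
        octets.hex(":"): (sorted(places), bool(octets[0] & 0x02))
        for octets, places in seen.items() if len(places) > 1
    }

# Constructed sample: addresses three phones used at the two locations in Euclid's example.
SIGHTINGS = [
    ("clothing store", "00:00:5E:00:53:2A"),  # phone A: factory address
    ("restaurant",     "00-00-5e-00-53-2a"),  # phone A again, other notation
    ("clothing store", "da:a1:19:00:00:01"),  # phone B: fresh random address
    ("restaurant",     "6e:0c:44:00:00:02"),  # phone B: a different random address
    ("clothing store", "92:7f:10:00:00:03"),  # phone C: random address, but reused
    ("restaurant",     "92:7f:10:00:00:03"),
]

if __name__ == "__main__":
    for mac, (places, randomized) in linkable_visits(SIGHTINGS).items():
        kind = "randomized but reused" if randomized else f"factory, OUI {vendor_prefix(mac)}"
        print(f"{mac} links {places} ({kind})")
```

Phone B drops out of the result because it never repeats an address; phone C shows that the randomized bit alone does not help if the same address is presented at both places.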

Comments

Mike • October 10, 2019 6:14 AM

I naively thought this was addressed last time when this was news.
That time I read that they did add countermeasures in iPhones that generated a new ID for every hotspot.

Flight mode it is.

johnf • October 10, 2019 6:21 AM

Isn't this addressed with MAC randomization?

As I understand it you would only be traceable if the operator used the same SSID at all locations and your phone connected to it.

Michael Josem • October 10, 2019 6:30 AM

Bemusingly, many cheap/low-end devices do not have unique MAC addresses - the manufacturer fails to increment or change them from device to device. Maybe that's a way to limit this sort of tracking?

me • October 10, 2019 6:36 AM

> even if you don't connect to them.

I may be wrong but the device should not broadcast always, just because it's turned on. As far as I know there is:
- passive probing (check networks available, no need to transmit so can't be detected)
- active probing (kind of "please everyone send me your SSID")
- active probing for saved hidden networks ("is x available? I'd like to connect")

Android 10 randomizes the MAC address, if I remember correctly.

Clive Robinson • October 10, 2019 6:38 AM

@ Bruce,

> The defense is to turn Wi-Fi off on your phone when you're not using it.

Unfortunately this is an "unreliable option". As some "walled garden" mobile phone users have found, WiFi auto-magically turns itself on again after quite a short time.

Further some phones even though they say they have both WiFi and Bluetooth off, still push out signals in the ISM band...

me • October 10, 2019 6:45 AM

Link to the difference:
https://www.wi-fi.org/knowledge-center/faq/what-are-passive-and-active-scanning

Also note that saved hidden networks leak the name of the network all the time, but sometimes it's not even hidden networks: me and a friend went to the sea, in a hotel; there was normal wifi, not hidden. But a month later we opened airmon and his phone was broadcasting the hotel SSID all the time (and MAC address? I don't remember), so anyone could know that he had been there and, with a wifi map, also where the hotel was.

@clive
> push out signals in the ISM band
But you can't associate any profile with it, you can only know that someone visited both places

Frank • October 10, 2019 7:02 AM

Wi-Fi Privacy Police
Prevent leaking sensitive data on WiFi
https://f-droid.org/en/packages/be.uhasselt.privacypolice/


WiFi Manager
Manages your device's WiFi based on your location Apache-2.0
https://f-droid.org/en/packages/org.secuso.privacyfriendlywifimanager

Also useful to put wifi on off switch widget on your phone and move it to your home page.

Would like an app that automatically switches off wifi, once the connection to chosen network is lost, like when leaving home or after leaving a coffee shop and will only log on to any network manually

Frank • October 10, 2019 7:29 AM

To add, when using

WiFi Manager
Manages your device's WiFi based on your location Apache-2.0
https://f-droid.org/en/packages/org.secuso.privacyfriendlywifimanager

it highlights how a local medium sized supermarket has lots and lots of wifi access points/hotspots ("55 related MACs") so the phone can be much more closely tracked whilst moving around the shop. No doubt this tracking could be used to monitor shoppers with nefarious intent, allied to CCTV and staff free self-checkouts?

Joel Moore • October 10, 2019 7:57 AM

What about MAC randomization? I see that Android was criticized a couple of years ago for doing it poorly but surely they must have improved things by now?

Isn't this sufficient mitigation for modern phones?

Joel Moore • October 10, 2019 7:59 AM

(sorry. I should have refreshed between the time I read the article and commenting)

RealFakeNews • October 10, 2019 8:36 AM

WiFi and BT are always OFF on my devices when roaming.

I've seen public WiFi doing all kinds of things. I don't trust them at all.

Anon838 • October 10, 2019 9:23 AM

"Further some phones even though they say they have both WiFi and Bluetooth off, still push out signals in the ISM band..." -Clive Robinson

And what phones would that be?

me • October 10, 2019 9:42 AM

@Frank
Thanks a lot for the two linked F-Droid packages, they look promising! I'll test them for sure.
One aims to solve the problem described by my earlier comment.

Bill • October 10, 2019 12:03 PM

If only there were an app to selectively enable/disable wifi based on geofencing or other techniques... For example, I could set it to turn on wifi near my home, or my friend's home, where I use wifi... and everywhere else it turns it off. Note that there's no need to broadcast a location anywhere to do this, it can be entirely self contained when merely passively reading gps satellite signals...

Now bluetooth might be harder to do this with since I might want it to be enabled in my car, and my car drives all over, so...

So here's a question: why doesn't every store just deploy multiple stingrays, or some less invasive device that can passively read/track the cell signals, and uniquely identify phones that way... then your only solution would be to leave your phone at home. You know, like how ancient dinosaurs used to have those things called "land lines" that were physically attached to their houses....

Bruce Schneier • October 10, 2019 1:33 PM

I just noticed that the article is from 2018. I don't think anything is different today, so just FYI.

Clive Robinson • October 10, 2019 1:55 PM

@ Bruce,

> I just noticed that the article is from 2018.

Sounds like your "reading pile" needs not just a spring clean but a pruning as well ;-)

That said, I've a backlog of something like sixty PDFs of papers I need to do more than skim read :-(

Pseudon • October 10, 2019 2:00 PM

@Bill
In iOS 13, you can kind of do this with Shortcuts detecting leaving or entering a geofence (of course that requires that you haven't turned Location off). It's not fully automatic at this point, but it will at least pop up a notification and you can click run.

Clive Robinson • October 10, 2019 2:04 PM

@ me,

> But you can't associate any profile with it, you can only know that someone visited both places

That is a dangerous assumption on your behalf.

All I said is that they are putting out signals, not what the signals were or what authentication or other identification tags that might be contained in them.

As far as I was concerned seeing a smart phone push out ISM band signals --on a cheap SDR receiver-- when they should not have been was more than sufficient for me to say it's not behaving in a trustworthy fashion.

I did not need to test further to see what the signaling modulation format was, or work out what data it contained it was just sufficient to know it was "out of the box" not doing what it was supposed to do.

It was a more efficient use of my scant resources to move on to a different smart phone and test that instead.

Clive Robinson • October 10, 2019 3:06 PM

@ Anon838,

> And what phones would that be?

Well what started it all was somebody's Apple phone in the RF Lab, I'd been asked to look into as a favour. The phone was causing problems during testing of a high gain receiver front end for the top end of the 2.3GHz - 2.45GHz band used for satellite communications (and is just below and overlapped by the 2.4-2.5 ISM band).

Other phones were then quickly tested, some of which that had issues were Chinese branded (ZTE manufacture) and also some "badge labelled" Chinese low cost phones sold in small retail outlets. There was correlation with the versions of software used on the Chinese phones, that suggests the problem came from "up stream" of the actual hardware manufacturer. As not all phones from any given manufacturer exhibited the problem, it is more likely to be a bug in the User Interface software rather than some kind of implant or backdoor. But that's a hunch from a limited sample size rather than from a larger size to establish the actual bug.

This was because the tests were far from exhaustive as it was mainly phones on loan from staff at the lab, and a few that had been purchased for an earlier project. It was sufficient though to have a new rule of "No phones in the RF Lab or surrounding area" rather than the older "turn them off please" request.

The fact that there is such a problem points at there being a failure in software development test. The cost of tracking it down is not one that has any ROI on it for the lab, or I suspect any other commercial organisation.

Thus if someone else wants to carry out extensive tests and pay for the time required to do it then they can put their hand in their pocket or set up their own test facility etc.

Whilst the cost involved with obtaining the equipment to carry out the basic tests is quite minimal --laptop, SDR receiver, E field probe, desktop TEM cell, and LISN-- the labour cost is not. Further to take the tests to the level where you could publish the sort of results people want, requires considerably more skilled personnel at commensurately higher fees (unless they are doctoral students in a Uni lab).

Pays your money makes your choice.

lurker • October 10, 2019 4:17 PM

@Clive

> Well what started it all was somebody's Apple phone in the RF lab,

Thanks for doing the measurements Clive. I have never been happy about tapping the little button and watching it change colour, just what is really happening behind the green curtain… I have relied on leaving wifi, Bluetooth and data off. Turn a service on when I want it and off again straight away. Battery consumption & behaviour of other devices using the phone as a hotspot, lead me to believe the off switch is telling the truth.

Years ago I worked with or had access to spectrum analysers and the like. It'd be interesting to look at what comes out of a typical mid-highend phone

Clive Robinson • October 10, 2019 6:17 PM

@ lurker,

> It'd be interesting to look at what comes out of a typical mid-highend phone

Interesting is not quite the word I would use, scary might be better ;-)

> Battery consumption & behaviour of other devices using the phone as a hotspot, lead me to believe the off switch is telling the truth.

And for most phones it probably is, it was just some that we found, leading me to believe it was probably a User Interface software bug, rather than anything deliberate.

But for having a good look you don't actually need a multi-thousand dollar spectrum analyser these days. Rigol for instance make one that is not far off the price of a four channel 100MHz oscilloscope that is more than usable. But if you already have a suitably specced desktop or laptop or smart device, then a 10-30USD SDR dongle will with free software like GNU Radio get you quite good results. There are other better SDR hardware units like "The Great Scott Gadgets" HackRF One and "LimeSDR" that do several including one that goes to 10GHz. The LimeSDR mini has been made into both Spectrum Analysers and Vector Network Analysers, as well as complex signal transceivers including making your own GSM 4G base station.

But if you are handy with a soldering iron you can make your own Spectrum Analyser or VNA with MiniCircuits mixers and mode amps as well as log amps and you can get Digital Oscillators on a single chip that are fairly easy to program. The problem is already built units from China are sometimes cheaper than individual devices you might get through the likes of DigiKey...

Petre Peter • October 10, 2019 6:27 PM

This would explain why my phone's Wi-Fi gets turned on after I turned it off.

Sushi • October 11, 2019 2:54 PM

How does a user block display of a MAC address for a phone or computer? I have seen other tools for canvas, ad blocking or java scripting but don't know what to do about any MAC display.

David H • October 12, 2019 4:39 AM

@Bill

> If only there were an app to selectively enable/disable wifi based on geofencing or other techniques... For example, I could set it to turn on wifi near my home, or my friend's home, where I use wifi... and everywhere else it turns it off. Note that there's no need to broadcast a location anywhere to do this, it can be entirely self contained when merely passively reading gps satellite signals...

If you use Android, I recommend the paid "Tasker" app on the Google Play store that lets you automate quite a bit. There's a slight learning curve, and recent Android versions may have locked down some things. Instead of using GPS/Location Services (which uses a lot of battery), there's a rough location setting based off the nearest cell tower(s) to your home. In the past I set up a profile that turns off Wi-Fi when I leave my home (i.e. the signal gets too weak), then when I get within the vicinity of the cell tower by my home, it turns on Wi-Fi again, so when I actually approach my driveway, my phone is close enough to automatically connect.

----------
Re: the article, what's changed since it was written is that Apple iOS, Google Android, and Microsoft Windows 10 have implemented Wi-Fi MAC randomization, which I welcome, even if it's not without its flaws and vulnerabilities. It's a marked improvement in default security for the masses and mitigates some of the retail spying we see in public.

On another note, my longstanding gripe with the way many OS's implement the Wi-Fi stack is that they send out active probe request frames that leak out all of my saved, non-hidden networks! This should not ever happen. My phone or laptop should only passively listen for beacon frames from nearby Access Points, not send out active probe request frames, especially ones that say, "Hello world! My home network is _____."

EvilKiru • October 13, 2019 4:02 PM

@Sushi: You can't. The best you can do is randomize your MAC address, provided such a tool is available for your device.
