Embed Size (px)
Citation preview
WIFI ANALYTICS AND USER PRIVACY
Ante DagelićMario ČagaljToni PerkovićMarin Bugarić
Outline of the talk • IntroducAon • Physical AnalyAcs • AcAve & Passive aFack on PNL • Invading user privacy • Conclusion
2
IntroducAon -‐ About me • joined 3 months ago • 2013 masters • worked in private sector for 2 years • developing for 8 years • interested in security and informaAon analitycs • LinkedIn
3
EvoluAon of Tracking Systems • Web-‐based services can easily monitor customer’s shopping web analy)cs
• There is a growing trend in physical analy)cs
4
EvoluAon of Tracking Systems
Time MAC address RSSI
• Users act as portable beacons
Sensing Device #1
Sensing device #1
Time MAC address RSSI
Sensing device #2
Sensing Device #2
10:05:01 40:a6:d9:ee:-‐-‐:-‐-‐ -‐50dBm
10:05:15 a0:6c:ec:2a:-‐-‐:-‐-‐ -‐45dBm 10:06:45 40:a6:d9:ee:-‐-‐:-‐-‐ -‐88dBm
10:05:01 40:a6:d9:ee:-‐-‐:-‐-‐ -‐28dBm
10:05:15 a0:6c:ec:2a:-‐-‐:-‐-‐ -‐45dBm 10:06:45 40:a6:d9:ee:-‐-‐:-‐-‐ -‐30dBm
• Works even if users are not connected
5
Two approaches to WiFi tracing 1. Finding out users previous whereabouts
• acAve • passive
2. Matching faces and MAC addresses • passive
6
Anonimity Issues • What if we could learn a user’s Preferred Network List
(PNL)?
7
WiFi Passive Service Discovery
time scan idle scan idle scan idle scan
time
Beacons
scan
AP
Client
time
Auth
req Auth resp
AP
Asso
c re
q Assoc resp
Scanning cycle
AP
• Devices monitor for Beacons frames from nearby APs -‐ devices associate either automaAcally with an AP from PNL or
manually with an AP by the user’s choosing -‐ characterized by slow associaAon Ames
8
WiFi AcAve Service Discovery
time scan idle scan idle scan idle scan
time
Prob
e re
q Probe resp
scan
AP
Client
time
Auth
req Auth resp
AP
Asso
c re
q Assoc resp
Scanning cycle
AP
• Devices acAvelly scan WiFi channels (send probe request packets) -‐ devices associate either automaAcally with an AP from PNL or
manually with an AP by the user’s choosing
9
Captured Trace from AcAve Scanning • Probe request frames are sent unencrypted:
-‐ contain MAC addresses and SSIDs from PNL
10
Captured Trace from AcAve Scanning • SSID names can be quite revealing
11
DicAonary AFack on PNL
time scan idle scan idle scan idle scan
Scanning cycle
Device
SS
ID1i
SS
ID2i
SS
IDki ... ... ...
Chunk i Chunk i-1 Chunk i+1
SS
ID1i
SS
ID2i
SS
IDki ... S
SID
1i
SS
ID2i
SS
IDki ...
Transmission time T Transmission time T Transmission time T
Chunk size L
Fake APs
SS
ID2i
SS
IDki
...
time scan
SS
ID1i
SS
ID2i
SS
IDk
i ... S
SID
1i S
SID
2i
SS
IDki ...
• Break a large list of SSIDs in chunks • Periodically transmit ith chunk
12
PotenAal implicaAons • police evidence for tracking suspects • finding out informaAon about your clients / compeAAon
• finding out if you are cheaAng / being cheated on J
• stalking (paparazzi / journalists) • others...
13
Matching users and devices • use triangulaAon to match users locaAon, based on RSSI
• de-‐anonymizing MAC addresses
• use stereo camera setup to enhance posiAoning and capture users face
• match users MAC address and face
• using all WiFi data • match quality & performances
Sensing Device #1
Sensing Device #2
Camera
14
Tech setup • 4 raspberry PI • stereo camera • tshark based custom sniffing format
• Node.js server for data collecAon
• FESB hallway
Raspberry 1 Raspberry 3
Stereo camera
Raspberry 2 Raspberry 4
RSSI: /
RSSI: -‐60dBm RSSI: -‐55dBm
RSSI: -‐43dBm
15
Matching problems • you can’t sniff everything (performance, channels) • get as many packages (~30k in 2 min) • get as many matches (~85% for 2 RB, ~70% for 3RB)
• lightning issues for face recogniAon • interference with mulAple users in the same area
16
PotenAal implicaAons • tracking a user • categorizing user groups • markeAng • behavior analysis
17
• Build a distributed system with mulAple sennsing devices based on Raspberry Pi plaiorm (only $40)
• Include passive and acAve dicAonary aFacks • Match photos to MAC addresses • Perform physical analyAcs
Concluding remarks 18
Thank you
