A group of academic researchers from the University of Hamburg in Germany has discovered that mobile devices leak identifying information about their owners via Wi-Fi probe requests.
Mobile devices use these probe requests to receive information about nearby Wi-Fi access points and establish connections to them when a probe response is received.
Attackers that can sniff network traffic, the academics say, can use these probe requests to track and identify devices, and even pinpoint their location.
According to them, roughly a quarter of probe requests contain the Service Set Identifier (SSIDs) of networks the devices were previously connected to, which could be used to reveal home addresses or visited locations.
Furthermore, the probe requests can be used to “trilaterate the location of a device with an accuracy of up to 1.5 meters,” or to follow the movement of a device to essentially track their owner, the researchers note.
“This is in fact employed in 23% of the stores already. Companies and cities that conduct Wi-Fi tracking take the legal position that only the MAC address contained in probe requests is considered personal data according to GDPR Article 4(1), which protects personal data from unlawful collection and processing,” the researchers said in their paper.
The academics claim that evidence collected during a November 2021 experiment focused on the analysis of probe requests should be enough to consider these requests personal data, based on SSIDs stored in the devices’ preferred network lists (PNLs) alone.
As part of the experiment, the researchers went to a German city’s pedestrian area and recorded probe requests over a period of one hour, three times, using six off-the-shelf antennae. Of the 252,242 total requests recorded, 23.2% contained SSIDs.
The researchers also discovered that some of the transmitted probe requests containing SSIDs also leaked password information, and that roughly 20% of the transmitted SSIDs were likely typos of the actual SSID.
The analysis of the probe requests also revealed 106 distinct first and/or last names, three email addresses, the SSIDs of 92 distinct holiday homes or accommodations, and the name of a local hospital.
The academics say they ran all SSIDs through WiGLE’s geolocation lookup API, which helped them pinpoint the location of the actual networks to an approximate 1-kilometer radius.
“Considering the wealth of personal and sensitive information we observed in SSID fields, they can constitute identifying information and thus require due consideration,” the researchers point out. “We argue that at least for as long as there are still devices broadcasting SSIDs, probe requests should be considered personal data and not be used for monitoring without legal basis.”