We present several novel techniques to track (unassociated) mobile
devices by abusing features of the Wi-Fi standard. This shows that the
increasingly common protection of using random MAC addresses, on its own,
does not guarantee privacy.
First, we show that information elements in probe requests can be used
to fingerprint devices. We then combine these fingerprints with
incremental sequence numbers to create a tracking algorithm that does
not rely on unique identifiers such as MAC addresses. Based on
real-world datasets, we demonstrate that our algorithm can correctly
track as much as 50% of devices for at least 20 minutes. We also show
that commodity Wi-Fi devices use predictable scrambler seeds, which can
be used to improve the performance of our tracking algorithm. Finally,
we present two attacks that reveal the real MAC address of a device,
even if MAC address randomization is used. In the first, we create
fake hotspots to induce clients to connect using their real MAC address.
The second technique relies on the new 802.11u standard, commonly
referred to as Hotspot 2.0, where we show that Linux and Windows send
Access Network Query Protocol (ANQP) requests using their real MAC address.