3

I regularly connect to public wireless APs scattered around the city, offered by my carrier. I remember reading an article that a determined owner can track you between APs and thus know your location and routine. Now I found out that one can randomize one's MAC address, so I was wondering if that can prevent my identification and consequent tracking. If not, what other information can a determined AP owner acquire from a client that could identify him? Assuming all communication between the client and the outside world is encrypted end-to-end.

For instance I imagine the owner (or anyone on the network) could use nmap to get some info on me such as the OS I'm running, but is there anything that could uniquely identify me? A fingerprint, or even something like a hostname, which would be the same across all APs and presumably different from everyone else?

Alex
  • 819
  • 1
  • 7
  • 11
  • If you're concerned, the best solution is just to use a VPN. Sure your usage could be tracked, but they wouldn't have ANY idea what you're doing on their network. – Daisetsu Apr 23 '16 at 06:02
  • 1
    @Daisetsu that is a good suggestion, but I'm not worried about the data I'm sending/receiving being tracked. My only concern is with device identification across APs, and as I mentioned you can assume that all comm with the outside world is encrypted end-to-end and does not contain my information in it. – Alex Apr 23 '16 at 20:57

3 Answers3

3

When using a phone while logged in to your accounts, you're visible.

I remember reading an article that a determined owner can track you between APs and thus know your location and routine. Now I found out that one can randomize one's MAC address, so I was wondering if that can prevent my identification and consequent tracking.

Spoofing your MAC address is trivial. Encryption here is irrelevant. It doesn't matter if they can't tell what you're communicating, so as long as they can identify you and know where you are.

Even changing your IP address and using random proxies can be used to identify you easily. How? It's very simple. You may be logged in to multiple Google / Apple services. When you log into those services, they store every single IP address that was used to connect to that account. Here's more information on how you can be tracked online:

It doesn't change the fact that your social media may be still active and gathering information about you. Your MAC address is less relevant than the device you hold, and it's accompanying identification plus accounts.

Assuming all communication between the client and the outside world is encrypted end-to-end.

The encryption doesn't matter if you're sending encrypted data to advertisers which they can decrypt, such as your device ID, known accounts, etc. They don't really need to know what you're doing - just that you're there. That's all they need to really dig into your life.

Throwaway Smartphone without your normal accounts = stealthy

With this method, the only way you can be identified and tracked is in person, through cameras, or if you decide to log into your own account(s).

In some rare cases, your smartphone could be hacked and the camera could be used to spy on you, especially if you get the attention of the wrong people. However, this is very unlikely unless you're a criminal of sorts.

Using a Laptop correctly = stealthy

With this method, it's the same as a throwaway smartphone, but you need a different Operating System than Windows. Without logging in to your normal accounts, you'll greatly reduce your footprint.

You don't want your operating system keys / device IDs to point back to you. Windows Update/etc will send information to Microsoft about you, including the IP address you were connected to at the time. If you're using the same windows key / hardware every time, then it'll be very easy to put the pieces of the puzzle together.

So who exactly is using this information, and how are they doing it?

It doesn't matter if you're using encryption: they can still tell you were there. Not using encryption is just icing on the cake. When you connect to WiFi hotspots, you agree to the terms of service. They will collect information about your device, and sell that information to third parties.

Third parties will take that information and use data analysis to correlate your usage patterns, how you travel, where you connect, etc. Remember that advertisement companies want data on you, as they're able to sell it to those who are interested in it.

With a big enough data set, it's easy to show correlations between where you are, where you've been, and which accounts or IP addresses accessed that information. Using your unique device IDs, it's rather easy to tie multiple pieces of information together.

Even if the company claims that they don't sell personal information about you, it quickly becomes personal information through data aggregation, analysis, and correlation.

Remember, if something is free, you are the product.

Too Long, Didn't Read

It won't really help you. At best, randomizing or changing your MAC address will give you a small layer of "protection," so as long as you don't use any of your normal accounts, and don't leak your device IDs.

However, there are too many other things working against you at this time. In every single case, you should note that most public places have cameras, so you will be identified.

Do you really need that much opsec? Who's after you? >:|

Community
  • 1
Mark Buffalo
  • 22,508
  • 8
  • 74
  • 91
  • 1
    Thanks for the thoughtful answer. I'm using a notebook running Gentoo, not a cellphone or Windows device. I do not use any social network nor any website or background service that might be tracking me, nor am I interested in that aspect. All I'm interested in is the ability of the *AP owner* to identify me, allowing him to track my routine. No one's after me, it's just a privacy concern. From what I understand from your answer, in my case changing the MAC would be sufficient to prevent my device from being identified across APs? – Alex Apr 23 '16 at 20:50
  • 1
    Not sufficient, no. You'll also need to not save wireless access points. You broadcast what you're looking for. Use Mac spoofing and don't save wireless SSIDs – Mark Buffalo Apr 23 '16 at 20:53
3

The MAC address only identifies your network interface. That is all. It does nothing to change, alter, spoof or hide your device ID's such as OS and OS versions, services running on open ports, what websites you connect to, the IP address you are using, etc. All of these things are still visible.

There is a reason cybersecurity professionals advocate many layers (plural) in order to remain anonymous.

Layers can include but are not limited to:

1.) VPN (vpn service may log your traffic)
2.) Proxies (i.e. http proxy like JonDo)
3.) Tor (SOCKS5 proxy)
4.) Router proxies (custom flashed router firmware that uses proxy)
5.) Throw-away usb wifi adapters
6.) Throw-away laptops
7.) Not using any of your normal accounts on stealth devices
8.) Taking care to not use public wifi where there are cameras.

These are just some facets to privacy and personal information anonymity. There are more methods to remaining hidden on the web and hidden to local AP owners.

(EDIT)

Alternately, you can also perform a bit more technical method of user agent spoofing. This is where you alter the Operating system and it's version number in the browser so that APs and webservers are sent the incorrect OS and version numbers.

Aside from this, using a completely different browser when you want to be hidden will help hide a constant browser fingerprint. When using a different browser, refrain from accessing your normal online accounts as such use will allow you to br traced even when using a different browser.

Yokai
  • 795
  • 4
  • 7
1

Randomizing MAC address helps to control profiling to a great extent but not completely. Anyone sniffing the wifi frames can profile you because of the active discovery mechanism used in the mobile and portable devices in order to reduce the latency in connecting to APs.

Most of the mobile devices save the wireless networks after the first connection attempt in their preferred network list. In active discovery, the device sends the SSID of APs in its preferred network list at a fixed interval. These frames are not encrypted like the data frames. So the list of SSIDs could be used as a fingerprint apart from the MAC address provided that the list has enough personally identifiable wireless networks.

Jesvin George
  • 21
  • 1
  • 4
  • I might have given the wrong impression in the OP. I am not connecting using a cellphone, I'm using a notebook. I connect via `wpa_supplicant` + `dhclient`, I doubt there's any active discovery going on there. So... Apart from the MAC address, is there any other fingerprint that could identify my device across APs? – Alex Apr 23 '16 at 20:52
  • You can prevent network profiles from being saved automatically in linux. Also removing the internal wifi card and using a throwaway usb adapter will save you from having to spoof the mac address. However you will also have to configure logging in a way that it will not record activity on network devices and processes. Erasing as much hardware footprints as possible before hand is always a good practice to reduce tracking web use back to your device. – Yokai May 23 '16 at 08:53