According to researchers at the University of Hamburg, mobile devices reveal data about their owners through WLAN queries.
Over the years, many security flaws have put users of Wi-Fi-capable mobile devices at risk. One example is KRACK in 2017, the major Wi-Fi vulnerability that compromised WPA2 security. Back then, many manufacturers, like Xiaomi, urgently patched their devices to protect their customers.
In December 2021, another major vulnerability threatened billions of smartphones and PCs connected via Wi-Fi and Bluetooth. On Monday, June 13, 2022, several researchers from the University of Hamburg warned users of a new risk.
A new danger for owners of mobile devices
They found that mobile devices reveal information about their owners via Wi-Fi probe requests. Simply put, each device sends these requests to get accurate data about nearby Wi-Fi access points and to establish a preliminary connection to them when it receives a response.
Four important pieces of information are transmitted in these requests:
- frame control
- the destination address: the MAC address of the Wi-Fi terminal to which the packet will be sent
- the source address: the MAC address of your mobile device (smartphone, PC, tablet, etc.), essential for the access points to respond to the request
- the frame body: approximately twenty fields used to determine the capabilities of the Wi-Fi client
According to the researchers, attackers who can observe network traffic can use these probe requests to track, identify, and even locate devices. As they explain, about a quarter of probe requests contain the Service Set Identifier (SSID) of networks to which the devices were previously connected.
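An added example (not code from the researchers' report): a minimal parser for the probe request fields listed above, run over constructed frames to audit which SSIDs a device you own discloses. The MAC addresses, SSIDs and helper names are invented for illustration, and frames are assumed to be raw 802.11 with no radiotap header or FCS.

```python
from collections import defaultdict

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_probe_request(frame: bytes):
    """Return src/dst/ssid for a probe request, or None for anything else."""
    # Frame control byte 0x40 = protocol version 0, type 0 (management), subtype 4.
    if len(frame) < 24 or frame[0] != 0x40:
        return None
    dst, src = frame[4:10], frame[10:16]
    ssid, pos = None, 24  # frame body starts after the 24-byte management header
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + elen]
        if len(body) < elen:
            break  # truncated element: stop instead of reading garbage
        if eid == 0 and ssid is None:  # element ID 0 carries the SSID
            ssid = body.decode("utf-8", errors="replace")
        pos += 2 + elen
    return {"src": mac(src), "dst": mac(dst), "ssid": ssid}

def audit(frames):
    """Group disclosed SSIDs by source MAC; also return the share of probes naming an SSID."""
    leaks, total, directed = defaultdict(set), 0, 0
    for frame in frames:
        probe = parse_probe_request(frame)
        if probe is None:
            continue
        total += 1
        if probe["ssid"]:  # an empty SSID is a wildcard probe and names no network
            directed += 1
            leaks[probe["src"]].add(probe["ssid"])
    return dict(leaks), (directed / total if total else 0.0)

def build_sample(src: bytes, ssid: bytes) -> bytes:
    """Constructed probe request: broadcast destination, SSID element, rates element."""
    bcast = b"\xff" * 6
    header = b"\x40\x00\x00\x00" + bcast + src + bcast + b"\x10\x00"
    return header + bytes([0, len(ssid)]) + ssid + bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])

DEV_A, DEV_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # made-up MACs
SAMPLES = [  # constructed test data, not captured traffic
    build_sample(DEV_A, b"HomeNet-Example"), build_sample(DEV_A, b"Cafe-Example"),
    build_sample(DEV_B, b""), build_sample(DEV_A, b""),
    b"\x80" + build_sample(DEV_B, b"x")[1:],  # beacon subtype: ignored
    build_sample(DEV_B, b"x")[:20],           # shorter than the header: ignored
]

if __name__ == "__main__":
    print(audit(SAMPLES))
```

A device whose MAC appears in the first result is broadcasting the names of networks it remembers; removing those saved networks from the device stops it from naming them in probes.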
Hackers can find your address using this technique
In other words, this data can be used to reveal the locations of regularly used WLAN access points, such as your home, your workplace or your favorite coffee shop, as well as certain information such as your name or email address. They also add that probe requests can be used to “determine the location of a device with an accuracy of up to 1.5 meters”.
“In fact, this method is already used in 23% of stores. Companies and cities that carry out WiFi tracking take the legal position that only the MAC address contained in probe requests counts as personal data within the meaning of Art. 4 (1) GDPR,” the researchers state in their report.
As part of their experiment, the researchers analyzed all probe requests sent in a pedestrian zone in a major German city. They were able to obtain 106 unique first and last names, three full email addresses, the SSIDs of 92 primary or secondary homes, and the name of a local hospital.