Device-to-identity linking attack using targeted Wi-Fi geolocation spoofing

Today, almost all mobile devices come equipped with Wi-Fi technology. Therefore, it is essential to thoroughly study the privacy risks associated with this technology. Recent works have shown that some Personally Identifiable Information (PII) can be obtained from the radio signals emitted by Wi-Fi-equipped devices. However, most of the time, the identity of the person this information concerns remains unknown, and the Wi-Fi MAC address of the device is the only available identifier. In this paper, we show that it is possible for an attacker to obtain the identity of that person. The attack presented in this paper leverages the geolocation information published on some geotagged services, such as Twitter, and exploits the fact that geolocation information obtained through a Wi-Fi-based Positioning System (WPS) can be easily manipulated. We show that geolocation manipulation can be targeted at a single device and that, in most cases, it is not necessary to jam real Wi-Fi access points (APs) to mount a successful attack on WPS.
