WIFIANALYTICS$AND$USER PRIVACY$ - FESB · WIFIANALYTICS$AND$USER PRIVACY$ Ante Dagelić Mario...
Transcript of WIFIANALYTICS$AND$USER PRIVACY$ - FESB · WIFIANALYTICS$AND$USER PRIVACY$ Ante Dagelić Mario...
![Page 1: WIFIANALYTICS$AND$USER PRIVACY$ - FESB · WIFIANALYTICS$AND$USER PRIVACY$ Ante Dagelić Mario Čagalj Toni Perković Marin Bugarić](https://reader033.fdocuments.in/reader033/viewer/2022050605/5fac532e90256c725763749a/html5/thumbnails/1.jpg)
WIFI ANALYTICS AND USER PRIVACY
Ante DagelićMario ČagaljToni PerkovićMarin Bugarić
![Page 2: WIFIANALYTICS$AND$USER PRIVACY$ - FESB · WIFIANALYTICS$AND$USER PRIVACY$ Ante Dagelić Mario Čagalj Toni Perković Marin Bugarić](https://reader033.fdocuments.in/reader033/viewer/2022050605/5fac532e90256c725763749a/html5/thumbnails/2.jpg)
Outline of the talk • IntroducAon • Physical AnalyAcs • AcAve & Passive aFack on PNL • Invading user privacy • Conclusion
2
![Page 3: WIFIANALYTICS$AND$USER PRIVACY$ - FESB · WIFIANALYTICS$AND$USER PRIVACY$ Ante Dagelić Mario Čagalj Toni Perković Marin Bugarić](https://reader033.fdocuments.in/reader033/viewer/2022050605/5fac532e90256c725763749a/html5/thumbnails/3.jpg)
IntroducAon -‐ About me • joined 3 months ago • 2013 masters • worked in private sector for 2 years • developing for 8 years • interested in security and informaAon analitycs • LinkedIn
3
![Page 4: WIFIANALYTICS$AND$USER PRIVACY$ - FESB · WIFIANALYTICS$AND$USER PRIVACY$ Ante Dagelić Mario Čagalj Toni Perković Marin Bugarić](https://reader033.fdocuments.in/reader033/viewer/2022050605/5fac532e90256c725763749a/html5/thumbnails/4.jpg)
EvoluAon of Tracking Systems • Web-‐based services can easily monitor customer’s shopping web analy)cs
• There is a growing trend in physical analy)cs
4
![Page 5: WIFIANALYTICS$AND$USER PRIVACY$ - FESB · WIFIANALYTICS$AND$USER PRIVACY$ Ante Dagelić Mario Čagalj Toni Perković Marin Bugarić](https://reader033.fdocuments.in/reader033/viewer/2022050605/5fac532e90256c725763749a/html5/thumbnails/5.jpg)
EvoluAon of Tracking Systems
Time MAC address RSSI
• Users act as portable beacons
Sensing Device #1
Sensing device #1
Time MAC address RSSI
Sensing device #2
Sensing Device #2
10:05:01 40:a6:d9:ee:-‐-‐:-‐-‐ -‐50dBm
10:05:15 a0:6c:ec:2a:-‐-‐:-‐-‐ -‐45dBm 10:06:45 40:a6:d9:ee:-‐-‐:-‐-‐ -‐88dBm
10:05:01 40:a6:d9:ee:-‐-‐:-‐-‐ -‐28dBm
10:05:15 a0:6c:ec:2a:-‐-‐:-‐-‐ -‐45dBm 10:06:45 40:a6:d9:ee:-‐-‐:-‐-‐ -‐30dBm
• Works even if users are not connected
5
![Page 6: WIFIANALYTICS$AND$USER PRIVACY$ - FESB · WIFIANALYTICS$AND$USER PRIVACY$ Ante Dagelić Mario Čagalj Toni Perković Marin Bugarić](https://reader033.fdocuments.in/reader033/viewer/2022050605/5fac532e90256c725763749a/html5/thumbnails/6.jpg)
Two approaches to WiFi tracing 1. Finding out users previous whereabouts
• acAve • passive
2. Matching faces and MAC addresses • passive
6
![Page 7: WIFIANALYTICS$AND$USER PRIVACY$ - FESB · WIFIANALYTICS$AND$USER PRIVACY$ Ante Dagelić Mario Čagalj Toni Perković Marin Bugarić](https://reader033.fdocuments.in/reader033/viewer/2022050605/5fac532e90256c725763749a/html5/thumbnails/7.jpg)
Anonimity Issues • What if we could learn a user’s Preferred Network List
(PNL)?
7
![Page 8: WIFIANALYTICS$AND$USER PRIVACY$ - FESB · WIFIANALYTICS$AND$USER PRIVACY$ Ante Dagelić Mario Čagalj Toni Perković Marin Bugarić](https://reader033.fdocuments.in/reader033/viewer/2022050605/5fac532e90256c725763749a/html5/thumbnails/8.jpg)
WiFi Passive Service Discovery
time scan idle scan idle scan idle scan
time
Beacons
scan
AP
Client
time
Auth
req Auth resp
AP
Asso
c re
q Assoc resp
Scanning cycle
AP
• Devices monitor for Beacons frames from nearby APs -‐ devices associate either automaAcally with an AP from PNL or
manually with an AP by the user’s choosing -‐ characterized by slow associaAon Ames
8
![Page 9: WIFIANALYTICS$AND$USER PRIVACY$ - FESB · WIFIANALYTICS$AND$USER PRIVACY$ Ante Dagelić Mario Čagalj Toni Perković Marin Bugarić](https://reader033.fdocuments.in/reader033/viewer/2022050605/5fac532e90256c725763749a/html5/thumbnails/9.jpg)
WiFi AcAve Service Discovery
time scan idle scan idle scan idle scan
time
Prob
e re
q Probe resp
scan
AP
Client
time
Auth
req Auth resp
AP
Asso
c re
q Assoc resp
Scanning cycle
AP
• Devices acAvelly scan WiFi channels (send probe request packets) -‐ devices associate either automaAcally with an AP from PNL or
manually with an AP by the user’s choosing
9
![Page 10: WIFIANALYTICS$AND$USER PRIVACY$ - FESB · WIFIANALYTICS$AND$USER PRIVACY$ Ante Dagelić Mario Čagalj Toni Perković Marin Bugarić](https://reader033.fdocuments.in/reader033/viewer/2022050605/5fac532e90256c725763749a/html5/thumbnails/10.jpg)
Captured Trace from AcAve Scanning • Probe request frames are sent unencrypted:
-‐ contain MAC addresses and SSIDs from PNL
10
![Page 11: WIFIANALYTICS$AND$USER PRIVACY$ - FESB · WIFIANALYTICS$AND$USER PRIVACY$ Ante Dagelić Mario Čagalj Toni Perković Marin Bugarić](https://reader033.fdocuments.in/reader033/viewer/2022050605/5fac532e90256c725763749a/html5/thumbnails/11.jpg)
Captured Trace from AcAve Scanning • SSID names can be quite revealing
11
![Page 12: WIFIANALYTICS$AND$USER PRIVACY$ - FESB · WIFIANALYTICS$AND$USER PRIVACY$ Ante Dagelić Mario Čagalj Toni Perković Marin Bugarić](https://reader033.fdocuments.in/reader033/viewer/2022050605/5fac532e90256c725763749a/html5/thumbnails/12.jpg)
DicAonary AFack on PNL
time scan idle scan idle scan idle scan
Scanning cycle
Device
SS
ID1i
SS
ID2i
SS
IDki ... ... ...
Chunk i Chunk i-1 Chunk i+1
SS
ID1i
SS
ID2i
SS
IDki ... S
SID
1i
SS
ID2i
SS
IDki ...
Transmission time T Transmission time T Transmission time T
Chunk size L
Fake APs
SS
ID2i
SS
IDki
...
time scan
SS
ID1i
SS
ID2i
SS
IDk
i ... S
SID
1i S
SID
2i
SS
IDki ...
• Break a large list of SSIDs in chunks • Periodically transmit ith chunk
12
![Page 13: WIFIANALYTICS$AND$USER PRIVACY$ - FESB · WIFIANALYTICS$AND$USER PRIVACY$ Ante Dagelić Mario Čagalj Toni Perković Marin Bugarić](https://reader033.fdocuments.in/reader033/viewer/2022050605/5fac532e90256c725763749a/html5/thumbnails/13.jpg)
PotenAal implicaAons • police evidence for tracking suspects • finding out informaAon about your clients / compeAAon
• finding out if you are cheaAng / being cheated on J
• stalking (paparazzi / journalists) • others...
13
![Page 14: WIFIANALYTICS$AND$USER PRIVACY$ - FESB · WIFIANALYTICS$AND$USER PRIVACY$ Ante Dagelić Mario Čagalj Toni Perković Marin Bugarić](https://reader033.fdocuments.in/reader033/viewer/2022050605/5fac532e90256c725763749a/html5/thumbnails/14.jpg)
Matching users and devices • use triangulaAon to match users locaAon, based on RSSI
• de-‐anonymizing MAC addresses
• use stereo camera setup to enhance posiAoning and capture users face
• match users MAC address and face
• using all WiFi data • match quality & performances
Sensing Device #1
Sensing Device #2
Camera
14
![Page 15: WIFIANALYTICS$AND$USER PRIVACY$ - FESB · WIFIANALYTICS$AND$USER PRIVACY$ Ante Dagelić Mario Čagalj Toni Perković Marin Bugarić](https://reader033.fdocuments.in/reader033/viewer/2022050605/5fac532e90256c725763749a/html5/thumbnails/15.jpg)
Tech setup • 4 raspberry PI • stereo camera • tshark based custom sniffing format
• Node.js server for data collecAon
• FESB hallway
Raspberry 1 Raspberry 3
Stereo camera
Raspberry 2 Raspberry 4
RSSI: /
RSSI: -‐60dBm RSSI: -‐55dBm
RSSI: -‐43dBm
15
![Page 16: WIFIANALYTICS$AND$USER PRIVACY$ - FESB · WIFIANALYTICS$AND$USER PRIVACY$ Ante Dagelić Mario Čagalj Toni Perković Marin Bugarić](https://reader033.fdocuments.in/reader033/viewer/2022050605/5fac532e90256c725763749a/html5/thumbnails/16.jpg)
Matching problems • you can’t sniff everything (performance, channels) • get as many packages (~30k in 2 min) • get as many matches (~85% for 2 RB, ~70% for 3RB)
• lightning issues for face recogniAon • interference with mulAple users in the same area
16
![Page 17: WIFIANALYTICS$AND$USER PRIVACY$ - FESB · WIFIANALYTICS$AND$USER PRIVACY$ Ante Dagelić Mario Čagalj Toni Perković Marin Bugarić](https://reader033.fdocuments.in/reader033/viewer/2022050605/5fac532e90256c725763749a/html5/thumbnails/17.jpg)
PotenAal implicaAons • tracking a user • categorizing user groups • markeAng • behavior analysis
17
![Page 18: WIFIANALYTICS$AND$USER PRIVACY$ - FESB · WIFIANALYTICS$AND$USER PRIVACY$ Ante Dagelić Mario Čagalj Toni Perković Marin Bugarić](https://reader033.fdocuments.in/reader033/viewer/2022050605/5fac532e90256c725763749a/html5/thumbnails/18.jpg)
• Build a distributed system with mulAple sennsing devices based on Raspberry Pi plaiorm (only $40)
• Include passive and acAve dicAonary aFacks • Match photos to MAC addresses • Perform physical analyAcs
Concluding remarks 18
![Page 19: WIFIANALYTICS$AND$USER PRIVACY$ - FESB · WIFIANALYTICS$AND$USER PRIVACY$ Ante Dagelić Mario Čagalj Toni Perković Marin Bugarić](https://reader033.fdocuments.in/reader033/viewer/2022050605/5fac532e90256c725763749a/html5/thumbnails/19.jpg)
Thank you