A team of academic researchers from the University of Hamburg in Germany discovered that Wi-Fi investigation requests from mobile devices expose identifiable information about their owners via Wi-Fi investigation requests.
When a probe response is received, mobile devices use it to obtain information about nearby Wi-Fi access points and connect to them.
According to the researchers, attackers who can sniff network traffic can use these probing requests to monitor and identify devices, as well as determine their position.
According to them, nearly a quarter of probe requests contain the Service Set Identifiers (SSIDs) of previously connected networks, which might be exploited to expose home addresses or visited places.
Furthermore, the researchers highlight that the probe requests may be used to trilaterate the position of a device with an accuracy of up to 1.5 metres or to "trace the movement of a device to effectively monitor its owner.
“This is in fact employed in 23% of the stores already. Companies and cities that conduct Wi-Fi tracking take the legal position that only the MAC address contained in probe requests is considered personal data according to GDPR Article 4(1), which protects personal data from unlawful collection and processing,” the researchers stated in their paper.
Experiment findings:
According to the academics, information gathered during a November 2021 experiment focusing on the analysis of probe requests should be sufficient to deem these queries personal data, based only on SSIDs recorded in the devices' preferred network lists (PNLs).
As part of the trial, the researchers travelled to a pedestrian area in a German city and recorded probe requests three times in one hour using six off-the-shelf antennas. SSIDs were found in 23.2 per cent of the 252,242 total requests.
The researchers also determined that some of the submitted probe requests with SSIDs revealed password data and that around 20% of the transmitted SSIDs were likely typos of the genuine SSID.
The probe requests also revealed 106 separate first and/or last names, three email addresses, the SSIDs of 92 distinct vacation houses or lodgings, and the name of a nearby hospital.
The academics claim that they ran all SSIDs using WiGLE's geolocation lookup API, which allowed them to determine the actual networks' locations within a 1-kilometre radius.
The researchers added, “Considering the wealth of personal and sensitive information we observed in SSID fields, they can constitute identifying information and thus require due consideration. We argue that at least for as long as there are still devices broadcasting SSIDs, probe requests should be considered personal data and not be used for monitoring without legal basis.”