According to researchers at the University of Hamburg, mobile devices leak data about their owners through Wi-Fi access Wi-Fi polling requests.
Over the years, many security breaches have endangered users of Wi-Fi compatible mobile devices. Recall, for example, KRACK in 2017, the huge Wi-Fi security breach that hit WPA2 security. At the time, many manufacturers had urgently patched their devices to protect their customers, such as Xiaomi.
In December 2021, another serious security breach threatened billions of smartphones and PCs connected via Wi-Fi and Bluetooth. However, on Monday 13 June 2022, several researchers from the University of Hamburg warn users of a new risk.
A new danger for owners of mobile devices
In fact, they found it mobile devices lose information about their owners via survey queries (Probe Request) Wi-Fi Simply put, each device makes this request to receive accurate data on nearby Wi-Fi access points and make preliminary connections with them when they receive a response.
In this case, four important pieces of information are conveyed through these requests:
- Checking the frame
- destination address: the MAC address of the Wi-Fi terminal to which the packet is sent
- the Source Address: the MAC address of your mobile device (smartphone, PC, tablet, etc.), which is essential for access points to respond to the request
- the Frame Body: about twenty fields used to determine the capabilities of the Wi-Fi client
According to academics, attackers who can peer into network traffic can use these investigation requests track and identify devices and even locate them. As they explain, about a quarter of the Request Probes contain the Service Set Identifier (SSID) of the networks to which the devices were previously connected.
Hackers can find your address using this technique
In other words, this data can be used for reveal in particular the locations of regularly used Wi-Fi access points, such as your home, your work or your favorite bar, without forgetting some information such as your name or your email address. They also add that survey requests can be used to “determine the position of a device with an accuracy of up to 1.5 meters ”.
“In fact, this method is already used in 23% of cases Stores. The companies and cities that carry out Wi-Fi monitoring consider it legal that only the MAC address contained in the survey queries is considered personal data, pursuant to Article 4, paragraph 1, of the GDPR “. specify the researchers in their report.
As part of their experiment, the researchers analyzed all inquiries made in a pedestrian area of a German city. They were able to get 106 distinct first and last names, three full email addresses, the SSIDs of 92 major houses or secondary and the name of a local hospital.