Slash Boxes

SoylentNews is people

posted by janrinok on Wednesday June 11 2014, @11:53AM   Printer-friendly
from the whats-in-it-for-them? dept.

Russell Brandom reports that a new feature in iOS 8 is set to cause havoc for location trackers, and score a major win for privacy: When iOS 8 devices look for a connection, iOS 8 will randomize their MAC address, effectively disguising any trace of the real device until it decides to connect to a network. Why are iPhones checking out Wi-Fi networks in disguise? Because there's an entire industry devoted to tracking customers through that signal. Shops from Nordstrom's to JC Penney have tried out a system that automatically logs any phone within Wi-Fi range, giving stores a complete record of who walked into the shop and when. But any phone using iOS 8 will be invisible to the process, potentially calling the whole system into question. "Now that Apple has embraced MAC spoofing, the practice of Wi-Fi sniffing may stop working entirely," says Brandom. "The result is a privacy win for Apple users and a major blow against data marketing and all it took was an automatic update."

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Interesting) by Urlax on Wednesday June 11 2014, @12:56PM

    by Urlax (3027) on Wednesday June 11 2014, @12:56PM (#54099)

    Can anybody explain how this tracking works?

    I can't fanthom why my phone should respond to ANY WiFi AP which is not known beforehand. AFAIK, the AP broadcasts a beacon message, (with or without SSID) and the phone responds to that if it's configured to do so.

    There was a bug in XP, creating an Ad-hoc network on pre-SP3 laptops, []

    but that doens't affect any phone out there. so can somebody shed some light on this?

    Starting Score:    1  point
    Moderation   +1  
       Interesting=1, Total=1
    Extra 'Interesting' Modifier   0  

    Total Score:   2  
  • (Score: 1, Informative) by Anonymous Coward on Wednesday June 11 2014, @01:03PM

    by Anonymous Coward on Wednesday June 11 2014, @01:03PM (#54102)

    What you describe is passive discovery of access points. But there's also active discovery: The phone basically sends a message "is there any access point around here?" and the access points answer with their SSIDs.

  • (Score: 5, Informative) by Foobar Bazbot on Wednesday June 11 2014, @02:33PM

    by Foobar Bazbot (37) on Wednesday June 11 2014, @02:33PM (#54151) Journal

    I think you get this, but for clarity's sake: each AP has a unique BSSID (Basic Service Set ID), which is just the MAC address of the AP. There's also the ESSID (Extended Service Set ID), which is an ASCII string up to 32 bytes. Multiple APs connected to the same wired backbone can form an ESS (extended service set) by having the same ESSID, in which case clients can roam amongst them. Note that while, technically, the ESSID of an isolated, non-ESS AP is called "SSID" rather than "ESSID", I find it more useful to call it "ESSID" in both cases, to avoid confusion with BSSID.

    I can't fanthom why my phone should respond to ANY WiFi AP which is not known beforehand. AFAIK, the AP broadcasts a beacon message, (with or without SSID) and the phone responds to that if it's configured to do so.

    What you seem to think happens is to remember BSSIDs, and passively discover known networks by looking at beacons for a known BSSID, instead of (or in addition to) a known ESSID. That certainly seems possible -- although it would break roaming on an ESS, this would work fine on non-ESS configurations, including most home WLANs, where hidden-SSID is most frequently found. However, this isn't how it's normally done, because by design one procedure works for both ESS and isolated configurations, until some idiot breaks it by not broadcasting an ESSID.

    Sadly, for years idiots (including some employed by manufacturers of home networking gear) have been advising people to hide ESSIDs to provide a measure of security. Not only does it provide no real security, it also breaks standard passive discovery, for which the universal solution is not bssid-based passive discovery, but active discovery by sending probes for each known ESSID (as described in a sibling post), which then becomes a privacy leak.

    The worst part is, because ESSID hiding is so common, because active discovery doesn't break anything with non-hidden SSIDs, and because the incentives for OS vendors favor making everything "just work" in spite of ESSID hiding, rather than discouraging SSID hiding, we get abominations like the old ad-hoc "Free Public Wifi" nuisance, and more recently Android's "helpful" assumption that any network configured by clicking the "Add Network" icon and manually entering an ESSID (as opposed to scanning, clicking the ESSID in the list, and entering other parameters as needed) must be a hidden-SSID WLAN, and thus triggers active discovery. For people like me who, on getting a new device, attempt to manually configure a bunch of networks not currently in range (parents, friends, etc.) from a list of ESSID/key pairs, this is a major annoyance -- suddenly my tablet was spamming probes to a bunch of networks for absolutely no reason, and if I wasn't in the habit of periodically airodump-nging, I might still not know about it.