Feeds

back to article Your Android phone is a SNITCH: Wi-Fi bug makes you easy to track

Your mobile device could be compromising your privacy by broadcasting your location history over the air, even when it is in sleep mode, according to new research by the Electronic Frontier Foundation. Of particular concern are newer Android gadgets, specifically those running Android 3.1 "Honeycomb" or later. That version of …

Install Pri-fi

Sure chainfire made this app for rooted phones only

Called Pri-fi

Random mac changer

1
0
Silver badge

Re: Install Pri-fi

Looks useful I will give it a try.

1
0
Bronze badge

Re: Install Pri-fi

*Yawn*, so I have to fall back on other methods of fingerprinting you.

I don't personally (obviously - or do I)? but someone who cares has ignored a MAC address as a sole source of uniquely identifying you for years. For starters, that may identify your computer but not you and if you share your computer then that's useless anyway {you != pc}.

"They" will give "you" a unique index eg a GUID and associate lots of data against it as it turns up via G+, FB, Twatter, affiliate sites etc etc ad nauseam. Each bit of data will also be assigned some form of probability or weight of being "you". It could work a bit like a spam scanner like Spamassassin in that the weights will be added up and tested against a threshold to say yep - this session is "you".

Have you any idea how much info your browser gives out in the headers, or emails? Even huge firms forget to remove internal Received: headers in their emails - have a look : it's hilarious how much of their internal network structure you can glean from that.

You'll need to think a lot more about personal security than messing your MAC addresses around. Me? I don't bother.

Cheers

Jon

PS My habit of signing forum posts as above will be in someone's database as will my habit of using post scriptums - oh well!

2
5
Bronze badge

Re: Install Pri-fi

You can't track someone at a website using their MAC address, how would you know their MAC address?

The only way it would even be possible would be to get the user to download a plugin or software during their browsing session and read it that way, but to what purpose?

If you want a unique ID you would normally just create one and put it in a cookie or get them to login to your site (which then also works cross device).

0
0
Silver badge

Re: Install Pri-fi

The article is about devices broadcasting a list of the last 15 wifi hotspots they've been connected to and how that can give people a good idea of who you are and where you've been. What's the relevance of this MAC address discussion?

3
0
Bronze badge

Re: Install Pri-fi

"What's the relevance of this MAC address discussion?"

I was replying on the above post who was talking about tracking via MAC addresses, this is another feature of Pri-Fi - to randomise the MAC address (as well as suppress AP broadcast).

0
0
Silver badge

Programmers really need to start taking privacy seriously

There is greater awareness of security these days. Not that things are anywhere near secure, but the situation is better than it was a decade ago, and much better than the completely security unaware 90s were. But privacy seems to be something few programmers take into account, if they can come up with an easy way to accomplish something they don't even think about stuff like this, apparently.

4
0
Bronze badge

Re: Programmers really need to start taking privacy seriously

You are not wrong there on many levels. One that immediately springs to mind is the mess that is web proxy support in many apps. A web proxy is quite handy in anonymizing a web session. Support is equally borked and complicated across all OSs. Some apps are good and some are bad. Try and get MS registration to work though a web proxy (can't remember which bits fail but some do, despite Negotiate support in the proxy).

Then there is the end user and the corporate policy. I work for and with many for whom security is paramount and yet certain bits of the puzzle remain off limits. Data leaks and the result is well ...

In my more Trevor Potts moments, I scream, then I stroke my pfSense firewalls, my mod_security web firewalls, my Squid n Dans Guardian proxies, my OpenVPN and IPSEC VPNs, my carefully controlled AV, my layer 2 controls, my n factor auth, my ... well you get the idea (and that's just at home - you should see how mental I am at work) and then quietly give up and go and have a lie down.

At least they keep most of the baddies away - I think.

Cheers

Jon

0
1
Anonymous Coward

Re: Programmers really need to start taking privacy seriously

Programmers? What the hell have they got to do with it?

Anything labelled "improves user experience" gets boosted to the top of the list, anything labelled "security risk" gets kicked to the bottom.

Instead of bitching about "programmers", send a stroppy tweet to your 'phone's manufacturer and reseller.

0
0
Anonymous Coward

Patch

Anyone know if the patch in question has also been submitted to Cyanogenmod?

1
0
Bronze badge

Re: Patch

I assume that as you are posting as AC that you take your security very seriously. However you have requested information to which the answer might send you blind or cause your hands to fall off their wrists.

These forums come under the heading of The Register and you are asking for information about something called "Cyanogenmod".

I'd go and have a chat on their forums if I was you. I'm sure it isn't too far away.

Cheers

Jon

0
8
Anonymous Coward

Re: Patch

> I assume that as you are posting as AC that you take your security very seriously.

I post as AC because I like it, no more and no less.

As for the rest of your post, did you intend to say anything useful?

3
0
Silver badge
Boffin

"this means your phone will fall back to the mobile data network while the screen is off...

"...which will increase mobile data usage and power consumption."

Err, unless (as I do) I keep mobile data switched off until *I* decide to switch it on and use it...

3
0
Anonymous Coward

Re: "this means your phone will fall back to the mobile data network while the screen is off...

"...and power consumption"

Pfft, unless (as I do) I keep my phone switched off until I need to use it. My battery has lasted 19 days so far.

2
0
Vic
Silver badge

Re: "this means your phone will fall back to the mobile data network while the screen is off...

Pfft, unless (as I do) I keep my phone switched off until I need to use it. My battery has lasted 19 days so far.

I keep the phone switched on, but BT/WiFi/Data switched off unless I'm using it.

I get about 8 or 9 days out of my Galaxy S2 :-)

Vic.

0
0
Silver badge

This article was awesome for introducing me to wigle, and the links to the interesting articles by Chainfire in the blog post. It's fascinating to see it's the wi-fi hardware itself doing this, and not the software.

Jesus Christ, nobody with a Linksys *ever* changes their default name, do they??

0
0
Bronze badge

Yeah, this doesn't sound completely overblown at all........

"Oh look this phone has recently been to Tesco, McDonalds, BT-Hub-2F6J, Wanadoo-978C, The Cloud and Starbucks" yup - that sounds incredibly identifiable, quick give me a pen and a map so I can draw the exact route this phone must of took......

Bollocks.

3
4
Bronze badge

"Oh look the CEO's phone is showing that he has recently been to company B and he was out all day yesterday, I wonder if those merger rumours are true after all?"

"Oh look Julie's phone is showing the Palma Resort, isn't that where Kevin went last week on holiday? I thought Kevin was married?"

"Hey boss, we went to that nightclub last night and Luis Suárez was there and his AP was showing Real Madrid, maybe he's in talks about transferring? Should we print it?"

...etc

3
0
Bronze badge

...convincing device makers to release patches for older phones could would be a lost cause.

FTFY

2
0
Silver badge

So this basically implies that anyone interested in the security of their mobile has to effectively buy a new phone pretty much every time a new privacy leak is discovered...? I have to hand it to the marketing guys: clever... fiendishly clever...

1
0
Anonymous Coward

Yep

And that's probably the business model for the Internet of Things too.

0
0
Bronze badge

Erm...

"...The idea is to conserve battery by allowing a phone to connect to known Wi-Fi networks even while in sleep mode, since Wi-Fi uses less power than the mobile data radio."

First, that is a well known *feature*, not a bug.

Second, only the most seriously mentally challenged cannot Google the result to turn off the "offending" service.

I did it a while ago, as it annoyed me that wifi kept trying to connect and worse, successfully drained the battery more quickly.

2
3
Bronze badge

Since the phone knows your location....

Why doesn't it remember the location of networks and only try and connect when it is in the correct area?

All it would then leak is whether you have been there before.

0
0
Bronze badge

Re: Since the phone knows your location....

If I understand what you're saying correctly I think someone may have already had this good idea...

https://play.google.com/store/apps/details?id=net.kismetwireless.android.smarterwifimanager

1
0
Anonymous Coward

Re: Since the phone knows your location....

That's not going to work too well if you are trying to connect to your car's Wifi, is it? Or the airline's, bus or train, or to Fon, or to McDonald's, ...

The last two assuming it goes only by ESSID rather than AP MAC.

0
0
Anonymous Coward

15 words or less

I noticed this while checking hotspot opperation on a router. As I have also spotted some WiFi sillyness at one location I was going to compose a message for kismet. My last SSID's comprising - stop watching lame hacking vids on YouTube and get a job you lazy bastard.

0
0
Bronze badge

Re: 15 words or less

The maximum SSID length is 32 characters - Makes twitter tweets at 140 characters look extravagant!

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon