The Problem

Today's Wi-Fi technology broadcasts the unique MAC address of devices in plaintext. These addresses are globally unique and static. This allows for constant tracking of devices which have a Wi-Fi interface enabled. Given devices such as cell phones use Wi-Fi and are usually unique to a person, tracking a MAC address can be roughly equivalent to tracking an individual. Commercial tracking technologies already exist that take advantage of this fact. These technologies are commonly used in shopping centers and event centers for tracking of patrons. The data is often used to detect the occupancy of an area and to track foot traffic patterns. This data is also often sold to advertisers for personalized advertising, allowing companies to target you based on your offline behaviours. This tracking is not limited to expensive commercial systems either. Tracking can be easily done with inexpensive Wi-Fi devices, such as Raspberry-Pi Zero W's for ~$20 each. This poses many privacy concerns for Wi-Fi users, as anyone could setup a network of these devices with relative ease.

Approach

Every Wi-Fi device has a generally unique MAC address that it uses to communicate with other Wi-Fi devices. These MAC addresses are static and transmitted in plaintext. When a device transmits data, this MAC address is visible to anyone in range of the Wi-Fi device. Since the addresses are unique and static, they can be used to track people’s devices. It is even relatively easy to associate a MAC address with an individual. MAC addresses can be used to track movements of devices, and with devices such as cellphones, this can essentially mean tracking individuals.

Our approach is to investigate different dynamic MAC addressing methods. The idea is that with an appropriate dynamic MAC address protocol, long term tracking will not be possible. This will make it impossible to do tracking that would be sold to advertisers. We still wish to allow for localized short term tracking for occupancy levels and short path tracking. These functions are very useful for a number of reasons, and can be done in a privacy conscious manner.

Additionally, we want to demonstrate a proof of concept of a simple array of Raspberry Pi devices that can be used for tracking. We want to demonstrate the ease at which this tracking can be done with three devices. We also want to demonstrate a concept of how tracking can be done in a privacy conscious manner with the current static MAC addressing. These tasks will be done using Kali Linux on Raspberry Pi Zero W devices. In the privacy conscious model, we will have processing be done between the devices locally so only a minimal amount of data is sent to a server. No personally identifiable information, especially MAC addresses, would be logged in any way.

Additional Work

• Investigate the Dynamic MAC address patent

• Develop a semi-working prototype of a tracking system

• Test prototype in a simulation environment

• Demonstrate the ease in which tracking can be done with inexpensive devices

Schedule

January 31st - Hand in proposal

February 14th - Outline

February 28th - More research

March 13th - Develop prototype

March 20th - Final test of prototype (quality assurance check)

March 27th - Final Presentation

April 6th - Project Report

References and Related Work

• Wottrich VM, Reijmersdal EA, Smit EG. App Users Unwittingly in the Spotlight: A Model of Privacy Protection in Mobile Apps. Journal of Consumer Affairs. 2019;53(3):1056-1083. doi:10.1111/joca.12218.

• M. Cunche, "I know your MAC address: targeted tracking of individual using Wi-Fi," Journal of Computer Virology and Hacking Techniques, vol. 10, no. 4, pp. 219-227, 2014.

• M. S. Jalali, J. P. Kaiser, M. Siegel and S. Madnick, "The Internet of Things Promises New Benefits and Risks: A Systematic Analysis of Adoption Dynamics of IoT Products," in IEEE Security & Privacy, vol. 17, no. 2, pp. 39-48, March-April 2019. doi: 10.1109/MSEC.2018.2888780

• http://iot-inspector.princeton.edu (Similar Project)