When MAC changing doesn't help ...
Posted on 2014-06-10, 21 comments, 173 +1's, imported from Google+/Chainfire

NOTICE: This content was originally posted to Google+, then imported here. Some formatting may be lost, links may be dead, and images may be missing.

I already wrote a bit about Pry-Fi itself yesterday ( https://plus.google.com/113517319477420052449/posts/Y4fjP6cH45v ), but this is not about the app itself.

Requests to implement this in Android itself as well as Firefox OS have popped up ( https://code.google.com/p/android/issues/detail?id=71084 and https://bugzilla.mozilla.org/show_bug.cgi?id=1022444 ).

I'm pretty sure I saw the wpa_supplicant maintainer stated wpa_supplicant wasn't the right place to fix this somewhere the past week, but I can't find it now - if anyone has that link, please do share it again.

There are different ways to scan for Wi-Fi networks. For this (terrible) analogy, we're leaving hidden SSIDs out of the equation.

Imagine a big dark room you (Alice) walk into - you can't see anything. There are other people in this room (Bob, Charlie, Eve, and John). These people are a tad on the narcissistic side, and occasionally call out their own name.

You are trying to find Eve, Henry, or Mark (only Eve is actually in the room). There are three options open to you:

(1) You wait for a potentially very long time, checking if Eve, Henry, or Mark calls out their own name. Nobody has to know you are there if this is what you do.

(2) You can shout "Hey, I'm Alice! Is anybody in here?", to which everyone will reply "Hey Alice! I'm <name>!". Now they know you're Alice, but if you would say a random name instead of Alice - you still get to know if Eve, Henry or Mark are in here, while they don't get to know you.

(3) You can shout "Hey, I'm Alice! Who is in here? I know Eve! I also know Henry! Oh, oh, I also know Mark! I don't know anybody else, though... Any of you guys here? Helloooooo?". Regardless of you shouting a random name for yourself, you laying bare your entire social network graph every time you go into a dark room, is giving away more than enough of a fingerprint for the people in that room to know you are the same nutjob who came in yesterday and gave away all that information.

So, changing the MAC address is shouting a different name than Alice. This doesn't necessarily break anything. The actual systems that are in place to track you via Wi-Fi will use the other information (the networks you know: Eve, Henry and Mark) to track you as well - or so I've been told.

What some have asked for - merely changing the MAC address - is not nearly a complete solution. You need to make sure you're not spewing out your entire connection history for all the world the see either.

During Pry-Fi development I learned something odd about this: even though some (Android) devices are setup to not normally broadcast this information actively, when you put the phone to sleep, the OS itself is no longer managing this. It'll tell the Wi-Fi chip a list of networks, and lets that chip do the work. The main CPU goes to sleep, while Wi-Fi will keep scanning, and wakes the main CPU when it finds something interesting.

The funny thing about that is that when the Wi-Fi chip is doing the work (most likely when you're walking around outside, running on battery power), it may still actively be broadcasting all that information, even though the OS itself wouldn't do this.

One obvious fix to that is simply not telling the Wi-Fi chip about the network list (which is why Pry-Fi clears the network list). It's an easy issue to overlook, as during on-device testing you're usually on AC power and the OS is (usually) in charge of scanning... 

Note that this may well be fixed in the latest Android versions, I just know there are devices in the wild that do this on stock firmwares.

I have no idea how this will be implemented in iOS 8, but from a quick test with my iPad running iOS 7, at least this specific iPad doesn't seem to be giving away any such information, which gives me good hope that iOS 8 will indeed actually be safe in this regard. I do believe Apple deserves a tip of the hat for that.


The state of Pry-Fi iOS 8 reportedly having MAC randomisation seems to have…

+1173
Matthew B. commented on 2014-06-10 at 12:46:

Great post and it explains why Pry-Fi keeps clearing my network list. I had wondered about that.

Matteo Panella commented on 2014-06-10 at 12:54:

The probe request with a list of known ESSIDs exists only for a single reason: APs configured in "hidden mode" won't send out beacons nor respond to "generic" probe requests. You have to send a probe request which specifically lists their ESSID before they tell you they're alive and well and the association process can begin.

This is a counter-intuitive consequence of setting up a hidden network: it's hidden as long as nobody is using it, but as soon you turn on a STA which has been connected to it it will happily broadcast the hidden network ESSID just to check if there's an AP within range.

Lucio Maciel commented on 2014-06-10 at 12:59:

But the chip not knowing the networks you know, will not wake the CPU, and will not connect to a previously known network when sleeping right?

Chainfire commented on 2014-06-10 at 13:47:

+Matteo Panella Unfortunately, some versions of the software/firmware send all the networks, including the non-hidden ones.

+Lucio Maciel If you need to use this work-around, then yes (a chip that would only scan for the hidden ones doesn't need this work-around).

Alternatively, if scan offloading isn't available, the device will wake up periodically and manually scan - this is less battery efficient, but certainly safer. 

Marius Gröger commented on 2014-06-10 at 18:04:

I do believe Apple deserves a tip of the hat for that.

Or they want to render existing Wifi trackers useless and push stores to use iBeacon instead.

Matteo Panella commented on 2014-06-10 at 18:48:

+Chainfire: it just dawned on me that some of them may try to be "smart" and try not to disclose which ESSID actually belongs to hidden networks, so they just broadcast them all. Which is bogus anyway, but it might explain why they're doing it.

Or they're just lazy :)

Fernando commented on 2014-06-10 at 23:49:

which is why Pry-Fi clears the network list

i wonder if this is any way why stock samsung roms on S4 and note 3 lose their network list from time to time

Jules Archinova commented on 2014-06-11 at 02:06:

How can we determine how the Wi-Fi chip behave and what is given to them? (and if it do something at all when the device sleep)

Gali Janach commented on 2014-06-11 at 06:47:

So does this Pry-fi already implemented in a Note 3? The wifi AP list on my Note 3 gets cleared on a regular basis.

Chainfire commented on 2014-06-11 at 07:32:

+Fernando Miguel +Gali Janach It's probably a combination of the list being cleared, and something going horribly wrong, resulting in full loss of the Wi-Fi AP list.

+Jules Archinova That's pretty complicated. It involves a computer running Wireshark in wireless monitor mode (a feature that is generally not available on Windows) and the knowledge to read what it captures...

Gali Janach commented on 2014-06-11 at 07:47:

+Chainfire any idea what is "going horribly wrong" with our devices clearing the saved AP list? It's been driving me insane lately

Jules Archinova commented on 2014-06-11 at 10:26:

+Chainfirethanks, would have been to easy to just need to read the chip official public documentation

David Hayes commented on 2014-06-12 at 21:53:

This is good to know. The more we know of how our information is getting out, the more we can do to stop it. Thank for the tutorial, Chainfire, and keep up with the apps. I use most of them.

SheemOn Private commented on 2014-06-18 at 13:43:

Me thinks Pri-Fi is one of those that need lots of customer education.  It also should be developed and maintained regardless of popularity.  I wish I could write Java code.  I would have "insisted" on helping.  Sadly my skills are frozen around passe' technologies, and I refuse to invest in exciting , modern development systems.

Halidou Sadou commented on 2014-08-28 at 08:32:

Hi

Patricia Lennon Mcmenemy commented on 2014-09-18 at 02:16:

Ur obsession cost the death of my sister. Het psychotic obsessed partner hacked all her devices going back 11 years. I witnessed it all & i wont rest till he pays for his crime, started off little things on a desktop ,its not finished as yhis is her last handset the 8th in 17 months, started with Samsung series 3, the wifi sync the vpn he set up appeared on her galaxy,tortuted mentally daily fpr the last 4 years, hiding behind a screen, ive spent days on your app every link i opened i identified woth something i witnessed on her devices the laotop & desktop then BOOM, followed you here this is not a coincidence,, not blaming you lot, he knew right from wrong, but people likw you startong off ypu want free software tp the traingle I KNOW its was your site he joined, everything he done to nentallt abuse her to take her mind & sanity for money he may inherit , he wont ill make sure of it. The scum hide behind a screen and manipulated & pre meditated & calculated every oppurtunity he or every day. He's been caught countless times by me while slowing torturing a beautful woman causing her. Death, its murder however you dress it up, the golden nugget the bastard is one of your named active hacker named on your site, your all dirty lowest scum of the earth as after what ive read its clear yous are all hackers, you dirty bastards, theres blood on all your hands, but like him yous are sick fucked up losers cowards hiding behind screens, the police will have no alternative now as i have over 2000pics , screenshots & pictures of the computers that now there will be no question hes reasponsible. You have a part played in this regardless.

Gali Janach commented on 2014-09-18 at 07:37:

Are you for real Patricia???? What the hell has that got to do with Chainfire? Linking him to your sister's death in any way shape or form is totally absurd. I don't know you and I am very sorry for your loss but you really need to think about what you say and stop accusing people for something they have nothing to with. Chainfire contribution to the Android platform is massive and greatly appreciated by millions of people.

Halidou Sadou commented on 2014-09-18 at 14:28:

Oh

perry israelson commented on 2015-02-21 at 01:53:

U mm I'm not sure how it happened but I really need some help I had pryfi on my phone (s5 sm-g900w8) was working fine when it some how got uninstalled from my phone and because it was set to have changed my mac address well it seems to have taken it with it cause I can no longer connect via WiFi

perry israelson commented on 2015-02-21 at 01:57:

Pls contact me by email if possible

aixio commented on 2015-04-19 at 06:19:

Always do (1) is the solution. 

This post is over a month old, commenting has been disabled.