privecsg Tracking of Link Layer Identifiers Date: [ ] Authors: NameAffiliationPhone Juan Carlos ZúñigaInterDigital Notice: This document does not represent the agreed view of the IEEE 802 EC Privacy Recommendation SG. It represents only the views of the participants listed in the ‘Authors:’ field above. It is offered as a basis for discussion. It is not binding on the contributor, who reserve the right to add, amend or withdraw material contained herein. Copyright policy: The contributor is familiar with the IEEE-SA Copyright Policy. Patent policy: The contributor is familiar with the IEEE-SA Patent Policy and Procedures: and. Abstract This document proposes some changes to the IAB draft Confidentiality Threat Model-04

privecsg Motivation The Privacy EC SG has concentrated its efforts on privacy issues related to MAC addresses There are many other privacy considerations regarding Link Layer technologies The current IAB Threat Model draft (04) mentions some issues related to MAC address tracking –However, there are other Link Layer identifiers that should also be considered, like (E)SSIDs, BSSIDs, etc. –Similarly, location and time can expose valuable information to an ideal attacker

privecsg Current text Tracking of MAC Addresses Moving back down the stack, technologies like Ethernet or Wi-Fi use MAC Addresses to identify link-level destinations. MAC Addresses assigned according to IEEE-802 standards are unique to the device. If the link is publicly accessible, an attacker can track it. For example, the attacker can track the wireless traffic at public Wi-Fi networks. Simple devices can monitor the traffic, and reveal which MAC Addresses are present. If the network does not use some form of Wi-Fi encryption, or if the attacker can access the decrypted traffic, the analysis will also provide the correlation between MAC Addresses and IP addresses. Additional monitoring using techniques exposed in the previous sections will reveal the correlation between MAC Addresses, IP Addresses, and user identity. Given that large-scale databases of the MAC addresses of wireless access points for geolocation purposes have been known to exist for some time, the attacker could easily build a database linking MAC Addresses and device or user identities, and use it to track the movement of devices and of their owners.

privecsg Proposed text Tracking of Link-Layer Identifiers Moving back down the stack, technologies like Ethernet or Wi-Fi use MAC Addresses to identify link- level destinations. MAC Addresses assigned according to IEEE-802 standards are globally-unique identifiers for the device. If the link is publicly accessible, an attacker can eavesdrop and perform tracking. For example, the attacker can track the wireless traffic at publicly accessible Wi-Fi networks. Simple devices can monitor the traffic, and reveal which MAC Addresses are present. Also, devices do not need to be connected to a network to expose identifiers. Active service discovery always discloses the MAC address of the user, and sometimes the SSID of previously visited networks. For instance, certain techniques such as the use of “hidden SSIDs” require the mobile device to broadcast the network identifier together with the device identifier. This combination can further expose the user to inference attacks, as more information can be derived from the combination of MAC address, SSID being probed, time and current location. For example, a user actively probing for a semi-unique SSID on a flight out of a certain city can imply that the user is no longer at the physical location of the corresponding AP. If the network does not use some form of Wi-Fi encryption, or if the attacker can access the decrypted traffic, the analysis will also provide the correlation between link-layer identifiers such as MAC Addresses and IP addresses. Additional monitoring using techniques exposed in the previous sections will reveal the correlation between MAC Addresses, IP Addresses, and user identity. Given that large-scale databases of the MAC addresses of wireless access points for geolocation purposes have been known to exist for some time, the attacker could easily build a database linking link-layer identifiers, time and device or user identities, and use it to track the movement of devices and of their owners.