For use as a travel router the UI makes it simple to randomize both the AP BSSID/MAC as well as interfaces working as WiFi client stations for internet uplink.

https://news.ycombinator.com/item?id=13839540

As of 2017 the authors of the paper above found MAC leaks in a shocking 96% of all android phones. And the remaining 4% aren't proven to be leak-free -- they simply hadn't noticed any leaks by the time they wrote the paper.

Unless you have fully open-source firmware on your baseband, like ath9k_htc, there's really no way to prevent this leakage. Or even be sure if it's happening.

https://wiki.debian.org/ath9k_htc/open_firmware

With open source baseband firmware you can guarantee that the baseband never even has access to the hardware MAC address. You can even reflash the MAC address eeprom (on every boot if you like!)

We've also reported mac leaks to vendors -- we found stations would transmit packets with their non randomized state in certain scenarios, we'll blog about it when vendors release their fixes.

But more importantly I also want to say that I do not expect the MAC leaks are happening in most beacons & probe responses, which is what Apple and Google and others collect for their positional database with wi-fi SSIDs and BSSIDs. There's still ways to fingerprint, from digital fingerprints, to signal fingerprints unique to the radio and antennas and board, where machine learning can cluster and classify devices that are going to be very hard to anonymize for privacy.

Projects like https://www.nzyme.org/ actually apply fingerprinting techniques for defense to detect Rogue APs that could manifest in an actively attacked environment. They can pick up wifi implants as well as the Rogue AP attacks.

For which baseband chip, specifically?

I mean this would be great, but I have a very hard time believing any baseband vendor gave you enough documentation to achieve that -- especially not without an OSS-prohibitive NDA. Would love to be wrong about that. It happened once, but that was back when Atheros was an independent company -- before they were Qualcommized.

Also, aren't all the wifi 6 baseband firmwares cryptographically signed? Best case it'll be as "open source" as Tivo was.

We've also reported mac leaks to vendors

That's good, but I don't think the whack-a-mole approach inspires much confidence. There have been so many of these problems that at this point we really need to take the car keys away from the drunkard and have the baseband chip and the MAC-bearing eeprom be separate devices which can only communicate via the CPU. Or just have the CPU derive the MAC from the CPU's own serial number. Or maybe just not have hardware MAC addresses at all.

So the randomization bugs we have reported are specifically about stations, namely: mobile smart phone devices failing to randomize their WiFi MAC address.

As for the study this thread's topic concerns, I do not have reason to believe that there are bugs with MAC randomization in cards running as APs that would make the randomization of BSSIDs fail.

The probe responses and beacon contents appear to consistently use their randomized MAC address in the cards we have tested. There could be underlying actively triggered bugs an active attacker could uncover, to get the non randomized address, but I do not expect such bugs would affect the BSSID + Positional databases of this study.

I’m Danish, I think the only way to really prevent mass surveillance through WiFi is through laws and legislation. It used to be legal to track people here, but thankfully it’s not anymore. I still remember when there was an outcry from smaller municipalities when they could no longer track people on their “walking streets”. I’m not sure if you have those in other countries but they are basically the “central” street with a lot of shops that are only for pedestrians. Virtually every Danish city has one, larger cities have multiple. Anyway, smaller cities used to track people to see which parts of those streets were popular and which weren’t.

Now they didn’t exactly do it for sinister reasons as such. Our smaller cities have issues with what is called “city death” where their “waking streets” lose shops because people go to larger malls. Then they might add a play ground or other cultural things, or even help shops with rents in order to increase an even popularity in their “waking streets”.

Despite their good intention it was still mass scale surveillance.

It not legal anymore, except when you are big enough or you are the one that decides what is legal or not.

In addition to RPi hardware, it would be helpful to support Rockchip RK3399 and RK3588 SoCs that have minimal binary blobs, since these can used with open-source Arm Trusted Firmware (TF-A) for secure boot, to ensure that only owner-authorized OS and firmware are running on the device.

> Many cards which support WDS//AP-VLAN have no trouble with updating the BSSID.

Do these M.2 WiFi cards support AP/VLAN and BSSID updates?

  Qualcomm Atheros QCA6174 Wi-Fi 5
  Qualcomm Atheros QCNFA765 Wi-Fi 6

Just so people don't get confused, there is a huge world of difference between these two chips. They are not in the same category.

Rockchip RK3399 is 100% blobless. You even control the EL3 Trustzone Secure World! This is True Root.

Rockchip RK3588 still needs blobs in EL3, the highest privilege level. We've been hearing rumors for years now about "oh they'll open source it next month for sure" and it.... just. never. happens. Please stop spreading this rumor. Source or GTFO, Rockchip.

  OSS TF-A at EL3 + OSS DDR training (RK3399)
  OSS TF-A at EL3 + closed DDR training (RK3588)
  OSS uboot + closed TF-A 
  closed uboot + closed TF-A 

Those who don't need the features of RK3588 can use the older and fully open RK3399.

That should be "blob which does stuff, including DDR training, at EL3".

That blob certainly does DDR training. Maybe it does other stuff. But all of it is done at EL3.

> In decreasing order of preference

"Warning! Diagram is not drawn to scale."

If someone wants to find out, they can load it in IDA/Ghidra?

Looks like Collabora is already monitoring the blob, so it's not entirely a mystery:

  At the moment of writing this article, we have identified a few differences from the binary blob previously used, which we can highlight as following:

  Binary BL31 contains some unknown code to get HDMI-RX PHY access working.
  The cpufreq support in binary BL31 is different from TF-A. 

  There could be more issues that are unknown at the moment and users should be aware of it.

It is absolutely a problem, but it's bounded by the ability to inspect and question code/behavior outside the officially claimed rationale. We can prefer open systems and also shine a bright light on the behavior of closed systems.

We are currently looking at banana pi over rockchip but we are very happy to assist if someone has this gear.

I don't have access to Qualcomm information but if you have those chips it will be under the output of 'iw dev'.

> Someone outside your home could potentially tell when it’s vacant, or see what you are doing inside. Consider all the reasons someone might want to secretly track someone else’s movements. Wi-Fi sensing has the potential to make many of those uses possible.. it could be used by corporations to monitor consumers, workers, and union organizers; by stalkers or domestic abusers to harass their victims; and by other nefarious actors to commit a variety of crimes. The fact that people cannot currently tell they are being monitored adds to the risk. “We need both legal and technical guardrails"..

> At least 30 million homes already have some kind of Wi-Fi sensing available.. When the new standard comes out in 2025, it will allow “every Wi-Fi device to easily and reliably extract the signal measurements".. With Wi-Fi 7.., “the sensing capability can improve by one order of magnitude”.. The committee did discuss privacy and security.. But they decided that while those concerns do need to be addressed, they are not within the committee’s mandate.. Wi-Fi sensing is more concerning than cameras, because it can be completely invisible.

IEEE standards are a minimum starting point for interoperability. Security and privacy improvements can be implemented in open-source code, to inform future revisions of IEEE standards.

Discussion is a good start. That section of the paper states:

  Although there are already various ways to improve security and privacy, IEEE 802.11bf is still discussing which solution to add.

> Of course Wifi sensing is already a thing with existing signals

Several orders of magnitude exist between researchers and commercial devices in the hands of millions of consumers.

Well, between nation state actors and consumers

Suggestion, your site is not understandable to me. At the top it says you make routers. Under products it lists a a PI5 HAT. Is that a router? It sounds like it's a Wifi card for a Raspberry PI?? PI5 Pod, Is that a router? It says "bundled with PI5 Router" ??? "CM4 Capsule" is that a router?

Is this site only for people who already know these terms?

It also claims all this runs locally but then says you have a subscription... ?!

Looks like the subscription is for those who want to help fund the project.

Not many functional differences, maybe those are handled in the config GUI?

Just got to say- that would be awesome for my vacuum to stop making a loud noise when someone pushed the doorbell, so I wouldn’t miss the person! (But I do completely get the underlying sentiment)

As an average home user, I would love something like this (interface and features) but with a nicer looking hardware (wife tax).

  - [ ] Location
    - Improve location accuracy
      [ ] Wi-Fi scanning
      [ ] Bluetooth scanning
  - [ ] Google location accuracy
  - [ ] Google location history
  - [ ] Google location sharing
  - App-level permissions
    - Allowed all the time: None
    - Allowed only while using app: Maps, Lyft, Uber, Uber Eats

I sometimes temporarily enable Location, but most often I'll just enter addresses manually into the apps and dismiss any requests for location access.

Of course anything with internet access can still guess location based on the public IP address used to connect to any server. Maybe a VPN could help, but then you have to trust that party too.

Not to mention Chrome & friends will gladly provide wifi-based location lookup to any site that asks for location. You can have GPS off, using a VPN, and still the website will know where you are. Turn it off, sure, then the site can block you.

Tried to get around my states online casino restrictions a few months back. Not a fun time.

Yes? Is this a problem?

> Tried to get around my states online casino restrictions a few months back. Not a fun time.

How is any casino both (A) following state restrictions and (B) not validating based on both your geo location and the address you must validate via some KYC document? Or are you also entering a fake address somehow?

Yes, because I am trying to use the site. If they block me, I can't use it.

They validate, usually via a backend SSN lookup or via an identity document like ID or passport, but only on registration. Sometimes they make you take a selfie with your ID. Sometimes you get flagged and have to identify again.

In Michigan you are allowed to use the site from any location, there are restricted actions which must be location verified. Sports wagering and any casino gambling obviously, but I think deposits or withdraws might be location limited as well.

The location verification is accomplished via both a dedicated program you must install on your device + giving location permission in the web browser, which uses GPS + Cellular + Wi-FI triangulation.

> Or are you also entering a fake address somehow?

You are allowed to use the online casino's with an out-of-state ID or address. You must simply be in the state for location verification. There is a little industry of people taking road or train trips to travel through all the online gambling states in order to sign up for the free promotion money.

This was on a laptop with no built-in GPS and no cellular.

Paid VPN - nope, they probably have a list of all the VPN providers IP addresses.

Self-VPN in cloud - no, again they probably have an IP list

Self-VPN in target state on residential IP - nope, something else causing the fail

Spoofing WiFi names & IDs in the environment of the residential IP above, both from online databases and having someone there do a scan - nope, I think the problem here was the networks in range of the laptop were lowering the confidence of the location check

Finding a browser that doesn't incorporate WIFI triangulation - none that I could find, including all the privacy-focused browsers like Brave. They let you turn off location, but none let you disable the wifi component.

At this point my thoughts were that I would have to find/write a custom driver or find some other way to get the wireless card to lie about which networks are nearby.... or find a way to crack the casino location service executable AND patch a browser not to rat on me.

There is no other sources of leaks from what I could tell. No other signals being detected by my laptop, no DNS or VPN leaks, it had to be the Wi-Fi triangulation.

I didn't want to do all that so instead just left a PC at home hooked up to a PiKVM and it worked perfectly.

edit: Forgot to mention you must have Wifi on the device or else it will block and ask you to enable it.

I did disable the driver and tried to make my laptop act as if it didnt have WIFI at all, but I don't see how they could protect a desktop from what I was attempted above without WiFi access.

might be caused by the VPN connection reducing the MTU, and the server detecting that.

As a tangent, I know there are googlers here, but I have always been curious to how low-level google and the rest of FAANG inspects connections.

There is ton's of data being leaked about which device or library or application or network you are using to connect to a service via these low level protocols and encryption schemes.

examplelib1.0 might reply to an ICMP before completing some other part of the state diagram while in 2.0 its reversed. Or maybe the 2.0 handshake takes 2x as long on average. Quirks they might be called elsewhere.

Most people and developers aren't going to care or research or profile this, but I can only imagine with enough resources and risk on the line - this becomes important information to stopping spam or fraud and abuse.

It’s weird to think that anyone would hold this up as an example of the good old days. Rose colored glasses in effect.

Notably, pay phones don’t exist anymore, so you couldn’t actually replicate the 90s era communication if you wanted to.

Where might we turn to?

I could then use that info to figure out where they are likely to hang out, and either give it to police or take matters into my own hands.

But actually, the findings are:

"this method can be leveraged as an additional statistical proxy for population movement and infrastructure outages/destruction;

By taking several assumptions (e.g. BSSID not spoofed; BSSID is seen by some smartphone; BSSID of to-be-surveilled target is known; BSSID is actually used by target and not sold/handed to someone else; target is close to BSSID; BSSID is on; etc.), an individual's historical and possibly current whereabouts may be revealed".

"The central goal of the attacker we consider is to gather location and movement data about a large number of devices, either globally or pertaining to a specific region of interest."

Understand it as a minor pet peeve on my side that I would prefer a less sensational, better disambiguated title in order for the paper to express its content and significance. After all, it's arxiv.org, and possibly a preprint open for feedback.

This is simply providing another way to say "humans who connect to WiFi networks exist here, here, and here, and move to here, here, and here." Without knowing who actually owns and uses each device, it's hard to see how you can really call this mass surveillance, which typically implies the leakage of information that people expected to be private. The fact that my residential address has a WiFi access point in it does not seem to me to be private information. I can readily guess with at least 99% accuracy that every residential and business address in existence with visible furnishing, decoration, regular cleaning, trash outside, or any other sign of human occupancy, has a WiFi access point attached to it.

The threat they mention of intimate partner abuse and stalking whereby an attacker knows a specific person's MAC address and is able to track them if they move but retain the same device is a more obviously real concern, but easily mitigated by simply not retaining the same WiFi access point when you move to a new residential address.

Meaning, if your location is home, turn on wifi, else turn it off.

Unfortunately apple/google/carriers have a vested interest in making our devices very promiscuous. (location services, advertising/surveillance, offload cellular, etc)

https://docs.samsungknox.com/admin/knox-platform-for-enterpr...

>Intelligent Wi-Fi provides four features that aim to improve consumers’ Wi-Fi experience:

Network Bearer Switching

Auto Wi-Fi

Suspicious Hotspot Detection

Enhanced Power Saving

>Intelligent Wi-Fi is the new brand name of the existing “Adaptive Wi-Fi” which had been applied to models older than Galaxy S10 (e.g. Galaxy S9 or older models). It has been improved by adding a new feature such as Suspicious Network Detection and also enhancing existing features such as Network Bearer Switching.

>Auto Wi-Fi >People use Wi-Fi differently based on their location. In places where Wi-Fi is available, we turn on Wi-Fi to avoid being charged for mobile data. On the other hand, if Wi-Fi is always on, we are subjected to frequent, unwanted connections and higher power consumption. To solve this problem, we have introduced Auto Wi-Fi, which turns Wi-Fi on and off depending on your location. Auto Wi-Fi addresses these connectivity-related pain points.

>Auto Wi-Fi pays close attention to your connection patterns and remembers your favorite networks. It turns your Wi-Fi on when a favorite network is available. When you leave the area and the network becomes unavailable, Auto Wi-Fi will automatically turn off your Wi-Fi.

>I think phones should have location-based wifi (and maybe bluetooth).

>Unfortunately apple/google/carriers have a vested interest in making our devices very promiscuous. (location services, [...]

You don't see the contradiction here? You want your phones to have location-aware features, but right afterwards say that you don't want it because it makes your device "very promiscuous".

> You don't see the contradiction here? You want your phones to have location-aware features, but right afterwards say that you don't want it because it makes your device "very promiscuous".

I don't think it's a contradiction. You can have a phone that knows its own location without telling Google/Apple where it is, and that uses that information to toggle features. (I'm kind of skipping the cell carriers because you do have to give them coarse location by virtue of how cell network work.) A device can get location by purely passive GPS without involving any external services, but that's a pretty sucky experience (slow lock, low precision)... I think you can do AGPS without telling anyone where you are, though. Anyways, my point is that there is a world of difference between you having your information/location and anyone else having it.

NFC avoids dependency on network-based location positioning.

You can check yourself from the app:

Services > Devices on Network > Manage

And it will show all of the MAC addresses connected, and recently connected. Even remotely if you are not logged into your network.

You also can see the *plaintext* password to your router from this app.

Services > Your WiFi Network

Which means a nation state also can remotely login to your network without you knowing, and otherwise is bad for security if passwords for millions of homes are plaintext.

---

Moral of the story is that even if Apple eventually fixes this, the other side of the tracking that nation states could do could be done at the ISP firmware level. To solve this kind of attack, either allowing open firmware or new legislation is the only to stop this. (Which when has privacy legislation ever happened... is another question for another day).

Or just randomize every MAC at the client level, blinding everyone up the chain and no doubt causing many false reports as randomized macs collide.

Also why is some devices don't support this randomization, or even if they do, the first connection is not supported. When you first activate an iPhone or use a Windows computer, it still does not expose all the settings to randomize the MAC address until you setup the device, so the first connection exposes the actual address to the network. Yet again we need deeper levels of change to fix this.

> In late March 2024, Apple quietly updated its website to note that anyone can opt out of having the location of their wireless access points collected and shared by Apple — by appending “_nomap” to the end of the Wi-Fi access point’s name (SSID). Adding “_nomap” to your Wi-Fi network name also blocks Google from indexing its location..

> "You may not have Apple products, but if you have an access point and someone near you owns an Apple device, your BSSID will be in [Apple’s] database,” he said. “What’s important to note here is that every access point is being tracked, without opting in, whether they run an Apple device or not.. Commonly used travel routers compound the potential privacy risks..

> The Google/Apple opt out (_nomap) needs to be at the end of SSID name. Whereas the Microsoft opt out (_optout) can be anywhere in the SSID name. Therefore, to opt out of both, it would be in this order: SSIDName_optout_nomap

The change we should be pushing for is tracking must be opt-in by default. The way God intended.

Thou shalt ask for consent before doing shit with another's boxen.

List of ssids in some popular location and then duplicate it, place-shifted.

I’ve been meaning to run this experiment for a while now… Can I broadcast a set of ssids that make, for instance, the mall of America appear on the Golden Gate Bridge?

It surprises me that so much investment and dependency is built on leveraging lists of ssids When they are so easily spoofed…

PS: you'd also have to spoof the mac addresses and get a lot of clients to report it, but it could cause some confusion

Because the flags are:

  (a) not honored by M/G/A for removal from public db?
  (b) ignored by other parties?
  (c) treated like telemarketing/spam opt-out lists?
  (d) ...?

"Russia-Ukraine War First, we use Apple’s WPS to ana- lyze device movements into and out of Ukraine and Russia, gaining insights into their ongoing war that, to the best of our knowledge, have yet to be made public. We find what appear to be personal devices being brought by military personnel into war zones, exposing pre-deployment sites and military positions. Our results also show individuals who have left Ukraine to a wide range of countries, validating public reports of where Ukrainian refugees have resettled."

Is this verified? Does the military not ban Apple/Google personal trackers?

Seems like Apple didn't get the message.

> Wi-Fi-based Positioning Systems (WPSes) are....

Why does every articl have to invent some acronym, and even worse in this case, an acronym that already exists in the wifi context (wifi protected setup - WPS).