IEEE study group recommends improvements in Wi-Fi security

An IEEE study group is suggesting that the Wi-Fi protocol be updated to use randomly generated addresses to improve security and privacy.

As it stands now, the 802.11 standards are designed so that each mobile device gets its own unique media access control (MAC) address, reports CSO. However, because MAC addresses, in most cases, are globally unique identifiers that can be associated with personal devices, they can become privacy risks by exposing users to unauthorized tracking, according to Juan Carlos Zuniga, principal engineer at InterDigital who serves as chair of the IEEE 802 Privacy Executive Committee Study Group.

Zuniga told FierceWirelessTech that IEEE is working with the Internet Engineering Task Force (IETF) and the Internet Architecture Board (IAB), representing different areas of interest, and they all decided to take a closer look at technical threats that expose or threaten privacy. When the 802 protocols were first written years ago, they did not envision the types of usage that are practiced today, with nearly everyone carrying smartphones and tablets with Wi-Fi built in.

While randomized MAC addresses might sound like a straightforward solution, there are implications. Zuniga noted that some commercial networks rely on the identifiers for other purposes, such as a hotel that uses the address to identify a guest who has already paid for his or her 24-hour service. The hotel may tie that address to an account, so if the address is changed, the system will try to bill the guest a second time. "We don't want those things to happen," he said.

While a VPN will encrypt the data that is being sent, with over-the-air Wi-Fi the identifier is still being sent, "so people can track you," he said. They might not be able to see the data that is being sent or know that the end user is reading an email, but the moment the connection is made at home, the office or at the airport hotspot, "people can track you. Just the fact that you are sending that in the clear, it's like walking around with your name and address on the back of your shirt." They might not be able to hear what you're saying, but they can see where you've been or where you're going.

Several experiments already have been conducted at IEEE meetings. Three experimental trials were completed at the IEEE 802 plenary meeting in Berlin on March 8-14, at the IETF 92 meeting held March 22-27 in Dallas and the IETF 91 meeting held November 9-14, 2014, in Honolulu.

A couple of years ago, the city of London ordered its supplier of trash cans to cease using technology that collected data from mobile devices of people walking in the capital's Square Mile. People were unaware their information was being collected.

Those are the types of things the IEEE study group wants to avoid by adding its recommendations in upcoming versions of the 802.11 standard. The downside to standards is they require consensus and could take years to finalize. In the meantime, the hope is that device makers could generate random identifiers for devices on their own, something that they could use as a commercial plus, so to speak, that consumers will see as a benefit.

"My hope is we don't have to wait for the full standards cycle. This is something people care about and we don't have to wait five years," Zuniga said.
