By tracking smartphones' attempts to hook up with Wi-Fi networks, security researchers at Sensepost were able to profile the gadgets' users and subsequently link users' home addresses and other information to the devices.
The loophole exists because smartphones are increasingly designed to maintain a list of previously accessed Wi-Fi base stations, which the gadgets constantly seek out in order to enable quick and seamless Wi-Fi access. According to the SecurityG33k blog, researchers were able to pick out people's houses purely through analysis of the SSIDs their devices had logged.
The Sensepost researchers, Daniel Cuthbert and Glenn Wilkinson, exploited the loophole with a distributed data interception framework they called Snoopy. "We tested in numerous countries and during one rush-hour period in central London," Cuthbert told The Register. "We saw over 77,000 devices and as a result, were able to map device IDs to the last five APs (access points) they connected to. Then using geo-location, we were able to map them out to physical locations."
Apple (NASDAQ:AAPL) devices were the "noisiest" in the test. "Apple, Google (NASDAQ:GOOG) and so on do not have any documentation about how noisy their devices are," Cuthbert said.
The researchers, who discussed their project during the recent 44con conference in London, claim no UK laws were violated as they only passively tracked Wi-Fi network requests rather than completely intercepting them. Data was gathered via Wi-Fi access points they set up around London to collect the probe requests of wireless devices carried by passersby.
"We could work out the most common movement patterns using the SSID probes sent out from their mobile phones," said Cuthbert.
The researchers recommend that users disable Wi-Fi scanning on their devices until they actually need to access the Web.
However, as mobile operators increasingly seek options for offloading data from their cellular networks, many in the industry have pushed for default Wi-Fi scanning in smartphones that would be beyond user control. Software is already available that can direct a handset to switch on Wi-Fi functionality--even if a user has turned it off--and link automatically to any nearby Wi-Fi network that it has previously connected to without the user being aware of what's going on.