Traditionally, busy public places such as coffee shops were a great place to people-watch and nurse a drink for hours while watching the world go by. But nowadays, a person doesn’t need to look up from a laptop, or even take their headphones off, to discover a lot about the people around him or her. We may not yet realise it, but Wi-Fi can reveal a lot about our fellow humans, and therefore the businesses for which they work. This is especially true of smartphone Wi-Fi.
Many laptops, and other devices where battery consumption isn’t at such a premium, spend time listening for beacons from Wi-Fi access points, which contain the network name along with other information. While this discovery method generally works well, the laptop sometimes has to ‘listen’ for a long period of time before it can be sure it’s gathered all the nearby Wi-Fi networks.
This drawn-out ‘listening’ on a smartphone would be a major drain on the battery. As a result, the majority of smartphones use a different method for Wi-Fi network discovery: a ‘probe request’.
Every once in a while, a smartphone will broadcast out a probe, seeking a response from every Wi-Fi network that it has been configured to join. Ever. On iPhones, this is known as a Preferred Network Offload (PNO), but we prefer the term ‘digital exhaust’ when referencing these particular smartphone emissions.
‘Digital exhaust’ means that every minute that an employee’s smartphone’s Wi-Fi is enabled (but not connected), it is broadcasting to the nearby vicinity every Wi-Fi network that particular phone has joined, regardless of whether that network has encryption or not.
And this information is alarmingly easy to access. A small script that works on most Macs can listen to probes sent out by any smartphones in a certain vicinity, and print off how many devices are probing.
It might be easy to say ‘so what?’, but when you consider how many Wi-Fi networks a typical employee’s smartphone has joined in the previous two years, that is an awful lot of information to broadcast to the public. Furthermore, keychain iCloud sharing means that every network joined by an associated Mac can be broadcast too.
To put this into context, a quick scan can reveal the following about a real user: he or she tends to visit W Hotels, uses inflight Wi-Fi and has recently been to San Francisco Airport, perhaps to Thailand. We can also see that the user frequently works out of a small local coffee shop. And that’s just the tip of the iceberg from a few minutes of digging. Needless to say, that’s enough information to make you wonder, “Who’s watching our employees, and what is being discovered?”
Years of IT security advice to use unique and obscure names for user IDs and passwords means that a lot of people are doing the same with their home and business Wi-Fi SSIDs. But a globally unique Wi-Fi SSID can create a real issue of easy discoverability, as physical addresses can then be pinpointed using an open-source database of known Wi-Fi networks such as wigle.net. In fact, a team at the University of Hasselt in Belgium recently demonstrated how one could correlate this Wi-Fi history information with open databases of Wi-Fi network geolocation, and provided a mathematical equation for the likelihood that a person has visited a particular city. While Apple has added MAC address randomisation (with limited success), the address does not change during a probing session, nor once a user has connected to a Wi-Fi network.
Surely there’s a way for enterprise IT teams to reduce digital exhaust, and avoid employees sending out so much information from a smartphone? The most basic level of overall protection against this type of snooping is to simply turn off the device’s Wi-Fi: even when an employee is connected to a trusted network, a hacker could de-authorise him or her from that network and listen again to the phone’s probes. But turning Wi-Fi off is perhaps impractical, so other ways to avoid digital exhaust include regularly resetting network settings, allowing the smartphone to ‘forget’ its learned networks.
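An added example, not from the original article: a Python check a security team could run over raw 802.11 frames captured from its own test handset, to confirm which SSIDs still appear in directed probe requests after network settings are reset, and whether the source MAC is locally administered (the bit that randomised addresses set). It assumes bare management frames without a radiotap header or FCS; the sample frames, MAC addresses and `ExampleCorp-Floor3` are constructed.

```python
# Added example: audit probe requests captured from your own test device.
HDR_LEN = 24  # 802.11 management header: FC, duration, 3 addresses, sequence

def parse_probe_request(frame: bytes):
    """Parse a bare 802.11 frame (assumed: no radiotap, no FCS); None if not a probe request."""
    if len(frame) < HDR_LEN:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if (ftype, subtype) != (0, 4):  # management frame, probe request
        return None
    src = frame[10:16]  # address 2 = transmitter
    ssid, pos = None, HDR_LEN
    while pos + 2 <= len(frame):  # walk tagged parameters (id, len, value)
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break  # truncated element: stop rather than misread
        if tag == 0:  # SSID element
            ssid = value.decode("utf-8", "replace")
            break
        pos += 2 + length
    return {
        "src": ":".join(f"{b:02x}" for b in src),
        "locally_administered": bool(src[0] & 0x02),  # set on randomised MACs
        "ssid": ssid or "",  # empty = wildcard probe, names no network
    }

def leaked_ssids(frames):
    """Map each transmitter MAC to the SSIDs it named in directed probes."""
    leaks = {}
    for frame in frames:
        info = parse_probe_request(frame)
        if info and info["ssid"]:
            leaks.setdefault(info["src"], set()).add(info["ssid"])
    return {mac: sorted(names) for mac, names in leaks.items()}

def build_frame(fc0: int, src: bytes, ssid: bytes) -> bytes:
    """Construct a sample frame (test data only)."""
    header = bytes([fc0, 0]) + b"\x00\x00" + b"\xff" * 6 + src + b"\xff" * 6 + b"\x00\x00"
    return header + bytes([0, len(ssid)]) + ssid + bytes([1, 2, 0x02, 0x04])

FIXED = bytes.fromhex("001122334455")   # constructed, globally administered
RANDOM = bytes.fromhex("da1122334455")  # constructed, locally administered
SAMPLE = [
    build_frame(0x40, FIXED, b"ExampleCorp-Floor3"),
    build_frame(0x40, FIXED, b"Office Network"),
    build_frame(0x40, RANDOM, b""),               # wildcard probe
    build_frame(0x80, FIXED, b"Office Network"),  # beacon, ignored
]
```

An empty result from `leaked_ssids` for the test handset means its probes named no networks during the capture window.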
In terms of managing networks, it’s important to always employ WPA2 encryption with a complex password, and to use a generic SSID, e.g. ‘Office Network’. Users should also consider using hidden/blind SSIDs, as geolocation gathering will be less likely to discover them.
Ultimately, as with much of information security, a lot of protection comes with employee education. Employees need to be aware of and understand what their smartphones are doing, with or without permission, and what information is being shared. Employees should also understand the difference between smartphones being connected to Wi-Fi vs. cellular data, and should not always trust open and free public networks. This way, their seemingly harmless but potentially very revealing digital exhaust can be stemmed.