Reduce to the MACs -- Privacy Friendly Generic Probe Requests
Johanna Ansohn McDougall, Alessandro Brighente, Anne Kunstmann, Niklas Zapatka, Hannes Federrath
TL;DR
Active Wi‑Fi discovery via probe requests enables device tracking despite MAC address randomisation. The paper proposes generic probe requests that strip Information Elements (IEs) to the bare minimum while preserving the ability to receive probe responses, and evaluates effects on functionality and privacy. Findings show that the SSID and Supported Rates are sufficient for responses, and reducing to only Supported Rates yields $82.55\%$ of devices in a single anonymity set while keeping $TtT$ measurements meaningful; minimisation does not impede connection establishment. This privacy-friendly approach offers a practical, low-overhead enhancement for Wi‑Fi privacy and can complement existing countermeasures against IE-based fingerprinting.
Abstract
Abstract. Since the introduction of active discovery in Wi-Fi networks, users can be tracked via their probe requests. Although manufacturers typically try to conceal Media Access Control (MAC) addresses using MAC address randomisation, probe requests still contain Information Elements (IEs) that facilitate device identification. This paper introduces generic probe requests: By removing all unnecessary information from IEs, the requests become indistinguishable from one another, letting single devices disappear in the largest possible anonymity set. Conducting a comprehensive evaluation, we demonstrate that a large IE set contained within undirected probe requests does not necessarily imply fast connection establishment. Furthermore, we show that minimising IEs to nothing but Supported Rates would enable 82.55% of the devices to share the same anonymity set. Our contributions provide a significant advancement in the pursuit of robust privacy solutions for wireless networks, paving the way for more user anonymity and less surveillance in wireless communication ecosystems.