1. bookVolume 2022 (2022): Issue 2 (April 2022)
Journal Details
License
Format
Journal
eISSN
2299-0984
First Published
16 Apr 2015
Publication timeframe
4 times per year
Languages
English
access type Open Access

Privacy-Preserving Positioning in Wi-Fi Fine Timing Measurement

Published Online: 03 Mar 2022
Page range: 325 - 343
Received: 31 Aug 2021
Accepted: 16 Dec 2021
Journal Details
License
Format
Journal
eISSN
2299-0984
First Published
16 Apr 2015
Publication timeframe
4 times per year
Languages
English
Abstract

With the standardization of Wi-Fi Fine Timing Measurement (Wi-Fi FTM; IEEE 802.11mc), the IEEE introduced indoor positioning for Wi-Fi networks. To date, Wi-Fi FTM is the most widely supported Wi-Fi distance measurement and positioning system. In this paper, we perform the first privacy analysis of Wi-Fi FTM and evaluate devices from a wide variety of vendors. We find the protocol inherently leaks location-sensitive information. Most notably, we present techniques that allow any client to be localized and tracked by a solely passive adversary. We identify flaws inWi-Fi FTM MAC address randomization and present techniques to fingerprint stations with firmware-specific granularity further leaking client identity. We address these shortcomings and present a privacy-preserving passive positioning system that leverages existing Wi-Fi FTM infrastructure and requires no hardware changes. Due to the absence of any client-side transmission, our design hides the very existence of a client and as a side-effect improves overall scalability without compromising on accuracy. Finally, we present privacy-enhancing recommendations for the current and next-generation protocols such as Wi-Fi Next Generation Positioning (Wi-Fi NGP; IEEE 802.11az).

Keywords

[1] IEEE Std 802.11e. Amendment 8: Medium Access Control (MAC) Quality of Service Enhancements, 2005. Search in Google Scholar

[2] Wi-Fi Alliance. Wi-fi aware. https://www.wi-fi.org/discover-wi-fi/wi-fi-aware, 2020 (Accessed 3 December 2020). Search in Google Scholar

[3] Android. Privacy: Mac randomization. Accessed 03/04/2020 from https://source.android.com/devices/tech/connect/wifi-mac-randomization, 2020. Search in Google Scholar

[4] Android. Wi-fi location: ranging with rtt | android developers. https://developer.android.com/guide/topics/connectivity/wifi-rtt, 2020 (Accessed 18/06/2020). Search in Google Scholar

[5] Apple. Use private wi-fi addresses in ios 14, ipados 14, and watchos 7. Retrieved 1 December 2020 from https://support.apple.com/en-us/HT211227, 2020. Search in Google Scholar

[6] IEEE Standards Association et al. Ieee std 802.11-2012, ieee standard for local and metropolitan area networks—part 11: Wireless lan medium access control (mac) and physical layer (phy) specifications, 2012. Search in Google Scholar

[7] IEEE Standards Association et al. Ieee std 802.11-2016, ieee standard for local and metropolitan area networks—part 11: Wireless lan medium access control (mac) and physical layer (phy) specifications, 2016. Search in Google Scholar

[8] Leor Banin, Ofer Bar-Shalom, Nir Dvorecki, and Yuval Amizur. Scalable wi-fi client self-positioning using cooperative ftm-sensors. IEEE Transactions on Instrumentation and Measurement, 68(10):3686–3698, 2018.10.1109/TIM.2018.2880887 Search in Google Scholar

[9] Leor Banin, Ofer Bar-Shalom, Nir Dvorecki, and Yuval Amizur. High-accuracy indoor geolocation using collaborative time of arrival, 2019. Search in Google Scholar

[10] Leor Banin, Uri Schatzberg, and Yuval Amizur. Wifi ftm and map information fusion for accurate positioning. In 2016 International Conference on Indoor Positioning and Indoor Navigation (IPIN), 2016. Search in Google Scholar

[11] Markus Bullmann, Toni Fetzer, Frank Ebner, Markus Ebner, Frank Deinzer, and Marcin Grzegorzek. Comparison of 2.4 ghz wifi ftm-and rssi-based indoor positioning methods in realistic scenarios. Sensors, 20(16):4515, 2020.10.3390/s20164515 Search in Google Scholar

[12] Ellis Fenske, Dane Brown, Jeremy Martin, Travis Mayberry, Peter Ryan, and Erik Rye. Three years later: A study of mac address randomization in mobile devices and when it succeeds. Proceedings on Privacy Enhancing Technologies, 3:164–181, 2021. Search in Google Scholar

[13] Guangyi Guo, Ruizhi Chen, Feng Ye, Xuesheng Peng, Zuoya Liu, and Yuanjin Pan. Indoor smartphone localization: A hybrid wifi rtt-rss ranging approach. IEEE Access, 7:176767–176781, 2019. Search in Google Scholar

[14] Jérôme Henry and Nicolas Montavont. Fingerprinting using fine timing measurement. In Proceedings of the 17th ACM International Symposium on Mobility Management and Wireless Access, pages 49–56, 2019.10.1145/3345770.3356736 Search in Google Scholar

[15] Berthold KP Horn. Doubling the accuracy of indoor positioning: Frequency diversity. Sensors, 20(5):1489, 2020. Search in Google Scholar

[16] Mohamed Ibrahim, Hansi Liu, Minitha Jawahar, Viet Nguyen, Marco Gruteser, Richard Howard, Bo Yu, and Fan Bai. Verification: Accuracy evaluation of wifi fine time measurements on an open platform. In Proceedings of the 24th Annual International Conference on Mobile Computing and Networking. ACM, 2018.10.1145/3241539.3241555 Search in Google Scholar

[17] Mohamed Ibrahim, Ali Rostami, Bo Yu, Hansi Liu, Minitha Jawahar, Viet Nguyen, Marco Gruteser, Fan Bai, and Richard Howard. Wi-go: accurate and scalable vehicle positioning using wifi fine timing measurement. In Proceedings of the 18th International Conference on Mobile Systems, Applications, and Services, pages 312–324, 2020.10.1145/3386901.3388944 Search in Google Scholar

[18] IEEE. Ieee p802.11 - next generation positioning study group. Accessed 29/03/2020 from http://www.ieee802.org/11/Reports/tgaz_update.htm, 2020. Search in Google Scholar

[19] Shazal Irshad, Eric Rozner, Apurv Bhartia, and Bo Chen. Rethinking wireless network management through sensor-driven contextual analysis. In Proceedings of the 21st ACM HotMobile Workshop, pages 92–97, 2020.10.1145/3376897.3377863 Search in Google Scholar

[20] Nicolas Jathe, Michael Lütjen, and Michael Freitag. Indoor positioning in car parks by using wi-fi round-trip-time to support finished vehicle logistics on port terminals. IFAC-PapersOnLine, 52(13):857–862, 2019.10.1016/j.ifacol.2019.11.237 Search in Google Scholar

[21] Manikanta Kotaru, Kiran Joshi, Dinesh Bharadia, and Sachin Katti. Spotfi: Decimeter level localization using wifi. In ACM SIGCOMM computer communication review, volume 45, pages 269–282. ACM, 2015.10.1145/2829988.2787487 Search in Google Scholar

[22] Steven Lanzisera, David Zats, and Kristofer SJ Pister. Radio frequency time-of-flight distance measurement for low-cost wireless sensor localization. IEEE Sensors Journal, 11(3):837–845, 2011.10.1109/JSEN.2010.2072496 Search in Google Scholar

[23] Byung Moo Lee, Mayuresh Patil, Preston Hunt, and Imran Khan. An easy network onboarding scheme for internet of things networks. IEEE Access, 7:8763–8772, 2018.10.1109/ACCESS.2018.2890072 Search in Google Scholar

[24] Marc Llombart, Marc Ciurana, and Francisco Barcelo-Arroyo. On the scalability of a novel wlan positioning system based on time of arrival measurements. In 2008 5th Workshop on Positioning, Navigation and Communication, 2008.10.1109/WPNC.2008.4510352 Search in Google Scholar

[25] Ahmed Makki, Abubakr Siddig, Mohamed Saad, and Chris Bleakley. Survey of wifi positioning using time-based techniques. Computer Networks, 88, 2015.10.1016/j.comnet.2015.06.015 Search in Google Scholar

[26] Ahmed Makki, Abubakr Siddig, Mohamed Saad, Joseph R Cavallaro, and Chris J Bleakley. Indoor localization using 802.11 time differences of arrival. IEEE Transactions on Instrumentation and Measurement, 65(3):614–623, 2015.10.1109/TIM.2015.2506239 Search in Google Scholar

[27] Andreas Marcaletti, Maurizio Rea, Domenico Giustiniano, Vincent Lenders, and Aymen Fakhreddine. Filtering noisy 802.11 time-of-flight ranging measurements. In Proceedings of the 10th ACM International on Conference on emerging Networking Experiments and Technologies, pages 13–20. ACM, 2014.10.1145/2674005.2674998 Search in Google Scholar

[28] Jeremy Martin, Travis Mayberry, Collin Donahue, Lucas Foppe, Lamont Brown, Chadwick Riggins, Erik C Rye, and Dane Brown. A study of mac address randomization in mobile devices and when it fails. Proceedings on Privacy Enhancing Technologies, 2017(4):365–383, 2017.10.1515/popets-2017-0054 Search in Google Scholar

[29] Israel Martin-Escalona and Enrica Zola. Passive round-trip-time positioning in dense ieee 802.11 networks. Electronics, 9(8):1193, 2020.10.3390/electronics9081193 Search in Google Scholar

[30] JA Pierce. An introduction to loran. Proceedings of the IRE, 34(5), 1946.10.1109/JRPROC.1946.234564 Search in Google Scholar

[31] Google Play. Wifirttlocator app. https://play.google.com/store/apps/details?id=com.google.android.apps.location.rtt.wifirttlocator, Accessed 15/09/2021. Search in Google Scholar

[32] Google Play. Wifirttscan app. https://play.google.com/store/apps/details?id=com.google.android.apps.location.rtt.wifirttscan, Accessed 15/09/2021. Search in Google Scholar

[33] Google Play. Wifinanscan app. https://play.google.com/store/apps/details?id=com.google.android.apps.location.rtt.wifinanscan, Accessed 24/03/2021. Search in Google Scholar

[34] Kasper Bonne Rasmussen and Srdjan Čapkun. Location privacy of distance bounding protocols. In Proceedings of the 15th ACM conference on Computer and communications security, pages 149–160, 2008.10.1145/1455770.1455791 Search in Google Scholar

[35] Maurizio Rea, Traian Emanuel Abrudan, Domenico Giustiniano, Holger Claussen, and Veli-Matti Kolmonen. Smartphone positioning with radio measurements from a single wifi access point. In Proceedings of the 15th International Conference on Emerging Networking Experiments And Technologies, pages 200–206, 2019. Search in Google Scholar

[36] Pieter Robyns, Bram Bonné, Peter Quax, and Wim Lamotte. Noncooperative 802.11 mac layer fingerprinting and tracking of mobile devices. Security and Communication Networks, 2017, 2017.10.1155/2017/6235484 Search in Google Scholar

[37] Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef. Let numbers tell the tale: measuring security trends in wi-fi networks and best practices. In Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks, pages 100–105, 2021.10.1145/3448300.3468286 Search in Google Scholar

[38] Domien Schepers, Mridula Singh, and Aanjhan Ranganathan. Here, there, and everywhere: security analysis of wi-fi fine timing measurement. In Proceedings of the 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks, pages 78–89, 2021.10.1145/3448300.3467828 Search in Google Scholar

[39] Ian Sharp and Kegen Yu. Indoor toa error measurement, modeling, and analysis. IEEE Transactions on Instrumentation and Measurement, 63(9), 2014.10.1109/TIM.2014.2308995 Search in Google Scholar

[40] Reza Shokri, George Theodorakopoulos, Jean-Yves Le Boudec, and Jean-Pierre Hubaux. Quantifying location privacy. In 2011 IEEE symposium on security and privacy, pages 247–262. IEEE, 2011.10.1109/SP.2011.18 Search in Google Scholar

[41] Minghao Si, Yunjia Wang, Shenglei Xu, Meng Sun, and Hongji Cao. A wi-fi ftm-based indoor positioning method with los/nlos identification. Applied Sciences, 10(3):956, 2020.10.3390/app10030956 Search in Google Scholar

[42] Daniel Steinmetzer, Yimin Yuan, and Matthias Hollick. Beam-stealing: intercepting the sector sweep to launch man-in-the-middle attacks on wireless ieee 802.11 ad networks. In Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks, pages 12–22, 2018.10.1145/3212480.3212499 Search in Google Scholar

[43] Nils Ole Tippenhauer, Kasper Bonne Rasmussen, Christina Pöpper, and Srdjan Capkun. Attacks on public wlan-based positioning systems. In Proceedings of the 7th international conference on Mobile systems, applications, and services, 2009.10.1145/1555816.1555820 Search in Google Scholar

[44] O Ureten and Nur Serinken. Bayesian detection of wi-fi transmitter rf fingerprints. Electronics Letters, 41(6):373–374, 2005.10.1049/el:20057769 Search in Google Scholar

[45] Mathy Vanhoef, Prasant Adhikari, and Christina Pöpper. Protecting wi-fi beacons from outsider forgeries. In Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, pages 155–160, 2020.10.1145/3395351.3399442 Search in Google Scholar

[46] Mathy Vanhoef, Nehru Bhandaru, Thomas Derham, Ido Ouzieli, and Frank Piessens. Operating channel validation: preventing multi-channel man-in-the-middle attacks against protected wi-fi networks. In Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks, pages 34–39, 2018.10.1145/3212480.3212493 Search in Google Scholar

[47] Mathy Vanhoef, Célestin Matte, Mathieu Cunche, Leonardo S Cardoso, and Frank Piessens. Why mac address randomization is not enough: An analysis of wi-fi network discovery mechanisms. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pages 413–424, 2016.10.1145/2897845.2897883 Search in Google Scholar

[48] Mathy Vanhoef and Frank Piessens. Advanced wi-fi attacks using commodity hardware. In Proceedings of the 30th ACSAC Conference, pages 256–265, 2014.10.1145/2664243.2664260 Search in Google Scholar

[49] Deepak Vasisht, Swarun Kumar, and Dina Katabi. Decimeter-level localization with a single wifi access point. In 13th USENIX Symposium on Networked Systems Design and Implementation (NSDI 16), pages 165–178, 2016. Search in Google Scholar

[50] Tien Dang Vo-Huu, Triet Dang Vo-Huu, and Guevara Noubir. Fingerprinting wi-fi devices using software defined radios. In Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks, pages 3–14, 2016.10.1145/2939918.2939936 Search in Google Scholar

[51] Sigit Basuki Wibowo, Martin Klepal, and Dirk Pesch. Time of flight ranging using off-the-self ieee802. 11 wifi tags. In Proceedings of the International Conference on Positioning and Context-Awareness (PoCA’09), 2009. Search in Google Scholar

[52] Shihao Xu, Ruizhi Chen, Yue Yu, Guangyi Guo, and Lixiong Huang. Locating smartphones indoors using built-in sensors and wi-fi ranging with an enhanced particle filter. IEEE Access, 7:95140–95153, 2019.10.1109/ACCESS.2019.2927387 Search in Google Scholar

[53] Chouchang Yang and Huai-Rong Shao. Wifi-based indoor positioning. IEEE Communications Magazine, 53(3):150–157, 2015.10.1109/MCOM.2015.7060497 Search in Google Scholar

[54] Yue Yu, Ruizhi Chen, Liang Chen, Guangyi Guo, Feng Ye, and Zuoya Liu. A robust dead reckoning algorithm based on wi-fi ftm and multiple sensors. Remote Sensing, 11(5):504, 2019.10.3390/rs11050504 Search in Google Scholar

[55] HL Yuan and AQ Hu. Preamble-based detection of wi-fi transmitter rf fingerprints. Electronics letters, 46(16):1165–1167, 2010.10.1049/el.2010.1220 Search in Google Scholar

Recommended articles from Trend MD

Plan your remote conference with Sciendo