Buy it Now, Track Me Later: Attacking User Privacy via Wi-Fi AP Online Auctions

• URL: http://arxiv.org/abs/2506.13052v2
• Date: Sun, 22 Jun 2025 02:48:01 GMT
• Title: Buy it Now, Track Me Later: Attacking User Privacy via Wi-Fi AP Online Auctions
• Authors: Steven Su, Erik Rye, Dave Levin, Robert Beverly,
• Abstract summary: layer-two network identifiers present security vulnerabilities and endanger user privacy.<n>We introduce a new privacy attack against Wi-Fi access points listed on secondhand marketplaces.
• Score: 8.126374889755468
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: Static and hard-coded layer-two network identifiers are well known to present security vulnerabilities and endanger user privacy. In this work, we introduce a new privacy attack against Wi-Fi access points listed on secondhand marketplaces. Specifically, we demonstrate the ability to remotely gather a large quantity of layer-two Wi-Fi identifiers by programmatically querying the eBay marketplace and applying state-of-the-art computer vision techniques to extract IEEE 802.11 BSSIDs from the seller's posted images of the hardware. By leveraging data from a global Wi-Fi Positioning System (WPS) that geolocates BSSIDs, we obtain the physical locations of these devices both pre- and post-sale. In addition to validating the degree to which a seller's location matches the location of the device, we examine cases of device movement -- once the device is sold and then subsequently re-used in a new environment. Our work highlights a previously unrecognized privacy vulnerability and suggests, yet again, the strong need to protect layer-two network identifiers.

Related papers

• Privacy-Preserving Secure Neighbor Discovery for Wireless Networks [0.0]
  Traditional Neighbor Discovery (ND) and Secure Neighbor Discovery (SND) are key elements for network functionality.<n>We present a novel Privacy-Preserving Secure Neighbor Discovery (PP-SND) protocol, enabling devices to perform SND without revealing their actual identities and locations.
  arXiv  Detail & Related papers  (2025-03-28T08:27:47Z)
• Securing 5G Bootstrapping: A Two-Layer IBS Authentication Protocol [4.087348638056961]
  Lack of authentication during the initial bootstrapping phase between cellular devices and base stations allows attackers to send malicious messages to the devices.<n>We propose E2IBS, a novel and efficient two-layer identity-based signature scheme for seamless integration with existing cellular protocols.<n>Compared to the state-of-the-art Schnorr-HIBS, E2IBS reduces attack surfaces, enables fine-grained lawful interception, and achieves 2x speed in verification.
  arXiv  Detail & Related papers  (2025-02-07T13:32:48Z)
• Reverse Engineered MiniFS File System [1.2891210250935148]
  This paper addresses the vulnerabilities inherent in Wi-Fi APs using proprietary file systems like MiniFS found in TP-Link's AC1900 WiFi router. Through reverse engineering, we unravel the structure and operation of MiniFS, marking a significant advancement in our understanding of this previously opaque file system.
  arXiv  Detail & Related papers  (2024-07-06T12:49:37Z)
• Surveilling the Masses with Wi-Fi-Based Positioning Systems [7.1251088452879285]
  We show that Apple's WPS can be abused to create a privacy threat on a global scale. We present an attack that allows an unprivileged attacker to amass a worldwide snapshot of Wi-Fi BSSID geolocations. We present several case studies that demonstrate the types of attacks on privacy that Apple's WPS enables.
  arXiv  Detail & Related papers  (2024-05-23T18:22:12Z)
• Tamper-Evident Pairing [55.2480439325792]
  Tamper-Evident Pairing (TEP) is an improvement of the Push-Button configuration (PBC) standard. TEP relies on the Tamper-Evident Announcement (TEA), which guarantees that an adversary can neither tamper a transmitted message without being detected, nor hide the fact that the message has been sent. This paper provides a comprehensive overview of the TEP protocol, including all information needed to understand how it works.
  arXiv  Detail & Related papers  (2023-11-24T18:54:00Z)
• Surveillance Face Presentation Attack Detection Challenge [68.06719263243806]
  Face Anti-spoofing (FAS) is essential to secure face recognition systems from various physical attacks. We collect a large-scale Surveillance High-Fidelity Mask (SuHiFiMask) SuHiFiMask contains $10,195$ videos from $101$ subjects of different age groups, which are collected by $7$ mainstream surveillance cameras. We organize a face presentation attack detection challenge in surveillance scenarios.
  arXiv  Detail & Related papers  (2023-04-15T15:23:19Z)
• DensePose From WiFi [86.61881052177228]
  We develop a deep neural network that maps the phase and amplitude of WiFi signals to UV coordinates within 24 human regions. Our model can estimate the dense pose of multiple subjects, with comparable performance to image-based approaches.
  arXiv  Detail & Related papers  (2022-12-31T16:48:43Z)
• CAN-LOC: Spoofing Detection and Physical Intrusion Localization on an In-Vehicle CAN Bus Based on Deep Features of Voltage Signals [48.813942331065206]
  We propose a security hardening system for in-vehicle networks. The proposed system includes two mechanisms that process deep features extracted from voltage signals measured on the CAN bus.
  arXiv  Detail & Related papers  (2021-06-15T06:12:33Z)
• The Dark (and Bright) Side of IoT: Attacks and Countermeasures for Identifying Smart Home Devices and Services [4.568911586155096]
  We build up a model describing the traffic patterns characterizing three popular IoT smart home devices. We prove that it is possible to detect and identify with overwhelming probability their presence and the services running by the aforementioned devices.
  arXiv  Detail & Related papers  (2020-09-16T13:28:59Z)
• Smart Home, security concerns of IoT [91.3755431537592]
  The IoT (Internet of Things) has become widely popular in the domestic environments. People are renewing their homes into smart homes; however, the privacy concerns of owning many Internet connected devices with always-on environmental sensors remain insufficiently addressed. Default and weak passwords, cheap materials and hardware, and unencrypted communication are identified as the principal threats and vulnerabilities of IoT devices.
  arXiv  Detail & Related papers  (2020-07-06T10:36:11Z)
• Mind the GAP: Security & Privacy Risks of Contact Tracing Apps [75.7995398006171]
  Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contract tracing apps using Bluetooth Low Energy. We demonstrate that in real-world scenarios the GAP design is vulnerable to (i) profiling and possibly de-anonymizing persons, and (ii) relay-based wormhole attacks that basically can generate fake contacts.
  arXiv  Detail & Related papers  (2020-06-10T16:05:05Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.