Your Smartphone Is Always Talking To People

October 20, 2013

Apparently WiFi probing leaks your device's MAC address and stores are starting to take notice. Of you.

Much of the technology is covered in Cisco's Meraki WhitePaper-PDF. Interesting read.

Basically what they can glean from you walking by or into a store using this technology is that you are there, and keep track of your being there again in the future. Of course this doesn't identify who you are, just the presence of your phone. If your WiFi radio is off then you are effectively invisible. It's also possible with a jailbroken phone or other OS tweak you could monkey with the MAC address or change the rate at which WiFi probes.

Is this a terrible thing? Maybe and maybe not. Unless the store can somehow tie your identity and match the MAC address all they have is a record. Meraki apparently hashes the Mac address before they give it to the customer (like a store) so the assumption is you can't correlate the data with another Meraki customer. I can imagine however someone like a government having no such compassion.

How would a store combine the MAC hash identifier with you? I assume point of sale terminals could see who is nearby at the moment of purchase but that would seem to be inexact. The WiFi probe does not allow anyone to see the phone number or other information from the subscriber. Under iOS7 but not previous iOS releases an app can no longer obtain the MAC address from the device so a store app can't do that any more (such as a promotional app or something the store gives away that supports e-commerce). I have no idea how a store can do this but if it's possible I am sure a product exists. Meraki doesn't provide this.

The government angle is of course more problematic. What could a government do with a map of phone's moving around given that they probably can obtain a MAC-identity database easily enough. It's another bit of data they could use to track movement but it's not the only one.

I wonder if advertising the MAC address can be suppressed in a WiFi implementation. I don't know enough about WiFi to know if it is required. If you can not leak it maybe Apple and Google should put that feature in.

LTE is pretty fast these days and I usually leave the WiFi off on my iPhone unless I need it. So, no, that wasn't me at the store today.