Florentin Putz, 2016

Modifying WiFi Firmware to Track Wireless Devices

For my Bachelor's thesis, I demonstrated a severe privacy vulnerability that affected most modern smartphones at the time, allowing an observer to track a user and infer their location history. I developed an Android app that passively tracks wireless devices based on the WiFi probe requests they broadcast, showing tracking results in real time.

The tracking data comes directly from the Broadcom WiFi chip, because I modified its firmware using the Nexmon reverse engineering framework (created by my thesis supervisor). Probe requests are special WiFi management frames that are usually not accessible from user space. Because the tracking code lives in the firmware, it runs on the WiFi chip's own ARM core instead of the host CPU, allowing continuous tracking in the background without affecting normal smartphone usage and with minimal impact on battery life.

Using this tracking system, I ran a measurement campaign to study the impact of this vulnerability by analyzing the probing behaviour of different smartphone models. Most devices were vulnerable and regularly sent probe requests, some even containing the SSIDs of recently connected networks. In response to such tracking approaches, Android and iOS nowadays randomize the MAC address to protect user privacy, but this was uncommon back when I evaluated this.
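To make concrete what a probe request leaks and why MAC randomization is the fix, here is an added Python example (not code from the thesis, the app or Nexmon): it parses raw 802.11 probe requests, extracts the source MAC and the SSID element, and treats a source address with the locally administered bit set as randomized and therefore not linkable across bursts. The frames are constructed inline for the example; a real capture would carry an additional radiotap header.

```python
import struct
from dataclasses import dataclass
from typing import Optional

IE_SSID = 0  # 802.11 information element id for the SSID

@dataclass
class ProbeRequest:
    src_mac: str
    ssid: Optional[str]   # None for a wildcard probe (empty SSID element)
    randomized: bool      # locally administered bit set: MAC randomization in use

def parse_probe_request(frame: bytes) -> Optional[ProbeRequest]:
    """Parse a raw 802.11 probe request (no radiotap header); None for other frames."""
    if len(frame) < 24 or ((frame[0] >> 2) & 0x3, frame[0] >> 4) != (0, 4):
        return None  # not a management frame (type 0) of subtype 4 (probe request)
    src, ssid, body, i = frame[10:16], None, frame[24:], 0
    while i + 2 <= len(body):  # walk the tagged information elements
        eid, elen = body[i], body[i + 1]
        data = body[i + 2:i + 2 + elen]
        if len(data) < elen:
            break  # truncated element, stop parsing
        if eid == IE_SSID and elen:
            ssid = data.decode("utf-8", "replace")
        i += 2 + elen
    return ProbeRequest(":".join(f"{b:02x}" for b in src), ssid, bool(src[0] & 0x02))

def build_probe_request(src: bytes, ssid: str) -> bytes:
    """Constructed sample frame: FC 0x0040, broadcast DA/BSSID, SSID + supported-rates IEs."""
    hdr = struct.pack("<HH", 0x0040, 0) + b"\xff" * 6 + src + b"\xff" * 6 + b"\x00\x00"
    return hdr + bytes([IE_SSID, len(ssid)]) + ssid.encode() + bytes([1, 4, 0x82, 0x84, 0x8b, 0x96])

def trackable_devices(frames: list) -> dict:
    """Map each globally unique source MAC to the SSIDs it leaked; randomized MACs are dropped."""
    seen = {}
    for f in frames:
        pr = parse_probe_request(f)
        if pr is None or pr.randomized:
            continue  # not a probe request, or a randomized MAC that cannot be linked across bursts
        seen.setdefault(pr.src_mac, set())
        if pr.ssid:
            seen[pr.src_mac].add(pr.ssid)
    return seen

# Constructed sample capture: one fixed-MAC phone, one randomizing phone, one beacon frame.
SAMPLE_FRAMES = [
    build_probe_request(bytes.fromhex("001122334455"), "HomeWifi"),
    build_probe_request(bytes.fromhex("001122334455"), "CoffeeShop"),
    build_probe_request(bytes.fromhex("001122334455"), ""),          # wildcard probe
    build_probe_request(bytes.fromhex("da1122334455"), "Office"),    # 0xda has bit 0x02 set
    b"\x80\x00" + b"\x00" * 22,                                       # beacon, ignored
]

if __name__ == "__main__":
    print(trackable_devices(SAMPLE_FRAMES))
```

Only the device with a globally unique MAC is linked to the networks it probed for; the randomizing device yields nothing to link.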