The blog is trying to mask wifi probe requests. Active scan and connect modes are disabled on iOS and most modern smartphones from my knowledge. Back in the golden days, we use to track people around based on their wifi signals, we also developed a machine learning system to determine where a person was based on their RSSI over time (we used time warping networks).
I believe recent versions of IOS still do this in some form, but they use random MAC addresses. But even if recent devices don't send out probe requests anymore, there are still many older devices or devices with out-of-date OSes to make this work.
While testing I didn't really have a way see what percentage of devices around me sent probe request, but the absolute amount of devices is still high.
The best ideas are the ones you could have come up with yourself but didn't someone else made the cool white box. Nice work simple and a little creepy hardware design mocking our lack of privacy best practices.
The second paragraph tries to explain what this device is supposed to do or what real problems it solves. Again, how keeping a collection of 'signals' helps with privacy?
So does my iPhone "yell" those wifi names? How and what exactly does it yell?
Won't this linger device make me a unique and traceable fingerprint? Is this about privacy?
I believe the idea is to make it so this technique isn't useful for analytics anymore (edit: because your MAC mining data would be telling the user is in 100+ places at once). If it would work is an entirely different story because since the devices are stationary and not moving (like a device in your hand or pocket would) would it be easily detectable that it was a "faking" device.
It is not so much about your device being at many places at the same time (though it is a nice side-effect) as it is about polluting tracking databases. If you normally have 10 people in an area, and all of a sudden there are 2000, you know something is wrong. But there is no telling which of these 2000 devices is the real one, meaning you have to accept false metrics, or remove all of them from your system (including the real device).
Pollution is essentially what I meant apologies for my poor phrasing.
However detection of these devices could become easy considering they probably wouldn't move a lot, meaning you'd have to either (a) move the device frequently and randomly or (b) the antenna that reproduces the signal would need to add a bit of weakness to the signal to adjust and make the user look like he is moving.
(e.g. If the signal strength stays the same constantly then it might be easy to tell the user isn't moving ever and therefore likely not a spot they are at currently, or even if everyone shares a very similar signal strength).
According to the description on GitHub the system only adjusts the sequence numbers.
I absolutely love how simple and clever this is, from a security/privacy perspective. The display of the number of folks in your "group" is pure fun. =)
I kind of wish this could be an app. Anyway to replicate the effect on iOS or Android? Or do they not expose the necessary APIs?
One of the things you'll need is a network card with the ability to go into monitor mode, which allows it to see all traffic instead of only traffic meant for your device. I don't think there are a lot of mobile phones that have such a card (the Nokia N900 did).
Depends on the phone and if they use passive or active probing [1]. I also do not see a way to disable it globally yet as it's currently in the Google Issue Tracker [2]. Some say it's meant to be passive by default however Android documentation doesn't specifically state this [3].
"The existence of an hidden function to start an active scan (reported here) suggests that the normal scanning function is indeed passive. This is to be taken with a grain of salt, though, as the Android documentation doesn't explicitly tell if the function WifiManager.startScan() is passive or not." [3]
edit
Looks like iOS randomizes the MAC address while scanning for WiFI networks since iOS 8 (should be noted that it says "may not always be the device's real (universal) address" [4].
edit2
After some more reading supposed Android 6.0 solves this issue by randomizing the mac address as well, however the user in this blog tested it and was able to still get the original MAC address [5].
edit3
After even more reading it's kind of hard to tell what devices are affected and who isn't (Some say Google phones aren't affected and it's just OEM phones, however others claim that some Google phones are still affected by this issue). The only way to get this fixed globally is to have a security push to all supported versions that by default disables it globally then a user can enable it by choice. Considering the spaghetti mess of who is using it by default and who is not.
edit4
I agree with many on that the MAC randomization isn't really a good idea because some networks assign IPs based on the MAC address and to address that issue only the probing/scanning packets have the spoofed MAC address. All a hacker would have to do is create a network with the spoofed SSID and get the user to connect with the real MAC address thereby circumventing the randomization technique.
As you found out, this whole things is pretty unclear and it really depends on the phone/vendor (or combination vendor and software version) . While testing I've noticed some phones use their own MAC address every time (like my Nexus 5), while others change their MAC address.
Changing the MAC address doesn't really help if they send the full probe request though, as you can still use the combination of ESSIDs a device is looking for as a way of fingerprinting them (the chances of someone else asking for the exact same list are quite small).
Also, in one of the cases where I noticed a device using different MAC addresses, it only changed the last part of the address, keeping the vendor ID the same, making identifying a device easier.
Thanks for taking note the entire thing was being presented as irrational. I determined my phone was not leaking this data, so decided to say as much. I appreciate puddintane's work in collecting this information for us. Unfortunately, I decided to not assume to unknown amount of work for myself which would be required for determining a rational outcome for the rest of us. Their work here helped with that immensely.