25/03/2022 - 10:00 Mathieu Cunche (INSA Lyon / Inria) IMAG 106
A growing number of devices carried by users are equipped with wireless technologies such as Bluetooth and Wi-Fi, which allow the seamless exchange of information between devices and the network infrastructure. Because they routinely emit wireless messages carrying identifiers and other technical artifacts in cleartext, these technologies expose users to privacy issues. Focusing on the data included in advertising messages, we identify and analyze the leakage of personal data, and study potential and existing countermeasures.
More specifically, we try to answer the following questions: What are the privacy threats associated with wireless networks? Which solutions can be deployed to protect users against these threats? How efficient are current privacy protection implementations?
We start with an analysis of the privacy features of the two major wireless network standards: Wi-Fi and Bluetooth Low Energy (BLE). We focus our study on address randomization mechanisms, a recently adopted anti-tracking measure, and identify several issues related to implementations as well as to the standard specifications.
To illustrate the diversity and complexity of the issues affecting these technologies, we present two representative cases of personal data leakage in wireless networks. First, leveraging the reverse-engineering of Continuity, a BLE-based protocol developed by Apple, we uncover a collection of personal data leakages impacting billions of devices worldwide. Second, we present an abuse of an Android Wi-Fi permission that can be used to bypass permissions and to infer personal data such as the location of the device.
When confronted with those privacy issues, it becomes necessary to increase user protection by developing privacy-preserving mechanisms, but most importantly by correctly implementing existing ones. Furthermore, it appears that standard specifications are key elements of better protection, and it is thus of utmost importance to promote the integration of privacy protection in these standards.