On Wed, 14 Sep 2016 00:24:59 -0000 (UTC), William Unruh wrote:

If you know the MAC address of your equipment (e.g., automotive WiFi
beacons), and the MAC address of someone else's equipment, how can you look
up *where* your phone currently is?

You cannot. There is no necessary relationship between IP addresses and
location. Now often there is some rough correlation, but that is all you
can do.

I realize you're trying to help, so I will just try to be gentle at the
same time I'm trying to be blunt (you can do the same with me).

Nobody said anything about IP addresses.
And the *location* is inside of Google's database.

What I'm trying to understand is how the system works.
And then I'm trying to see if there is a *vulnerability* in the system.

I'm not a hacker (as a hacker would have far more technical acumen and a
hacker wouldn't be asking about a vulnerability on the net like this).

What I see is a *vulnerability* but you're *never* gonna see that
vulnerability if you keep talking about IP addresses!

I know that a public free easily accessible Google API maintains that
information, where if you know the MAC address of the person you're trying
to track, you can find out instantly if two MAC addresses are near each
other from anywhere in the world:
https://developers.google.com/maps/d...location/intro

Nope.

I realize you're trying to help, but just saying "Nope" wastes *everyone's*
time, including yours and mine - but mostly other people have to read me
responding to you, which, if all you say is "Nope" means you don't have a
clue what you're talking about.

It's a *fact* that you can query Google's database to find the *location*
of a BSSID. Google implemented a (IMHO weak) "security" system by requiring
*two* BSSIDs.

It's this weak security that I'm searching for the vulnerability of.

It's a *fact* that you only need three things to get a GPS location out of
the Google database:
1. BSSID 1
2. BSSID 2 (added as a weak security feature!)
3. Signal Strength

Do you dispute *that* fact?

For the Google lookup, the only *mandatory* parameters a
1. MAC ADDRESS #1
2. MAC ADDRESS #2
3. A fabricated signal-strength value

Except for fun, I would not rely on it.

That's not at all the point!
I am probing a perceived privacy vulnerability in the Google system.
I am doing this not to take advantage of that perceived vulnerability, but
to better *understand* that privacy vulnerability.

Specifically, with the facts known, "if" your cellphone does broadcast an
SSID, then your cellphone *can* be tracked.

Do you dispute that statement (which I have backed up in gory detail
already)?

Why or why not?

As a trivial example, lets say I run a VPN from Vancouver to Italy.

*[Where is Jeff LIebermann when we need him?]*


What on earth does this question have to do with IP addresses?

I realize you're trying to help - but what you're doing is *jumping* to
conclusions that *nobody* else is talking about.

VPN has *nothing* whatsoever to do with this problem.
The entire Internet has (almost) nothing whatsoever to do with this
problem.

The *only* way the Internet is even involved is that your neighbor's
cellphone is *sending* your SSID & MAC & GPS location & Signal Strength
(etc) of your router *over* the Internet to Google.

So the IP address (and VPN) is completely irrelevant to this question.

My
IP will probably be an Italian one as far as the world is concerned. My
computer however is in Vancouver.

This question has absolutely nothing to do with IP addresses and VPNs.
Where did you get the idea that the question had *anything* to do with the
Internet?
I'm sorry if I'm being too blunt, but I'm focused on getting the answer to
a *simple* question.

Q: When does an Android cellphone broadcast an SSID?

NOTE: The SSID has nothing to do with the question but people get all hung
up if I ask the question this way:

Q: When does an Android cellphone broadcast a BSSID?

This question has absolutely nothing to do with IP addresses and VPNs.
Where did you get the idea that the question had *anything* to do with the
Internet?
I'm sorry if I'm being too blunt, but I'm focused on getting the answer to
a *simple* question.

Q: When does an Android cellphone broadcast an SSID?

NOTE: The SSID has nothing to do with the question but people get all hung
up if I ask the question this way:

Q: When does an Android cellphone broadcast a BSSID?

Oh, what the hell. I'll give it a try.

In the following I tend to intersperse WAN and LAN as well as BSSID and
MAC. The basic underlying concepts work in both environments (with some
fudging).

SSID has nothing to do with cellphones. It has to do with wifi only.
The same is true for BSSID.

SSID is just a name. There could be thousands of wifi access points
around the world with the same SSID.

A wifi access point consists of one or more radios to create a WAN.
Each radio is a BSS with a BSSID, which is also known as a MAC. Each
network device/radio has (by design, but not always in fact) a unique
value for the MAC.

A device wishing to connect to a wifi access point looks for a broadcast
wifi packet with a particular SSID in the data field of the packet. The
header to the packet contains the BSSID/MAC of the access point in
source field. To connect to the access point the device sends a packet
back to the sender of the broadcast by putting the access point's BSSID
in the destination field of the packet and its own MAC in the source
field. The rest of the connection protocol is left as an exercise for
the reader.

Until things get handed over to (presumably) DHCP there is no way to
communicate other than the use of MAC addresses in the appropriate
fields of the LAN packets. Strictly speaking, even after an IP address
is assigned to the device, all communications on the LAN/WAN is still
through the use of BSSID/MAC. It is only after a packet is recieved by
the router that higher levels of network communications kick in and a
packet will be repackaged with the necessary outer packet to make its
way to the internet.

So, "Q: When does an Android cellphone broadcast an SSID?"

A: Keying on the use of the word "broadcast" and ignoring the use of the
word "cellphone" because it doesn't apply, only when it is acting as
its own access point/hot-spot for other devices. After all, an SSID
is only a name.

And, "Q: When does an Android cellphone broadcast a BSSID?"

A: Again, keying on the use of the word "broadcast" and ignoring the
word "cellphone" the answer is the same as for the previous question.
However, as mentioned earlier, the MAC/BSSID is used in every packet
that is sent back and forth with the access point, but is strictly
usable only within the geographic area that the radio signals reach,
which is pretty much limited to line of sight communications and for
which walls are only semi-transparent at those frequencies.

Now, with all that said, there is in theory nothing to stop any program
running as part of the wifi access point or within the connecting device
to query its own networking internals to grab its own MAC address or the
MAC address of devices it is communicating with and send that info out
onto the internet to some recipient along with info from its own GPS, if
available.

So, while it is not part of the normal protocols to reveal that
information it is not inconceivable that some user level program could
be doing the nasty deed.

Furthermore, all of this is at best fleeting information because a
network device's MAC address is held in ROM on the device. The network
software in a device reads the ROM to get the MAC, but is in no way
required to use that address when constructing packets that will go out
the device. The device itself *DOES NOT* insert the address into the
outgoing packets. That is all handled by software. Therefore it is
trivial for the software to use whatever MAC address it wants for its
outgoing packets. This is in fact how DECnet used to work, the two high
order bytes of the MAC were changed to reflect the fact that a packet
was a DECnet packet.

As was said before, just flip a few bits and you could suddenly appear
to be on the other side of the planet.

Whew!

Now, what has been left out? Oh yes, the cellphone network. How data
is sent over the cellphone network is probably off topic for most of the
newsgroups listed above. Therefore, I suggest you redirect your
queries/confusions to more appropriate groups.

Bruce .

--

On Wed, 14 Sep 2016 18:41:22 -0400, bruce wrote:

Oh, what the hell. I'll give it a try.

Thanks Bruce. I'm always nice if someone is sincerely trying to answer the
question, and, I do realize that most people don't even *understand* the
question.

In the following I tend to intersperse WAN and LAN as well as BSSID and
MAC. The basic underlying concepts work in both environments (with some
fudging).

All we care about, for *this* discussion, is the MAC address of the 5GHz
and 2.4GHz radios in the iOS or Android cellphones we are trying to track.

That MAC address is also called a BSSID.

Google also logs the SSID, the signal strength, and the GPS location, but
they are not of importance for *this* discussion.

Only the MAC address (aka BSSID) is important for *this* discussion.

SSID has nothing to do with cellphones. It has to do with wifi only.
The same is true for BSSID.

This is not true that "SSID has nothing to do with cellphones".

As Jeff and I just discussed, if an Android or iOS cellphone acts as an
Access Point, then that cellphone will broadcast an SSID.

If that iOS or Android cellphone broadcasts an SSID, it also broadcasts a
BSSID, which is unique to that cellphone. In fact, it broadcasts *two*
BSSIDs, one for each radio (5Ghz and 2.4Ghz).

It's *those* unique BSSIDs which are captured by poorly configured Android
devices and uploaded multiple times a day to the Google Public Database,
along with the GPS location of the poorly configured Android device and the
SSID and Signal Strength of the access point.

Notice this allows such iOS or Android cellphones to be tracked!

SSID is just a name. There could be thousands of wifi access points
around the world with the same SSID.

I agree. SSID is "just a name". If the name ends with "_nomac", Google
promises to *drop* that SSID from its' public database.

However, you must realize that the Google Public Database contains *more*
than the SSID! It contains the *unique* BSSID associated with that SSID,
and furthermore, it contains the Signal Strength of that access point at a
specific GPS location of the poorly configured Android device that is near
that access point.

Anyone who doesn't *understand* that paragraph above can't possibly
understand the topic of this thread - so it's critical that the paragraph
above be *understood*.

A wifi access point consists of one or more radios to create a WAN.
Each radio is a BSS with a BSSID, which is also known as a MAC. Each
network device/radio has (by design, but not always in fact) a unique
value for the MAC.

I agree. Specifically, if an iOS or ANdroid cellphone is acting as an
access point, then its 5GHz and 2.4Ghz radio will broadcast the following:
a. The cellphone AP SSID
b. The cellphone AP BSSID

What you must understand to understand the question, is that poorly
configured Android devices will *send* to Google not only that information
above, but *more* information!

Poorly configured Android devices will send to Google:
a. Your cellphone AP SSID
b. Your cellphone AP BSSID (aka MAC address)
c. Your AP signal strength seen by the poorly configured Android cellphone
d. The GPS location of the poorly configured Android cellpone

A device wishing to connect to a wifi access point looks for a broadcast
wifi packet with a particular SSID in the data field of the packet. The
header to the packet contains the BSSID/MAC of the access point in
source field. To connect to the access point the device sends a packet
back to the sender of the broadcast by putting the access point's BSSID
in the destination field of the packet and its own MAC in the source
field. The rest of the connection protocol is left as an exercise for
the reader.

This part is understood that the BSSID of the 5Ghz and 2.4GHz radios in
both iOS and Android devices is sent in the clear in packets whenever those
cellphones connect to an access point.

But I'm not talking about that.

I'm only talking about when an iOS or Android cellphone has the following
four bits of information *sent* to the Google database by poorly configured
Android devices:
a. Your cellphone AP SSID
b. Your cellphone AP BSSID (aka MAC address)
c. Your AP signal strength seen by the poorly configured Android cellphone
d. The GPS location of the poorly configured Android cellpone

Now, with all that said, there is in theory nothing to stop any program
running as part of the wifi access point or within the connecting device
to query its own networking internals to grab its own MAC address or the
MAC address of devices it is communicating with and send that info out
onto the internet to some recipient along with info from its own GPS, if
available.

Yes. You are correct that there are *other* methods, other than the Google
Public Database, to obtain MAC addresses of devices.

For example, this web site from wardriving softwa
https://wigle.net/

But *this* question is complex enough for most people (almost nobody
understood the question) if I simply stick to the Google mechanism.

Lord knows how complex this question gets if I bring in the Wigle
wardriving mechanism (which even I don't understand).

So, while it is not part of the normal protocols to reveal that
information it is not inconceivable that some user level program could
be doing the nasty deed.

Yep. Wardrivign software.
Or anything from Marius Milner (e.g., netstumbler).

Furthermore, all of this is at best fleeting information because a
network device's MAC address is held in ROM on the device. The network
software in a device reads the ROM to get the MAC, but is in no way
required to use that address when constructing packets that will go out
the device. The device itself *DOES NOT* insert the address into the
outgoing packets. That is all handled by software. Therefore it is
trivial for the software to use whatever MAC address it wants for its
outgoing packets. This is in fact how DECnet used to work, the two high
order bytes of the MAC were changed to reflect the fact that a packet
was a DECnet packet.

This is not true.
Jeff Liebermann explained in the past why it would take an heroic effort to
clone the MAC address of the radio that is sending out the packets.

The cloning is on a different MAC address, which is not the MAC address of
concern here.

Too bad, becuase if it were easy to change the Access Point MAC address,
then I would change mine daily.

As was said before, just flip a few bits and you could suddenly appear
to be on the other side of the planet.

Not true.
You're confusing the easily cloned MAC address with the one that would take
desoldering to change.

Horace Algier writes:

I purposely kept my earlier post at a fairly high level, mostly because
from your other posts I was left with the opinion that you weren't
handling the information you were presented with very well. I attempted
to provide some background for the discussion so that we could at least
agree on the meaning of various terms and the concepts that use those
terms.

While your reply was cordial, for the most part, you did with me as you
have done with others, namely rejected statements which are easily
verified as true.

On Wed, 14 Sep 2016 18:41:22 -0400, bruce wrote:

Oh, what the hell. I'll give it a try.

Thanks Bruce. I'm always nice if someone is sincerely trying to answer
the question, and, I do realize that most people don't even
*understand* the question.

In the following I tend to intersperse WAN and LAN as well as BSSID
and MAC. The basic underlying concepts work in both environments
(with some fudging).

Again, here I was attepting to lay a background.


All we care about, for *this* discussion, is the MAC address of the
5GHz and 2.4GHz radios in the iOS or Android cellphones we are trying
to track.

That MAC address is also called a BSSID.

Google also logs the SSID, the signal strength, and the GPS location,
but they are not of importance for *this* discussion.

Only the MAC address (aka BSSID) is important for *this* discussion.

And here you are trying to bore down to a lower level prematurely, IMHO.

SSID has nothing to do with cellphones. It has to do with wifi only.
The same is true for BSSID.

This is not true that "SSID has nothing to do with cellphones".

Yes, I'm afraid it is true. To reject it implies that you believe that
all cellphones do wifi. I have two on the shelf in this room that do
not do and never did do wifi.

As Jeff and I just discussed, if an Android or iOS cellphone acts as
an Access Point, then that cellphone will broadcast an SSID.

This is consistent with what I wrote above and what I wrote below. This
action has nothing to do with it being a cellphone but to do with it
acting at this point as a wifi device.

If that iOS or Android cellphone broadcasts an SSID, it also
broadcasts a BSSID, which is unique to that cellphone.

Not necessarily. The protocols allow the creation of a BSSID on the
fly. It only has to be unique within the (very short) range of the
radios in use.

In fact, it
broadcasts *two* BSSIDs, one for each radio (5Ghz and 2.4Ghz).

Actually, any wifi device acting as a BSS can identify itself as up to
32 BSSIDs and 1 or more SSIDs per radio. So, yes, a single radio can
simultaneously be using 32 different BSSIDs/MACs.

It's *those* unique BSSIDs which are captured by poorly configured
Android devices and uploaded multiple times a day to the Google Public
Database, along with the GPS location of the poorly configured Android
device and the SSID and Signal Strength of the access point.

As I said below, poorly configured has nothing to do with it when any
user level program running on the BSS or within the cellphone can access
the very same wifi information and pass it on to whomever it wishes.

Notice this allows such iOS or Android cellphones to be tracked!

Did I ever say anything to contradict this? I merely pointed out that
cellphone configuration, if done "properly" (whatever that means) won't
cure the problem when user level code running on the equipment can
accomplish the same thing. In fact, it might be through user level code
that it is being accomplished right now.

SSID is just a name. There could be thousands of wifi access points
around the world with the same SSID.

I agree. SSID is "just a name". If the name ends with "_nomac", Google
promises to *drop* that SSID from its' public database.

While Google might honor the use of the suffix (for now) it doesn't mean
that anybody else will.

However, you must realize that the Google Public Database contains
*more* than the SSID! It contains the *unique* BSSID associated with
that SSID, and furthermore, it contains the Signal Strength of that
access point at a specific GPS location of the poorly configured
Android device that is near that access point.

Anyone who doesn't *understand* that paragraph above can't possibly
understand the topic of this thread - so it's critical that the paragraph
above be *understood*.

That "paragraph above" means absolutely nothing until one understands
that even in a "properly configured" phone user level code could be
gathering the same information (or more) and sending it to agents
unknown.

A wifi access point consists of one or more radios to create a WAN.
Each radio is a BSS with a BSSID, which is also known as a MAC. Each
network device/radio has (by design, but not always in fact) a unique
value for the MAC.

I agree. Specifically, if an iOS or ANdroid cellphone is acting as an
access point, then its 5GHz and 2.4Ghz radio will broadcast the following:
a. The cellphone AP SSID
b. The cellphone AP BSSID

What you must understand to understand the question, is that poorly
configured Android devices will *send* to Google not only that information
above, but *more* information!

Poorly configured Android devices will send to Google:
a. Your cellphone AP SSID
b. Your cellphone AP BSSID (aka MAC address)
c. Your AP signal strength seen by the poorly configured Android cellphone
d. The GPS location of the poorly configured Android cellpone

As stated above, poorly configured is not the problem, and Google might
not be the only recipient.

A device wishing to connect to a wifi access point looks for a
broadcast wifi packet with a particular SSID in the data field of the
packet. The header to the packet contains the BSSID/MAC of the
access point in source field. To connect to the access point the
device sends a packet back to the sender of the broadcast by putting
the access point's BSSID in the destination field of the packet and
its own MAC in the source field. The rest of the connection protocol
is left as an exercise for the reader.

This part is understood that the BSSID of the 5Ghz and 2.4GHz radios
in both iOS and Android devices is sent in the clear in packets
whenever those cellphones connect to an access point.

But I'm not talking about that.

I'm only talking about when an iOS or Android cellphone has the
following four bits of information *sent* to the Google database by
poorly configured
Android devices:
a. Your cellphone AP SSID
b. Your cellphone AP BSSID (aka MAC address)
c. Your AP signal strength seen by the poorly configured Android
cellphone
d. The GPS location of the poorly configured Android cellpone

Get off this poorly configured fixation you have. A perfect config-
uration with any amount of user-level programs has potentially the same
nasty possibilities.

Now, with all that said, there is in theory nothing to stop any
program running as part of the wifi access point or within the
connecting device to query its own networking internals to grab its
own MAC address or the MAC address of devices it is communicating
with and send that info out onto the internet to some recipient along
with info from its own GPS, if available.

Yes. You are correct that there are *other* methods, other than the
Google Public Database, to obtain MAC addresses of devices.

For example, this web site from wardriving softwa
https://wigle.net/

But *this* question is complex enough for most people (almost nobody
understood the question) if I simply stick to the Google mechanism.

Lord knows how complex this question gets if I bring in the Wigle
wardriving mechanism (which even I don't understand).

So, while it is not part of the normal protocols to reveal that
information it is not inconceivable that some user level program
could be doing the nasty deed.

Yep. Wardrivign software.
Or anything from Marius Milner (e.g., netstumbler).

Or maybe even "Angry Birds" does this too!

Furthermore, all of this is at best fleeting information because a
network device's MAC address is held in ROM on the device. The
network software in a device reads the ROM to get the MAC, but is in
no way required to use that address when constructing packets that
will go out the device. The device itself *DOES NOT* insert the
address into the outgoing packets. That is all handled by software.
Therefore it is trivial for the software to use whatever MAC address
it wants for its outgoing packets. This is in fact how DECnet used
to work, the two high order bytes of the MAC were changed to reflect
the fact that a packet was a DECnet packet.

This is not true.

Actually, you are partially correct. DECnet changes the leading four
octets (notice, the proper term is octets, not bytes; I was too casual
in the above paragraph) to "AA 00 04 00". The remaining 2 octets make
up the node within a DECnet network. How do I know this? I'm an
ex-DECie. (Actually, I'm still a DECie but they don't pay me anymore.)
If you want a reference on this a brief desctiption may be found at
https://en.wikipedia.org/wiki/DECnet which contains the following:

"The Ethernet implementation was unusual in that the software
changed the physical address of the Ethernet interface on the
network to AA-00-04-00-xx-yy where xx-yy reflected the DECnet
network address of the host. This allowed ARP-less LAN operation
because the LAN address could be deduced from the DECnet address."

I've avoided making any references to 802 so far here. And my DECnet
references mostly concern(ed) 802.3, 802.whatever all have the same
underpinnings. DEC was one of three companies that colaboratively
"invented" ethernet (at least the hardware specs, that is). The origin
of ethernet comes from the amateur radio two meter band protocols used
in Hawaii, which was called "Aloha Net".

Jeff Liebermann explained in the past why it would take an heroic
effort to clone the MAC address of the radio that is sending out the
packets.

Without reference I can not comment on this, but what I'm talking about
for MAC has nothing to do with cloning.

The cloning is on a different MAC address, which is not the MAC
address of concern here.

Huh?

Too bad, becuase if it were easy to change the Access Point MAC
address, then I would change mine daily.

You might want to look into this then.

As was said before, just flip a few bits and you could suddenly
appear to be on the other side of the planet.

Not true.
You're confusing the easily cloned MAC address with the one that would
take desoldering to change.

That statement is most definately true. I can assure you that when a
VAX computer was moved from one location to another nobody went running
for a soldering iron.

If changing the MAC address (also called the hardware address) was so
difficult, why do you suppose the capability exist in ifconfig(8) to
change it?

Bruce .

--

On Sat, 17 Sep 2016 16:12:40 -0400, bruce wrote:

This is not true that "SSID has nothing to do with cellphones".

Yes, I'm afraid it is true. To reject it implies that you believe that
all cellphones do wifi. I have two on the shelf in this room that do
not do and never did do wifi.

OK. You found a corner case, where not all cellphones do WiFi.
Since I also have iOS equipoment, all my iOS equipment has WiFi also.

While I am sure they exist, I personally have never seen a cellphone that
doesn't do WiFi; but I also have a limit on cellphones of 16GB minimum,
1GHz minimum, 1GB RAM minimum, etc., where the cost is never below $200 so,
the cellphones "I" have bought *all* have WiFi.

I did goof with the wife's $200 Moto G, which only has 2.4GHz WiFi, since I
simply *assumed* that all of the WiFi cellphones had *both* 2.4GHz and 5GHz
WiFi ... so I agree with you on the wide range of what Android phones do.

As Jeff and I just discussed, if an Android or iOS cellphone acts as
an Access Point, then that cellphone will broadcast an SSID.

This is consistent with what I wrote above and what I wrote below. This
action has nothing to do with it being a cellphone but to do with it
acting at this point as a wifi device.

I think here is where we get mired in conflicting details, which are better
discussed in person, because the mere fact that the BSSID is encapsulated
in the clear in the WiFi packet is *absolutely meaningless* for the purpose
of this discussion *if* all those poorly configured Android devices don't
*upload* that BSSID to the Google Public Database.

The *only* BSSID that matters for this discussion is the BSSID which is
*uploaded* to the Google Public Database by all those poorly configured
Android devices.

If that iOS or Android cellphone broadcasts an SSID, it also
broadcasts a BSSID, which is unique to that cellphone.

Not necessarily. The protocols allow the creation of a BSSID on the
fly. It only has to be unique within the (very short) range of the
radios in use.

I'm completely and intimately familiar with the fact that the BSSID only
has to be unique on the subnet, e.g., you can use DE:AD:BE:EF:CA:FE on your
own network and it won't matter, as long as only a single device on your
network has that BSSID.

Up until Jeff's later responses, I had thought that the BSSID that matters
(which is the one *uploaded* to the Google database by poorly configured
Android devices!) was hard to change, and it is, for a typical
factory-software router.

But Jeff explained that certain firmware will enable that all-important
BSSID (which is the one that is *uploaded* to the Google database by poorly
configured Android devices) *can* be changed on a router.

In addition, Jeff noted that, for Android devices which are *rooted*, that
all-important BSSID (which is the one *uploaded* to the Google publid
database by poorly configured Android devices) *can* be changed.

Unfortunately, a quick search on Google shows a history of Apple *breaking*
any jailbroken device's ability to change that specific BSSID with each new
OS version - so we can effectively say it can't easily be done on iOS
(which is another reason why iOS has less privacy than Android in certain
situtations).

In fact, it
broadcasts *two* BSSIDs, one for each radio (5Ghz and 2.4Ghz).

Actually, any wifi device acting as a BSS can identify itself as up to
32 BSSIDs and 1 or more SSIDs per radio. So, yes, a single radio can
simultaneously be using 32 different BSSIDs/MACs.

Are you saying that you have 32 different access points in "a single
radio"?

It's possible - but remember, the *only BSSID that matters* for this
conversation is the one that is *uploaded* to the Google Public Database by
poorly configured Android devices.

All other BSSIDs are meaningless for the purpose of this discussion.

Given that, are you saying that you have *32* different SSIDs which are
being uploaded, as we speak, to the Google Public Database by all poorly
configured Android devices in your vicinity?

It's *those* unique BSSIDs which are captured by poorly configured
Android devices and uploaded multiple times a day to the Google Public
Database, along with the GPS location of the poorly configured Android
device and the SSID and Signal Strength of the access point.

As I said below, poorly configured has nothing to do with it when any
user level program running on the BSS or within the cellphone can access
the very same wifi information and pass it on to whomever it wishes.

I see why you are frustrated in this conversation.

Jeff already noted that there are *plenty* of situations where a BSSID is
found, in the clear, in the context of WiFi communications.

Since *this* discussion is *only* about exploring privacy flaws in the
Google Public Database, the only BSSID that matters for this discussion is
the BSSID that is *uploaded* to the Google Public Database by all poorly
configured Android devices in your vicinity.

In article , Horace Algier
wrote:

This is not true that "SSID has nothing to do with cellphones".

Yes, I'm afraid it is true. To reject it implies that you believe that
all cellphones do wifi. I have two on the shelf in this room that do
not do and never did do wifi.

OK. You found a corner case, where not all cellphones do WiFi.
Since I also have iOS equipoment, all my iOS equipment has WiFi also.

While I am sure they exist, I personally have never seen a cellphone that
doesn't do WiFi;

this one doesn't:
https://admin.mashable.com/wp-conten...orola-dynatac-
8000x1.jpg

On Sat, 17 Sep 2016 16:12:40 -0400, bruce wrote:

Notice this allows such iOS or Android cellphones to be tracked!

Did I ever say anything to contradict this? I merely pointed out that
cellphone configuration, if done "properly" (whatever that means) won't
cure the problem when user level code running on the equipment can
accomplish the same thing. In fact, it might be through user level code
that it is being accomplished right now.

Since *this* discussion is *only* about exploring privacy flaws in the
Google Public Database, the only BSSID that matters for this discussion is
the BSSID that is *uploaded* to the Google Public Database by all poorly
configured Android devices in your vicinity.

SSID is just a name. There could be thousands of wifi access points
around the world with the same SSID.

I agree. SSID is "just a name". If the name ends with "_nomac", Google
promises to *drop* that SSID from its' public database.

While Google might honor the use of the suffix (for now) it doesn't mean
that anybody else will.

It's even worse than that.
1. While we all know that *hiding* the SSID is futile, it's actually
*useful* to hide your SSID in that the poorly configured Android devices
apparently do *not* upload "hidden" SSIDs to the Google Public Database.

2. However, most of us don't "hide" our SSID from being broadcast (since
there is almost zero security value in hiding the SSID broadcast).

3. Hence, our SSIDs are being *uploaded* to the Google Public Database by
poorly configured Android devices whether or not we have "_nomac" at the
end of the SSID.

4. What's worse, the *unique* BSSID of the radio is also uploaded at the
same time (along with the signal strength of the SSID and the current GPS
location of the poorly configured Android device).

Therefore, the SSID is the *least* of our privacy worries (unless we're
dumb enough to name our SSID after our first and last name or something
similarly identifiable).

The privacy concern is the association of the *hard-to-change* unique MAC
address with its GPS location.

These two critical pieces of metadata are *uploaded* to the Google Public
Database by poorly configured Android devices, whether or not you put
"_nomac" on the SSID.

However, you must realize that the Google Public Database contains
*more* than the SSID! It contains the *unique* BSSID associated with
that SSID, and furthermore, it contains the Signal Strength of that
access point at a specific GPS location of the poorly configured
Android device that is near that access point.

Anyone who doesn't *understand* that paragraph above can't possibly
understand the topic of this thread - so it's critical that the paragraph
above be *understood*.

That "paragraph above" means absolutely nothing until one understands
that even in a "properly configured" phone user level code could be
gathering the same information (or more) and sending it to agents
unknown.

Bruce .... you're trying to argue that the world contains a lot of
parameters, and nobody (not even me!) is disagreeing with you.

You may as well tell me that every radio has a MAC address or that every
radio has an antenna or that every computer on the net has an IP address or
that the BSSID is in every packet, etc.

Nobody is disputing what you're saying - but what you're saying has
*nothing* whatsoever to do with the topic at hand!

The topic at hand is *only* about the BSSIDs that are *uploaded* to the
Google Public Database by poorly configured Android devices.

The two related questions a
a. Under what circumstances is your phone's BSSID uploaded to the Google
Public Database?
b. How would an attacker *exploit* that public database to track the
*location* of the phone?

If you want a *different* topic, then just say so - but *that* is the topic
here that "I" am trying to find out more about.

A wifi access point consists of one or more radios to create a WAN.
Each radio is a BSS with a BSSID, which is also known as a MAC. Each
network device/radio has (by design, but not always in fact) a unique
value for the MAC.

I agree. Specifically, if an iOS or ANdroid cellphone is acting as an
access point, then its 5GHz and 2.4Ghz radio will broadcast the following:
a. The cellphone AP SSID
b. The cellphone AP BSSID

What you must understand to understand the question, is that poorly
configured Android devices will *send* to Google not only that information
above, but *more* information!

Poorly configured Android devices will send to Google:
a. Your cellphone AP SSID
b. Your cellphone AP BSSID (aka MAC address)
c. Your AP signal strength seen by the poorly configured Android cellphone
d. The GPS location of the poorly configured Android cellpone

As stated above, poorly configured is not the problem, and Google might
not be the only recipient.

The two related questions a
a. Under what circumstances is your phone's BSSID uploaded to the Google
Public Database?
b. How would an attacker *exploit* that public database to track the
*location* of the phone?

If you want a *different* topic, then just say so - but *that* is the topic
here that "I" am trying to find out more about.


A device wishing to connect to a wifi access point looks for a
broadcast wifi packet with a particular SSID in the data field of the
packet. The header to the packet contains the BSSID/MAC of the
access point in source field. To connect to the access point the
device sends a packet back to the sender of the broadcast by putting
the access point's BSSID in the destination field of the packet and
its own MAC in the source field. The rest of the connection protocol
is left as an exercise for the reader.

This part is understood that the BSSID of the 5Ghz and 2.4GHz radios
in both iOS and Android devices is sent in the clear in packets
whenever those cellphones connect to an access point.

But I'm not talking about that.

I'm only talking about when an iOS or Android cellphone has the
following four bits of information *sent* to the Google database by
poorly configured
Android devices:
a. Your cellphone AP SSID
b. Your cellphone AP BSSID (aka MAC address)
c. Your AP signal strength seen by the poorly configured Android
cellphone
d. The GPS location of the poorly configured Android cellpone

Get off this poorly configured fixation you have. A perfect config-
uration with any amount of user-level programs has potentially the same
nasty possibilities.

The two related questions a
a. Under what circumstances is your phone's BSSID uploaded to the Google
Public Database?
b. How would an attacker *exploit* that public database to track the
*location* of the phone?

If you want a *different* topic, then just say so - but *that* is the topic
here that "I" am trying to find out more about.