Question about WIFI intelligence gathering by Google/Apple through phones

I've speculated on this long enough and want to put speculation to rest and get a definitive answer on this if possible.

We know that regular Android phones that run Google components gather wifi data constantly and send it. This includes SSID information of all nearby routers and (I guess) their MAC addresses.

  1. What I want to know is, can they also pick up the wifi signature (MAC, or maybe other identifiers) of other devices (phones) that are nearby as well? What can they pick up?

    I want to know for example if my phone has its wifi on and is talking to my home router, do the "normie phones" nearby pick up information about my phone too and report it?

  2. Also I'm curious, when I have my wifi on with GOS, but I'm not connected to any wifi, is my phone broadcasting any information without being connected to a wifi? Given the fact that GOS has MAC randomization per network (or per connection) brings the question, what is it broadcasting when it's not connected to any wifi? Can it be detected at all? If yes what can other devices see about it? Can it be requested to respond? What does it respond with?

Thanks in advance.

    1. Do they? idk. Can they? ↓

    2. It'll at the very least broadcast a list of saved SSIDs, because the phone is constantly looking for them so it can auto-connect once they are in range. I don't know if a MAC address is included in that list, but it'll most certainly be sending one if it does attempt to connect.

    MAC address randomization per-network is not going to help here because you will be trackable based on your list of saved networks. They'll be able to tell it's the same phone as long as it keeps sending the same info every time. To avoid this, delete every saved network after using them, or if you don't need wifi outside of home, enable the option to auto-disable wifi when not in use (15 sec is the minimum.)

      Ammako It'll at the very least broadcast a list of saved SSIDs,

      I thought that would only be the case for saved hidden SSIDs, not normal SSID. Is it not true?

        evalda

        2) Only hidden SSIDs are sent out in beacon frames. Other saved networks won't broadcast what they're looking for. The AP is the one that broadcasts the SSID in that case.
        It's a common recommendation though to unsave popular SSIDs such as from public WiFi, as some attackers waterhole them to get clients to connect or at least attempt to.

        1) Only Wi-Fi adapters that are in monitor mode should be able to parse out client devices. It's kind of like promiscuous mode for network adapters. In monitor mode, every frame is available, even ones not meant for broadcast or connecting to the AP (such as other clients connected to other APs).
        Normally, a Wi-Fi adapter is strict about what information it uses. It's normally looking only for access points, unless it's in ad-hoc mode. Many wireless adapters need special firmware for monitor mode as well. I'm not sure about Pixel devices though.

          Graphite
          Cool thanks.

          I'd appreciate if someone like @GrapheneOS or @strcat or one of the other staff members with technical knowledge about this could also comment. If possible.

          Thank you.

            User2288
            Would be nice to hear from them. But this isn't GrapheneOS specific. Not even unique to Pixels. They don't alter the behavior of the network stack.

            7 days later

            User2288

            Also I'm curious, when I have my wifi on with GOS, but I'm not connected to any wifi, is my phone broadcasting any information without being connected to a wifi? Given the fact that GOS has MAC randomization per network (or per connection) brings the question, what is it broadcasting when it's not connected to any wifi? Can it be detected at all? If yes what can other devices see about it? Can it be requested to respond? What does it respond with?

            Please read https://grapheneos.org/usage#wifi-privacy. Avoid using hidden APs as recommended there. MAC randomization alone is not enough and Pixels combined with GrapheneOS address the other issues including probe sequence number randomization, minimal probe requests, minimal DHCP information, per-connection MAC randomization by default (GrapheneOS only), fresh DHCP state when using a fresh MAC (GrapheneOS-only), etc.

            Ammako

            It'll at the very least broadcast a list of saved SSIDs, because the phone is constantly looking for them so it can auto-connect once they are in range. I don't know if a mac address is included in that list, but it'll most certainly be sending one if it does attempt to connect.

            That's not correct. Saved SSIDs are only broadcast for hidden SSIDs. Hidden SSIDs are an anti-privacy legacy feature and are almost never used except by misguided power users harming their privacy with it. They do not hide the existence of the access point when any devices are connected and each device using it will broadcast probes looking for it, reducing the privacy of each device using it. It heavily reduces rather than increasing privacy. A wireless access point which doesn't move is simply a static landmark comparable to a tree as long as you don't include private information in the name. On the other hand, most devices using Wi-Fi are mobile devices and using hidden SSIDs allows tracking them.

            evalda It's not true. Only hidden SSIDs get broadcast. Hidden SSIDs are a privacy anti-feature and shouldn't be used.
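An added example, not part of any post in this thread: a small parser for auditing a capture of your own device's probe requests, showing why a saved hidden SSID undoes MAC randomization as described above. It assumes raw 802.11 frames with the radiotap header already stripped; the function names, the SSID `HomeHidden` and all sample frames are constructed for illustration.

```python
import struct

def parse_probe_request(frame: bytes):
    """Parse a raw 802.11 frame (radiotap header already stripped).
    Returns None unless the frame is a probe request."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if (ftype, subtype) != (0, 4):          # management / probe request
        return None
    src = frame[10:16]                      # Address 2 = transmitter
    seq = struct.unpack_from("<H", frame, 22)[0] >> 4
    ssid, pos = None, 24                    # tagged elements follow the header
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            break                           # truncated element, stop parsing
        if tag == 0:                        # SSID element
            ssid = body.decode("utf-8", "replace")
            break
        pos += 2 + length
    return {"src": src.hex(":"), "seq": seq, "ssid": ssid,
            "local_admin_mac": bool(src[0] & 0x02),  # set on randomized MACs
            "directed": bool(ssid)}         # empty SSID = wildcard probe

def leaked_ssids(frames):
    """Map each SSID named in a directed probe to the source MACs that sent it."""
    seen = {}
    for frame in frames:
        info = parse_probe_request(frame)
        if info and info["directed"]:
            seen.setdefault(info["ssid"], set()).add(info["src"])
    return seen

def sample_frame(fc0, src_hex, seq, ssid):
    """Build a constructed test frame; not a real capture."""
    header = (bytes([fc0, 0]) + b"\x00\x00" + b"\xff" * 6 +
              bytes.fromhex(src_hex) + b"\xff" * 6 + struct.pack("<H", seq << 4))
    return header + bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])

SAMPLES = [
    sample_frame(0x40, "daa119000001", 100, b""),            # wildcard probe
    sample_frame(0x40, "daa119000001", 101, b"HomeHidden"),  # directed probe
    sample_frame(0x40, "5e3307000002", 7, b"HomeHidden"),    # new MAC, same SSID
    sample_frame(0x80, "001122334455", 1, b"CafeAP"),        # beacon, ignored
]

if __name__ == "__main__":
    print(leaked_ssids(SAMPLES))
```

An empty result from `leaked_ssids` on your own capture means the device sent only wildcard probes; any SSID that appears under more than one source MAC ties those randomized addresses to the same saved network.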

            • [deleted]

            I hope you will forgive me this off-topic comment and you're welcome to delete it but from this familiar authoritative undertone I sense, I feel like DM is still with us. But that is not at all a bad thing :)