Mitigation

As far as I know, there are two mitigation techniques:

  • Don’t use probe requests at all. It is by far the most efficient way not to leak any piece of information. As said earlier, it is not necessary to rely on probe requests to get the list of the nearby access points since they broadcast their name by themselves.

  • Randomise the source MAC address of each probe request sent. This way, it’s no longer possible for a third party to link probe requests to a specific device based on the Wi-Fi data collected. However, using a Software-Defined Radio to capture RF metadata such as the frequency offset, it would be possible to fingerprint each Wi-Fi packet, and therefore each Wi-Fi device, regardless of its source MAC address (this technique will be implemented in ProbeQuest).
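To check both mitigations against a capture of your own device's probe requests, the following added example (not part of ProbeQuest) groups records by source MAC and reports what each device still exposes. The function names, verdict labels and sample records are constructed for illustration; the locally administered bit is used as a heuristic for randomisation.

```python
from collections import defaultdict

# Constructed sample: (source MAC, SSID) per probe request; "" is a wildcard probe.
SAMPLE = [
    ("00:11:22:33:44:55", "HomeNet"),
    ("00:11:22:33:44:55", "CoffeeShop"),
    ("4E:12:34:56:78:9A", "HomeNet"),
    ("02:aa:bb:cc:dd:01", ""),
    ("10:20:30:40:50:60", ""),
]


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set.

    Randomised addresses set this bit; a manually overridden MAC can too,
    so treat the result as a heuristic, not proof of randomisation.
    """
    return bool(int(mac.split(":")[0], 16) & 0x02)


def audit(records):
    """Return {mac: (verdict, sorted SSIDs)} for each source MAC seen."""
    seen = defaultdict(set)
    for mac, ssid in records:
        names = seen[mac.lower()]      # registers the device even for wildcards
        if ssid:                       # empty SSID names no network
            names.add(ssid)

    report = {}
    for mac, names in seen.items():
        local = is_locally_administered(mac)
        if names and not local:
            verdict = "exposed"        # network names tied to a stable address
        elif names:
            verdict = "ssid-leak"      # names leak, address not a stable key
        elif not local:
            verdict = "trackable"      # no names, but the address is stable
        else:
            verdict = "ok"             # wildcard probes from a local address
        report[mac] = (verdict, sorted(names))
    return report


if __name__ == "__main__":
    for mac, (verdict, names) in audit(SAMPLE).items():
        print(f"{mac}  {verdict:<9}  {', '.join(names) or '-'}")
```

A device reported as "ok" can still be fingerprinted through RF metadata, as noted above; this check only covers what the frame contents reveal.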

Android

Some Android-based operating systems, like GrapheneOS, randomise the source MAC address natively. Otherwise, you can install Wi-Fi Privacy Police from F-Droid or the Play Store to prevent your Android devices from leaking their PNL.

[Figure: Wi-Fi Privacy Police main screen]

Once installed, the Privacy protection option should be switched on.

iOS

On iOS, the source MAC address has been randomised since iOS 8.