Computer Security: I know what you did last summer

Just in time for the end of the holiday season and with reference to a famous film of the 90s, we set out to study where you’ve been and what you did this (last) summer… without infringing on your privacy as you’re actually already publishing this information freely.

Or, rather, your smartphone is. As discussed in another Bulletin article about the “symbiosis of your life”, most of us carry this kind of beacon with us. This beacon memorises where we’ve been in a number of ways. The most obvious is the GPS location or IP address information your smartphone shares with the Googles and Facebooks of this world and with your local internet service provider (ISP), respectively. While the former use this for marketing and advertising purposes (“if it’s gratis, you pay with your [location] data”) or share it with your favourite sports app (like “Strava”, anyone?) to track your running route, hiking trail or cycling path, the latter is solely for internal purposes and to meet legal obligations. Like ISPs, CERN, for example, keeps a log of which wireless access point your device has been connected to at any moment while using the CERN network (Android and iOS have introduced so-called “MAC address randomisation”, which makes easy correlation more difficult or even impossible). But there are some other easy ways to know what you did last summer without being an ISP or a Facebook-alike. Enter “SSIDs”.

An SSID is the non-unique name of a wireless network, like “CERN”, “eduroam”, “FREE WIFI GVA” or “Livebox-XB4X”. This is the name and description of the wireless network your device connects to. Manually, if you enter it the first time; automatically, if it’s already known to your device. And to make it extra convenient, your device stores all the SSIDs it has ever connected to. On an iPhone, just go to “Settings” -> “Wi-Fi” -> “Edit”; on an Android phone it’s in “Saved networks”. Now you know what you did last summer. And before. All your SSIDs are there. And by their names you can easily figure out where you’ve been… But we’re not done yet. Because third parties can figure it out, too.

If Wi-Fi is enabled, your smartphone is always trying to connect to a wireless network. That makes your life convenient. Internet everywhere. Coming to CERN, prompt Wi-Fi connectivity. Returning home, immediate internet access. When travelling, “eduroam” signs you in automagically and gets you swiftly connected to the internet without further ado. To do so, however, your smartphone needs to advertise itself to the network, to ask whether anyone has “seen” a particular SSID, broadcasting the list of your saved SSIDs one by one. And this is where you lose your privacy. Letting everyone know what you did last summer, and even before (as this SSID information does not come with any time stamps).

This is what we did, without attributing any SSID to a particular device: we just collected all the SSIDs that the smartphones around Building 31 were advertising at a specific moment in time. Airports. Hotels. Institutes. Conferences. Restaurants. Bars. Museums. Shops: Prague Airport Wifi Free, #StarbucksWifi, *Louvre_WiFi_Gratuit, .La Jolla Village Guest WiFi, ATLAS WEEK, AirFranceCONNECT, Airport-Frankfurt, AlohaHostel, Alpen Resort Public WiFi, Ambleside Tavern, BEAURIVAGE, BESTWESTERN, BMW Public, BostonPublicLibrary, Brussels Airport free Wi-Fi, Camping Zermatt Public WiFi, DESY guest legacy, Dunkin' Donuts Guest, ESA-wireless, Foyer Schumann, GELATERIA ITALIANA, GenuaWifi, Glasgow, Gran Hotel Santiago, Grand Elysee, GrandCentral_FreeWiFi, Helsinki Airport Free Wi-Fi, Hilton Honors, Hotel de Ville, INTERMARCHE, ITER-Guest, Incanto-Ristorante, Jiva Hill free access, KFC Hotspot, MIGROS WiFi, MarriottBonvoy_Guest, McDonald's Free WiFi, MonacoWifi, Pneus Claude Wifi Clients, Porsche HotSpot, Pret-a-Manger, Public WiFi Interlaken, Radisson_Guest, Raiffeisen Bank - Free WiFi, Regiojet - zluty, Room#507, Starbucks WiFi, Styles Hotel, THE BARISTA LAB public, The Bowling Balexert, Val Thoiry - WiFi Gratuit, VertigoJazzClub, VorstadtBistroSolothurn, Wirtshaus Franz, Wyndham Public, ZurichAirport, _Free JFK WiFi, _SNCF gare-gratuit, easyJet onboard, esa-conference, etc., etc. Indeed, we know what you (all) did last summer.
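To make concrete what a device reveals when it asks for a saved network, the following added example (not code from the article or from CERN) parses IEEE 802.11 probe request frames and counts the SSIDs they carry without attributing them to a device, as described above. The frames and MAC addresses are constructed sample data and the function names are this example's own; the output shows that a randomised MAC address does not hide the SSID, while a wildcard probe (empty SSID) names no network.

```python
import struct
from collections import Counter

BCAST = b"\xff" * 6

def build_probe(src_mac: bytes, ssid: str) -> bytes:
    """Build a minimal probe request (constructed sample input, not captured traffic)."""
    # 24-byte management header: frame control 0x0040 = type 0 (management), subtype 4
    header = struct.pack("<HH6s6s6sH", 0x0040, 0, BCAST, src_mac, BCAST, 0)
    name = ssid.encode()
    ssid_ie = bytes([0, len(name)]) + name            # element ID 0 = SSID
    rates_ie = bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])  # element ID 1 = supported rates
    return header + ssid_ie + rates_ie

def parse_probe(frame: bytes):
    """Return (source MAC, SSID or None for a wildcard probe, MAC randomised?) or None."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0 or (frame[0] >> 4) != 4:
        return None                                   # not a probe request
    src, ssid, pos = frame[10:16], None, 24
    while pos + 2 <= len(frame):                      # walk the tagged elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            break                                     # truncated element
        if eid == 0:
            ssid = body.decode("utf-8", "replace") if elen else None
            break
        pos += 2 + elen
    # Locally administered bit set => address is not the factory MAC (randomised)
    return src.hex(":"), ssid, bool(src[0] & 0x02)

def advertised_ssids(frames):
    """Count SSIDs seen in directed probes, ignoring which device sent them."""
    names, wildcard = Counter(), 0
    for parsed in filter(None, map(parse_probe, frames)):
        if parsed[1] is None:
            wildcard += 1
        else:
            names[parsed[1]] += 1
    return names, wildcard

RANDOM_MAC = bytes.fromhex("daa119000001")   # constructed, locally administered
FACTORY_MAC = bytes.fromhex("001122334455")  # constructed, globally administered
SAMPLE = [build_probe(RANDOM_MAC, "eduroam"), build_probe(RANDOM_MAC, "CERN"),
          build_probe(FACTORY_MAC, "eduroam"), build_probe(FACTORY_MAC, ""),
          b"\x80" + build_probe(FACTORY_MAC, "CERN")[1:]]  # beacon: ignored

if __name__ == "__main__":
    print(advertised_ssids(SAMPLE))
```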

So, be aware of what your smartphone shares with the world. The SSIDs it has connected to, the SSIDs where you’ve been. And if you want to regain control, go into your Wi-Fi settings and either delete all the SSIDs you no longer want to be associated with or disable automatic connections in general (note that you’ll need to re-register if you want to connect to a particular network again). Otherwise, everybody will know what you did last summer…

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.