The MAC address is stable once a device is authenticated (connected) to the network. With the trend of providing 'free' wifi access within stores, making sure that users connect to that network is enough to continue tracking them.
> The MAC address is stable once a device is authenticated (connected) to the network.
That is necessary to keep the gateway from having to issue a thousand ARP requests (one for every packet you send from a different MAC), but there is no reason why the MAC chosen to connect to the network couldn't change every time you disconnect and reconnect. That would at least prevent you from being tracked between visits to the store [using this tracking method], even if you actually use the network.
True, but wouldn't the landing pages of most of these services be able to document the OS, browser, resolution, type of device (tablet vs laptop and iOS vs Android) and likely a lot of other stuff?
I can narrow down a huge list to a very short list using the above information along with the probes being sent out, correlated to the signal strength. Timing of each probe can also be leveraged in uniquely identifying; most probes are sent at intervals from each device. Those probes that come in equal intervals are likely from the same source; leveraged against signal strength, you can likely identify a small crowd. To take it even further you can calculate the signal as absorbed through the store to signal congestion and possibly other metrics.
Hence the "using this tracking method" caveat. Now you have to do something much more complicated just to get less specific data. And it's a cat and mouse game: You put up a useless landing page, device makers set their browsers to require TLS for any page previously found to support it, preventing you from redirecting requests to the majority of popular sites. Or they could just detect the ARP misuse that makes captive portals work and patch that particular vulnerability, because screw captive portals entirely.
It's a 48-bit space, so you'd need around 16M people connected with random IDs to have a high chance of collision.
Even by sticking to a certain subset of OUIs, it's still probably fine. On top of that, listening to traffic (even after picking an in-use MAC) would allow you to determine if someone else is using that address.
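The collision estimate discussed above, as an added example that is not part of the original thread. It generalises the 48-bit case to two assumptions of its own: a randomised address with the unicast and locally-administered bits fixed (46 random bits), and a single fixed OUI (24 random bits). The device counts are constructed.

```python
import math
import secrets


def random_laa_mac() -> str:
    """Random unicast, locally administered MAC address (46 random bits)."""
    b = bytearray(secrets.token_bytes(6))
    # Bit 0 of the first octet = multicast flag (must be 0),
    # bit 1 = locally administered flag (set to 1 for a non-vendor address).
    b[0] = (b[0] & 0b11111100) | 0b00000010
    return ":".join(f"{octet:02x}" for octet in b)


def collision_probability(devices: int, random_bits: int) -> float:
    """Chance that at least two of `devices` pick the same address.

    Birthday approximation: 1 - exp(-n(n-1) / 2N), with N = 2**random_bits.
    """
    space = 2 ** random_bits
    if devices > space:
        return 1.0
    # expm1 keeps precision when the probability is tiny.
    return -math.expm1(-devices * (devices - 1) / (2 * space))


def devices_for_probability(p: float, random_bits: int) -> int:
    """Approximate device count at which the collision chance reaches p."""
    space = 2 ** random_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - p))))


if __name__ == "__main__":
    print("sample randomised MAC:", random_laa_mac())
    # Constructed scenarios: full 48-bit space, 46-bit randomised space,
    # and a single OUI (only the 24-bit NIC-specific part is random).
    for label, bits in (("48-bit", 48), ("46-bit LAA", 46), ("one OUI", 24)):
        half = devices_for_probability(0.5, bits)
        busy = collision_probability(5000, bits)
        print(f"{label:>10}: 50% collision at ~{half:,} devices; "
              f"5,000 devices -> {busy:.2e}")
```

The figures are per collision domain: only devices on the same network segment at the same time count toward `devices`.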
By making sure your steel-reinforced concrete mall walls are thick enough to block proper 3G/4G reception (no, really, reception is pretty bad in a lot of indoor places).
But still, I agree, it would be very hard to have everyone connect to your wifi.
It's hard to get everybody, but it's easy to get a significant sample. Just set up an open network called Starbucks WiFi and watch all the iPhones connect to it.
But the device is still visible on wifi even if it does not connect. Some phones will try to connect to known networks proactively and will leak the SSID of those networks.
I wonder if this explains why a lot of these 'free' Wifi networks let you connect with no issues then ask you to log in or whatever when you try to do anything. I figured it was probably just to offer a better login screen (than the Wifi settings on whatever device) but stabilising devices for tracking would make sense too if others do this.
Or, it's to force you to read and accept terms and conditions, to force you to type in your email, to force you to type in a one time use code to connect, to force you to pay money to connect, ...