Your assumption is incorrect - Probe requests do not contain the MAC of the AP, only the SSID. Wifi clients usually only save the name and security type/PSK of previously joined networks. In many situations, the same SSID is broadcast by multiple different APs with different MAC addresses in the same area so it wouldn't make sense to remember a specific SSID/MAC pair.
If the same client (iPhone) probes for a list of SSIDs with one random MAC and then probes for the same list again a short while later with a different randomised MAC, you could still track that individual based on the list of networks they probe for.
If the client MAC is randomised for every single new 802.11 probe that makes it harder but you could still track based on a single unique SSID probed for (i.e. something more unique than NETGEAR).
I'm going to look into this and possibly update my tool iSniff GPS.
The randomized MAC address doesn't help here. If two probe requests have different MAC addresses but the same SSID list, then the tracker can guess that they are the same device.
Each device sends beacons out at an interval. By sorting all the probes by these intervals (10Hz or what ever) each will likely be slightly different from each other. So my device sends probes out at 0s another will send it out at 0.5s. Also by co-relating these beacons by signal strength well the random MAC doesn't really matter.
This only occurs for 'hidden' networks. If you do not have any hidden networks in your known network list than you will not be broadcasting SSIDs. This is yet another reason to avoid setting your AP to hidden.
Do you have a source for this? Is there any documentation of this in the 802.11 spec? I'm also wondering if devices send a single probe per SSID they're looking for, or one probe with a list of SSIDs?
If the same client (iPhone) probes for a list of SSIDs with one random MAC and then probes for the same list again a short while later with a different randomised MAC, you could still track that individual based on the list of networks they probe for.
If the client MAC is randomised for every single new 802.11 probe that makes it harder but you could still track based on a single unique SSID probed for (i.e. something more unique than NETGEAR).
I'm going to look into this and possibly update my tool iSniff GPS.