Nordstrom tracking customer movement via smartphones' WiFi sniffing

Nordstrom tracking customer movement via smartphones' WiFi sniffing:

http://nakedsecurity.sophos.com/2013/05/09/nordstrom-tracking-customer-smartphones-wifi-sniffing/

 

Good article, thanks. I don't have the 'Notify About Open Access Points' checked, but like the article said, it's still looking for your 'Home' access point.

I have an app that turns off WiFi, but I may switch to NFC.

Nordstrom fails to mention that the MAC Address (uh oh, here's another case of MACs ) is broadcast as well. Crazy Global Actor Scenario = MAC> MFG> Phone it went into> Serial Number> Who bought it.

I have yet to find a reliable Android app that changes the MAC...still looking.

I may change my home D-Link router, to say "Linksys"...pretty common

PD

 

Using a solution provided by Euclid: http://euclidanalytics.com/

I wonder if this "capture and forward to the cloud" operation applies to just broadcast probe requests or whether it also applies to directed probe requests and the SSIDs that were probed for. Were the later "previously connected to" SSIDs captured and a geolocation database queried, that could reveal information about where people are from. Which I suspect many stores would love to know.

Note that MAC Addresses are only 48-bits which makes for only 281,474,976,710,656 possible combinations. Do you think they used salting/rounds in order to prevent themselves from acquiring, or calculating for themselves, a table of hashes for all MAC Addresses?

They offer a "opt out and delete any existing data from our service" form on their website where you enter just your MAC Address. Which suggests they aren't using a different hashing mechanism for each retailer or if they are they can undo the uniqueness. IOW, it seems they can track you across participating stores and other places where the system is used.

They actually advertise the ability to track "walkbys", so although we'd expect non-customers to be affected by this it sounds as though they'd probably encourage setting up the system so that it does a good job of affecting those outside the store. There is an interesting "sample of Euclid's analytics" graphic at http://news.cnet.com/8301-1023_3-20...ake-euclid-helps-merchants-follow-your-moves/ down on the right. Which shows an overview for 09/18/2011-09/19/2011, identifying 11,182 "people outside" and 849 "shoppers inside". The chart below that summary seems to suggest that at times it was counting over 15,000 "people outside". I'm not sure how they compute that but I think it demonstrates the huge numbers of NON-customers that could be affected by this type of system.

I've heard it said there is an app for everything. Is there an app that generates many probe requests with spoofed MAC Addresses just to bugger up evil systems like this?

 

Dang! Nice investigation. If you can opt out or remove, doesn't that mean that true MACs are retained somewhere? +1 on the app. I'm getting closer and closer to wanting to learn Android programming Maybe The Guardian Project or Moxie will take this up?

PD

 

Almost makes me want to get a mobile device Seriously though, since the probe requests are broadcast there is the potential to create load in the APs operated by nearby innocent/ethical stores. So even if one were OK with jamming the enemy's electronic warfare technique, there could be collateral damage and that ain't cool. There would be ways to try to filter it out as well. Plus, you'd have to spoof MAC Addresses that don't belong to you and that too seems unethical. A thoroughly amusing thought though

 

Was just checking the thread and noticed I overlooked this question, sorry...

The ability to "delete existing data" suggests they keep data, plus one of the advertised points was the ability to identify repeat visitors. So yeah, they must be retaining data about where your MAC Address has appeared. They could, as some words suggest, send hashes of MAC Addresses to their cloud rather than the actual MAC Addresses. In which case their records would contain hashed MAC Addresses along with whatever else was collected. Then to find the records for an actual MAC Address, say one that someone enters to "opt out and delete", they would apply the same hashing algorithm to the actual MAC Address they enter.