
In this chapter, we introduce current research on location privacy and focus on the works that protect location privacy at the physical/link layer. Previous works are cumulative, i.e. most of the later works take the earlier works as necessary components. Thus, in Section 2.1 we briefly introduce the details of each work in chronological order of proposal. Finally, we compare these works in Section 2.2.

2.1 Overview

According to their main features, we classify the previous works into four classes: Dynamic-based schemes, Unlinkable scheme, Mitigating Network-Overhead scheme and User-Centric scheme. We introduce them in chronological order of proposal.

2.1.1 Dynamic-based Schemes [2003, 2006]

According to the size of the MAC address pool, the dynamic-based schemes can be further divided into the following two subclasses.

• Disposable approach [1]

The scheme enhances location privacy through short-lived, disposable MAC addresses; each disposable address is generated by an MD5 hash chain on a random seed. In other words, the new MAC address is randomly chosen from the pool of 2^48 MAC addresses. The scheme enables mobile stations to update their MAC addresses only at specific time instances (e.g. before associating with access points). Besides, the authors assume that an attacker has already compromised some access points and tracks a user's movement only through the association log of each access point. Thus, the threat to location privacy is limited to the coverage of some access point. If an attacker tracks a user through RSSI/TOA-based tracking methods, the scheme will not resist the attack effectively. However, such more accurate tracking methods should also be taken into account.

• SWAP approach [5]

The SWAP approach enables nodes to exchange their MAC addresses. Thus, the pool size of the SWAP approach is far smaller than that of the Disposable approach. The SWAP approach has the following advantages. First, it does not need all the nodes to update their MAC addresses at the same time. Second, compared with the Disposable approach, it can achieve the same ambiguity with fewer nodes participating in the update. Finally, it does not need any MAC address collision detection. However, the approach spends considerable effort on the communication needed to exchange identities.
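The following sketch is an added illustration, not code from this thesis or from [1]. It shows how an MD5 hash chain on a random seed can yield disposable MAC addresses, and why a draw from the large Disposable pool raises the collision question that SWAP avoids. The chaining direction, the truncation to 48 bits and the handling of the U/L and I/G bits are assumptions, and the names `mac_chain` and `collision_probability` are hypothetical.

```python
import hashlib
import math
import os

def mac_chain(seed: bytes, count: int, set_local_bit: bool = True) -> list:
    """Return `count` disposable MAC addresses from an MD5 hash chain on `seed`."""
    macs, state = [], seed
    for _ in range(count):
        state = hashlib.md5(state).digest()   # next link: h_i = MD5(h_{i-1})
        octets = bytearray(state[:6])         # truncate the 128-bit link to 48 bits
        if set_local_bit:
            # Assumption, not stated in the text: mark the address as locally
            # administered (U/L bit = 1) and unicast (I/G bit = 0). Fixing
            # these two bits shrinks the pool from 2**48 to 2**46 values.
            octets[0] = (octets[0] | 0x02) & 0xFE
        macs.append(":".join(f"{b:02x}" for b in octets))
    return macs

def collision_probability(stations: int, pool_bits: int = 48) -> float:
    """Birthday-bound estimate that at least two of `stations` random
    addresses drawn from a pool of 2**pool_bits values coincide."""
    pool = 2 ** pool_bits
    return -math.expm1(-stations * (stations - 1) / (2 * pool))

if __name__ == "__main__":
    seed = os.urandom(16)                     # random seed kept on the station
    for mac in mac_chain(seed, 3):
        print(mac)
    for bits in (48, 46):
        p = collision_probability(1000, bits)
        print(f"1000 stations, 2^{bits} pool: collision probability {p:.2e}")
```

The collision probability is small but not zero, which is why a scheme drawing from the large pool still needs duplicate-address detection, while exchanging addresses that are already in use does not.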

2.1.2 Unlinkable Scheme [2005]

Basically, the unlinkable scheme uses a Silent Period to reduce an adversary's opportunities to link the new MAC address to the old one [2]. The Silent Period is a variable-length transition period in which a user is not allowed to disclose either the old pseudonym or the new one. With the silent period, the likelihood of both the spatial and the temporal correlation attack is reduced. Because the attacker can eavesdrop nothing during the silent period, the attacker does not know the exact movement of the target. The temporal correlation attack occurs when an adversary links the new MAC address to the old one by observing the average duration of the update time. For example, suppose an attacker is tracking two nodes, A and B, whose average update-time durations are 2 seconds and 3 seconds respectively. If the two nodes update their MAC addresses at the same time, the adversary can break this update through the difference between A's and B's average update-time durations (i.e. 1 second).

The spatial correlation attack occurs when an adversary links the new MAC address to the old one by analyzing the past velocity and direction. Although this scheme provides more protection than the disposable scheme, it also leaves the user unable to access the WLAN for a longer time. Therefore, there is a tradeoff between location privacy and performance.
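The following simulation is an added example, not part of the original thesis or of [2]. It models only the temporal case from the A/B example above and measures how a variable-length silent period lowers the observer's linking accuracy, at the cost of more time off the WLAN. The uniform distribution of the silent period, the observer's "first to reappear is A" rule and the name `simulate_linking` are assumptions.

```python
import random

def simulate_linking(silent_min: float, silent_max: float,
                     trials: int = 20000, seed: int = 1):
    """Return (observer's linking accuracy, mean seconds off the air)."""
    rng = random.Random(seed)        # fixed seed so the run is reproducible
    update_a, update_b = 2.0, 3.0    # average update durations from the text
    correct, off_air = 0, 0.0
    for _ in range(trials):
        # Both nodes drop their old MAC at t = 0. Each stays silent for a
        # random period, then needs its usual update time before the new
        # MAC is first heard.
        reappear_a = rng.uniform(silent_min, silent_max) + update_a
        reappear_b = rng.uniform(silent_min, silent_max) + update_b
        # Observer's rule: the first new address heard belongs to the node
        # with the shorter average update time, i.e. node A.
        if reappear_a < reappear_b:
            correct += 1
        off_air += (reappear_a + reappear_b) / 2
    return correct / trials, off_air / trials

if __name__ == "__main__":
    for max_silent in (0, 5, 20):
        accuracy, offline = simulate_linking(0, max_silent)
        print(f"silent period 0..{max_silent:>2} s: "
              f"linking accuracy {accuracy:.3f}, mean off-air {offline:.1f} s")
```

Without a silent period the 1-second difference identifies both nodes every time; as the maximum silent period grows, the accuracy approaches a coin flip while the mean time without WLAN access grows with it.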

2.1.3 Mitigating Network-Overhead Scheme [2006]

The mitigating network-overhead scheme [3] attempts to minimize the network disruption that results from adopting disposable MAC addresses. Defrawy et al. claim that the re-association process with the AP may take up to 2.5 seconds, and that this process degrades the user's throughput. Therefore, the scheme takes advantage of features derived from Mobile IP and uses a trusted centralized server to map the incoming and outgoing packets to the mobile station with a NAT-like approach. Through the cooperation between the centralized server and the mobile stations, the mobile stations can effectively mitigate the overhead of the re-association process for each MAC address update. However, the tracking attacks that the scheme can resist are the same as for the Disposable scheme, i.e. neither of them can effectively resist RSSI/TOA-based tracking methods.

2.1.4 User-Centric Scheme [2006]

Mingyan et al. claim that each user may need privacy at different locations and times [5]. Therefore, the user-centric scheme was proposed to enable nodes to independently determine where and when to update their identifiers. The scheme assumes that each mobile station has GPS capability, can determine its own location when needed on pre-loaded digital geographic maps, and is also capable of predicting any change in its velocity. Each station therefore updates its MAC address only when its velocity or direction changes. However, this assumption raises the barrier to improving location privacy because it requires additional hardware cost, i.e. GPS. In addition, it might not be reasonable or convenient to ask a pedestrian to input the destination for each move.

2.2 Comparison

In this section, we use Table 2-1 to briefly summarize the previous works. Basically, all the previous schemes assume the access point is semi-trusted, i.e. it forwards packets as expected but can disclose information to an adversary. In addition, both the Disposable Scheme and the Mitigating Network-Overhead Scheme only resist attacks with a single observing node. In other words, they cannot effectively resist triangulation-based tracking. However, the Unlinkable Scheme and the User-Centric Scheme can effectively resist location tracking with triangulation-based techniques.

Table 2-1 summarizes the previous works

| Scheme | Assumption | Resistible Attack | Note |
|---|---|---|---|
| Disposable Scheme | Semi-trusted AP | Single observing node | |
| Unlinkable Scheme | Semi-trusted AP | Triangulation | |
| Mitigating Network-Overhead Scheme | Semi-trusted AP, Trusted Server | Single observing node | |
| User-Centric Scheme | Semi-trusted AP | Triangulation | needs GPS |
