Allow single key wifi lookups when combined with nearby cell about ichnaea HOT 6 CLOSED

Having proposed this, I do need to list possible problems. If we are trying to mitigate the "Evil Dude is tracking his ex-wife" scenario, and Evil Dude knows the ESSID and MAC of her router, and that she's moved e.g. "somewhere in California", our public data will give him a list of cells in California. Can he then simply send enough requests to brute force the location info out?

from ichnaea.

@gerv Yes, but if we don't prevent brute-forcing, he could also brute force all known mac addresses and check against them all.

There's a balance to strike here between offering a good service and making it harder to abuse it. I think the "evil dude" scenario is highly unlikely, so I'd be willing to ignore it, if we can offer a better service to most users instead.

from ichnaea.

I think it's pretty unlikely too. But brute-forcing all known MAC addresses is a bit more of an effort - it's a 48-bit address space. And anyway, that wouldn't work unless he also correctly guessed the ESSID of the nearby access point, because of our hashing scheme.

from ichnaea.

Oh, we dropped the hashing scheme and any use of the ESSID. After the discussion on dev-security, we concluded that it doesn't actually buy as much. And it prevents us from sharing data with the other projects, as almost none of them record and store the ssid.

from ichnaea.

The API documentary should be updated regarding this issue
-> it says you need at least THREE wifi aps for a correct guess which isn't the actual state (at least 2) anymore as you have said (@hannosch)

from ichnaea.

We are about to publish the cell database, which makes it rather easy to do a search for the couple of large GSM cells covering a wide area + a single WiFi key you are interested in.

I think this is too much risk to try this novel approach here, which none of the other players in this space are using. At this stage of the project we are only aiming to do city / city block accuracies, so I'm not too interested in spending time on WiFi use-cases yet. We can revisit this later.

from ichnaea.