The Scrambler Attack

One of the main advantages of Software Defined Radio (SDR) is that we can access all data and information of the physical layer. A good example of data that is easy to access with an SDR but not available from normal WiFi cards is the scrambler seed. According to the standard, these seeds should be random. Looking at the seeds with our SDR, we found that this is usually not the case.

This is a privacy problem, especially in Vehicular Networks, where a huge effort was made to hide the identity of vehicles. But it is not only about vehicles: other privacy-preserving mechanisms, like MAC address randomization during active scanning, are also useless if cards can be identified based on their scrambler seeds.

Scrambler Algorithm
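
The following sketch is an added example, not code from this page or from the paper. It implements the IEEE 802.11 OFDM scrambler (generator polynomial x^7 + x^4 + 1), recovers the seed from the first seven scrambled bits of a frame (which carry the zero bits of the SERVICE field), and measures how regular a card's seed sequence is. The sample frames, the incrementing-seed card, and all function names are constructed assumptions for illustration.

```python
from collections import Counter

def keystream(state, n):
    """n bits of the 802.11 scrambler S(x) = x^7 + x^4 + 1; state is [x1..x7]."""
    x, out = list(state), []
    for _ in range(n):
        fb = x[3] ^ x[6]            # x4 XOR x7
        out.append(fb)
        x = [fb] + x[:6]            # feedback becomes the new x1
    return out

def scramble(seed, bits):
    """XOR data bits with the keystream (descrambling is the same operation)."""
    return [b ^ k for b, k in zip(bits, keystream(seed, len(bits)))]

def recover_seed(scrambled):
    """Initial state from the first 7 scrambled bits (SERVICE bits 0-6 are zero)."""
    x = scrambled[6::-1]            # state after 7 steps: x1 = s7 ... x7 = s1
    for _ in range(7):              # run the register backwards 7 steps
        x = x[1:] + [x[0] ^ x[4]]   # old x7 = x1' XOR x5'
    return x

def to_int(state):
    return int("".join(map(str, state)), 2)   # x1 as MSB (convention chosen here)

def dominant_delta(seeds):
    """Most common step between consecutive seeds (mod 128) and its share of pairs."""
    deltas = Counter((b - a) % 128 for a, b in zip(seeds, seeds[1:]))
    delta, count = deltas.most_common(1)[0]
    return delta, count / (len(seeds) - 1)

def sample_frames(n=20, start=0b1011101):
    """Constructed sample: a hypothetical card that increments its seed per frame."""
    frames = []
    for i in range(n):
        v = (start + i) % 128 or 1              # the all-zero state is not usable
        seed = [int(c) for c in format(v, "07b")]
        bits = [0] * 16 + [1, 0, 1, 1, 0, 0, 1, 0]   # SERVICE field + payload bits
        frames.append(scramble(seed, bits))
    return frames

if __name__ == "__main__":
    seeds = [to_int(recover_seed(f)) for f in sample_frames()]
    print(seeds, dominant_delta(seeds))
```

For seeds drawn uniformly at random, the share returned by `dominant_delta` stays small; a share close to 1 means consecutive frames from the same card can be linked even when higher-layer identifiers change.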

Publications

In our paper, we present the Scrambler Attack and show that many WiFi cards are vulnerable. Furthermore, we study the impact of the attack on location privacy in Vehicular Networks.

Bastian Bloessl, Christoph Sommer, Falko Dressler and David Eckhoff, "The Scrambler Attack: A Robust Physical Layer Attack on Location Privacy in Vehicular Networks," Proceedings of 4th IEEE International Conference on Computing, Networking and Communications (ICNC 2015), CNC Workshop, Anaheim, CA, February 2015, pp. 395-400.

Publications by Others

We are happy that our work attracted some interest from the research community. While our work focused mainly on Vehicular Networks, Mathy Vanhoef put it into the larger context of WiFi:

Mathy Vanhoef, Célestin Matte, Mathieu Cunche, Leonardo S. Cardoso and Frank Piessens, "Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms," Proceedings of 11th ACM Asia Conference on Computer and Communications Security (ASIACCS 2016), Xi'an, China, May 2016, pp. 413-424.