METHOD, SYSTEM AND NON-TRANSITORY COMPUTER-READABLE MEDIUM FOR THE UNAMBIGUOUS IDENTIFICATION OF NON-ASSOCIATED WI-FI DEVICES

Abstract

A method, system and non-transitory computer-readable medium for the unambiguous identification of non-associated Wi-Fi devices, where upon receiving (102), by an access point (200), a probe request (202) from a Wi-Fi device (201) not associated to the access point (200), sending (104) a probe response (204) addressed to the non-associated Wi-Fi device (201), wherein the probe response (204) comprises a Hotspot 2.0 Indication element (206) including a ANQP Domain ID field (207) with a determined value; receiving (106), by the access point (200), an action frame (208) sent by the non-associated Wi-Fi device (201) in response to the Hotspot 2.0 Indication element (206) of the probe response (204); obtaining a static MAC address (209) of the non-associated Wi-Fi device (201) from the source address of the received action frame (208); and identifying (110) the non-associated Wi-Fi device (201) based on the obtained static MAC address (209).

Claims

1. A method for the unambiguous identification of non-associated Wi-Fi devices, the method (100) comprising: upon receiving (102), by an access point (200), a probe request (202) from a Wi-Fi device (201) not associated to the access point (200), sending (104) a probe response (204) addressed to the non-associated Wi-Fi device (201), wherein the probe response (204) comprises a Hotspot 2.0 Indication element (206) including a ANQP Domain ID field (207) with a determined value; receiving (106), by the access point (200), an action frame (208) sent by the non-associated Wi-Fi device (201) in response to the Hotspot 2.0 Indication element (206) of the probe response (204); obtaining a static MAC address (209) of the non-associated Wi-Fi device (201) from the source address of the received action frame (208); and identifying (110) the non-associated Wi-Fi device (201) based on the obtained static MAC address (209).

2. The method of claim 1, wherein the value of the ANQP Domain ID field (207) is modified each time the probe response (204) is sent again to the same non-associated Wi-Fi device (201).

3. The method of claim 1, wherein the combined value of the ANQP Domain ID field (207) and the SSID field (402) of the probe response (204) is modified each time the probe response (204) is sent again to the same non-associated Wi-Fi device (201).

4. The method of claim 1, further comprising periodically modifying, by the access point (200), the value of the ANQP Domain ID field (207) to be used in the probe response (204).

5. The method of claim 4, further comprising modifying the SSID field (402) to be used in the probe response (204) when a determined number of values have been used for the ANQP Domain ID field (207).

6. The method of claim 5, wherein the value of the SSID field (402) of the probe response (204) is randomized.

7. A system for the unambiguous identification of non-associated Wi-Fi devices, the system comprising at least one access point (200), wherein each access point (200) comprises: a Wi-Fi interface (210); a processing unit (220) configured to: upon receiving a probe request (202) from a Wi-Fi device (201) not associated to the access point (200), send a probe response (204) addressed to the non-associated Wi-Fi device (201), wherein the probe response (204) comprises a Hotspot 2.0 Indication element (206) including a ANQP (Access Network Query Protocol) Domain ID field (207) with a determined value; receive an action frame (208) sent by the non-associated Wi-Fi device (201) in response to the Hotspot 2.0 Indication element (206) of the probe response (204); obtain a static MAC address (209) of the non-associated Wi-Fi device (201) from the source address of the received action frame (208); and identify the non-associated Wi-Fi device (201) based on the obtained static MAC address (209).

8. The system of claim 7, wherein the processing unit (220) of each access point (200) is configured to modify the value of the ANQP Domain ID field (207) each time the probe response (204) is sent again to the same non-associated Wi-Fi device (201).

9. The system of claim 7, wherein the processing unit (220) of each access point is configured to modify the combined value of the ANQP Domain ID field (207) and the SSID field (402) of the probe response (204) each time the probe response (204) is sent again to the same non-associated Wi-Fi device (201).

10. The system of claim 7, wherein the processing unit (220) of each access point (200) is configured to periodically modify the value of the ANQP Domain ID field (207) to be used in the probe response (204).

11. The system of claim 10, wherein the processing unit (220) of each access point (200) is configured to modify the SSID field (402) to be used in the probe response (204) when a determined number of values have been used for the ANQP Domain ID field (207).

12. The system of claim 7, wherein the processing unit (220) of each access point (200) is configured to randomize the value of the SSID field (402) of the probe response (204).

13. A non-transitory computer-readable medium for the unambiguous identification of non-associated Wi-Fi devices, comprising executable programming instructions stored thereon that, when executed by a processor, cause the processor to carry out the steps of the method of claim 1.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0030] A series of drawings which aid in better understanding the invention and which are expressly related with an embodiment of the said invention, presented as a non-limiting example thereof, are very briefly described below.

[0031] FIG. 1 depicts, according to an embodiment of the present invention, a flow diagram of the steps of the method for the unambiguous identification of non-associated Wi-Fi devices.

[0032] FIG. 2 represents, according to an embodiment of the present invention, a system for the unambiguous identification of non-associated Wi-Fi devices.

[0033] FIG. 3 shows an exemplary embodiment of the system comprising several access points.

[0034] FIG. 4 shows a probe response sent by an access point according to the present invention.

[0035] FIG. 5 shows an example of an action frame including the static MAC address of the non-associated Wi-Fi device, which is sent in response to the probe response of FIG. 4.

[0036] FIG. 6 represents an exemplary communication between a non-associated Wi-Fi device and an access point according to the present invention.

DESCRIPTION OF A PREFERRED EMBODIMENT OF THE INVENTION

[0037] FIG. 1 represents a flow diagram of a method 100 for the unambiguous identification of non-associated Wi-Fi devices according to an embodiment of the present invention.

[0038] First, an access point (AP) receives 102 a probe request from a Wi-Fi device which is currently not associated to the AP. As a probe response, the AP sends 104 a probe response addressed to said non-associated Wi-Fi device. The probe response includes a Hotspot 2.0 Indication element, which in turn includes an ANQP Domain ID field with a determined value.

[0039] The AP receives 106 an action frame sent by the non-associated Wi-Fi device in response to the Hotspot 2.0 Indication element of the probe response. The AP then obtains 108 a static MAC address of the non-associated Wi-Fi device from the source address of the received action frame.

[0040] Finally, the AP identifies 110 the non-associated Wi-Fi device based on the obtained static MAC address.

[0041] FIG. 2 depicts a system for the unambiguous identification of non-associated Wi-Fi devices according to an embodiment of the present invention. In the embodiment, the system comprises an access point 200, which in turn includes a Wi-Fi interface 210 and a processing unit 220.

[0042] The processing unit 220 is configured to implement the steps of the method. In particular, upon receiving a probe request 202 from a Wi-Fi device 201 not associated to the access point 200, the processing unit 220 is configured to send (through the Wi-Fi interface 210) a probe response 204 addressed to the non-associated Wi-Fi device 201, wherein the probe response 204 comprises a Hotspot 2.0 Indication element 206 including a ANQP Domain ID field 207 with a determined value.

[0043] The processing unit 220 is also configured to receive an action frame 208 sent by the non-associated Wi-Fi device 201 in response to the Hotspot 2.0 Indication element 206 of the probe response 204, and obtain a static MAC address 209 of the non-associated Wi-Fi device 201 from the source address of the received action frame 208. The access point 200 can now identify the non-associated Wi-Fi device 201 using the obtained static MAC address 209.

[0044] The system of the present invention may comprise a plurality of access points 200 as described in FIG. 2. FIG. 3 shows an exemplary embodiment of the system comprising a plurality of access points 200, namely AP.sub.1 and AP.sub.2. The access points 200 of the system are configured to identify non-associated Wi-Fi devices 201 (such as the depicted STA.sub.1 and STA.sub.2) which are located within their respective range and are associated with another access point 300, which is not an element of the system (alternatively, the stations 201 may be not associated with any access point). Using the configuration described in FIG. 2, each access point 200 of the system can identify each one of the non-associated Wi-Fi devices 201.

[0045] The Hotspot 2.0 specification defines a new information element called the Hotspot 2.0 Indication element 206. This element serves a similar purpose as the Extended Capabilities element. Its basic purpose is to indicate support for, and compliance with, Passpoint™ (Hotspot 2.0) certification. To advertise support for Hotspot 2.0, the Interworking bit in the Extended Capabilities information element needs to be set in the Beacon and Probe Response frames. A Hotspot 2.0 Indication element 206 is therefore included in the probe response 204 to enable the access points 200 to indicate to non-associated Wi-Fi devices 201 (stations) that they are Hotspot 2.0 capable. The Hotspot 2.0 Indication element 206 uses the vendor-specific information element and is included in every Beacon frame and Probe Response frame from an ESS (Extended Service Set) that supports Hotspot 2.0.

[0046] FIG. 4 depicts an exemplary probe response 204 sent by the access points 200 including two relevant information elements (the probe response 204 includes more fields which are not depicted in the figure): a Hotspot 2.0 Indication (HS20) element 206 and an SSID (Service Set Identifier) field 402. FIG. 4 also shows the different fields forming a Hotspot 2.0 Indication (HS20) element 206 according to the IEEE 802.11u standard for interworking with external networks. According to this standard, the Hotspot 2.0 Indication element 206 contains a field, the ANQP (Access Network Query Protocol) Domain ID 207. The ANQP Domain ID field 207 contains the ANQP domain identifier of the access point. All access points in the same ESS (Extended Service Set) that share a common non-zero value of ANQP Domain ID 207 have identical ANQP information for the ANQP-elements and Hotspot 2.0 Vendor Specific ANQP-elements defined in the standard. According to the present invention, the ANQP Domain ID field 207 is always included in the probe response 204, this field having a determined value which may change with time.

[0047] When a station (i.e. a non-associated Wi-Fi device 201) receives the probe response 204 including a Hotspot 2.0 Indication element 206, the station asks the access point 200 for the complete HS20 profile corresponding to the received ANQP Domain ID 207. For requesting this info, the station sends an action frame 208 that is used by the access point 200 to extract the static MAC address 209 of the station. Said action frame 208 is a management frame that encapsulates a GAS (Generic Advertisement Service) Initial Request 500. As depicted in the example of FIG. 5, the GAS Initial Request includes an ANQP Query List 502 and a HS Query List 504 (ANQP vendor-specific list). The station sends this particular action frame 208 using a MAC address that does not change with time: its static MAC address 209.

[0048] The stations only send this action frame 208 the first time they discover a new ANQP Domain ID 207, or a new combination of ANQP Domain ID 207 and SSID 402 in the probe response 204. The access points 200 of the system of the present invention are configured to force the stations to send this action frame 208 at least once, so that its static MAC address 209 can be obtained and the station can be identified.

[0049] In an embodiment, the access points are configured to force the station to repeatedly send this action frame 208, so that its static MAC address 209 and the RSSI (Received Signal Strength Indicator, i.e. the signal strength) can be continuously obtained and stored in real time. To that end, the value of the ANQP Domain ID field 207 is modified each time a probe response 204 is sent again to the same non-associated Wi-Fi device 201.

[0050] In an embodiment, the combined value of the ANQP Domain ID field 207 and the SSID field 402 of the probe response 204 is modified each time a probe response 204 is sent again to the same non-associated Wi-Fi device 201.

[0051] In an embodiment, since a station asks for each different HS20 profile they see advertised, the access points 200 are configured to periodically advertise different HS20 profiles to provoke a response from the stations, by periodically modifying the value of the ANQP Domain ID 207 to be used in the next probe responses 204 (e.g. increasing the value of ANQP Domain ID 207 every 5 seconds, wherein the updated value will be used in the next probe responses 204 transmitted by the access point 200 until said value is again updated) and listen to the reply from the station. The ANQP Domain ID value is therefore repeatedly modified (e.g. increasing or decreasing the value by a certain quantity), wherein the period of time between modifications may be or not constant (e.g. the ANQP Domain ID value is modified after a random period of time comprised between 5 and 6 seconds).

[0052] The access points 200 may be further configured to modify the SSID field 402 to be used in the next probe responses 204 when a determined number of different values have been used for the ANQP Domain ID field 207. In an embodiment, the value of the SSID field of the probe response (204) sent to a non-associated Wi-Fi device 201 is randomized whenever it needs changing (e.g. when running out of values for the ANQP Domain ID field 207).

[0053] FIG. 6 represents an exemplary communication between a non-associated Wi-Fi device 201 (i.e. a station) and an access point 200 according to the present invention. In each iteration 602 the following sequence is fulfilled: [0054] Non-associated stations are in sleep mode most of the time, the access points 200 can only track them when they wake up to scan the medium. When the non-associated Wi-Fi device 201 wakes up from sleep mode, it sends probe requests 202 (two probe requests in the example) to scan the medium, using a random MAC address 604 (in the example, “02.00.00.00.00.00”). [0055] The access point 200 responds with two probe responses 204 that contain an ANQP Domain ID 207. [0056] In response, the non-associated Wi-Fi device 201 sends an action frame 208 that leaks its static MAC address (in the example, “SamsungE_83:5f:c9”), instead of the random MAC address 604 used in its probe requests 202.

[0057] As can be seen in the column referring to the ANQP Domain ID field 207, the value of this field varies in the different iterations 602. This is due to the fact that the value of the ANQP Domain ID field 207 is periodically modified (in the example, the value is incremented by 1 each 5 seconds) to advertise a new HS20 profile. Without making this modification in the value of the ANQP Domain ID field 207, the station would only respond the first time. By applying a periodic increment in the value of the ANQP Domain ID field 207, the stations may be continuously identified and tracked.

[0058] For instance, a station may be identified at a certain time when entering the coverage range of the access point, the station may be tracked while it remains within coverage range of the access point, the access point may determine the time when the station leaves the area (when out of range, it will no longer be detected and identified by the access point), and the access point may also determine the time when the station returns to the area (when it is again within range of the access point). Moreover, when the system of the invention comprises three or more access points 200 arranged in a same area, a precise tracking (geolocation by triangulation) may be performed.

[0059] As can be seen in FIG. 4, the size of the ANQP Domain ID field 207 is 2 bytes (16 bits), which provides the access points with up to 2.sup.16 (i.e. 65536) HS20 profiles available. If the access point 200 increments the ANQP Domain ID field 207 every 5 seconds, the continuous identification of the stations can be roughly performed for around 91 hours before every existing ANQP Domain ID is exhausted. Fortunately, the stations identify the HS20 profile using the combination of SSID 402 and ANQP Domain ID 207, instead of only the ANQP Domain ID 207. Knowing this, the access point 200 only needs to change the combined value of SSID 402 and ANQP Domain ID 207 when the last value for the ANQP Domain ID (e.g. 65535 when incrementing the values from an initial value of 0) is reached.

[0060] If for example the following SSID is used “GalgusH2E xxxxxxxx”, where each ‘x’ is a hexadecimal digit, when the access point 200 reaches the last value of the ANQP Domain ID 207, the access point 200 may randomly generate another hex number of 8 digits and start again. This allows 16.sup.8 (i.e. 4.294.967.296) possible combinations, with 65536 ANQP Domain ID values for each combination.

[0061] When the system comprises several access points, arranged for instance in a same installation, the system can track the MAC address and RSSI of the non-associated stations. The access points of the system may periodically change the combined value of the ANQP Domain ID field 207 and the SSID field 402. A random combination of these values (ANQP Domain ID & SSID) may be generated in each access point, so that each access point advertises a different Hotspot 2.0 profile and the stations must respond (with the action frame 208) to all the access points of the system.

[0062] For instance, each access point may use an incremental value for the ANQP Domain ID field 207 and a randomized value for the SSID field 402 each time the ANQP Domain ID field 207 reached the last available value (65536). Since there are a huge number of possible SSID combinations (in the previous example, 4.294.967.296 possible SSID combinations), the probability of two different access points in the same installation using the same SSID is negligible (0,0000000002328306436538696).

[0063] According to the Wi-Fi operation, each different SSID used by an access point needs a different BSSID (Basic Service Set Identifier). The BSSID normally corresponds to the MAC address of the Wi-Fi interface 210 of the access point 200. When the access point generates a new value for the SSID field 402, a new BSSID is also created. The BSSID is generated so that it does not collide with other BSSIDs in use by any other Wi-Fi interface in the zone. To that end, some particular bits of the BSSID (which normally remain unchanged) may be modified; for instance, the last byte is incremented by one and the locally administered bit (the seventh bit starting from the left of the BSSID) is enabled. When the locally administered bit is set to 1, it indicates that this MAC has been modified and does not correspond to a real MAC of any Wi-Fi device. The access point sets this bit to 1 to avoid accidentally stepping on a real MAC of a Wi-Fi device that is in the vicinity.

[0064] The applications of the present invention are multiple, since it is a transversal technology that can be easily applied in a wide range of scenarios. To begin with, a system capable of unveiling the static identifier (static MAC address) of non-associated devices can track them or store these data for further processing. It is up to the network administrator to exploit these data for research, logistics or commercial purposes, among others. The present invention may be used to locate in real-time on a map the Wi-Fi devices in an airport, a shopping center, or a hotel, by using only the Wi-Fi network deployed and without the need to ask permission to users to install annoying applications or make changes in the software of their terminal.

[0065] In addition, aggregated and anonymized data from all users at a particular site can be refined using machine learning techniques to perform: [0066] Estimates on masses of people, movements, from the number of nearby devices (there will be users without devices, devices that does not send frames, users with multiple devices, etc). [0067] Prediction of agglomerations, flow patterns of crowds. Security applications.

[0068] Once the real users in an environment have been identified, the system can track them when they visit the facilities where the access points are deployed, as well as exploit the obtained data to improve the deployment of the environment (network level, placement of shops, establishments, and restaurants, etc.).

[0069] The invention uses the aforementioned frames to cause a non-associated station (which usually does not react to anything) to reveal its static MAC to an access point. To this end, the access points periodically cause the non-associated station to continuously send the static MAC address by rotating the ANQP Domain IDs and SSIDs. In addition, this solution is scalable and can be used with an arbitrary number of access points.