XPost: alt.comp.os.windows-10, comp.mobile.android, misc.phone.mobile.iphone   
   From: marianjones@helpfulpeople.com   
      
   Marian wrote:   
   > Hence, whether a BSSID without an SSID ends up in a vendor database is a   
   > policy/implementation question we need to find out for Apple/Google WPS.   
      
   Legal issues:   
      
   I should be clear that I think it would/should be LEGALLY untenable for the   
   random iOS/Android device to be querying client packets to obtain the SSID   
   of an access point whose beacon frames do not contain that SSID.   
      
   It's a POLICY DECISION whether or not random phones upload the BSSID.   
   But it's a technical impossibility to "passively" obtain the SSID.   
      
   Beacon frames always contain the BSSID (i.e., the AP's MAC address) but if   
   the SSID is set to "hidden", then the beacon frame SSID field is blank or   
   set to null. So a passive scanner (like a random android/ios phone) can   
   always see the BSSID, but it can never see the SSID in a beacon frame.   
      
   However, if the scanner is active, it can "wait long enough" outside your   
   home to learn the SSID by sniffing specific authenticated client traffic.   
    a. When a client device that already knows the SSID tries to connect,   
       it sends a directed probe request with the SSID in cleartext.   
    b. The AP responds with a probe response containing the SSID.   
    c. Association/authentication frames also reveal the SSID.   
      
   Hence, an active scanner, if it "waits long enough" and if it captures   
   authentication traffic, can capture these frames and learn the SSID but   
   only if a client connects, as if no client connects, a passive scanner will   
   only know the BSSID, not the SSID of the router's access point.   
      
   It's important to note that if the connection from my Windows PC to my   
   router access point never drops, then that SSID may not be observable for   
   hours or even days after the initial encrypted connection had been   
   established.   
      
   From a legal standpoint, it seems untenable, to me, that a random   
   iOS/Android device will "wait long enough" to "capture client traffic".   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)