Signal Remembers: Wi-Fi Recon Beyond MAC
Recon Village @ DEF CON 34 • August 6-9, 2026
Abstract
Modern Wi-Fi clients are designed to hide. They randomize MAC addresses, reduce directed probes, avoid exposing preferred networks, and use per-network private addresses. Yet before a device connects, it still speaks.
This talk introduces a Python-based proof-of-value tool for passive Wi-Fi reconnaissance and privacy exposure analysis. The tool listens to 802.11 management traffic, builds an environmental AP map from beacon frames, observes client reactions through probe requests, parses Information Elements from probe and association frames, and correlates randomized MAC identities using IE semantics, sequence behavior, packet size, timing, and channel context.
The core idea is, even when the MAC address changes, the device’s wireless behavior may remain linkable.
We will demonstrate how passive wireless metadata can reveal device presence, movement context, SSID exposure, privacy leakage, and probable same-device candidates even when MAC randomization is enabled. The demo will use only controlled test devices in a lab environment.
The talk also introduces an AI-assisted scoring module trained on IE-level Wi-Fi fingerprints to improve correlation accuracy and reduce false positives. By combining semantic 802.11 features with behavioral signals, the tool aims to produce a practical privacy exposure score for Wi-Fi clients.
This is not a tracking product or a vendor-specific platform. The goal is to show defenders, researchers, privacy engineers, and red teams what Wi-Fi clients still expose by default, and how passive management-frame metadata can become a meaningful reconnaissance surface.
Speaker
Research Engineer
Wi-Fi Research Engineer working on wireless privacy, security, fingerprinting, and interoperability. His background includes IoT, mobile, network penetration testing, RF-oriented security research, and 802.11 management-frame analysis. His work focuses on practical wireless research that connects protocol behavior, privacy exposure, device fingerprinting, and real-world defensive testing. He is particularly interested in how Wi-Fi clients behave during connection and how passive wireless signals can be analyzed responsibly for security and privacy assessment.
View full speaker profile →