Yep. Whenever wifi is enabled, your device is sending out probe request frames, which include your list of preferred networks/networks you've connected to before.
Could it be used as a sort of fingerprint to identify phones? I'm imagining using a scanner to create a list of phones in the area. You walk through the halls of congress to compile a list of devices. Do this every few days or over the course of a month, to eliminate visitors.
Now that you have your fingerprint, you can leave a few scanners around where you're trying to track the congressmen. I.e., if you want to blackmail, put it around strip clubs.
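The frames and the fingerprinting idea from the comments above, worked through as an added example (not code from anyone in the thread): it builds a few constructed 802.11 probe request frames (FCS omitted, no radiotap header), pulls the source MAC and the SSID element out of each, keeps only devices seen in every baseline scan to drop visitors, and then reports which of those devices turn up in a capture from a second location. Matching a device by an identical set of probed SSIDs (the PNL) is this example's own rule, not something the thread specifies, and the MAC addresses and network names are invented test data.

```python
import struct
from collections import defaultdict

PROBE_REQ_FC0 = 0x40   # frame control byte 0: type=management (0), subtype=probe request (4)
SSID_ELEMENT_ID = 0    # tagged parameter ID for the SSID element


def build_probe_request(src_mac: str, ssid: str) -> bytes:
    """Construct a minimal probe request (test data only; FCS left off as most drivers strip it)."""
    sa = bytes.fromhex(src_mac.replace(":", ""))
    bcast = b"\xff" * 6
    header = (struct.pack("<BBH", PROBE_REQ_FC0, 0x00, 0)  # FC, duration
              + bcast + sa + bcast                           # DA, SA, BSSID
              + struct.pack("<H", 0))                        # sequence control
    ssid_bytes = ssid.encode()
    ssid_ie = struct.pack("BB", SSID_ELEMENT_ID, len(ssid_bytes)) + ssid_bytes
    rates_ie = struct.pack("BB", 1, 4) + bytes([0x82, 0x84, 0x8B, 0x96])  # supported rates 1/2/5.5/11
    return header + ssid_ie + rates_ie


def parse_probe_request(frame: bytes):
    """Return (source MAC, SSID) for a probe request, or None for any other frame.

    An empty SSID is a wildcard probe: the device is asking "anyone there?" and leaks no name.
    """
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0 or (fc0 >> 4) & 0xF != 4:
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])
    pos, ssid = 24, None
    while pos + 2 <= len(frame):              # walk the tagged parameters
        eid, elen = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elen]
        if len(value) < elen:                  # truncated element: stop rather than misparse
            break
        if eid == SSID_ELEMENT_ID:
            ssid = value.decode("utf-8", errors="replace")
            break
        pos += 2 + elen
    return src, ssid


def fingerprint(frames):
    """Map each source MAC to the set of network names it probed for (wildcard probes ignored)."""
    pnl = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1]:
            pnl[parsed[0]].add(parsed[1])
    return dict(pnl)


def recurring_devices(scans, min_scans):
    """Merge repeated scans of one place; keep devices present in at least min_scans of them."""
    seen_in, pnl = defaultdict(int), defaultdict(set)
    for frames in scans:
        for mac, ssids in fingerprint(frames).items():
            seen_in[mac] += 1
            pnl[mac] |= ssids
    return {mac: pnl[mac] for mac, n in seen_in.items() if n >= min_scans}


def spot_known_devices(baseline, frames):
    """Report devices in a new capture that match a baseline device, keyed new MAC -> baseline MAC.

    Matches on MAC, or (assumption of this example) on an identical PNL of two or more names;
    a single shared name like "linksys" is too common to count as a match.
    """
    by_pnl = {frozenset(s): mac for mac, s in baseline.items() if len(s) >= 2}
    hits = {}
    for mac, ssids in fingerprint(frames).items():
        if mac in baseline:
            hits[mac] = mac
        elif frozenset(ssids) in by_pnl:
            hits[mac] = by_pnl[frozenset(ssids)]
    return hits


# Constructed capture data: one regular (STAFFER), one visitor, and strangers at the second site.
STAFFER, VISITOR, STRANGER, RANDOMIZED = ("aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02",
                                           "aa:bb:cc:dd:ee:03", "aa:bb:cc:dd:ee:04")
BASELINE_SCANS = [
    [build_probe_request(STAFFER, "HomeNet"), build_probe_request(STAFFER, "CoffeeShop"),
     build_probe_request(VISITOR, "HotelGuest")],
    [build_probe_request(STAFFER, "HomeNet"), build_probe_request(STAFFER, "")],
    [build_probe_request(STAFFER, "CoffeeShop")],
]
SECOND_SITE = [
    build_probe_request(STAFFER, "HomeNet"),
    build_probe_request(STRANGER, "HomeNet"),        # one shared name only: not a match
    build_probe_request(RANDOMIZED, "HomeNet"),      # same PNL as STAFFER under another MAC
    build_probe_request(RANDOMIZED, "CoffeeShop"),
]

if __name__ == "__main__":
    baseline = recurring_devices(BASELINE_SCANS, min_scans=3)
    print("regulars:", baseline)
    print("seen again:", spot_known_devices(baseline, SECOND_SITE))
```

To run it against real traffic, put an interface in monitor mode and hand each captured management frame (minus any radiotap header) to parse_probe_request; the element walk is the part that matters, since a malformed length field is the usual way a sniffer gets tripped up.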
It's called "active scan", and it's one of the default behaviours that I'd really like an option to disable, since (unless you hide the SSID) APs will broadcast beacon frames announcing their presence anyway.
For iOS you can use iPhone Configuration Utility or similar to add profiles for WiFi networks, and set their SSIDs to be always broadcasting. That option should make it so that those names aren't included in the active scans, if it is to make any sense.
It also allows APs to be "hidden", by not broadcasting its own SSID, but relying on devices to send out a probe to ask if it's there. Of course, it's not hidden from packet sniffers if it's talking to someone.
To an extent it is; if your phone never connects to any WiFi device (and instead uses GPRS / EDGE / LTE etc. to a mobile carrier), and your laptop only ever connects to your phone, then the probes the attacker will see are for your laptop probing for the SSID of your phone. Given an appropriately vague SSID, this doesn't give the attacker much information (cf. connecting to access points everywhere and giving away that list of SSIDs).
If you use WPA2 PSK and choose a long, random password (you want enough entropy that brute forcing it is impossible - for example, 20 completely random and independent characters taken from a dictionary of 62 characters gives you ~105 bits of entropy, which should be enough, while 8 characters or a few dictionary words might not cut it) impersonating your phone is not feasible if your laptop is configured to only ever connect using the saved pre-shared key.
Yes. They are called probe requests, and can be easily intercepted and viewed. Multiple programs exist to grab these requests off the air and stand up wireless networks with that SSID.[1]
You could brute force it by using common network names and seeing which ones get bites. Take it a step further and generate expected patterns, e.g. "2WIRE123". I'd expect "linksys" alone would grab a surprising amount to start, though.
Exactly, even if it's not broadcasting network names, almost every student in the Netherlands will have the train's WiFi hotspot in their list of networks.
One thing I still want to check out is whether the laptop will connect to an open network with the same name as a known network that was password protected.