Randomized MAC addresses are widely deployed to prevent passive Wi-Fi device tracking. However, real-world devices still emit structured behavioral patterns in management traffic that persist across sessions and environments. We show that device behavior itself forms a powerful fingerprinting side channel, even when explicit identifiers are aggressively randomized.

Most prior Wi-Fi fingerprinting techniques rely on syntactic features such as Information Elements (IEs), sequence numbers (SEQ), or RSSI correlations. These approaches degrade in dense environments and fail under strong randomization, as they overlook the underlying logic of device behavior.

Behavioral modeling

StateFi models each device’s activity as a finite-state machine (FSM) that captures:

• structural transition patterns
• temporal execution dynamics

The resulting FSMs are embedded into compact feature vectors enabling scalable similarity measurement and supervised classification.

Key results

Across five heterogeneous campus environments and large public datasets, StateFi achieves:

• 94-97% accuracy for in-network fingerprinting using full management-frame FSMs
• Up to 97% re-identification under MAC randomization using probe-only FSMs
• 98% discrimination accuracy, outperforming prior signatures by up to 17 percentage points

Why it matters

StateFi reveals that randomized identifiers alone are insufficient for privacy protection. Behavioral dynamics in Wi-Fi traffic are stable, distinctive, and resilient to existing defenses, forming a persistent and largely unmitigated tracking channel.

Paper

📄 Paper appearing in ACM WiSec’26.