
Yep. Whenever wifi is enabled, your device is sending out probe request frames, which include your list of preferred networks/networks you've connected to before.


Could it be used as a sort of fingerprint to identify phones? I'm imagining using a scanner to create a list of phones in the area. You walk through the halls of congress to compile a list of devices. Do this every few days or over the course of a month, to eliminate visitors.

Now that you have your fingerprint, you can leave a few scanners around where you're trying to track the congressmen. I.e., if you want to blackmail, put it around strip clubs.

Seems like a major security hole to me.


That's definitely possible. There are already a few startups that use the same method to track analytics and repeat customers.


iOS 8 somewhat mitigates this through using random MAC addresses when scanning


> somewhat

Due to the extremely narrow circumstances [1] under which the MAC address randomization is actually used, the feature may as well not exist.

[1] http://blog.airtightnetworks.com/ios8-mac-randomgate/


It's called "active scan", and it's one of the default behaviours that I'd really like an option to disable, since (unless you hide the SSID) APs will broadcast beacon frames announcing their presence anyway.

At least for Android, someone else agrees: http://code.google.com/p/android/issues/detail?id=65890


For iOS you can use iPhone Configuration Utility or similar to add profiles for WiFi networks, and set their SSIDs to be always broadcasting. That option should make it so that those names aren't included in the active scans, if it is to make any sense.


What's the point of that? To speed up reconnection?


It also allows APs to be "hidden", by not broadcasting their own SSIDs, but relying on devices to send out a probe to ask if they're there. Of course, it's not hidden from packet sniffers if it's talking to someone.


That might just be the most stupid misfeature in the history of IT.

Not only is a "hidden" AP not really hidden at all, it makes a lot of functionality much more difficult, such as channel choosing and reconnect.


Yes, and also so that you can go between two access points for the same network without having to reconnect.


Wow... And I was thinking that using my phone to hotspot in cafes was mitigating things like that. Thanks for sharing!


To an extent it is; if your phone never connects to any WiFi device (and instead uses GPRS / EDGE / LTE etc. to a mobile carrier), and your laptop only ever connects to your phone, then the probes the attacker will see are for your laptop probing for the SSID of your phone. Given an appropriately vague SSID, this doesn't give the attacker much information (cf. connecting to access points everywhere and giving away that list of SSIDs).

If you use WPA2 PSK and choose a long, random password (you want enough entropy that brute forcing it is impossible; for example, 20 completely random and independent characters taken from a dictionary of 62 characters gives you ~105 bits of entropy, which should be enough, while 8 characters or a few dictionary words might not cut it), impersonating your phone is not feasible if your laptop is configured to only ever connect using the saved pre-shared key.
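The entropy arithmetic in the comment above, worked through as an added example (not code from the thread or from any commenter). It computes entropy as log2 of the number of equiprobable secrets, which for 20 independent picks from a 62-symbol alphabet (A-Z, a-z, 0-9) comes out at about 119 bits, compares that with the 8-character and dictionary-word cases the comment mentions, and generates a PSK of that shape with `secrets`. The dictionary size (20,000 words, 3 words) and the guess rate (10^9 PBKDF2 guesses per second, far above what commodity hardware achieves against WPA2, so deliberately pessimistic) are assumptions chosen for illustration, not figures from the page.

```python
import math
import secrets
import string

# Assumed alphabet for the "62 characters" case in the comment: letters and digits.
ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols

# Assumed for illustration: a word list of 20,000 entries and an attacker
# rate of 1e9 guesses per second (pessimistic; WPA2's PBKDF2 makes real
# offline guessing far slower than this).
ASSUMED_WORDLIST_SIZE = 20_000
ASSUMED_GUESSES_PER_SECOND = 1e9

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret built from `length` independent, uniformly random
    picks out of `alphabet_size` symbols: log2(alphabet_size ** length)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def expected_years_to_brute_force(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the secret when guessing uniformly: on average the
    attacker covers half the keyspace before succeeding."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def compare_psk_choices() -> dict:
    """Entropy (bits) of the three password shapes discussed in the comment."""
    return {
        "20 random alphanumeric chars": entropy_bits(len(ALPHANUMERIC), 20),
        "8 random alphanumeric chars": entropy_bits(len(ALPHANUMERIC), 8),
        "3 words from a 20k-word list": entropy_bits(ASSUMED_WORDLIST_SIZE, 3),
    }


def random_psk(length: int = 20, alphabet: str = ALPHANUMERIC) -> str:
    """Generate a WPA2 passphrase from the CSPRNG. WPA2-PSK passphrases must be
    8 to 63 printable ASCII characters, so the length is checked here."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8..63 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for label, bits in compare_psk_choices().items():
        years = expected_years_to_brute_force(bits, ASSUMED_GUESSES_PER_SECOND)
        print(f"{label:32s} {bits:6.1f} bits  ~{years:.3g} years at 1e9 guesses/s")
    print("example PSK:", random_psk())
```

The 8-character and three-word cases land in the 40 to 50 bit range, which at the assumed rate is searched in well under a year, whereas 20 random alphanumeric characters sit above 100 bits and are out of reach by many orders of magnitude. The important design point is the independence of each pick: a passphrase assembled by hand, or from a short list of memorable words, has far less entropy than its length suggests.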



