{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,7,13]],"date-time":"2025-07-13T16:40:03Z","timestamp":1752424803589,"version":"3.41.2"},"reference-count":0,"publisher":"Privacy Enhancing Technologies Symposium Advisory Board","issue":"4","license":[{"start":{"date-parts":[[2025,10,1]],"date-time":"2025-10-01T00:00:00Z","timestamp":1759276800000},"content-version":"unspecified","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["PoPETs"],"abstract":"<jats:p>Static and hard-coded layer-two network identifiers are well known to present security vulnerabilities and endanger user privacy. In this work, we introduce a new privacy attack against Wi-Fi access points listed on secondhand marketplaces. Specifically, we demonstrate the ability to remotely gather a large quantity of layer-two Wi-Fi identifiers by programmatically querying the eBay marketplace and applying state-of-the-art computer vision techniques to extract IEEE 802.11 BSSIDs from the seller's posted images of the hardware. By leveraging data from a global Wi-Fi Positioning System (WPS) that geolocates BSSIDs, we obtain the physical locations of these devices both pre- and post-sale. In addition to validating the degree to which a seller's location matches the location of the device, we examine cases of device movement\u2013once the device is sold and then subsequently re-used in a new environment. Our work highlights a previously unrecognized privacy vulnerability and suggests, yet again, the strong need to protect layer-two network identifiers.<\/jats:p>","DOI":"10.56553\/popets-2025-0164","type":"journal-article","created":{"date-parts":[[2025,7,13]],"date-time":"2025-07-13T15:58:27Z","timestamp":1752422307000},"page":"912-925","source":"Crossref","is-referenced-by-count":0,"title":["Buy it Now, Track Me Later: Attacking User Privacy via Wi-Fi AP Online Auctions"],"prefix":"10.56553","volume":"2025","author":[{"given":"Steven","family":"Su","sequence":"first","affiliation":[{"name":"University of Maryland"}]},{"given":"Erik","family":"Rye","sequence":"additional","affiliation":[{"name":"University of Maryland"}]},{"given":"Dave","family":"Levin","sequence":"additional","affiliation":[{"name":"University of Maryland"}]},{"given":"Robert","family":"Beverly","sequence":"additional","affiliation":[{"name":"San Diego State University"}]}],"member":"35752","published-online":{"date-parts":[[2025,10]]},"container-title":["Proceedings on Privacy Enhancing Technologies"],"original-title":[],"deposited":{"date-parts":[[2025,7,13]],"date-time":"2025-07-13T15:58:37Z","timestamp":1752422317000},"score":1,"resource":{"primary":{"URL":"https:\/\/petsymposium.org\/popets\/2025\/popets-2025-0164.php"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10]]},"references-count":0,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2025,10]]}},"alternative-id":["10.56553\/popets-2025-0164"],"URL":"https:\/\/doi.org\/10.56553\/popets-2025-0164","relation":{},"ISSN":["2299-0984"],"issn-type":[{"type":"electronic","value":"2299-0984"}],"subject":[],"published":{"date-parts":[[2025,10]]}}}