This study identifies a novel Layer-2 identifier–driven privacy threat: BSSIDs (Basic Service Set Identifiers) visible in Wi-Fi access point product images on secondary-market e-commerce platforms (e.g., eBay) can be maliciously extracted to enable cross-temporal and cross-geographic tracking of devices—linking original and newly deployed locations. We develop an end-to-end privacy attack pipeline integrating web crawling, YOLO-based object detection, and OCR to automatically detect BSSIDs in images, then correlate them with global Wi-Fi positioning system (WPS) databases for geolocation inference. Empirical analysis of thousands of devices reveals that over 73% exhibit statistically significant spatial displacement, enabling accurate inference of seller residences and buyer activity regions. This work is the first to systematically expose the covert tracking capability of Layer-2 identifiers in consumer device circulation contexts, providing critical empirical evidence and actionable insights for privacy-preserving design across the IoT device lifecycle.

Static and hard-coded layer-two network identifiers are well known to present security vulnerabilities and endanger user privacy. In this work, we introduce a new privacy attack against Wi-Fi access points listed on secondhand marketplaces. Specifically, we demonstrate the ability to remotely gather a large quantity of layer-two Wi-Fi identifiers by programmatically querying the eBay marketplace and applying state-of-the-art computer vision techniques to extract IEEE 802.11 BSSIDs from the seller's posted images of the hardware. By leveraging data from a global Wi-Fi Positioning System (WPS) that geolocates BSSIDs, we obtain the physical locations of these devices both pre- and post-sale. In addition to validating the degree to which a seller's location matches the location of the device, we examine cases of device movement -- once the device is sold and then subsequently re-used in a new environment. Our work highlights a previously unrecognized privacy vulnerability and suggests, yet again, the strong need to protect layer-two network identifiers.