Randomized MAC addresses aim to prevent passive device tracking, yet Wi-Fi management frames still leak structured behavioral patterns. Prior work has relied primarily on syntactic probe-request features such as Information Elements (IEs), sequence numbers (SEQ), or RSSI correlations, which degrade in dense environments and fail under aggressive randomization. We introduce StateFi, a fingerprinting framework that models device behavior as finite-state machines (FSMs), capturing both structural transition patterns and temporal execution logic. These FSMs are embedded into compact feature vectors that support efficient similarity computation and supervised classification. Across five heterogeneous campus environments, StateFi achieves 94-97% accuracy for in-network fingerprinting using full management-frame FSMs. With probe-only FSMs, it re-identifies devices under MAC randomization with up to 97% accuracy across large public datasets comprising more than a million frames. In terms of discrimination accuracy, StateFi reaches 98%, outperforming the strongest prior signature by up to 17 percentage points. These results demonstrate that FSM-level behavioral dynamics form a powerful and largely unmitigated side channel, stable enough to defeat randomization and expressive enough for robust, scalable device identification.
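To see why transition structure and timing survive a MAC change, the following added example (not StateFi's code; the abstract does not specify its feature extraction) builds a small FSM from management-frame subtypes, embeds it as transition probabilities plus log mean inter-frame gaps, and compares sessions by cosine similarity. The state list, the embedding, the helper names and the three capture sessions are all assumptions constructed for illustration; a defender can use the same measurement to check how much of a device's behaviour persists across randomized addresses.

```python
import math
from collections import defaultdict

STATES = ["probe-req", "auth", "assoc-req", "action"]  # assumed FSM states (frame subtypes)

def build_fsm(frames):
    """frames: list of (time_s, subtype). Returns {(src, dst): [count, total_gap_s]}."""
    fsm = defaultdict(lambda: [0, 0.0])
    for (t0, s0), (t1, s1) in zip(frames, frames[1:]):
        edge = fsm[(s0, s1)]
        edge[0] += 1          # structural part: how often this transition occurs
        edge[1] += t1 - t0    # temporal part: time spent before taking it
    return fsm

def embed(fsm):
    """Fixed-length vector: for each possible edge, transition probability and log mean gap."""
    out_total = defaultdict(int)
    for (src, _), (count, _) in fsm.items():
        out_total[src] += count
    vec = []
    for src in STATES:
        for dst in STATES:
            count, gap = fsm.get((src, dst), (0, 0.0))
            vec.append(count / out_total[src] if out_total[src] else 0.0)
            vec.append(math.log1p(gap / count) if count else 0.0)
    return vec

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def make_session(subtypes, gaps):
    """Constructed capture: subtypes[i] is sent gaps[i] seconds after the previous frame."""
    t, frames = 0.0, []
    for subtype, gap in zip(subtypes, gaps):
        t += gap
        frames.append((round(t, 3), subtype))
    return frames

# Constructed data: device A seen under two different random MACs (the MAC is never used), and device B.
BURSTY = (["probe-req"] * 3 + ["auth", "assoc-req"]) * 2
A1 = make_session(BURSTY, [0, .02, .02, .1, .01, 5.0, .02, .02, .1, .01])
A2 = make_session(BURSTY, [0, .021, .019, .11, .012, 6.0, .02, .021, .1, .011])
B = make_session(["probe-req", "probe-req", "action"] * 2 + ["auth", "assoc-req"], [0, 1.0, .5, 1.0, 1.0, .5, .3, .2])

def compare():
    """Returns (same-device similarity, cross-device similarity)."""
    a1, a2, b = (embed(build_fsm(s)) for s in (A1, A2, B))
    return cosine(a1, a2), cosine(a1, b)
```

Because the MAC address never enters the vector, rotating it changes nothing here; only altering the frame ordering or timing would lower the same-device score.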