
MAC Address Randomization Flaws Leave Android and iOS Phones Open To Tracking (theregister.co.uk) 56

New submitter cryptizard writes: Modern Android and iOS versions include a technology called MAC address randomization to prevent passive tracking of users as they move from location to location. Unfortunately, researchers have revealed that this technology is implemented sporadically by device manufacturers and is often deployed with significant flaws that allow it to be easily defeated. A research paper [published by U.S. Naval Academy researchers] highlights a number of flaws in both Android and iOS that allow an adversary to track users even when their phones are using randomized MAC addresses. Most significantly, they demonstrate that a flaw in the way wireless chipsets handle low-level control messages can be exploited to track 100% of devices, regardless of manufacturer or operating system.
  • by mveloso ( 325617 ) on Friday March 10, 2017 @07:32PM (#54015875)

    "Every 802.11 radio on a mobile device possesses a 48-bit link-layer MAC address that is a globally unique identifier for that specific WiFi device."

    Uh, no. That address is assumed to be unique and identifies a specific WiFi radio/client. There is no enforcement for uniqueness, and indeed you can spoof your MAC address.

    Assuming the MAC is a unique identifier is always a Bad Idea.

    • by Anonymous Coward

      Yeah, uh. Tell that to the people who are tracking you.

      You: "Don't assume I'm me, dammit! Someone else could be spoofing me!"
      The man: "LOL. It's him again."

    • by AHuxley ( 892839 )
      It could depend on what the Automated Implant Branch (AIB) can get to even after the MAC address has been altered.
      The hardware responds to a request for its hardware MAC address.
    • You used to be able to spoof your MAC address. Intel removed the capability from their WiFi cards some time around 2010. The laptop I had before then could do it, but the laptop I replaced it with couldn't. When I investigated why, I learned that Intel had removed the capability due to too many wardrivers using the capability to connect to WiFi networks with poor security which were relying on MAC address filters. Kind of a backwards solution if you ask me, but it is what it is.
      • I'm guessing this is a Windows driver problem, not allowing you to spoof your MAC address.

        I just bought a new laptop in November. Has an Intel 7265 Wifi chip.

        On Linux, spoofing the MAC is built in, and randomly generates a new MAC when connecting to an Access Point with recent kernels and using Network Manager.

        It actually confused me for a bit, as part of my setup at home uses MAC whitelisting in conjunction with a really long key.

        I whitelisted the MAC, then started the install. When I rebooted after insta

    • by Cramer ( 69040 )

      By design, they're supposed to be unique. Manufacturers aren't supposed to "recycle" an OUI, but I've heard some lesser known Chinese companies have. The likelihood of having a collision is nearly zero. Now, if you start "randomly" generating your own MACs, the probability of collisions goes way up. (30 years and counting, I've never seen two NICs with the same MAC -- well, that I hadn't messed with, or were broken (all 0's))

      Assuming a built-in-address is unique is a safe bet. Assuming a made up one is uniq

  • ...just turn off your SmartPhone's WiFi (and Bluetooth while you are at it)

    • Attacks still work against Android phones with WiFi turned off in some cases, check out the paper.
      • by Anonymous Coward

        No, C: if the WiFi circuit isn't powered, there is no MAC address sent, period. If you need to confirm that WiFi is truly off, just compare the power consumption of the phone on vs. off.

        Now this doesn't require that the device be registered to an access point, so in theory this attack would work if you left the WiFi circuit on, even if you didn't use a public WiFi service. The risk is only that your phone will be tracked, not hacked.

        • No, C: if the WiFi circuit isn't powered, there is no MAC address sent, period. If you need to confirm that WiFi is truly off, just compare the power consumption of the phone on vs. off.

          Good luck with that. The WiFi is such a piddling amount of the draw that it may not even show up in the breakdown at all.

        • by skids ( 119237 )

          Location services turn the wifi radio back on in short blips even in airplane mode or with wifi off, long enough for their active tracking attack to work. Whether the response to the active attack can be quelched by device firmware alterations is not examined in the paper... it could very well be a silicon-encoded behavior to conserve power. Whether said location services include the e911 function is also not explicitly addressed. Whether this fact is a violation of airline policies is also beyond the sc

  • It's a real issue because stores can buy Wi-Fi equipment that logs smartphones' MAC addresses, so that shoppers are recognized by their handheld when they next walk in, or walk into affiliate shop with the same creepy system present.

    Hmmm, not an issue. I don't use WiFi when I am away from known secure locations. Not an issue.

  • Am I not remembering correctly, or am I correct in that when a packet is routed past its original logical subnet, the MAC address is no longer part of the packet header, in which case the ability to track individual users is only possible within the logical subnet, and therefore only the ISP or wireless provider can track you?
    • by Anonymous Coward

      I think this has more to do with how the WiFi is processed on the machine. The summary seems to say the MAC address can be tracked but not very well so they just use another better method. "Most significantly, they demonstrate that a flaw in the way wireless chipsets handle low-level control messages can be exploited to track 100% of devices, regardless of manufacturer or operating system." Kinda like fingerprinting by audio, graphic, etc... If I had to guess.

    • This is physical tracking the randomization is supposed to prevent, not web tracking. It is supposed to prevent law enforcement, or Disneyland, or whoever, from placing a bunch of wifi sniffing devices around the area they wish to track, listening for probes, and tracking your location without you knowing it.
      • Oh, and to follow up, the devices revert to their hardwired address once they join a network or bluetooth pairs.
  • About a decade ago I was taught Computer systems in College that the MAC address assures you that it is a unique address that is hard coded on the NIC, and that Ethernet card only owns, and nobody else has that number. The mac authorized number is stored in the IEEE Registration Authority. (Yes I know it can be spoofed, but it is hard not to bump into an identical mac number.) This is the persons device, they own it, assuring you that you are talking to is their personal device. Where they reside and whe
      by clonehappy ( 655530 )

      And that's why real world experience always trumps what you're taught out of a book. Yes, in theory, all physical addresses are unique. But in practice this has really never been the case. In the mid-2000s I remember tracking down an issue with two brand-name (3Com) NICs having identical MAC addresses.

      On a large wired LAN, duplicate MACs can cause issues. Beyond Layer 2, it shouldn't make one lick of difference whether your physical address is unique or not. Of course if you spoof your MAC, you're probably

      • by skids ( 119237 )

        Any network admin worth their salt already knows that address can very well be duplicated and should have taken steps to mitigate any issues it might cause.

        For modern WiFi controllers using WPA2, this is usually taken care of by the hardware... it only allows one session state per mac address. Though occasionally testing that the vendors didn't introduce a bug in this scenario is merited, because vendor QA sucks.

        For wired networks, there are actually not very many good solutions to this. The best is to do dot1x EAP-TLS and embed registered MACs in the cert and teach the AAA servers to enforce that. (Really the best would be EAP-PEAP-MSCHAP with additional c

      • Sorry but I do. A MAC address is like the address on your house. The postman knows where and who you are to deliver the mail. And what about GPS? If you can change your address it would be great for crooks, and to blame the unlucky person who happens to own that false MAC. I personally don't see any advantage or good purpose to it. TCP/IP can only get you to the general area these days - Wi Fi break ins, and mobile gear took care of that.
    • by Anonymous Coward

      Your professors were already wrong 10 years ago, so you've been living a lie this entire time.

      I've personally been using the Mac address clone feature on my router for about 18 years, and I'm sure it has been around longer than that. Back in the day, ISPs wanted you to hook your PC directly to the DSL modem, but doing so made it impossible to switch PCs without calling tech support. Users quickly learned to use the MAC address clone feature of their routers. I'm still using the MAC address of the PC that I

    • by skids ( 119237 )

      Now I'm being told that a mac address has all the meaning of a Lotto card.

      MAC addresses with the "locally administered address" bit set are not assumed to be unique under normal (non-spoofed) network operation. The burned in address does not have this bit set. If a unicast MAC's second digit is 2, 6, A, or E it is a locally administered address.

      Supposedly even among the locally administered address, you are supposed to restrict your activity in a range in which you are registered. That horse has left the barn as all Apple devices don't respect that for address randomization... a
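The I/G and U/L bit rule described in the comment above, as an added example that is not part of the thread: it classifies an address by the two low bits of its first octet (so a network admin can tell randomized client addresses from burned-in ones in a log), and shows how a randomizer sets those bits. The sample addresses are constructed for illustration, not taken from any real device.

```python
# Added example (not from the Slashdot thread): classify 48-bit MAC addresses by
# the I/G (individual/group) and U/L (universal/local) bits of the first octet.
import re

def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff forms."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(hexdigits)

def classify_mac(mac: str) -> dict:
    octets = parse_mac(mac)
    first = octets[0]
    is_group = bool(first & 0x01)   # bit 0: multicast/broadcast when set
    is_local = bool(first & 0x02)   # bit 1: locally administered when set
    return {
        "mac": ":".join(f"{b:02x}" for b in octets),
        "multicast": is_group,
        "locally_administered": is_local,
        # bit 1 of the first octet is the low bit of its second hex digit, which
        # is why a unicast locally administered MAC has 2, 6, A or E there.
        "second_digit": f"{first & 0x0F:X}",
        # the OUI only identifies a vendor for burned-in (universal) addresses
        "oui": octets[:3].hex(":") if not is_local else None,
    }

def randomize_mac(random_bytes: bytes) -> str:
    """Turn six random bytes into a unicast, locally administered address,
    which is what an OS-level randomizer has to do to stay spec-conformant."""
    first = (random_bytes[0] & 0xFC) | 0x02   # clear I/G, set U/L
    return ":".join(f"{b:02x}" for b in bytes([first]) + random_bytes[1:6])

def count_randomized(macs) -> int:
    """Defender view: how many observed unicast client MACs look randomized?"""
    return sum(1 for m in macs
               if (c := classify_mac(m))["locally_administered"] and not c["multicast"])

# Constructed sample of addresses as they might appear in an access point log.
SAMPLE_MACS = [
    "00:1a:2b:3c:4d:5e",   # burned-in: universal, unicast
    "02:1a:2b:3c:4d:5e",   # same bytes with the U/L bit set
    "da-a1-19-00-11-22",   # second digit A: locally administered, unicast
    "01:00:5e:00:00:01",   # IPv4 multicast group address
]

if __name__ == "__main__":
    for m in SAMPLE_MACS:
        print(classify_mac(m))
    print(randomize_mac(bytes.fromhex("8f123456789a")))
```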

      • Locally administered addresses are often used for low volume products where someone doesn't want to deal with the IEEE. Some dataloggers I was working on around the turn of the century used local addresses made up of a common 16 most significant bit code (with the local bit set) and the 32 least significant bits coming from a Dallas one-wire serial number chip. At the time IEEE wouldn't even let Dallas sell chips with MAC addresses in them. I think eventually IEEE gave in.
      • That's sad. They had a good thing and they ruined it. :(
  • A friend of mine had a computer with a 3com NIC that incremented its MAC address every time he rebooted his PC. This started happening after he pulled the NIC out of a PCI slot while that motherboard was still turned on. This fried his motherboard and caused this peculiar behavior with his NIC.

  • Just don't enable wifi when you are not nearby a known access point you use.
    https://play.google.com/store/... [google.com]

  • So having a unique MAC address allows people to track you. Why don't we all use the same MAC address, then people won't be able to tell who we are. It's obvious really, what could possibly go wrong?
