MAC Address Randomization Flaws Leave Android and iOS Phones Open To Tracking (theregister.co.uk)
New submitter cryptizard writes: Modern Android and iOS versions include a technology called MAC address randomization to prevent passive tracking of users as they move from location to location. Unfortunately, researchers have revealed that this technology is implemented sporadically by device manufacturers and is often deployed with significant flaws that allow it to be easily defeated. A research paper [published by U.S. Naval Academy researchers] highlights a number of flaws in both Android and iOS that allow an adversary to track users even when their phones are using randomized MAC addresses. Most significantly, they demonstrate that a flaw in the way wireless chipsets handle low-level control messages can be exploited to track 100% of devices, regardless of manufacturer or operating system.
Re: (Score:2)
And always visit different sites and use different services on separate devices.
Advertising networks can identify you just by seeing you view ads on the few web sites you visit most often. And they can identify your phone in the same way.
Re:If you want to stay anonymous (Score:5, Funny)
Re: (Score:2)
Send the created message using the US brand hardware. No anonymity from the NSA, GCHQ, CIA but its easy, instant two way communications.
If you need anonymity use a cult, faith group and have someone going on trip for holiday, work, education pass on the message.
Re: (Score:2)
Don't forget to burn the OTP, and to mix the ashes up.
Re: (Score:2)
A MAC is not necessarily unique (Score:4, Insightful)
"Every 802.11 radio on a mobile device possesses a 48-bit link-layer MAC address that is a globally unique identifier for that specific WiFi device."
Uh, no. That address is assumed to be unique and identifies a specific WiFi radio/client. There is no enforcement for uniqueness, and indeed you can spoof your MAC address.
Assuming the MAC is a unique identifier is always a Bad Idea.
Re: (Score:1)
Yeah, uh. Tell that to the people who are tracking you.
You: "Don't assume I'm me, dammit! Someone else could be spoofing me!"
The man: "LOL. It's him again."
Re: (Score:3)
The hardware responds to a request for its hardware MAC address.
Re: (Score:3)
Re: A MAC is not necessarily unique (Score:3)
I'm guessing this is a Windows driver problem, not allowing you to spoof your MAC address.
I just bought a new laptop in November. Has an Intel 7265 Wifi chip.
On Linux, spoofing the MAC is built in, and randomly generates a new MAC when connecting to an Access Point with recent kernels and using Network Manager.
It actually confused me for a bit, as part of my setup at home uses MAC whitelisting in conjunction with a really long key.
I whitelisted the MAC, then started the install. When I rebooted after insta
Re: (Score:1)
By design, they're supposed to be unique. Manufacturers aren't supposed to "recycle" an OUI, but I've heard some lesser known Chinese companies have. The likelihood of having a collision is nearly zero. Now, if you start "randomly" generating your own MACs, the probability of collisions goes way up. (30 years and counting, I've never seen two NICs with the same MAC -- well, that I hadn't messed with, or were broken (all 0's))
Assuming a built-in-address is unique is a safe bet. Assuming a made up one is uniq
Re: (Score:2)
so you have to turn off wifi for that to be true
From TFA:
Additional tests, while the target device had WiFi or Airplane-modes, enabled or disabled respectively, revealed further concerns. Namely, Android devices performing location-service enabled functions wake the 802.11 radio. Our RTS attack was thusly able to trigger a CTS response from the target, circumventing even extreme privacy countermeasures
Re: (Score:2)
I believe this is referring to the passive tracking of unassociated WLAN clients by rogue elements. Once you're associated with an AP and on the open internet, all bets are off because as you said, there are about 1000 better ways to track you at that point other than your MAC address.
Easily defeated... (Score:1)
...just turn off your SmartPhone's WiFi (and Bluetooth while you are at it)
Re: (Score:2)
Re: (Score:1)
No, C: if the WiFi circuit isn't powered, there is no MAC address sent, period. If you need to confirm that WiFi is truly off, just compare the power consumption of the phone on vs. off.
Now this doesn't require that the device be registered to an access point, so in theory this attack would work if you left the WiFi circuit on, even if you didn't use a public WiFi service. The risk is only that your phone will be tracked, not hacked.
Re: (Score:2)
No, C: if the WiFi circuit isn't powered, there is no MAC address sent, period. If you need to confirm that WiFi is truly off, just compare the power consumption of the phone on vs. off.
Good luck with that. The WiFi is such a piddling amount of the draw that it may not even show up in the breakdown at all.
Re: (Score:3)
Location services turn the wifi radio back on in short blips even in airplane mode or with wifi off, long enough for their active tracking attack to work. Whether the response to the active attack can be quelched by device firmware alterations is not examined in the paper... it could very well be a silicon-encoded behavior to conserve power. Whether said location services include the e911 function is also not explicitly addressed. Whether this fact is a violation of airline policies is also beyond the sc
Using WiFi in public? (Score:2)
It's a real issue because stores can buy Wi-Fi equipment that logs smartphones' MAC addresses, so that shoppers are recognized by their handheld when they next walk in, or walk into affiliate shop with the same creepy system present.
Hmmm, not an issue. I don't use WiFi when I am away from known secure locations. Not an issue.
Re: (Score:2)
It doesn't even have to be enabled, on Android... but they need to already know your MAC address by some other means (like one of the other derandomization attacks in the paper.)
MAC stops at the subnet level (Score:2)
Re: MAC stops at the subnet level (Score:1)
I think this has more to do with how the WiFi is processed on the machine. The summary seems to say the MAC address can be tracked but not very well so they just use another better method. "Most significantly, they demonstrate that a flaw in the way wireless chipsets handle low-level control messages can be exploited to track 100% of devices, regardless of manufacturer or operating system." Kinda like fingerprinting by audio, graphic, etc... If I had to guess.
Re: (Score:3)
Re: (Score:3)
There goes the foundation of the Web (Score:1)
Re: (Score:2)
If a randomized MAC misbehaves I'll start banning all randomized MAC addresses.
That might be an interesting way to cut down on RF chatter in dense AP deployments, if all your clients can either connect without probes or have your network preconfigured and will do directed probes. The paper did mention 17 out of 25 devices identified as "windows 10 or linux" used a locally administered address during and after association, though. So maybe just ignore probes rather than totally ban them.
Re: (Score:3, Insightful)
And that's why real world experience always trumps what you're taught out of a book. Yes, in theory, all physical addresses are unique. But in practice this has really never been the case. In the mid-2000s I remember tracking down an issue with two brand-name (3Com) NICs having identical MAC addresses.
On a large wired LAN, duplicate MACs can cause issues. Beyond Layer 2, it shouldn't make one lick of difference whether your physical address is unique or not. Of course if you spoof your MAC, you're probably
Re: (Score:2)
Any network admin worth their salt already knows that address can very well be duplicated and should have taken steps to mitigate any issues it might cause.
For modern WiFi controllers using WPA2, this is usually taken care of by the hardware... it only allows one session state per mac address. Though occasionally testing that the vendors didn't introduce a bug in this scenario is merited, because vendor QA sucks.
For wired networks, there are actually not very many good solutions to this. The best is to do dot1x EAP-TLS and embed registered MACs in the cert and teach the AAA servers to enforce that. (Really the best would be EAP-PEAP-MSCHAP with additional c
Re: (Score:1)
Re: (Score:1)
Your professors were already wrong 10 years ago, so you've been living a lie this entire time.
I've personally been using the Mac address clone feature on my router for about 18 years, and I'm sure it has been around longer than that. Back in the day, ISPs wanted you to hook your PC directly to the DSL modem, but doing so made it impossible to switch PCs without calling tech support. Users quickly learned to use the MAC address clone feature of their routers. I'm still using the MAC address of the PC that I
Re: (Score:2)
Now I'm being told that a mac address has all the meaning of a Lotto card.
MAC addresses with the "locally administered address" bit set are not assumed to be unique under normal (non-spoofed) network operation. The burned-in address does not have this bit set. If a unicast MAC's second hex digit is 2, 6, A, or E, it is a locally administered address.
Supposedly even among the locally administered address, you are supposed to restrict your activity in a range in which you are registered. That horse has left the barn as all Apple devices don't respect that for address randomization... a
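The bit rule in the comment above can be checked mechanically. The following Python is an added example, not the commenter's code and not from the paper: it parses a MAC in the common textual forms, reads the two flag bits of the first octet (I/G for multicast, U/L for locally administered), derives the "second digit is 2, 6, A or E" rule from those bits, and counts how many addresses in a log look randomized versus burned-in. The sample addresses are constructed for the demonstration, not captured traffic.

```python
import re
from collections import Counter

# Constructed sample (not captured data): addresses as they might appear in an
# access point or probe log, chosen to exercise each flag-bit combination.
SAMPLE_ADDRESSES = [
    "00:11:22:33:44:55",   # universally administered unicast (burned-in style)
    "02-00-00-00-00-01",   # locally administered unicast, hyphen form
    "da:a1:19:00:00:01",   # locally administered unicast (second digit A)
    "0011.2233.4456",      # Cisco dotted form, universally administered
    "01:00:5e:00:00:fb",   # multicast, universally administered
    "7e:12:34:56:78:9a",   # locally administered unicast (second digit E)
]


def parse_mac(text):
    """Normalise colon, hyphen, dotted or bare 12-hex-digit forms to 6 bytes."""
    digits = re.sub(r"[:\-.\s]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def is_multicast(mac):
    # I/G bit: least significant bit of the first octet
    return bool(mac[0] & 0x01)


def is_locally_administered(mac):
    # U/L bit: second least significant bit of the first octet
    return bool(mac[0] & 0x02)


def oui(mac):
    # First three octets; only meaningful when the U/L bit is clear
    return mac[:3].hex(":").upper()


def second_hex_digit(mac):
    return f"{mac[0]:02X}"[1]


def classify(text):
    mac = parse_mac(text)
    return {
        "mac": mac.hex(":"),
        "oui": oui(mac),
        "multicast": is_multicast(mac),
        "locally_administered": is_locally_administered(mac),
        "second_digit": second_hex_digit(mac),
    }


def laa_unicast_second_digits():
    """Derive the comment's rule from the bits: which second hex digits a
    unicast (I/G clear), locally administered (U/L set) first octet can have."""
    return sorted({f"{o:02X}"[1] for o in range(256) if o & 0x03 == 0x02})


def summarise(addresses):
    """Count addresses that look randomised (LAA unicast) vs burned-in vs multicast."""
    counts = Counter()
    for addr in addresses:
        c = classify(addr)
        if c["multicast"]:
            counts["multicast"] += 1
        elif c["locally_administered"]:
            counts["locally_administered_unicast"] += 1
        else:
            counts["universally_administered_unicast"] += 1
    return dict(counts)


if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        print(classify(addr))
    print("LAA unicast second digits:", laa_unicast_second_digits())
    print(summarise(SAMPLE_ADDRESSES))
```

Because randomized addresses carry the U/L bit, an OUI lookup on them says nothing about the vendor, which is why `oui()` is only meaningful for addresses `classify()` reports as universally administered.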
Re: (Score:2)
Re: (Score:1)
NIC with MAC address that changed every boot (Score:2)
A friend of mine had a computer with a 3com NIC that incremented its MAC address every time he rebooted his PC. This started happening after he pulled the NIC out of a PCI slot while that motherboard was still turned on. This fried his motherboard and caused this peculiar behavior with his NIC.
Smarter Wifi Manager (Score:2)
Just don't enable wifi when you are not nearby a known access point you use.
https://play.google.com/store/... [google.com]
Easy solution (Score:2)
So having a unique MAC address allows people to track you. Why don't we all use the same MAC address? Then people won't be able to tell who we are. It's obvious really, what could possibly go wrong?