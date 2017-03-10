Become a fan of Slashdot on Facebook

 


New submitter cryptizard writes: Modern Android and iOS versions include a technology called MAC address randomization to prevent passive tracking of users as they move from location to location. Unfortunately, researchers have revealed that this technology is implemented sporadically by device manufacturers and is often deployed with significant flaws that allow it to be easily defeated. A research paper [published by U.S. Naval Academy researchers] highlights a number of flaws in both Android and iOS that allow an adversary to track users even when their phones are using randomized MAC addresses. Most significantly, they demonstrate that a flaw in the way wireless chipsets handle low-level control messages can be exploited to track 100% of devices, regardless of manufacturer or operating system.

  • "Every 802.11 radio on a mobile device possesses a 48-bit link-layer MAC address that is a globally unique identifier for that specific WiFi device."

    Uh, no. That address is assumed to be unique and identifies a specific WiFi radio/client. There is no enforcement for uniqueness, and indeed you can spoof your MAC address.

    Assuming the MAC is a unique identifier is always a Bad Idea.

  • ...just turn off your SmartPhone's WiFi (and Bluetooth while you are at it)

  • It's a real issue because stores can buy Wi-Fi equipment that logs smartphones' MAC addresses, so that shoppers are recognized by their handheld when they next walk in, or walk into affiliate shop with the same creepy system present.

    Hmmm, not an issue. I don't use WiFi when I am away from known secure locations. Not an issue.

  • Am I not remembering correctly, or am I correct in that when a packet is routed past it's original logical subnet, the MAC address is no longer part of the packet header, in which case the ability to track individual users is only possible within the logical subnet, and therefore only the ISP or wireless provider can track you?
    • This is physical tracking the randomization is supposed to prevent, not web tracking. It is supposed to prevent law enforcement, or Disneyland, or whoever, from placing a bunch of wifi sniffing devices around the area they wish to track, listening for probes, and tracking your location without you knowing it.
      • Oh, and to follow up, the devices revert to their hardwired address once they join a network or bluetooth pairs.
  • About a decade ago I was taught Computer systems in College that the MAC address assures you that, It is a unique address that is hard coded on the NIC, and that Ethernet card only owns, and nobody else has hat number.. The mac authorized number is stored in the IEEE Registration Authority. (Yes I know it can be spoofed, but it is hard not to bump into an identical mac number.) This is the persons device, they own it, assuring you that you are talking to is their personal device.. Where they reside and whe

    • And that's why real world experience always trumps what you're taught out of a book. Yes, in theory, all physical addresses are unique. But in practice this has really never been the case. In the mid-2000s I remember tracking down an issue with two brand-name (3Com) NICs having identical MAC addresses.

      On a large wired LAN, duplicate MACs can cause issues. Beyond Layer 2, it shouldn't make one lick of difference whether your physical address is unique or not. Of course if you spoof your MAC, you're probably

