Slashdot Mirror


MAC Address Randomization Flaws Leave Android and iOS Phones Open To Tracking (theregister.co.uk)

New submitter cryptizard writes: Modern Android and iOS versions include a technology called MAC address randomization to prevent passive tracking of users as they move from location to location. Unfortunately, researchers have revealed that this technology is implemented sporadically by device manufacturers and is often deployed with significant flaws that allow it to be easily defeated. A research paper [published by U.S. Naval Academy researchers] highlights a number of flaws in both Android and iOS that allow an adversary to track users even when their phones are using randomized MAC addresses. Most significantly, they demonstrate that a flaw in the way wireless chipsets handle low-level control messages can be exploited to track 100% of devices, regardless of manufacturer or operating system.

56 comments

  1. If you want to stay anonymous by Anonymous Coward · · Score: 0

    On the internet make sure to use separate devices for anything personally identifiable and anything not. Then keep your device behind a VPN with proxy. Then again you could just not connect.

    1. Re:If you want to stay anonymous by C+R+Johnson · · Score: 1

      And always visit different sites and use different services on separate devices.
      Advertising networks can identify you just by seeing you view ads on the few web sites you visit most often. And they can identify your phone in the same way.

      --
      The alternative to limited government is unlimited government.
    2. Re:If you want to stay anonymous by TimHunter · · Score: 4, Funny

      Yes, this is why I have 17 different phones. One for home, one for the office, one for the mall, one for the coffee shop, one for Amazon, one for Twitter, etc. It's great because I never see ads that are targeted to me. The only problem is that I'd like to visit my friend in San Francisco but I can't do it until I get another phone.

    3. Re:If you want to stay anonymous by AHuxley · · Score: 1

      Create your message on a one-time pad using paper away from any device. Never re-use the one-time pad. That will return privacy for the message from the junk hardware and software.
      Send the created message using the US brand hardware. No anonymity from the NSA, GCHQ, CIA but it's easy, instant two-way communications.
      If you need anonymity use a cult, faith group and have someone going on a trip for holiday, work, education pass on the message.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:If you want to stay anonymous by Coren22 · · Score: 1

      Don't forget to burn the OTP, and to mix the ashes up.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    5. Re:If you want to stay anonymous by AHuxley · · Score: 1

      A spy in WW2 kept a book of all their past messages in code and the plain text with them .... as they felt they had to file everything.

      --
      Domestic spying is now "Benign Information Gathering"
  2. A MAC is not necessarily unique by mveloso · · Score: 3, Insightful

    "Every 802.11 radio on a mobile device possesses a 48-bit link-layer MAC address that is a globally unique identifier for that specific WiFi device."

    Uh, no. That address is assumed to be unique and identifies a specific WiFi radio/client. There is no enforcement for uniqueness, and indeed you can spoof your MAC address.

    Assuming the MAC is a unique identifier is always a Bad Idea.

    1. Re: A MAC is not necessarily unique by Anonymous Coward · · Score: 0

      Assuming a MAC is unique is enough for advertising purposes. If you are using your Android for more nefarious purposes then you are an ass.

    2. Re:A MAC is not necessarily unique by Anonymous Coward · · Score: 0

      Perhaps, but usually it is unique.
      So for 99.998% of things with MAC addresses, they can be tracked in spite of all the (broken) randomization schemes.

      Have fun trying to spoof your MAC address well enough to avoid the tracking.

    3. Re:A MAC is not necessarily unique by Anonymous Coward · · Score: 1

      Yeah, uh. Tell that to the people who are tracking you.

      You: "Don't assume I'm me, dammit! Someone else could be spoofing me!"
      The man: "LOL. It's him again."

    4. Re:A MAC is not necessarily unique by AHuxley · · Score: 2

      It could depend on what the Automated Implant Branch (AIB) can get to even after the MAC address has been altered.
      The hardware responds to a request for its hardware MAC address.

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re:A MAC is not necessarily unique by Solandri · · Score: 2

      You used to be able to spoof your MAC address. Intel removed the capability from their WiFi cards some time around 2010. The laptop I had before then could do it, but the laptop I replaced it with couldn't. When I investigated why, I learned that Intel had removed the capability due to too many wardrivers using the capability to connect to WiFi networks with poor security which were relying on MAC address filters. Kind of a backwards solution if you ask me, but it is what it is.

    6. Re: A MAC is not necessarily unique by corychristison · · Score: 2

      I'm guessing this is a Windows driver problem, not allowing you to spoof your MAC address.

      I just bought a new laptop in November. Has an Intel 7265 Wifi chip.

      On Linux, spoofing the MAC is built in, and with recent kernels and NetworkManager it randomly generates a new MAC when connecting to an Access Point.

      It actually confused me for a bit, as part of my setup at home uses MAC whitelisting in conjunction with a really long key.

      I whitelisted the MAC, then started the install. When I rebooted after installing, I couldn't connect to the network. I thought I either didn't compile in the right kernel module, or I missed something.

      Turns out it was NetworkManager trying to make my life more secure. Fortunately you can configure a fixed MAC for specific Wireless networks.

    7. Re:A MAC is not necessarily unique by Cramer · · Score: 1

      By design, they're supposed to be unique. Manufacturers aren't supposed to "recycle" an OUI, but I've heard some lesser-known Chinese companies have. The likelihood of having a collision is nearly zero. Now, if you start "randomly" generating your own MACs, the probability of collisions goes way up. (30 years and counting, I've never seen two NICs with the same MAC -- well, that I hadn't messed with, or that weren't broken (all 0's).)

      Assuming a built-in address is unique is a safe bet. Assuming a made-up one is unique is going to be a problem eventually.

  3. forest or trees? by Anonymous Coward · · Score: 0

    If you are not running JavaScript, the MAC address is not sent outside your local network.

    If you are running JavaScript, you have tracking problems 1000 times the size of this one, so this is not where you should be focusing your attention.

    1. Re:forest or trees? by Anonymous Coward · · Score: 0

      Correcting myself here: it is sent to listening access points, so you have to turn off wifi for that to be true (which you ought to do anyway).

      But the point about not running JavaScript from random sites still holds: if you do that, all bets are off.

    2. Re:forest or trees? by clonehappy · · Score: 2

      I believe this is referring to the passive tracking of unassociated WLAN clients by rogue elements. Once you're associated with an AP and on the open internet, all bets are off because as you said, there are about 1000 better ways to track you at that point other than your MAC address.

    3. Re:forest or trees? by skids · · Score: 1

      > so you have to turn off wifi for that to be true

      From TFA:

      > Additional tests, while the target device had WiFi or Airplane-modes, enabled or disabled respectively, revealed further concerns. Namely, Android devices performing location-service enabled functions wake the 802.11 radio. Our RTS attack was thusly able to trigger a CTS response from the target, circumventing even extreme privacy countermeasures

  4. Easily defeated... by skullandbones99 · · Score: 1

    ...just turn off your SmartPhone's WiFi (and Bluetooth while you are at it)

    1. Re:Easily defeated... by cryptizard · · Score: 1

      Attacks still work against Android phones with WiFi turned off in some cases, check out the paper.

    2. Re:Easily defeated... by Anonymous Coward · · Score: 1

      No, C: if the WiFi circuit isn't powered, there is no MAC address sent, period. If you need to confirm that WiFi is truly off, just compare the power consumption of the phone on vs. off.

      Now this doesn't require that the device be registered to an access point, so in theory this attack would work if you left the WiFi circuit on, even if you didn't use a public WiFi service. The risk is only that your phone will be tracked, not hacked.

    3. Re:Easily defeated... by Plus1Entropy · · Score: 1

      No, C: if the WiFi circuit isn't powered, there is no MAC address sent, period. If you need to confirm that WiFi is truly off, just compare the power consumption of the phone on vs. off.

      Good luck with that. The WiFi is such a piddling amount of the draw that it may not even show up in the breakdown at all.

      --
      Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
    4. Re: Easily defeated... by Anonymous Coward · · Score: 0

      If wifi off
      Then
        screen power draw equals screen power draw plus wifi draw
        set wifi draw 0

    5. Re:Easily defeated... by skids · · Score: 2

      Location services turn the wifi radio back on in short blips even in airplane mode or with wifi off, long enough for their active tracking attack to work. Whether the response to the active attack can be squelched by device firmware alterations is not examined in the paper... it could very well be a silicon-encoded behavior to conserve power. Whether said location services include the e911 function is also not explicitly addressed. Whether this fact is a violation of airline policies is also beyond the scope of this paper.

    6. Re: Easily defeated... by Anonymous Coward · · Score: 0

      not on ios

  5. poor Verizon by Anonymous Coward · · Score: 0

    Their tracking data won't be worth nearly as much if anyone can track their customers and make their own.

    I thought they can track you by battery characteristics and a myriad of other ways already.

  6. Using WiFi in public? by krelvin · · Score: 1

    It's a real issue because stores can buy Wi-Fi equipment that logs smartphones' MAC addresses, so that shoppers are recognized by their handheld when they next walk in, or walk into affiliate shop with the same creepy system present.

    Hmmm, not an issue. I don't use WiFi when I am away from known secure locations. Not an issue.

    1. Re:Using WiFi in public? by Anonymous Coward · · Score: 0

      You don't have to actually *use* WiFi to be tracked, it merely has to be enabled. It's quite a promiscuous technology - always looking to pair up.

    2. Re:Using WiFi in public? by skids · · Score: 1

      It doesn't even have to be enabled, on Android... but they need to already know your MAC address by some other means (like one of the other derandomization attacks in the paper.)

  7. MAC stops at the subnet level by Rick+Schumann · · Score: 1

    Am I not remembering correctly, or am I correct in that when a packet is routed past its original logical subnet, the MAC address is no longer part of the packet header, in which case the ability to track individual users is only possible within the logical subnet, and therefore only the ISP or wireless provider can track you?

    1. Re:MAC stops at the subnet level by Anonymous Coward · · Score: 0

      That's correct. This attack is limited to the same broadcast domain so the targets are very limited.

    2. Re: MAC stops at the subnet level by Anonymous Coward · · Score: 1

      I think this has more to do with how the WiFi is processed on the machine. The summary seems to say the MAC address can be tracked but not very well so they just use another better method. "Most significantly, they demonstrate that a flaw in the way wireless chipsets handle low-level control messages can be exploited to track 100% of devices, regardless of manufacturer or operating system." Kinda like fingerprinting by audio, graphic, etc... If I had to guess.

    3. Re:MAC stops at the subnet level by chispito · · Score: 2

      This is physical tracking the randomization is supposed to prevent, not web tracking. It is supposed to prevent law enforcement, or Disneyland, or whoever, from placing a bunch of wifi sniffing devices around the area they wish to track, listening for probes, and tracking your location without you knowing it.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    4. Re:MAC stops at the subnet level by chispito · · Score: 2

      Oh, and to follow up, the devices revert to their hardwired address once they join a network or bluetooth pairs.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
  8. There goes the foundation of the Web by Neuronwelder · · Score: 1

    About a decade ago I was taught in Computer Systems in college that the MAC address assures you that it is a unique address hard-coded on the NIC, which only that Ethernet card owns, and nobody else has that number. The MAC authorized number is stored in the IEEE Registration Authority. (Yes, I know it can be spoofed, but it is hard not to bump into an identical MAC number.) This is the person's device, they own it, assuring you that what you are talking to is their personal device, where they reside and where they are going. Now I'm being told that a MAC address has all the meaning of a Lotto card. This opens a door wide open for all kinds of huge abuse, like a free-for-all has just started.

    1. Re:There goes the foundation of the Web by Anonymous Coward · · Score: 0

      Thankfully HTTPS everywhere is closing that.

      Oh, and BTW I've been known to ban misbehaving MAC addresses. If a randomized MAC misbehaves I'll start banning all randomized MAC addresses. (There's a way to tell.)

    2. Re:There goes the foundation of the Web by clonehappy · · Score: 3, Insightful

      And that's why real world experience always trumps what you're taught out of a book. Yes, in theory, all physical addresses are unique. But in practice this has really never been the case. In the mid-2000s I remember tracking down an issue with two brand-name (3Com) NICs having identical MAC addresses.

      On a large wired LAN, duplicate MACs can cause issues. Beyond Layer 2, it shouldn't make one lick of difference whether your physical address is unique or not. Of course if you spoof your MAC, you're probably using the MAC of another device, somewhere, out in the wild. But unless they're on the same physical segment (or for cases of large scale DHCP and static leasing, the same LAN) no one will ever know. Any network admin worth their salt already knows that address can very well be duplicated and should have taken steps to mitigate any issues it might cause.

      Or are you under the impression that somehow MAC addresses are important to TCP/IP routing on the open internet? Because trust me, it doesn't matter at that level. That's what TCP/IP is for!

    3. Re:There goes the foundation of the Web by Anonymous Coward · · Score: 1

      Your professors were already wrong 10 years ago, so you've been living a lie this entire time.

      I've personally been using the MAC address clone feature on my router for about 18 years, and I'm sure it has been around longer than that. Back in the day, ISPs wanted you to hook your PC directly to the DSL modem, but doing so made it impossible to switch PCs without calling tech support. Users quickly learned to use the MAC address clone feature of their routers. I'm still using the MAC address of the PC that I threw away in 2005.

      p.s. Your head will probably explode when you find out about promiscuous mode. Basically every NIC made in the past decade supports it. If you don't like your device's MAC address and you've got root, you can change it to whatever you feel like. It's great fun at LAN parties. :)

    4. Re:There goes the foundation of the Web by Anonymous Coward · · Score: 0

      > If a randomized MAC misbehaves I'll start banning all randomized MAC addresses.

      That's every iphone period, and most Androids. So get fucked.

    5. Re:There goes the foundation of the Web by Anonymous Coward · · Score: 0

      > out a decade ago I was taught Computer systems in College that the MAC address assures you that, It is a unique address that is hard coded on the NIC, and that Ethernet card only owns, and nobody else has hat number.

      That's (a) wrong and (b) moronic on its face. Just because there's a list doesn't mean it is accurate, or can be used to authenticate. It's also terrible news for privacy if that WAS the case.

      https://en.wikibooks.org/wiki/Changing_Your_MAC_Address/Linux

      If you can change your MAC address, it is obviously not guaranteed to be unique, or registered, or any other fucking thing.

    6. Re:There goes the foundation of the Web by Anonymous Coward · · Score: 0

      Since forever Sun workstations and servers used the same MAC on all of their interfaces by default. In theory no two interfaces would be on the same ethernet subnet so it made things simpler. In practice that wasn't always the case.

    7. Re:There goes the foundation of the Web by skids · · Score: 1

      > Now I'm being told that a mac address has all the meaning of a Lotto card.

      MAC addresses with the "locally administered address" bit set are not assumed to be unique under normal (non-spoofed) network operation. The burned-in address does not have this bit set. If a unicast MAC's second digit is 2, 6, A, or E it is a locally administered address.

      Supposedly even among the locally administered address, you are supposed to restrict your activity in a range in which you are registered. That horse has left the barn as all Apple devices don't respect that for address randomization... and really if they wanted people to respect that rule, they should not have named that bit as they did.

      The paper did find one particular class of devices that violated the globally unique subspace within a certain OID range, which is trash behavior.

    8. Re:There goes the foundation of the Web by skids · · Score: 1

      > If a randomized MAC misbehaves I'll start banning all randomized MAC addresses.

      That might be an interesting way to cut down on RF chatter in dense AP deployments, if all your clients can either connect without probes or have your network preconfigured and will do directed probes. The paper did mention 17 out of 25 devices identified as "windows 10 or linux" used a locally administered address during and after association, though. So maybe just ignore probes rather than totally ban them.

    9. Re:There goes the foundation of the Web by skids · · Score: 1

      > Any network admin worth their salt already knows that address can very well be duplicated and should have taken steps to mitigate any issues it might cause.

      For modern WiFi controllers using WPA2, this is usually taken care of by the hardware... it only allows one session state per mac address. Though occasionally testing that the vendors didn't introduce a bug in this scenario is merited, because vendor QA sucks.

      For wired networks, there are actually not very many good solutions to this. The best is to do dot1x EAP-TLS and embed registered MACs in the cert and teach the AAA servers to enforce that. (Really the best would be EAP-PEAP-MSCHAP with additional client certificate validation, but good luck getting the various supplicants to all sing that tune.) That's not a common setup in all but the most well-staffed IT departments due to the overhead of running an in-house CA and provisioning clients to do dot1x on wired interfaces. The next best thing is a mac-auth-bypass setup with duplicate login protection, but this can be unreliable if a user moves between wired ports and the always somewhat cretinous vendor NAS code bungles the accounting packets so the old session is not closed out promptly. Almost all wired networks should do ip source guard and arp-protect, but without some in-house magic on the DHCP server and NAS to send and process NAS/port identification attributes to cobble together an in-house duplicate prevention system, all that does is prevent multiple IPs from being used by the same MAC, not two machines using the same MAC/IP pair.

      So even network admins "worth their salt" often have not taken measures to prevent wired MAC spoofing... it's extremely time consuming and hard to sell to the PHB in all but high security environments.

    10. Re:There goes the foundation of the Web by certsoft · · Score: 1

      Locally administered addresses are often used for low-volume products where someone doesn't want to deal with the IEEE. Some dataloggers I was working on around the turn of the century used local addresses made up of a common 16-most-significant-bit code (with the local bit set) and the 32 least significant bits coming from a Dallas one-wire serial number chip. At the time the IEEE wouldn't even let Dallas sell chips with MAC addresses in them. I think eventually the IEEE gave in.
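The "locally administered" bit that skids describes, the 17-of-25 probe observation, and the 16-bit-code-plus-serial scheme certsoft describes all come down to the two flag bits of the first octet. This added example (not from the thread, the paper, or any vendor) classifies MAC addresses by those bits, checks the second-hex-digit shorthand against the real bit test, builds a local address the way certsoft's dataloggers did, and triages a constructed probe-request log into burned-in versus locally administered sources; the log format and all addresses in it are made up.

```python
"""Classify 48-bit MAC addresses by their I/G and U/L bits (added example)."""
import re
from dataclasses import dataclass

# Second hex digit of a unicast MAC when the U/L bit is set: 2, 6, A or E.
LOCAL_SECOND_DIGITS = set("26AE")


def parse_mac(text: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return 6 bytes."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


@dataclass(frozen=True)
class MacInfo:
    address: str                # canonical lower-case colon form
    multicast: bool             # I/G bit (bit 0 of first octet) set
    locally_administered: bool  # U/L bit (bit 1 of first octet) set
    oui: str                    # first three octets; the vendor prefix for global addresses


def classify(text: str) -> MacInfo:
    raw = parse_mac(text)
    first = raw[0]
    return MacInfo(
        address=":".join(f"{b:02x}" for b in raw),
        multicast=bool(first & 0x01),
        locally_administered=bool(first & 0x02),
        oui=raw[:3].hex(":"),
    )


def second_digit_rule(text: str) -> bool:
    """The thread's shorthand: second hex digit 2/6/A/E means locally administered.
    It agrees with the U/L bit test for unicast addresses."""
    return classify(text).address[1].upper() in LOCAL_SECOND_DIGITS


def make_local_address(vendor_code16: int, serial32: int) -> str:
    """Build a locally administered unicast address from a 16-bit code and a 32-bit
    serial (certsoft's scheme): the U/L bit is forced on and the I/G bit forced off."""
    if not 0 <= vendor_code16 < 1 << 16 or not 0 <= serial32 < 1 << 32:
        raise ValueError("vendor code must fit 16 bits, serial must fit 32 bits")
    value = (vendor_code16 << 32) | serial32
    first = (((value >> 40) & 0xFF) | 0x02) & ~0x01
    raw = bytes([first]) + (value & 0xFF_FFFF_FFFF).to_bytes(5, "big")
    return ":".join(f"{b:02x}" for b in raw)


# Constructed probe-request log (not a real capture): time, source MAC, probed SSID.
SAMPLE_PROBES = """\
12:00:01 src=da:a1:19:3c:22:01 ssid=<broadcast>
12:00:01 src=3c:22:fb:aa:bb:01 ssid=HomeNet
12:00:02 src=02:00:00:11:22:33 ssid=<broadcast>
12:00:03 src=3c:22:fb:aa:bb:01 ssid=<broadcast>
12:00:04 src=f0:18:98:01:02:03 ssid=CoffeeShop
12:00:05 src=ee:ff:00:12:34:56 ssid=<broadcast>
"""


def summarize_probes(log: str) -> dict:
    """Count distinct probe sources by class, the first triage step on a capture."""
    global_set, local_set = set(), set()
    for line in log.splitlines():
        m = re.search(r"src=([0-9a-fA-F:.-]+)", line)
        if not m:
            continue
        info = classify(m.group(1))
        (local_set if info.locally_administered else global_set).add(info.address)
    return {"global": len(global_set), "local": len(local_set)}
```

The sample log yields two burned-in and three locally administered sources; the 3c:22:fb host appears twice but is counted once, which is the de-duplication a real capture needs before comparing against a figure like the paper's 17 of 25.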

    11. Re:There goes the foundation of the Web by Neuronwelder · · Score: 1

      Sorry but I do. A MAC address is like the address on your house. The postman knows where and who you are to deliver the mail. And what about GPS? If you can change your address it would be great for crooks, and to blame the unlucky person who happens to own that false MAC. I personally don't see any advantage or good purpose to it. TCP/IP can only get you to the general area these days - Wi-Fi break-ins and mobile gear took care of that.

    12. Re:There goes the foundation of the Web by Neuronwelder · · Score: 1

      That's sad. They had a good thing and they ruined it. :(

    13. Re: There goes the foundation of the Web by Anonymous Coward · · Score: 0

      It is true. Manufacturers apply for a unique OUI and they uniquely hardcode MAC addresses into the hardware to prevent duplicate MAC address problems. This is in hardware, stored in an eeprom.

      What you're talking about is simply a software change in the driver to not read the hardware's MAC address from EEPROM and use whatever you specify. You can do what you want when you write the drivers and firmware of a device.

    14. Re:There goes the foundation of the Web by Anonymous Coward · · Score: 0

      Thankfully HTTPSSometimesMaybe is closing that.

      FTFY.

      NTTPNowhere seems to be a bit better.

  9. The point is to have people keep using the devices by Anonymous Coward · · Score: 0

    The manufacturers don't care about the tracking. They only want people to keep using the devices, and will only do just enough to appease them.

  10. same as bluetooth by Anonymous Coward · · Score: 0

    Even if you change the name, its MAC remains unless spoofed. In a short range, if you know who has a device you could now know who is in the area and track them.

  11. NIC with MAC address that changed every boot by Vairon · · Score: 1

    A friend of mine had a computer with a 3com NIC that incremented its MAC address every time he rebooted his PC. This started happening after he pulled the NIC out of a PCI slot while that motherboard was still turned on. This fried his motherboard and caused this peculiar behavior with his NIC.

  12. Smarter Wifi Manager by Nikademus · · Score: 1

    Just don't enable wifi when you are not nearby a known access point you use.
    https://play.google.com/store/...

    --
    I gave up with the idea of a useful sig...
  13. Easy solution by jeremyp · · Score: 1

    So having a unique MAC address allows people to track you. Why don't we all use the same MAC address, then people won't be able to tell who we are. It's obvious really, what could possibly go wrong?

    --
    All I want is a secure system where it's easy to do anything I want. Is that too much to ask? ~~ Randall Munroe
    1. Re: Easy solution by Anonymous Coward · · Score: 0

      Works great till my girlfriend gets your dick pics instead of mine.

  14. It'll be really cheap too by Anonymous Coward · · Score: 0

    Everybody in the world sharing that one device.