Slashdot Mirror


MAC Address Randomization Flaws Leave Android and iOS Phones Open To Tracking (theregister.co.uk)

New submitter cryptizard writes: Modern Android and iOS versions include a technology called MAC address randomization to prevent passive tracking of users as they move from location to location. Unfortunately, researchers have revealed that this technology is implemented sporadically by device manufacturers and is often deployed with significant flaws that allow it to be easily defeated. A research paper [published by U.S. Naval Academy researchers] highlights a number of flaws in both Android and iOS that allow an adversary to track users even when their phones are using randomized MAC addresses. Most significantly, they demonstrate that a flaw in the way wireless chipsets handle low-level control messages can be exploited to track 100% of devices, regardless of manufacturer or operating system.


  1. A MAC is not necessarily unique by mveloso · Score: 3, Insightful

    "Every 802.11 radio on a mobile device possesses a 48-bit link-layer MAC address that is a globally unique identifier for that specific WiFi device."

    Uh, no. That address is assumed to be unique and identifies a specific WiFi radio/client. There is no enforcement for uniqueness, and indeed you can spoof your MAC address.

    Assuming the MAC is a unique identifier is always a Bad Idea.

  2. Re: There goes the foundation of the Web by clonehappy · Score: 3, Insightful

    And that's why real world experience always trumps what you're taught out of a book. Yes, in theory, all physical addresses are unique. But in practice this has really never been the case. In the mid-2000s I remember tracking down an issue with two brand-name (3Com) NICs having identical MAC addresses.

    On a large wired LAN, duplicate MACs can cause issues. Beyond Layer 2, it shouldn't make one lick of difference whether your physical address is unique or not. Of course, if you spoof your MAC, you're probably using the MAC of another device, somewhere, out in the wild. But unless they're on the same physical segment (or for cases of large-scale DHCP and static leasing, the same LAN) no one will ever know. Any network admin worth their salt already knows that address can very well be duplicated and should have taken steps to mitigate any issues it might cause.

    Or are you under the impression that somehow MAC addresses are important to TCP/IP routing on the open internet? Because trust me, it doesn't matter at that level. That's what TCP/IP is for!