Slashdot Mirror


MAC Address Randomization Flaws Leave Android and iOS Phones Open To Tracking (theregister.co.uk)

New submitter cryptizard writes: Modern Android and iOS versions include a technology called MAC address randomization to prevent passive tracking of users as they move from location to location. Unfortunately, researchers have revealed that this technology is implemented sporadically by device manufacturers and is often deployed with significant flaws that allow it to be easily defeated. A research paper [published by U.S. Naval Academy researchers] highlights a number of flaws in both Android and iOS that allow an adversary to track users even when their phones are using randomized MAC addresses. Most significantly, they demonstrate that a flaw in the way wireless chipsets handle low-level control messages can be exploited to track 100% of devices, regardless of manufacturer or operating system.

10 of 56 comments

  1. A MAC is not necessarily unique by mveloso · · Score: 3, Insightful

    "Every 802.11 radio on a mobile device possesses a 48-bit link-layer MAC address that is a globally unique identifier for that specific WiFi device."

    Uh, no. That address is assumed to be unique and identifies a specific WiFi radio/client. There is no enforcement for uniqueness, and indeed you can spoof your MAC address.

    Assuming the MAC is a unique identifier is always a Bad Idea.

    1. Re:A MAC is not necessarily unique by AHuxley · · Score: 2

      It could depend on what the Automated Implant Branch (AIB) can get to even after the MAC address has been altered.
      The hardware responds to a request for its hardware MAC address.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:A MAC is not necessarily unique by Solandri · · Score: 2

      You used to be able to spoof your MAC address. Intel removed the capability from their WiFi cards some time around 2010. The laptop I had before then could do it, but the laptop I replaced it with couldn't. When I investigated why, I learned that Intel had removed the capability due to too many wardrivers using the capability to connect to WiFi networks with poor security which were relying on MAC address filters. Kind of a backwards solution if you ask me, but it is what it is.

    3. Re: A MAC is not necessarily unique by corychristison · · Score: 2

      I'm guessing this is a Windows driver problem, not allowing you to spoof your MAC address.

      I just bought a new laptop in November. Has an Intel 7265 Wifi chip.

      On Linux, spoofing the MAC is built in, and randomly generates a new MAC when connecting to an Access Point with recent kernels and using Network Manager.

      It actually confused me for a bit, as part of my setup at home uses MAC whitelisting in conjunction with a really long key.

      I whitelisted the MAC, then started the install. When I rebooted after installing, I couldn't connect to the network. I thought I either didn't compile in the right kernel module, or I missed something.

      Turns out it was NetworkManager trying to make my life more secure. Fortunately you can configure a fixed MAC for specific Wireless networks.
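
Added example, not part of the thread or of any commenter's setup: a small Python check an administrator could run when a MAC allowlist rejects a client, as in the comment above. It assumes the usual convention that software-assigned (randomized) addresses set the locally administered bit of the first octet; the function names, the allowlist and the sample addresses are constructed for illustration.

```python
import re

def parse_mac(text):
    """Return the 6 address bytes from colon-, dash- or dot-separated hex."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def classify(mac):
    """Classify an address by the two flag bits in its first octet."""
    first = mac[0]
    if first & 0x01:
        return "multicast"             # I/G bit set: group address, not a client's own
    if first & 0x02:
        return "locally-administered"  # U/L bit set: assigned in software
    return "universal"                 # vendor OUI form; may still be a cloned address

def check_client(observed, allowlist):
    """Return (decision, reason) for an address seen at association time."""
    mac = parse_mac(observed)
    allowed = {parse_mac(entry) for entry in allowlist}
    kind = classify(mac)
    if mac in allowed:
        # A match only means the address was presented, not which device sent it.
        return ("allow", "listed")
    if kind == "locally-administered":
        # Likely a randomizing client: pin its MAC for this SSID on the client,
        # or allowlist the address it actually presents.
        return ("deny", "randomized-or-spoofed")
    if kind == "multicast":
        return ("deny", "not-a-station-address")
    return ("deny", "unlisted-hardware-address")

# Constructed sample data.
ALLOWLIST = ["00:11:22:33:44:55"]

if __name__ == "__main__":
    for seen in ("0011.2233.4455", "5A-3C-91-0E-77-B2", "00:11:22:33:44:56"):
        print(seen, check_client(seen, ALLOWLIST))
```
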

  2. Re:MAC stops at the subnet level by chispito · · Score: 2

    This is physical tracking the randomization is supposed to prevent, not web tracking. It is supposed to prevent law enforcement, or Disneyland, or whoever, from placing a bunch of wifi sniffing devices around the area they wish to track, listening for probes, and tracking your location without you knowing it.

    --
    The Daddy casts sleep on the Baby. The Baby resists!
  3. Re:MAC stops at the subnet level by chispito · · Score: 2

    Oh, and to follow up, the devices revert to their hardwired address once they join a network or Bluetooth pairs.

    --
    The Daddy casts sleep on the Baby. The Baby resists!
  4. Re:If you want to stay anonymous by TimHunter · · Score: 4, Funny

    Yes, this is why I have 17 different phones. One for home, one for the office, one for the mall, one for the coffee shop, one for Amazon, one for Twitter, etc. It's great because I never see ads that are targeted to me. The only problem is that I'd like to visit my friend in San Francisco but I can't do it until I get another phone.

  5. Re:There goes the foundation of the Web by clonehappy · · Score: 3, Insightful

    And that's why real world experience always trumps what you're taught out of a book. Yes, in theory, all physical addresses are unique. But in practice this has really never been the case. In the mid-2000s I remember tracking down an issue with two brand-name (3Com) NICs having identical MAC addresses.

    On a large wired LAN, duplicate MACs can cause issues. Beyond Layer 2, it shouldn't make one lick of difference whether your physical address is unique or not. Of course if you spoof your MAC, you're probably using the MAC of another device, somewhere, out in the wild. But unless they're on the same physical segment (or for cases of large scale DHCP and static leasing, the same LAN) no one will ever know. Any network admin worth their salt already knows that address can very well be duplicated and should have taken steps to mitigate any issues it might cause.

    Or are you under the impression that somehow MAC addresses are important to TCP/IP routing on the open internet? Because trust me, it doesn't matter at that level. That's what TCP/IP is for!

  6. Re:forest or trees? by clonehappy · · Score: 2

    I believe this is referring to the passive tracking of unassociated WLAN clients by rogue elements. Once you're associated with an AP and on the open internet, all bets are off because as you said, there are about 1000 better ways to track you at that point other than your MAC address.

  7. Re:Easily defeated... by skids · · Score: 2

    Location services turn the wifi radio back on in short blips even in airplane mode or with wifi off, long enough for their active tracking attack to work. Whether the response to the active attack can be squelched by device firmware alterations is not examined in the paper... it could very well be a silicon-encoded behavior to conserve power. Whether said location services include the e911 function is also not explicitly addressed. Whether this fact is a violation of airline policies is also beyond the scope of this paper.