MAC Address Randomization: Not as Random as You Think

@Patrick re: Blog Post

MAC Address Randomization: Not as Random as You Think

For privacy-minded individuals, randomization of Media Access Control (MAC) addresses for Wi-Fi networks and mobile devices has long been touted as a standard defensive technique. However, recent research https://arxiv.org/pdf/1703.02874v1.pdf suggests that major flaws in implementation have left smartphone users defenseless and vulnerable to exploitation.

What is MAC Address Randomization?

All network interfaces on networked devices have a factory-assigned MAC address which is hard-coded on a network interface controller. In the case of smartphones using 802.11 (Wi-Fi) radio specifications IEEE 802.11 - Wikipedia, devices have a 48-bit link-layer MAC address that functions as a globally unique identifier. The MAC address is sent in every link-layer frame sent to or from the mobile device. https://arxiv.org/pdf/1703.02874v1.pdf

Smartphone behaviour is distinct from general computing network cards (both wired and wireless), as the MAC address used to assign an address to your computer on the local network is not passively sent to computers beyond the local router. This means the MAC address is not traceable unless logged by other computers on the network. [Footnote: Unfortunately, due to weaknesses in current spoofing methods it is likely the MAC address can be enumerated via the physical characteristics of the Wi-Fi card.] Computer Security Education - Whonix
[Footnote: Spoofing is only necessary if you expect to travel with your laptop or PC. It is not required for home PCs that do not change locations. For further information on spoofing MAC addresses in Whonix, see Computer Security Education - Whonix ]

Smartphone behaviour has grave privacy implications. Any network observer can eavesdrop on nearby Wi-Fi traffic, with pinpointing of this traffic to a uniquely identified device. https://arxiv.org/pdf/1703.02874v1.pdf In addition to broadcasting of the MAC address ID, smartphones constantly send probe requests that broadcast at a semi-constant rate, posing an even greater surveillance risk: https://arxiv.org/pdf/1703.02874v1.pdf

... wireless devices identify access points within close proximity. Traditionally, devices perform active scanning where they broadcast probe request frames asking nearby APs to identify themselves and respond with 802.11 parameter information required for connection setup. These probe request frames require a source MAC address, but if an 802.11 device uses its globally unique MAC address then it is effectively broadcasting its identity at all times to any wireless receiver that is nearby. Wireless device users can then easily be tracked across temporal and spatial boundaries as their devices are transmitting with their unique identity.

In an attempt to solve this problem, most major smartphone device manufacturers and operating systems (Android, iOS etc.) have implemented protocols to create temporary, randomized MAC addresses that are distinct from the true global identifier. Randomized, pseudonym addresses are changed periodically to restrict third party tracking. MAC spoofing - Wikipedia

In theory, observers of network traffic (like ISPs) should be prevented from singling out smartphone traffic or identifying the physical location from other nearby devices, because randomized MAC addresses shouldn’t be linkable to the previous address. https://arxiv.org/pdf/1703.02874v1.pdf

The Flawed MAC Address Randomization Implementation

Transportation of network traffic without a static ID is a common sense approach for privacy advocates. Unfortunately, a recent study by the US Naval Academy shows the implementation of this technique in smartphones is seriously flawed across every OS platform, device manufacturer and model.

Using real-world datasets, the 2017 study found: https://arxiv.org/pdf/1703.02874v1.pdf

  • Randomization techniques and schemes were easily identified from large collections of wireless traffic.
  • Adoption rates for MAC randomization are low, particularly for Android devices. [Footnote: Possibly due to chipset and firmware incompatibilities.]
  • Determining true global identifiers with passive and active techniques is a trivial task due to flawed MAC randomization implementations, particularly for Android devices. [Footnote: Notably, Samsung devices were never observed to perform MAC randomization, despite being the leading manufacturer of Android devices.]
  • The global MAC address was discoverable via a “control frame attack”. This allows tracking/surveillance for all known devices, irrespective of the OS, manufacturer, device type or randomization scheme.

Smartphone chipsets were discovered to have a flaw in how they handled low-level control frames, allowing an identification accuracy of 100%. Considering previous studies exhibited “only” a 50% accuracy rate, and Android devices were susceptible even when Wi-Fi was disabled or Airplane Mode enabled, this is a devastating result for user privacy. MAC Address Randomization Gets Clobbered

Conclusion

Unfortunately, smartphone MAC address randomization policies are not universally adopted, nor particularly effective at eliminating privacy risks. Network adversaries currently have a smaller test set to contend with, making their job of identification easier. https://arxiv.org/pdf/1703.02874v1.pdf

Standardized MAC address randomization needs to be correctly implemented on any mobile device using Wi-Fi, with the entire length of the MAC field used as randomization input. Unique methods of randomization simply increase the attacker’s chances of deanonymizing a user. https://arxiv.org/pdf/1703.02874v1.pdf

Other critical changes for smartphone user privacy include: https://arxiv.org/pdf/1703.02874v1.pdf [Footnote: See the original paper for further discussion of these issues.]

  • Random addresses for every probe request.
  • Removal of sequencing numbers from probe requests.
  • Removal of global MAC addresses from probe requests.
  • Elimination of directed probe requests for cellular offloading.
  • Redesign of chipset firmware to prevent RTS frames eliciting a CTS response while in State 1.

Convincing device manufacturers to implement MAC address randomization consistently across all devices is a large and improbable undertaking. MAC Address Randomization Gets Clobbered. Without a solution on the horizon, users of mobile devices should expect to be uniquely fingerprinted. User behaviour on mobile devices should be adjusted accordingly in response to this clear and present danger to user privacy.

Primary Source

Martin, J. et al. (2017). “A Study of MAC Address Randomization in Mobile Devices and When it Fails”. US Naval Academy.

1 Like
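As an added illustration of two points in the draft above (the distinction between a factory-assigned global MAC and a locally-administered randomized one, and the recommendation that the entire MAC field be used as randomization input), here is a small checker that a device owner could run over addresses captured from their own phone. It is example code written for this thread, not code from the original post, from Whonix or from the cited paper; every address in it is constructed for illustration and does not belong to a real device. It reports whether a set of addresses are all locally administered, whether the vendor prefix (OUI) stays fixed between them, and how many of the 46 randomizable bit positions actually change.

```python
"""Audit how a device's "randomized" MAC addresses are actually built.

Added example for the thread above (not from the original post, Whonix, or the
cited paper).  All sample addresses are constructed for illustration only.
"""
from dataclasses import dataclass

MAC_BITS = 48
OUI_MASK = 0xFFFFFF000000        # top 24 bits: vendor prefix (OUI)
LOCAL_BIT = 1 << 41              # U/L bit of first octet: 1 = locally administered
GROUP_BIT = 1 << 40              # I/G bit of first octet: 1 = multicast (never a unicast source)
RANDOMIZABLE_BITS = MAC_BITS - 2 # every bit except the two flag bits can carry randomness

HEX = set("0123456789abcdef")


def parse_mac(text: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into a 48-bit integer."""
    parts = text.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6 or not all(len(p) == 2 and set(p) <= HEX for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return int("".join(parts), 16)


def format_mac(mac: int) -> str:
    """Inverse of parse_mac, colon-separated lowercase."""
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def classify(text: str) -> str:
    """'global' (factory-assigned), 'locally-administered' (what randomization
    schemes set), or 'multicast' (not a valid source address)."""
    mac = parse_mac(text)
    if mac & GROUP_BIT:
        return "multicast"
    if mac & LOCAL_BIT:
        return "locally-administered"
    return "global"


@dataclass
class RandomizationReport:
    count: int                      # addresses examined
    all_locally_administered: bool  # every address has U/L set and I/G clear
    oui_fixed: bool                 # the 24-bit vendor prefix never changed
    varying_bits: int               # of the 46 randomizable bits, how many ever changed


def analyse(addresses) -> RandomizationReport:
    """Compare a sequence of addresses seen from one device.

    A bit position counts as 'varying' if it differs from the first address in
    at least one later address; the two flag bits are excluded because they are
    fixed by the scheme, not chosen randomly.
    """
    macs = [parse_mac(a) for a in addresses]
    if len(macs) < 2:
        raise ValueError("need at least two addresses to compare")
    changed = 0
    for m in macs[1:]:
        changed |= macs[0] ^ m
    changed &= ~(LOCAL_BIT | GROUP_BIT)
    return RandomizationReport(
        count=len(macs),
        all_locally_administered=all((m & LOCAL_BIT) and not (m & GROUP_BIT) for m in macs),
        oui_fixed=(changed & OUI_MASK) == 0,
        varying_bits=bin(changed).count("1"),
    )


# Constructed samples (not real devices):
GLOBAL_SAMPLE = "3c:5a:b4:12:34:56"
# a scheme that keeps a fixed prefix and only randomizes the low 24 bits
OUI_PRESERVED = ["da:a1:19:01:02:03", "da:a1:19:ff:00:10", "da:a1:19:7e:5c:a9"]
# a scheme that draws the whole 46-bit field at random
FULL_RANDOM = ["02:1b:44:11:3a:b7", "6e:c4:0f:52:9d:e1", "9a:38:51:a6:02:4c"]

if __name__ == "__main__":
    print(GLOBAL_SAMPLE, "->", classify(GLOBAL_SAMPLE))
    for label, sample in (("OUI-preserved", OUI_PRESERVED), ("full-field", FULL_RANDOM)):
        r = analyse(sample)
        print(f"{label}: {r.varying_bits}/{RANDOMIZABLE_BITS} bits varied, "
              f"OUI fixed={r.oui_fixed}, all local={r.all_locally_administered}")
```

A fixed OUI across a device's randomized addresses is the weakness the draft's recommendation targets: only 24 bits are left to vary, so an observer has a much smaller space to link addresses in, and the prefix itself identifies the scheme. Three addresses are too few to judge how random the changing bits are; the check only shows which bit positions a scheme ever touches.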

Oh, great! That’s MUCH more than I expected. Great writeup!

Could you please sign up for a Whonix blog account at News - Whonix Forum?

Just two feature requests:

  • link to existing Whonix MAC changing documentation
  • briefly mention that MAC’s “still” aren’t sent over the internet, that this most matters for travelers

Once the blog post is posted - a forum post will be created automatically. Then we should delete this thread to avoid duplication.

Thanks. Will do.

I see a couple of errors in the entry too e.g. spelling and grammatical. I’m pretty worn out from editing today, so I’ll knock this over tomorrow with fresh eyes, add your suggestions, and follow up on sign-up stuff.

Cheers

1 Like

Done. I had to use another throwaway email address, as my original sigaint one I used to sign up here is defunct, since they closed down. Profile updated with new one.

OK → Fixed (hopefully).

Edits above, changed:

  • To highlight this research is focused on smartphones.
  • Noted this is distinct from general computer network cards where MAC address information does not get sent beyond the local router (but can be logged by other computers on the network).
  • Put in Whonix links re: when MAC address spoofing is necessary and how to do it. Noted it is not generally necessary.

Note: Smartphone users do have the MAC address sent to/from the device (in the link-layer frame). The problem is just that they rely on totally failed randomization schemes that don’t work and they have chipsets with built-in faults.

Can somebody check this is all technically correct (from their understanding) before posting? Networking stuff is complicated.

2 Likes

Great! Just now made the wordpress torjunkie account and editor.
(As per News - Whonix Forum)
(So in future you might perhaps want to edit other blog post drafts such as release announcements and whatnot.)

Could you please copy the text to News - Whonix Forum and save as draft? I’ll give it a final review and then hit the publish button.

1 Like

OK. Will do. I’m not familiar with that platform (how to footnote etc) though. Hopefully it’s similar.

Edit: OK - draft saved over there as you requested.

I see the preview formatting for bold text and blockquotes work, but none of the references (ref) or footers do. I’ll leave that up to your editing magic and learn from how you do it for the next time.

Thanks! :smiley:

1 Like

I am not familiar with it either.

It’s not. :slight_smile:

Wordpress, for me, is usability-wise the worst webapp we have on whonix.org. The editor is, after all these years, still a deterrent and confusing for me.


Please add it to a temporary wiki page.

https://www.whonix.org/wiki/Temp

Add footnotes in the wiki. Once that’s done we copy the html that mediawiki created to wordpress.

Wordpress editor has:
Visual | Text

Paste it as Text.

I.e. we are feeding wordpress the raw html. Looks much easier than teaching wordpress footnotes.

Done. I’ve still used the (ref) method.

If it needs to be just references written at the very bottom and links in the main text numbered e.g. [1] [2] [3.0] [3.1] etc. let me know. It wasn’t clear to me.

1 Like