A Study of MAC Address Randomization in Mobile Devices and When It Fails

The main Android detection here can probably be defeated using a tool like Pry-Fi on a rooted device,<p><a href="https:&#x2F;&#x2F;play.google.com&#x2F;store&#x2F;apps&#x2F;details?id=eu.chainfire.pryfi&amp;hl=en" rel="nofollow">https:&#x2F;&#x2F;play.google.com&#x2F;store&#x2F;apps&#x2F;details?id=eu.chainfire.p...</a><p>You can also set specific MACs per-AP so it&#x27;ll defeat probe-based attacks too theoretically. This should get it by 4&#x2F;5 attacks here.<p>Their RTS&#x2F;CTS method in particular sounds like it&#x27;ll be impossible to defeat without Wifi chipset manufacturers simply removing their hardcoded MAC and switching to letting the OS pick it - unless there&#x27;s a possibility of triggering that change via a driver already, might be time to start looking at datasheets on wifi chips.

I get the idea from reading this paper that the authors don&#x27;t have much networking experience. Having lots of MAC addresses randomly changing in your network is more than a potential headache. It can really cause stuff to break and the authors don&#x27;t even address that.<p>At the very least, I expected a discussion of arp for IPv4 and ICMPv6&#x2F;NDP&#x2F;RA&#x2F;SLAAC&#x2F;DHCPv6 for IPv6. But beyond that, I really need to see some discussion on the effect of randomization on L2 security mechanisms like limiting MAC learning on ports. A smart thing to do if you&#x27;re a network admin concerned about security is to limit the number of MACs that can be learned on a given port&#x2F;vlan. So randomizing MACs on devices would cause some devices to just drop connection occasionally. The authors don&#x27;t address this.<p>It&#x27;s almost like they don&#x27;t even realize that MAC addresses are used for things in networks besides invading people&#x27;s privacy. There might be very good reasons why manufacturers of mobiles do things the way they do them. However, it doesn&#x27;t look like the author&#x27;s reached out vendors at all to ask.

Side question: the last time I watched broadcasts coming out of my unassociated iPhone, it was specifically asking for certain SSIDs. The set seemed somewhat random (I&#x27;ve joined all of them, but not recently), and I don&#x27;t think any of them had ever been hidden networks.<p>Are these broadcasts viable for tracking (it seems like they would be)? Is there anything I can do as a user to mitigate the effects (other than turning off WiFi)?

This is very similar to our earlier work on the security of MAC address randomization: <a href="http:&#x2F;&#x2F;papers.mathyvanhoef.com&#x2F;asiaccs2016.pdf" rel="nofollow">http:&#x2F;&#x2F;papers.mathyvanhoef.com&#x2F;asiaccs2016.pdf</a> They provide some more practical details if you want to implement our probe request fingerprint tracking mechanism. This is a passive tracking technique.<p>Their method to track all devices requires actively sending packets for every single MAC address that is being tracked. The (imperfect) passive tracking techniques can be used to reduce the number of MAC addresses you have to try though. Nice finding overall! And it will likely be hard to patch this issue..<p>Sometimes there are also silly driver bugs that allow you to get the real MAC address of a device when the user is using a spoofed MAC address :) <a href="http:&#x2F;&#x2F;www.mathyvanhoef.com&#x2F;2013&#x2F;11&#x2F;unmasking-spoofed-mac-address.html" rel="nofollow">http:&#x2F;&#x2F;www.mathyvanhoef.com&#x2F;2013&#x2F;11&#x2F;unmasking-spoofed-mac-ad...</a>

They didn&#x27;t mention of they used windows or Linux when testing the USB device as. I would expect different results.