iOS 8 randomises the MAC address while scanning for WiFi networks

442 点作者 DavidChouinard将近 11 年前

31 条评论

brunnsbe将近 11 年前

If this becomes the trend (which in my opinon would be nice) it will become a big problem for companies that specialise in customer tracking e.g. for supermarkets and big department stores. Previously it was quite easy to track a customer, how long he or she spends time in the store, which floors he or she visits, etc. by putting up dummy WiFI-networks that the customers phones find by giving out their MAC-addresses.

评论 #7866684 未加载

评论 #7865475 未加载

评论 #7865684 未加载

评论 #7865784 未加载

评论 #7866624 未加载

评论 #7866330 未加载

评论 #7865436 未加载

评论 #7865569 未加载

评论 #7865559 未加载

评论 #7866009 未加载

评论 #7868865 未加载

评论 #7867532 未加载

评论 #7866650 未加载

评论 #7865656 未加载

IBM将近 11 年前

It's pretty clear that Apple is positioning themselves in stark contrast to Google, they want to be the privacy/security company. Internet companies with advertising business models are a dime a dozen so that is a real advantage that differentiates Apple.

评论 #7865799 未加载

评论 #7865779 未加载

评论 #7866054 未加载

评论 #7866111 未加载

评论 #7866501 未加载

评论 #7865774 未加载

评论 #7865747 未加载

qq66将近 11 年前

This is Apple forcing the in-store analytics companies like Euclid to use iBeacon rather than WiFi. With the market share numbers the way they are, though, for all but the highest-end stores what Android does matters more.

评论 #7865495 未加载

评论 #7865524 未加载

评论 #7865420 未加载

评论 #7866734 未加载

评论 #7865413 未加载

twistedpair将近 11 年前

It's about time. I quite intentionally keep my wifi mode off for this reason until I intend to use a network. No doubt someone is tracking and selling every transmission you make.FWIW, once you read about a PoC of an attack/tracking vector on HackaDay, you can be sure it's already in production tracking you.<a href="http://www.tomsguide.com/us/how-to-bluesniper-pt1,review-408.html" rel="nofollow">http://www.tomsguide.com/us/how-to-bluesniper-pt1,review-408...</a><a href="https://www.schneier.com/blog/archives/2008/04/tracking_vehicl.html" rel="nofollow">https://www.schneier.com/blog/archives/2008/04/tracking_vehi...</a>

评论 #7868366 未加载

A_COMPUTER将近 11 年前

MAC address ranges are assigned to device manufacturers, I wonder if they'll only randomize inside the Apple device range or if they'll go outside of it. Analytics companies might start seeing people carrying their sparcstations into the grocery store.

评论 #7865582 未加载

thrownaway2424将近 11 年前

This is interesting. If _I_ did this while trying to find an open network, I'd probably be described by the FBI man who tries to charge me with unauthorized network access as using countermeasures learned from al Qaeda's IT guys. If Apple does it on behalf of users though I'm sure it would be fine.And yes, I've been involved in a criminal proceeding where the government tried to claim that changing a wifi MAC was evidence of malice.

评论 #7867500 未加载

yuubi将近 11 年前

We learned during the prosecution of Swartz that MAC addresses are the analog of VIN number numbers, and that tampering with them is a sign of ill intent. I await the federal case against Apple or an Apple customer with bated breath.

评论 #7865830 未加载

评论 #7865699 未加载

评论 #7869165 未加载

therobotking将近 11 年前

There's a great app for rooted Android devices called Pry-fi that generates random MAC addresses while you're not connected to a network.edit: <a href="https://play.google.com/store/apps/details?id=eu.chainfire.pryfi" rel="nofollow">https://play.google.com/store/apps/details?id=eu.chainfire.p...</a>

评论 #7868262 未加载

评论 #7865590 未加载

i_am_ralpht将近 11 年前

Many Bluetooth LE devices (including iOS 7) do something similar -- otherwise you'd be able to track people by all of their BT LE devices which are constantly advertising their existence. They cycle their advertised MAC addresses every 15 minutes or so (and some provide a "random resolvable address" which you can use to find out the physical BT MAC address after pairing for easier reconnection).From my office in downtown Los Altos, I can currently see a FitBit Flex, a FitBit One and a couple of phones -- the randomized MAC address is all that prevents someone bad from tracking them (BTLE scanners/phones are cheap!).I guess you could still use the 15 minute MAC to track people through a train station or other semi-public space (to gather metrics on where people are coming from and going to). If you had a lot of antennas then you could circumvent the MAC cycling by linking devices in the same area with the same name and similar RSSI...

评论 #7866776 未加载

captn3m0将近 11 年前

Is there something like this available for Linux desktops?

评论 #7865703 未加载

sirdogealot将近 11 年前

If you're wanting to accomplish this on your desktop/laptop... check out Arch Linux: <a href="https://wiki.archlinux.org/index.php/MAC_Address_Spoofing" rel="nofollow">https://wiki.archlinux.org/index.php/MAC_Address_Spoofing</a>Every single time my laptop boots up, it randomizes it's MAC address.

schoen将近 11 年前

The FTC held a workshop this spring about location tracking, particularly the retail analytics kind that this is calculated to thwart. I spoke there and was the person on the panel categorically opposed to the tracking (though I placed the blame on the wifi device makers for leaking a tracking identifier, rather than the people taking advantage of the tracking opportunity).<a href="http://www.ftc.gov/news-events/events-calendar/2014/02/spring-privacy-series-mobile-device-tracking" rel="nofollow">http://www.ftc.gov/news-events/events-calendar/2014/02/sprin...</a>You can also read the comments that various organizations filed about this:<a href="http://www.ftc.gov/policy/public-comments/initiative-516" rel="nofollow">http://www.ftc.gov/policy/public-comments/initiative-516</a>

antman将近 11 年前

If only they thought of that a few years ago [1] <a href="http://blog.erratasec.com/2013/01/i-conceal-my-identity-same-way-aaron.html" rel="nofollow">http://blog.erratasec.com/2013/01/i-conceal-my-identity-same...</a>I hope all the people with IOS8 won't be charged with wire fraud.

esbranson将近 11 年前

I've asked the HostAP mailing list about this as a feature request for wpa_supplicant.[1] From what Jouni Malinen says, it should be relatively straightforward.[2] (I think. I used a poor choice of words in my request.)BTW AFAIK Android uses hostapd/wpa_supplicant.Its beyond by technical abilities, but hopefully someone submits some patches. (Or Jouni graciously does the deed. Because he is awesome.) HINT HINT WINK WINK.[1] <a href="http://lists.shmoo.com/pipermail/hostap/2014-June/030405.html" rel="nofollow">http://lists.shmoo.com/pipermail/hostap/2014-June/030405.htm...</a>[2] <a href="http://lists.shmoo.com/pipermail/hostap/2014-June/030406.html" rel="nofollow">http://lists.shmoo.com/pipermail/hostap/2014-June/030406.htm...</a>

ColinDabritz将近 11 年前

I wonder what effects this has on law enforcement. It seems probable that if stores are using systems to track people by WIFI Mac, then law enforcement is probably doing the same. An interesting trade off.Also, does this apply to the other ID being broadcast, the Bluetooth MAC?

评论 #7869843 未加载

michaelmior将近 11 年前

I hope it still connects with the real MAC address. Otherwise that could get very problematic.

评论 #7865444 未加载

评论 #7865443 未加载

评论 #7865694 未加载

circa将近 11 年前

This will probably throw Ruckus for a loop - <a href="http://www.ruckuswireless.com/products/smart-wireless-services/spot" rel="nofollow">http://www.ruckuswireless.com/products/smart-wireless-servic...</a>

jonemo将近 11 年前

I don't know if anyone does that, but if you are making your access point only discoverable to known devices (i.e. known MAC addresses) then this would be a problem, right?

评论 #7866745 未加载

stove将近 11 年前

Has anyone stopped to ask if this is confirmed/true? TechCrunch/Gizmodo/etc... all picked up on this from Frederic's tweet but is a tweet really a definitive news source? Apple has been historically taciturn about documenting these things but does anyone have any more docs or sources for this issue?

rsync将近 11 年前

Depressing that this is not done for OSX as well, but par for the course as iOS remains the focus of apple.

elwell将近 11 年前

RIP Density [0].[0] - <a href="http://www.density.io/" rel="nofollow">http://www.density.io/</a>

zaroth将近 11 年前

I think this is a feature for stores implementing WiFi tracking systems, not a hindrance. If I own a store, I really want to understand traffic patterns. If I can do that without causing a privacy shitstorm, I think that's a benefit.

评论 #7869255 未加载

评论 #7868026 未加载

Solok将近 11 年前

I've got a new iPod touch that I've upgraded to the iOS 8 beta and I'm still seeing probe requests with the real MAC address. I wonder if this feature isn't turned on yet, or if it only works in certain conditions.

nitrogen将近 11 年前

Is it randomized using Dual_EC_DRBG? Seriously though, it's something that should have been done a long time ago, and for Bluetooth too. Hopefully no iOS8 users get arrested for changing their MAC addresses.

cpeterso将近 11 年前

Here is the bug requesting this feature in Firefox OS: <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1022444" rel="nofollow">https://bugzilla.mozilla.org/show_bug.cgi?id=1022444</a>

savrajsingh将近 11 年前

Princeton's guest network allows users to join for up to 3 days a month. I guess this change will nullify that restriction. :)

评论 #7868279 未加载

Scoundreller将近 11 年前

Couldn't they just have my device spoof the first smartphone MAC that I see inside the store? That would be a lot more fun.

benmarks将近 11 年前

Great tech, but am I the only one who noticed "administrated"?

ashah将近 11 年前

they also randomize bluetooth mac address fyi

snowplay将近 11 年前

If only Yosemite would do the same.

评论 #7868194 未加载

infra178将近 11 年前

What about Bluetooth?