A Study of MAC Address Randomization in Mobile Devices and When it Fails

Open access


Media Access Control (MAC) address randomization is a privacy technique whereby mobile devices rotate through random hardware addresses in order to prevent observers from singling out their traffic or physical location from other nearby devices. Adoption of this technology, however, has been sporadic and varied across device manufacturers. In this paper, we present the first wide-scale study of MAC address randomization in the wild, including a detailed breakdown of different randomization techniques by operating system, manufacturer, and model of device.

We then identify multiple flaws in these implementations which can be exploited to defeat randomization as performed by existing devices. First, we show that devices commonly make improper use of randomization by sending wireless frames with the true, global address when they should be using a randomized address. We move on to extend the passive identification techniques of Vanhoef et al. to effectively defeat randomization in ~96% of Android phones. Finally, we identify a previously unknown flaw in the way wireless chipsets handle low-level control frames which applies to 100% of devices we tested. This flaw permits an active attack that can be used under certain circumstances to track any existing wireless device.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] Linux WPA supplicant (IEEE 802.1x WPA WPA2 RSN IEEE 802.11i). https://w1.fi/wpa_supplicant/.

  • [2] IDC: Smartphone vendor market share. http://www.idc.com/promo/smartphone-market-share/vendor.

  • [3] Guidelines for Use Organizationally Unique Identifier (OUI) and Company ID (CID). https://standards.ieee.org/develop/regauth/tut/eui.pdf.

  • [4] WPA supplicant change log. https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog.

  • [5] China Deputizes Smart Phones to Spy on Beijing Residents’ Real-Time Location. https://www.eff.org/deeplinks/2011/03/china-deputizes-smart-phones-spy-beijing-residents Oct 2011.

  • [6] WiFiGate - How Mobile Carriers Expose Us to Wi-Fi Attacks. https://www.skycure.com/blog/wifigate-how-mobile-carriers-expose-us-to-wi-fi-attacks/ Apr 2014.

  • [7] Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units. https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/ Jan 2017.

  • [8] D. E. 3rd and J. Abley. IANA Considerations and IETF Protocol and Documentation Usage for IEEE 802 Parameters. RFC 7042 (Best Current Practice) Oct. 2013.

  • [9] M. V. Barbera A. Epasto A. Mei S. Kosta V. C. Perta and J. Stefa. CRAWDAD dataset sapienza/probe-requests. http://crawdad.org/sapienza/probe-requests/20130910 Sept. 2013.

  • [10] J. Bard. Unpacking the Dirtbox: Confronting Cell Phone Location Tracking with the Fourth Amendment. BCL Rev. 57:731 2016.

  • [11] Z. Cui and A. Agrawala. WiFi Localization Based on IEEE 802.11 RTS/CTS Mechanism. In Proceedings of the 12th EAI International Conference on Mobile and Ubiquitous Systems pages 199–208. ICST 2015.

  • [12] M. Cunche. I know your mac address: targeted tracking of individual using wi-fi. Journal of Computer Virology and Hacking Techniques 2014.

  • [13] M. Cunche M. A. Kaafar and R. Boreli. Linking wireless devices using information contained in Wi-Fi probe requests. In Pervasive and Mobile Computing vol. 11 pages 56–69 2014.

  • [14] J. Franklin D. McCoy P. Tabriz V. Neagoe and D. Sicker. Passive data link layer 802.11 wireless device driver fingerprinting.

  • [15] M. Gast. 802.11 Wireless Networks: The Definitive Guide. O’Reilly Beijing Farnham 2005. ISBN 0-596-10052-3.

  • [16] D. Gentry and A. Pennarun. Passive Taxonomy of Wifi Clients using MLME Frame Contents. CoRR abs/1608.01725 2016.

  • [17] C. Hoene and J. Willmann. Four-way TOA and software-based trilateration of IEEE 802.11 devices. In 2008 IEEE 19th International Symposium on Personal Indoor and Mobile Radio Communications pages 1–6 Sept 2008.

  • [18] IEEE. OUI Public Listing. http://standards.ieee.org/develop/regauth/oui/oui.txt.

  • [19] D. Kerr. Russian police spy on people’s mobile data to catch thieves. https://www.cnet.com/news/russian-police-spy-on-peoples-mobile-data-to-catch-thieves/ Jul 2013.

  • [20] J. Martin E. Rye and R. Beverly. Decomposition of MAC Address Structure for Granular Device Inference. In Proceedings of the 32nd Annual Conference on Computer Security Applications pages 78–88. ACM 2016.

  • [21] C. Matte M. Cunche F. Rousseau and M. Vanhoef. Defeating MAC Address Randomization Through Timing Attacks. In Proceedings of the 9th ACM Conference on Security; Privacy in Wireless and Mobile Networks WiSec ’16 pages 15–20. ACM 2016.

  • [22] C. Mims. If You Have a Smart Phone Anyone Can Now Track Your Every Move. https://www.technologyreview.com/s/427687/if-you-have-a-smart-phone-anyone-can-now-track-your-every-move/ Oct 2012.

  • [23] T. Mitchell. Smartphone ownership rates skyrocket in many emerging economies but digital divide remains. http://www.pewglobal.org/2016/02/22/smartphone-ownership-rates-skyrocket-in-many-emerging-economies-but-digital-divide-remains/ Feb 2016.

  • [24] A. Musa and J. Eriksson. Tracking Unmodified Smartphones Using Wi-Fi Monitors. In Proceedings of the 10th ACM conference on embedded network sensor systems pages 281–294. ACM 2012.

  • [25] B. L. Owsley. Spies in the Skies: Dirtboxes and Airplane Electronic Surveillance. Mich. L. Rev. First Impressions 113: 75–75 2015.

  • [26] J. Pang B. Greenstein R. Gummadi S. Seshan and D. Wetherall. 802.11 User Fingerprinting. In Proceedings of the 13th annual ACM international conference on Mobile computing and networking pages 99–110 2007.

  • [27] M. Sarwar and T. R. Soomro. Impact of Smartphone’s on Society. European journal of scientific research 98(2):216–226 2013.

  • [28] M. Vanhoef C. Matte M. Cunche L. Cardoso and F. Piessens. Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms. In ACM AsiaCCS 2016.

  • [29] J. Wright and J. Cache. Hacking Exposed Wireless: Wireless Security Secrets & Solutions. McGraw-Hill Education Group 3rd edition 2015. ISBN 0071827633 9780071827638.

Journal information
Cited By
All Time Past Year Past 30 Days
Abstract Views 0 0 0
Full Text Views 1448 734 35
PDF Downloads 689 395 45