MAC address privacy inches towards standardisation
IEEE hums along to IETF anti-surveillance tune
The Internet Engineering Task Force's (IETF's) decision last year to push back against surveillance is bearing fruit, with the 'net boffins and the IEEE proclaiming successful MAC address privacy tests.
While MAC address randomisation has been a feature of various clients (including Linux, Windows, Apple OSs and Android) for some time, it has yet to be written into standards.
Hence, as part of the anti-surveillance effort it launched in May 2014, the IETF had identified MAC address snooping as a problem for WiFi users.
In November, the IETF ran an experiment to look at whether MAC address randomisation would upset the network – for example, because two clients presented the same MAC address to an access point.
The success of that test had to be confirmed with the IEEE, though, because the latter is the standards body responsible for 802 standards. Those standards are where the handling of the media access control address is specified, so changing the old assumption that the MAC address is written into hardware needs the IEEE's co-operation.
Now, the IETF and IEEE have agreed that the experiment, along with further trials at the IEEE's 802 plenary and a second IETF meeting, both in March, was a success.
In their brief announcement, the groups clearly foreshadow revisions to both the 802 standards and relevant IETF documents.
InterDigital principal engineer Juan Carlos Zuniga, who chairs the IEEE 802 Privacy Executive Committee Study Group, said the tests “set the stage for further study and collaboration to ensure the technical community prioritises Internet privacy and security”.
For those whose knowledge below the routing layer is sketchy, the MAC address is what Ethernet uses to send frames to the right machine.
Back in the 1980s when Ethernet was first created, and even in the 1990s when WiFi was born, little thought was given to the possibility that the MAC address could put personal privacy at risk.
The blossoming of mobile computing, smartphones, and public WiFi, however, means that fixed, unique identifiers no longer look like such a good idea. ®
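To put a number on the collision worry the November experiment looked at, here is an added sketch (not code from the IETF, the IEEE or this article) that generates a randomised MAC address, tells a locally administered address from a burned-in one, and computes the birthday-style chance of two clients picking the same address. It assumes every client draws all 46 non-flag bits uniformly at random; the function names and sample addresses are constructed for illustration.

```python
import math
import secrets

# Assumption: all 46 bits left after the two flag bits are drawn uniformly.
RANDOM_BITS = 46


def random_mac() -> str:
    """Return a random unicast, locally administered MAC address."""
    octets = bytearray(secrets.token_bytes(6))
    # Bit 0 of the first octet is I/G (0 = unicast); bit 1 is U/L (1 = local).
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit is set, so the address is not a burned-in one."""
    first_octet = int(mac.replace("-", ":").split(":")[0], 16)
    return bool(first_octet & 0x02)


def collision_probability(clients: int, bits: int = RANDOM_BITS) -> float:
    """Chance that at least two of `clients` uniformly random addresses match."""
    space = 2 ** bits
    if clients > space:
        return 1.0  # pigeonhole: more clients than addresses
    # log P(no collision) = sum of log(1 - i/space); log1p/expm1 keep the
    # tiny terms from being rounded away.
    log_unique = sum(math.log1p(-i / space) for i in range(clients))
    return -math.expm1(log_unique)


if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real device.
    for mac in ("00:1a:2b:3c:4d:5e", "da:a1:19:00:00:01", random_mac()):
        kind = "local/randomisable" if is_locally_administered(mac) else "burned-in"
        print(f"{mac}  {kind}")
    for n in (50, 1_000, 100_000):
        print(f"{n:>7} clients: P(collision) = {collision_probability(n):.3e}")
```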