In 2017, US Naval Academy researchers found that MAC address randomization in mobile devices was largely worthless as a privacy defense. Three years later, the same research group took another look and found that while there's been meaningful improvement, many phones still fail to effectively prevent MAC address-based tracking.
The boffins' research paper, "Three Years Later: A Study of MAC Address Randomization In Mobile Devices And When It Succeeds," is scheduled to be presented at PETS, the Privacy Enhancing Technologies Symposium, in July, even though it will be four years later than the initial project [PDF].
Written by Naval Academy researchers Ellis Fenske, Dane Brown, Jeremy Martin (now with Mitre), Travis Mayberry, Peter Ryan, and Erik Rye, the paper describes the analysis of 160 mobile phones and the extent to which these devices employ MAC address randomization to mitigate tracking vulnerabilities.
"Our results show that, although very new phones with updated operating systems generally provide a high degree of privacy to their users, there are still many phones in wide use today that do not effectively prevent tracking," the paper says.
Safety in randomness
Media Access Control (MAC) address randomization involves sending a random identifier in network transmissions in place of the fixed identifier that equipment makers register through the Institute of Electrical and Electronics Engineers (IEEE). The technique makes it more difficult for adversaries and advertisers to track devices across networks and generally improves privacy.
Wi-Fi radios, the paper explains, regularly send probe requests to identify nearby network access points. In so doing, the 802.11 network interface in a mobile phone reveals some or all of its 48-bit MAC address layer-2 hardware identifier, making the device trackable if it should communicate again, or with another network access point.
To mitigate this risk, phone vendors and developers began using 46-bit MAC address randomization (the other two bits remain fixed), so each probe request would appear to be unique.
With the debut of iOS 8 in September 2014, Apple became the first major vendor to deploy MAC address randomization, only to take a step backward when iOS 10 debuted – it added its own vendor-specific data to network probe broadcasts to extend the Wi-Fi protocol which made iOS 10 devices trackable despite MAC address randomization.
Other vendors subsequently began expanding their use of MAC address randomization [PDF] and work began to deal with weaknesses that broke randomization, such as the use of Request to Send (RTS) and Clear to Send (CTS) frames.
Initially, the focus was on pre-association MAC address randomization, wherein a device uses a randomized identifier before associating with an access point, and then uses a consistent identifier thereafter. More recently, defense efforts have expanded to include per-network MAC address randomization.
Android 8, which debuted in August 2017, added pre-association MAC address randomization and made them the default for Android 10 in September 2019. Android 9 added support for per-network MAC address randomization as a developer option after Windows 10 had done so (with a WiFi card and driver that supports it). Linux support arrived in 2016. With the release of iOS 14 in September 2020, Apple adopted per-network MAC address randomization, creating a unique identifier for every network by default.
"We think this per-connection randomization scheme is a significant step in the right direction and has become the standard across modern mobile devices as of iOS 14 and Android 10," Ellis Fenske, assistant professor of cyber science at the US Naval Academy told The Register, in a personal rather than institutional capacity.
"While from a privacy perspective, we would prefer per-connection addresses that change over time (to protect users against tracking across a corporate or university network or municipal WiFi, for example), this rotation schedule could be disruptive to many existing WiFi networks which, we believe, is why this scheme was not ultimately deployed with the most recent software releases on either platform," he said.
Get it together folks
While the paper indicates that mobile phones have become better at implementing MAC address randomization, it also points out that the lack of a standard approach has led to inconsistent implementations.
Even Android 10 and iOS 14 handle MAC address randomization differently. For instance, Android 10 doesn't change its random MAC address when connecting to a different access point with the same name (SSID), whereas iOS 14 does.
The Android 10 random address also remains the same across re-connections, while iOS's identifier changes after a certain amount of time. And Android 10 enables randomization by default for new Wi-Fi networks (but not old ones where the real MAC address has been used), whereas iOS 14 enables randomization by default for all Wi-Fi networks.
One of the inconsistencies cited by the researchers is that many devices will randomize MAC addresses but will also at some point use their actual hardware MAC address.
The researchers, however, were heartened by the fact that few of the mobile devices they tested communicate with network access points when Wi-Fi is disabled.
- MAC randomization: A massive failure that leaves iPhones, Android mobes open to tracking
- Eufycam Wi-Fi security cameras streamed video feeds from other people's homes
- Wi-Fi devices set to become object sensors by 2024 under planned 802.11bf standard
- Location tracking report: X-Mode SDK use much more widespread than first thought
"Although it is widely known that disabling Wi-Fi on Android and iOS devices does not prevent all Wi-Fi interactions (e.g. devices can still survey nearby APs for location information), we did not see a significant number of devices transmitting probe requests with Wi-Fi disabled," the paper says.
Exceptions to this included the Sony Xperia X Compact, which sent probe requests with its hardware address when Wi-Fi was off, and the 4th Generation Motorola Moto Z, which flung out requests with a randomized address when Wi-Fi was off.
In general, the Motorola devices fared poorly when compared to other vendors' devices: Of 21 Motorola devices tested, only the 4th Gen Moto Z uses randomization effectively by applying 46-bit randomization in both active and idle states.
The researchers found 11 Huawei, LG, Motorola, OnePlus, and Sony devices randomizing consistently when idle, but sometimes using their actual MAC addresses when active.
"In particular, we highlight among this group the 7th Generation Motorola Moto G on Android 10 and 9, marking it as the only one of our ten Android 10 devices that did not consistently deploy 46-bit randomization at all times," they said in their paper. "All other devices exhibiting idle-only randomization were running Android 6 and 7."
Overall, the researchers said Apple and Samsung devices showed themselves to be the most consistent in terms of randomization behavior.
Fenske said the gap between Android and iOS devices in terms of Wi-Fi privacy has closed considerably in the past few years.
"The majority of modern Android devices that we studied exhibit few of the flaws identified previously, and some are as effective at protecting user privacy as Apple devices," he said.
"However, Android is fragmented, and some devices remain vulnerable to certain tracking techniques. Interestingly, Android deployed post-association randomization earlier than iOS (introduced in Android 10 and iOS 14), though currently the two handle this problem very similarly."
Fenske said mobile device makers have addressed the issue seriously and have paid attention to the recommendations of academic researchers.
"The tracking techniques that we found to remain effective are more limited in scope (coarse device model classification, for example)," he said. "While I can't speak comprehensively about all of the many other wireless protocols these devices support, Wi-Fi privacy has improved significantly." ®