A Study of MAC Address Randomization in Mobile Devices and When it Fails

Abstract

Media Access Control (MAC) address randomization is a privacy technique whereby mobile devices rotate through random hardware addresses in order to prevent observers from singling out their traffic or physical location from other nearby devices. Adoption of this technology, however, has been sporadic and varied across device manufacturers. In this paper, we present the first wide-scale study of MAC address randomization in the wild, including a detailed breakdown of different randomization techniques by operating system, manufacturer, and model of device. We then identify multiple flaws in these implementations which can be exploited to defeat randomization as performed by existing devices. First, we show that devices commonly make improper use of randomization by sending wireless frames with the true, global address when they should be using a randomized address. We move on to extend the passive identification techniques of Vanhoef et al. to effectively defeat randomization in ~96% of Android phones. Finally, we identify a previously unknown flaw in the way wireless chipsets handle low-level control frames which applies to 100% of devices we tested. This flaw permits an active attack that can be used under certain circumstances to track any existing wireless device.
