MAC Randomization Flaws Expose Phones to Tracking

Researchers have disclosed a new attack method that can be leveraged to track mobile devices that rely on Media Access Control (MAC) address randomization to protect users’ privacy.

A MAC address is a unique identifier assigned to a device’s network interfaces. Since the address is unique and hardcoded, it can be very useful for tracking a device and its owner. In order to protect users against MAC-based tracking attempts, mobile device vendors have implemented MAC address randomization, which involves broadcasting a random Wi-Fi MAC address.

Experts have been working on demonstrating that MAC address randomization can be defeated and now, building on previous research, a team from the U.S. Naval Academy has come up with a technique that can be used to track all smartphones that rely on this feature.

Google introduced MAC address randomization to Android in 2015 with the release of Android 6 Marshmallow. However, researchers discovered that many device manufacturers that use Android, including Samsung, have not enabled MAC address randomization.

Apple introduced the feature in mid-2014 with the release of iOS 8, but experts found that iOS 10 makes it easy to identify and track devices regardless of their use of MAC address randomization.

U.S. Naval Academy researchers identified serious flaws in a majority of the Android implementations of MAC randomization, allowing them to break the protection in the case of roughly 96 percent of tested phones.

Researchers also analyzed so-called Karma attacks, a known method that involves simulating an access point that a device prefers to connect to. They also devised a new method that relies on control frames to expose the global MAC address for all types of devices, regardless of the operating system, manufacturer or the way randomization is implemented.

The new attack involves Request-to-Send (RTS) and Clear-to-Send (CTS) frames, which are used to avoid collisions in the IEEE 802.11 specification (i.e. Wi-Fi). When a node wants to send data, an RTS frame is transmitted to inform other nodes on the channel that the channel should not be used in order to avoid collisions. The target node responds with a CTS frame if the request to transmit data is approved.

By sending an RTS frame to IEEE 802.11 client devices, an attacker obtains a CTS response from which they can derive the global MAC address. Once the global MAC has been obtained, the attacker can easily track that device in the future by sending it RTS frames containing the global MAC.

Researchers said this attack method worked on all the devices they tested, including iPhone 5s, iPhone 6s, iPad Air, Google Pixel, LG Nexus 5X, LG G4 and G5, Motorola Nexus 6, Moto Z Play and OnePlus 3.

Since a wide range of devices are vulnerable to this attack, experts believe RTS/CTS responses are a function of the underlying 802.11 chipset, not the operating system. This would mean that the derandomization issue cannot be patched by smartphone manufacturers with an OS update.

“There are multiple scenarios in which a motivated attacker could use this method to violate the privacy of an unsuspecting user. If the global MAC address for a user is ever known, it can then be added to a database for future tracking,” researchers said in their paper. “Conceivably, an adversary with a sufficiently large database and advanced transmission capabilities could render randomization protections moot.”

Furthermore, the experts believe randomization can be truly effective only if it’s universally adopted.

“We propose the following best practices for MAC address randomization. Firstly, mandate a universal randomization policy to be used across the spectra of 802.11 client devices. We have illustrated that when vendors implement unique MAC address randomization schemes it becomes easier to identify and track those devices. A universal policy must include at minimum, rules for randomized MAC address byte structure, 802.11 IE usage, and sequence number behavior,” they added.