Connect with us

Hi, what are you looking for?


Mobile & Wireless

MAC Randomization Flaws Expose Phones to Tracking

Researchers have disclosed a new attack method that can be leveraged to track mobile devices that rely on Media Access Control (MAC) address randomization to protect users’ privacy.

Researchers have disclosed a new attack method that can be leveraged to track mobile devices that rely on Media Access Control (MAC) address randomization to protect users’ privacy.

A MAC address is a unique identifier assigned to a device’s network interfaces. Since the address is unique and hardcoded, it can be very useful for tracking a device and its owner. In order to protect users against MAC-based tracking attempts, mobile device vendors have implemented MAC address randomization, which involves broadcasting a random Wi-Fi MAC address.

Experts have been working on demonstrating that MAC address randomization can be defeated and now, building on previous research, a team from the U.S. Naval Academy has come up with a technique that can be used to track all smartphones that rely on this feature.

Google introduced MAC address randomization to Android in 2015 with the release of Android 6 Marshmallow. However, researchers discovered that many device manufacturers that use Android, including Samsung, have not enabled MAC address randomization.

Apple introduced the feature in mid-2014 with the release of iOS 8, but experts found that iOS 10 makes it easy to identify and track devices regardless of their use of MAC address randomization.

U.S. Naval Academy researchers identified serious flaws in a majority of the Android implementations of MAC randomization, allowing them to break the protection in the case of roughly 96 percent of tested phones.

Researchers also analyzed so-called Karma attacks, a known method that involves simulating an access point that a device prefers to connect to. They also devised a new method that relies on control frames to expose the global MAC address for all types of devices, regardless of the operating system, manufacturer or the way randomization is implemented.

Advertisement. Scroll to continue reading.

The new attack involves Request-to-Send (RTS) and Clear-to-Send (CTS) frames, which are used to avoid collisions in the IEEE 802.11 specification (i.e. Wi-Fi). When a node wants to send data, an RTS frame is transmitted to inform other nodes on the channel that the channel should not be used in order to avoid collisions. The target node responds with a CTS frame if the request to transmit data is approved.

By sending an RTS frame to IEEE 802.11 client devices, an attacker obtains a CTS response from which they can derive the global MAC address. Once the global MAC has been obtained, the attacker can easily track that device in the future by sending it RTS frames containing the global MAC.

Researchers said this attack method worked on all the devices they tested, including iPhone 5s, iPhone 6s, iPad Air, Google Pixel, LG Nexus 5X, LG G4 and G5, Motorola Nexus 6, Moto Z Play and OnePlus 3.

Since a wide range of devices are vulnerable to this attack, experts believe RTS/CTS responses are a function of the underlying 802.11 chipset, not the operating system. This would mean that the derandomization issue cannot be patched by smartphone manufacturers with an OS update.

“There are multiple scenarios in which a motivated attacker could use this method to violate the privacy of an unsuspecting user. If the global MAC address for a user is ever known, it can then be added to a database for future tracking,” researchers said in their paper. “Conceivably, an adversary with a sufficiently large database and advanced transmission capabilities could render randomization protections moot.”

Furthermore, the experts believe randomization can be truly effective only if it’s universally adopted.

“We propose the following best practices for MAC address randomization. Firstly, mandate a universal randomization policy to be used across the spectra of 802.11 client devices. We have illustrated that when vendors implement unique MAC address randomization schemes it becomes easier to identify and track those devices. A universal policy must include at minimum, rules for randomized MAC address byte structure, 802.11 IE usage, and sequence number behavior,” they added.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...