The Hackr

MAC Address Randomization Flaws make Devices Vulnerable to Tracking

What is MAC Address Randomization?

MAC address randomization is a technique used to protect mobile devices from tracking. It replaces the unique ID that makes a mobile’s wireless hardware detectable with randomly generated numbers, making it difficult to trace the device and preventing it from being exploited by malicious cyber-criminals.

Tracking mobile phones has become relatively easy since the advent of smartphones and wireless connectivity, as these devices become traceable when they move across public Wi-Fi networks.

It is a helpful technique, since a smartphone’s MAC address is usually logged by owners of public Wi-Fi, such as at retail outlets, so that customers can be recognized the moment they walk in.

For many years, MAC address randomization was touted as the next big thing for protecting user privacy on the modern Internet. Deploying a new MAC address to a device to break user tracking attempts is still under development at the IEEE. It has already passed a few security tests.



This is the same case that we have noticed in public wireless hotspots. For instance, in the UK, Transport for London uses this strategy to monitor Tube passengers. In theory, there is no problem with adopting such practices if the primary goal is to identify customers. However, it becomes a real issue when the data is sold to marketers and ad firms.


MAC Address Randomization Vulnerability

According to a research report from the US Naval Academy, even the MAC address randomization technique is flawed and contains implementation-related vulnerabilities.

The researchers successfully tracked 100% of devices (regardless of their make and model) using randomization. They exploited a previously unknown flaw in the way wireless chipsets handled low-level control frames.

On a majority of Android devices, MAC address randomization isn’t enabled.

A similar technique used in previous research released in 2016 tracked 50% of smartphones, despite their use of MAC address randomization.

Apple introduced support for MAC address randomization in 2014 with the release of iOS 8, but later broke it last year with the release of iOS 10.

Similarly, Google introduced support for the standard in 2014, with the release of Android 6 (Marshmallow), and later backported the feature to Android 5 (Lollipop).

According to the analysis, every single 802.11 network interface of a mobile phone had a 48-bit MAC address, a layer-2 hardware identifier that is supposed to be universally unique.

Previous studies discovered flaws prevailing in the Wi-Fi Protected Setup (WPS) protocol, which can potentially be used to modify the MAC address of a device. The technique that allows this to happen is called Universally Unique IDentifier-Enrollee (UUID-E) reversal.


Attack leveraged low-level control frames

Despite the different ways of handling MAC address randomization in each OS, researchers said devices answered with specific packets (control frames) when they performed a specific request.

The novelty in their method is sending RTS frames to IEEE 802.11 client devices, not APs. This is then used to extract a CTS response message for deriving the true global MAC address of that device.

The result of sending an RTS frame to the global MAC address was that the target device responded with a CTS frame.

A CTS frame, having no source MAC address, is confirmed as a response to the attack based on the fact that it was sent to the original, crafted source MAC address.

Once the global MAC address is known, that device can be easily tracked just as if randomization were never enabled.

To protect against attacks on MAC address randomization, researchers recommend stricter policies when handling these operations.

Some recommendations are included at the end of their research paper.
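
A check a defender can run on their own test device, as an added example (not from the article or the research paper): it separates global addresses from randomized ones in a list of transmitter addresses and reports any global address the device exposed. It relies on the IEEE 802 convention, not stated in the article, that bit 1 of the first octet marks a locally administered address; the input list is assumed to be exported from a capture of your own device with randomization enabled, and the sample values are constructed.

```python
import re
from collections import Counter

MAC_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2}){5}$", re.IGNORECASE)

def parse_mac(text):
    """Return the six address bytes; raise ValueError on malformed input."""
    text = text.strip()
    if not MAC_RE.match(text):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes(int(octet, 16) for octet in re.split(r"[:-]", text))

def classify(mac):
    """Classify by the two low-order bits of the first octet (IEEE 802)."""
    if mac[0] & 0x01:
        return "group"   # I/G bit set: broadcast or multicast, not a device
    if mac[0] & 0x02:
        return "local"   # U/L bit set: locally administered, e.g. randomized
    return "global"      # U/L bit clear: vendor-assigned, universally unique

def audit(transmitter_addresses):
    """Summarise the transmitter addresses seen from one test device."""
    counts, leaked, rejected = Counter(), set(), []
    for raw in transmitter_addresses:
        try:
            mac = parse_mac(raw)
        except ValueError:
            rejected.append(raw)
            continue
        kind = classify(mac)
        counts[kind] += 1
        if kind == "global":
            leaked.add(mac.hex(":"))   # normalised form, so duplicates merge
    return {"counts": dict(counts), "leaked": sorted(leaked), "rejected": rejected}

# Constructed sample, not real capture data. The global address is taken from
# the RFC 7042 documentation range (00-00-5E-00-53-xx).
SAMPLE = [
    "06:3c:9a:10:20:30",   # local
    "A2-4B-E0-11-22-33",   # local
    "de:77:01:aa:bb:cc",   # local
    "00:00:5e:00:53:2a",   # global
    "00-00-5E-00-53-2A",   # same global address, different notation
    "ff:ff:ff:ff:ff:ff",   # group (broadcast)
    "not-a-mac",           # malformed
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

This only covers frames the device transmits from its global address. It does not cover the control-frame behaviour described above, since a CTS frame carries no source address.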



