MAC Randomization Isn’t As Secure As We’d Hoped

US Naval Academy findings reveal flaws in Media Access Control security.

Anyone who takes privacy more than a little seriously should already be aware that cellphones were once a hide-and-seek nightmare. Between pinging your location on cell phone towers and checking in inadvertently over public Wi-Fi connections, carrying a phone with you was a pretty nice homing beacon.

However, MAC (Media Access Control) address randomization changed that some time ago. This handy functionality changed the phone’s regular identifier into randomly generated strings of numbers, meaning it would be nearly impossible to place you at a certain location just based on the unused presence of your cell phone. Unfortunately, new information has come to light that says MAC address randomization isn’t anywhere near as foolproof as we were led to believe.

The good news? You’re probably being tracked all of the time… Probably.

First, the reality is that adoption of the capability has been spotty, meaning you might think you’re protected but you’re not. A team of researchers through the US Naval Academy did the legwork and concluded that they were able to identify the device in 100% of the cases, despite employing randomization.

“We then identify multiple flaws in these implementations which can be exploited to defeat randomization as performed by existing devices. First, we show that devices commonly make improper use of randomization by sending wireless frames with the true, global address when they should be using a randomized address. We move on to extend the passive identification techniques of Vanhoef et al. to effectively defeat randomization in ~96% of Android phones. Finally, we show a method that can be used to track 100% of devices using randomization, regardless of manufacturer, by exploiting a previously unknown flaw in the way existing wireless chipsets handle low-level control frames.”

So what’s a tinfoil hat user to do? Short of not carrying any kind of electronic device – which, admit it, seems harsh – it’s more prudent to understand that you’re probably being tracked at all times and take cover accordingly. On a more serious note, it’s far more important to understand what legal ramifications there are to this finding, though; the US has already ruled that you cannot be required to incriminate yourself based on the contents of your cell phone, and cases have already advanced through the court system to keep you from further incriminating yourself due to inaccurate cell phone tower pings. Law enforcement may be more than a little interested your whereabouts, and relying on features like randomization can let you down.