Researchers Break MAC Address Randomization and Track 100% of Test Devices

Share this…

For many years, MAC Address Randomization was slated as the next big thing for protecting user privacy on the modern Internet.

The standard, which works by deploying a new MAC address to a device in order to break down user tracking attempts, is still under development at the IEEE (Institute of Electrical and Electronics Engineers) and has already passed a few security tests.

Attack breaks MAC Address Randomization on all devices

Now, four scholars from the US Naval Academy say they’ve managed to track 100% of all test smartphones, despite the devices using randomized MAC addresses.

The technique worked across all tested manufacturers, and the researchers say this was possible because of a previously unknown flaw in the way wireless chipsets handle low-level control frames.

Their work was based on previous research released in 2016 by researchers from Belgium and France, who used a similar technique to track 50% of tested smartphones, despite using MAC address randomization.

Attack works regardless of device manufacturer

The Naval Academy researchers say “adoption of this technology, however, has been sporadic and varied across device manufacturer.”

For example, Apple introduced support for MAC address randomization in 2014, with the release of iOS 8, but later broke it last year, with the release of iOS 10.

Because researchers couldn’t peek into iOS’ source code, they can’t tell what Apple did exactly, but they say that before iOS 10, Apple had implemented MAC address randomization much better than Android devs.

For its part, Google similarly introduced support for the standard in 2014, with the release of Android 6 (Marshmallow), and later backported the feature to Android 5 (Lollipop).

Attack leveraged low-level control frames

Despite the different ways of handling MAC address randomization in each OS, researchers said devices answered with specific packets (control frames) when they performed a specific request.

The novelty in our method is that we are sending RTS frames to IEEE 802.11 client devices, not APs, to extract a CTS response message which we derive the true global MAC address of that device.

The result of sending a RTS frame to the global MAC address of a device performing randomization was that the target device responded with a CTS frame. A CTS frame, having no source MAC address, is confirmed as a response to our attack based on the fact that it was sent to the original, crafted source MAC address
Once the global MAC address is known, that device can be easily tracked just as if randomization were never enabled.

To protect against attacks on MAC address randomization, researchers recommend a stricter policies when handling MAC address randomization operations. Some recommendations are included at the end of their research paper, titled “A Study of MAC Address Randomization in Mobile Devices and When it Fails.”