iOS 8 is Randomizing MAC Addresses

This seems like a good idea.

Posted on June 10, 2014 at 4:40 PM • 43 Comments

Comments

G. BaileyJune 10, 2014 5:00 PM

I was surprised that the WiFi spec hands out the MAC address during scanning in the first place. This should have been addressed in the specification as a privacy concern, not addressed by Apple with a hack afterwards.

There's also some suspicion that Apple is just taking this information away so that it can sell it back through iBeacon (a proprietary Bluetooth LE application).

RobertJune 10, 2014 5:07 PM

Well, this sucks! I have an entire business based on tracking with this.

mastmakerJune 10, 2014 5:21 PM

I don't Apple, so I wouldn't know, but purely as a intermediate-level Networks expert, I would think it is possible to turn constant probing of WiFi networks off.

For example, in Android, if you (a)do not connect to a 'hidden' network, and (b) Turn off 'Network notification' the device will not 'probe' WiFi networks. It passively listens to available (broadcasting) WiFi networks to see if those are one of the networks in its 'list'. If it finds one, it connects to it (securely or unsecurely, as the case may be) and use it.

mastmakerJune 10, 2014 5:29 PM

Also, wouldn't randomly generated MAC addresses introduce the probability (however small) that the generated MAC address would match the address of a device already present in the network? This could be forbidden by IEEE specs.

JoeFJune 10, 2014 5:32 PM

There are Android apps that do the same thing (e.g., Pry-Fi from well-known developer Chainfire, requires root).

x117cfJune 10, 2014 5:33 PM

@mastmaker:
It's only doing it during the "scanning" phase, which, as G. Bailey points out above, shouldn't be handing out the MAC address at all anyway, probably. When you actually connect to the wifi, it presents your device's actual MAC address.

CallMeLateForSupperJune 10, 2014 6:23 PM

It would be a hoot if Apple's randon MAC generator sucks pond scum. I would expect multiple instances of any given MAC to abruptly send Intelligence gathering software into the 21st century version of the old "sys abend dump"[1]. Er.... maybe not. If that software is really, really stupid then it might not detect the impossibility, rather it might, for example, blithely note Instance #1 pausing in cleaning supplies while Instance #2 is leaving the premises and Instance #3 is in the toilet.

[1] In the early days of computing, a "system abnormal end" of a process would result in a "core dump", a printout of the contents of memory, used for diagnosing the error that had caused the process to abort.

RodJune 10, 2014 6:31 PM


Anybody could monetize location tracking with fixed MAC address leakage. All apple is doing is cutting those firms off so they have to use Apple's proprietary solution to track foot traffic.

StukeJune 10, 2014 6:41 PM

Randomizing MAC addresses? I dunno. My laptop gains access to my WIRELESS ENTRY POINT by its (fixed) MAC address. I don't know how effective it is, but its an extra layer of security.

CpragmanJune 10, 2014 7:03 PM

But won't this break ATT free wifi, hotel wifi, Starbucks wifi, and AirPort Extreme parental controls (MAC address based time limits)??

WhiskersInMenloJune 10, 2014 7:10 PM

Seems to make sense for coffee shop connections from which a VPN reaches out to someplace safe and beyond. I tend to use a tossable $5 USB wifi frob on my old laptops that I use in such places because the old laptops are less likely to be targeted by fools but have old WiFi hardware and no way to update the part because of BIOS white lists (FCC made me do it, honest they did). Yes encrypted...

Simon HJune 10, 2014 7:12 PM

could malware/spyware change the randomness when the device is in range of a network that meets certain conditions?
If yes, is this not also one of the hardest to detect ways people could steal your data?

Carl 'SAI' MitchellJune 10, 2014 7:34 PM

@Stuke
Totally ineffective. MACs have been settable in software for over a decade. Your laptop broadcasts its MAC, so all an attacker has to do is get that. It takes all of a minute with a reasonable setup (laptop with Kali or the like.) Also, your laptop's MAC is almost certainly not fixed, you just haven't changed it.

Dave MJune 10, 2014 7:56 PM

> MACs have been settable in software for over a decade.

Since their introduction. DECnet used to* change the MAC address to encode the DECnet node ID so no ARP equivalent was needed to find a node's MAC address.

* I'm sure it still does for anybody who is still running it.

bertieJune 10, 2014 8:41 PM

mastmaker, one can set a bit in a MAC addresses to indicate it's "locally administered" (as opposed to globally unique). If they do this, it can't conflict with any factory-assigned address. (Collisions between random addresses are unlikely with 46 bits of entropy, assuming a good source of randomness.)

Chris AbbottJune 10, 2014 9:12 PM

What if they secretly use DUAL_EC_DRBG to generate the MAC addresses? Make your own MAC with a program like Shake2Random, it uses the accelerometer to generate random numbers. This was an idea I had for generating secure keys for crypto apps. It's a great HRNG, IMO. Anyone know of any secure communications apps that do anything like that?

Kevin van HaarenJune 10, 2014 10:44 PM

G. Bailey in comment https://www.schneier.com/blog/archives/2014/06/ios_8_is_random.html#c6518936

iBeacons are deployed by companies and tracked via that companies app. If an app is distributed for free (as most retail apps are) then Apple makes nothing from the app. Apple will make some money from licenses if the iBeacons are labeled with an Apple certified logo, but that is not a requirement. Other than the developer fee there is no charge to a company that uses iBeacons.

iBeacons are also a completely opt-in technology. to use them the phone must have the app and apps can only read specific beacons. So the starbucks app couldn't see beacons from a different company. the OS handles the locating beacons and getting their UUID, apps register which UUIDs they support so not until a specified UUID is seen will the app be told there is one around. I believe (but haven't dug into completely) that each app can only specify a single primary UUID that it can identify.

Kevin van HaarenJune 10, 2014 10:50 PM

Simon H in comment https://www.schneier.com/blog/archives/2014/06/ios_8_is_random.html#c6520114

It would be far easier for the malware to simply force the phone to join the suspect network, the random mac is only used for querying for wifi hotspots, when the phone actually joins it falls back to it's "real" mac address. In fact I suspect this will make the carriers with widely deployed free wifi systems some money. If your phone is configured to auto-join a network with a specific name and that network is widespread then you'll be auto-joining as you walk around and trackable again.

I'm sure AT&T will be willing to sell you tracking data for the free hotspot they place in your business.

Mike the goatJune 11, 2014 8:10 AM

65535: exactly. This is nothing more than an Apple PR exercise given how many other wonderful ways you can be uniquely identified whilst using their products. Call me Mr. Cynical.

DaconsulJune 11, 2014 8:47 AM

@Mastmaker- not if the program scans the macs already in use and omits them from the available addresses.

SomebodyJune 11, 2014 10:09 AM

@ bertie

(Collisions between random addresses are unlikely with 46 bits of entropy, assuming a good source of randomness.)

This is the birthday problem. Collisions become likely with around 2^23 random address. If we are talking a single WiFi node 8 million devices is a lot, if we're talking about a global system 8 million is small and collisions will be common.

Erich SchmidtJune 11, 2014 10:59 AM

Just a reminder to later comments, RTFA, this isn't Slashdot. Or at least read the prior comments. As x117cf wrote:

It's only doing it during the "scanning" phase, which, as G. Bailey points out above, shouldn't be handing out the MAC address at all anyway, probably. When you actually connect to the wifi, it presents your device's actual MAC address.

boondoxJune 11, 2014 1:30 PM

iOS 8 is Randomizing MAC Addresses?

Just how random is "random"?

#nuffsaid

Jeeves StobJune 11, 2014 1:49 PM

@Robert: That's the idea. That way you have to pay Apple for the data.

FFFFJune 11, 2014 3:39 PM

@65535 et al

Not all OS allow software setting of an interface's MAC address. For example, OS X on a Mac Air will not allow you to do this. Sure you can sudo the command without generating errors but it has nil effect.

Why? I leave that to others.

G.

Earl KillianJune 11, 2014 10:46 PM

https://www.eff.org/deeplinks/2014/06/umbrella-hurricane-apple-limits-mobile-device-location-tracking
says "Unfortunately, in the overall scheme of location-tracking technology, Apple's privacy-protective step is something like opening an umbrella in the middle of a hurricane. ... But even when we just focus on Wi-fi, the Wi-fi probe packets sent by your smartphone also contain the names of networks that your phone wants to join (because it's joined them before). Not only does this broadcast a history of where you've been (through the names of these networks), it's also highly distinctive in itself. Just as you're probably the only person who both lives in your home and works in your workplace, you're probably the only person whose phone and laptop have joined both your home network and your work network. That means that, even without a persistent hardware MAC address, carefully watching the network list itself can allow an astute watcher to identify you."

Is this true?

DBJune 12, 2014 12:08 AM

@Earl

Yes, it's true, because some WiFi networks hide their SSID (i.e. the WiFi network name). When that happens, each device has to broadcast what it's looking for in order to connect to it. So every device probably does so for all previously-known SSIDs, whether they were ever hidden or not. So obviously devices need to stop doing that too for real privacy to be effective. Things like this are why this is just marketing hype from Apple, not real privacy.

See here: https://en.wikipedia.org/wiki/Wi-Fi#Securing_methods first paragraph in that section.

WaelJune 12, 2014 2:32 AM

Great! so now I'll get advertisements because someone else surfed an "inappropriate" site? Wait a second, now there is a vector of repudiation :)

WaelJune 12, 2014 3:04 AM

@FFFF,

Why? I leave that to others.
Because apparently what's deterministic for the goose is random for the gander ;)

Peter GerdesJune 13, 2014 1:16 AM

This might be worrying.......if phone tracking wasn't already done much more effectively by watching and decrypting GSM connections.

Give it up. Our electronic devices are so powerful and we make so many choices to customize them when we set them up and download apps that even just looking at the pattern of radio frequency usage (ignoring contents) is probably enough to distinguish your phone from all the nearby ones.

A sophisticated opponent can easily track your phone's location over time. This is just a PR stunt.

FigureitoutJune 13, 2014 1:51 AM

Peter Gerdes
when we set them up and download apps
--Uhh..I don't download apps on my phone, maybe you do. I know it can be hacked, but I don't download apps on it. Watch out for the "invisible" phone updates if you have a smart phone and the non-stop connecting to wifi networks and bluetooth; simply store your activity and dump it on the next wifi/bluetooth connection if you're targeted.

Unfortunately people are going to need to learn digital and software-defined radio to communicate w/ some controllable encryption. The bands, the phones, they are extremely owned. Drug people know this, code words can only get you so far when they track the shipments...I don't care about the drugs anymore, but younger people should have the chance to realize what a mistake it is themselves.

It's sh*tty to use Amateur bands for encrypted comms too (illegal), so it's basically you're f*cked legally if you want to send an encrypted message outside of the regular bands w/ the regular technology (though not very well enforced, and it won't be as it's way to hard for a while).

Jericho TrumpetJune 13, 2014 11:52 AM

Rod,


Anybody could monetize location tracking with fixed MAC address leakage. All apple is doing is cutting those firms off so they have to use Apple's proprietary solution to track foot traffic.

Just to clarify, do you mean iBeacon (or whatever its name is)?

Jericho TrumpetJune 13, 2014 12:04 PM

No clarification needed anymore. Weirdly enough, my browser did not display the first comment.

RonJune 13, 2014 6:34 PM

> Robert • June 10, 2014 5:07 PM
> Well, this sucks! I have an entire business based on tracking with this.

@Robert:
With all due respect -- did it occur to you (and your business plan) that individuals might not WANT to be tracked?

FigureitoutJune 16, 2014 11:14 PM

Mike the goat
--Didn't know you were active on bands (I prefer to listen), thought that was a hobby of the past. Occasionally you come across pure hilarity. You can get away w/ it if it's just bursts every now and then as it'll just be blown off as noise. Funny when you can start picking out modes based off just sound; and then you get the occasional "this is an alien signal!". Perhaps I'll email sometime and blow my "cover" fully (as if it isn't already) w/ a call-sign lol (don't worry it'll be encrypted).

SchneieronSecurityFanJune 18, 2014 12:42 AM

What about the approved list of MAC addresses that the access point uses to verify logins? How does that list keep up with the randomizations?

Apple might have some server-side solution in the works.

HowItWorksJune 22, 2014 6:01 AM

@SchneieronSecurityFan If the user or system chooses to join a network then the device will pass the true MAC address. It only uses the random ones while scanning.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.