MAC Randomization Fails to Protect Mobile Users From Tracking
It is hard to think of a better device for user tracking than a smartphone or tablet. People carry them everywhere and, in most cases, leave Wi-Fi enabled. As a device hops between wireless networks, third parties can monitor and track its owner's movements. To address this privacy issue, a technology called MAC randomization was developed. However, it is becoming evident that MAC randomization still has way too many flaws to protect mobile users from being tracked.
MAC randomization: what is it?
Every Wi-Fi device has a unique identifier, the media access control (MAC) address, which is assigned by the manufacturer and serves as a network address. Because it is easily accessible, the MAC address makes tracking your location a breeze, for example, when you are walking down the street with your smartphone. As you walk, your device scans the environment for available Wi-Fi networks, sending its MAC address to each one detected.
After this uncontrolled exchange of MAC addresses was recognized as a serious threat to users' privacy, randomization was introduced as a solution. MAC randomization is based on the idea that regularly changing the MAC address defeats this kind of tracking. When implemented, it replaces the unique hardware number with a randomly generated value whenever the MAC address is requested by a network, keeping the user's location from being exposed.
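As an added example (not part of the original article), the following Python sketch audits the source addresses a test device was seen using and reports whether it ever exposed its manufacturer-assigned address. It assumes the common convention, which the article does not state, that a randomized address sets the locally administered bit (0x02) of the first octet; the sample addresses are constructed.

```python
import re

# Constructed sample: source MACs observed in probe requests from one test phone.
SAMPLE_PROBE_SOURCES = [
    "5e:3c:7e:01:22:10",
    "9A-4B-19-88-10-F2",
    "3c:5a:b4:12:34:56",
    "92:1f:6b:00:aa:bc",
    "not-a-mac",
]

_MAC_RE = re.compile(r"^[0-9a-f]{2}([:-]?[0-9a-f]{2}){5}$")


def parse_mac(text):
    """Return the address as 6 bytes, or None if the text is not a MAC."""
    s = text.strip().lower()
    if not _MAC_RE.match(s):
        return None
    return bytes.fromhex(re.sub(r"[:-]", "", s))


def classify(mac):
    """Classify by the two low-order flag bits of the first octet."""
    first = mac[0]
    if first & 0x01:   # group bit: not a valid station source address
        return "multicast"
    if first & 0x02:   # locally administered: not burned in, likely randomized
        return "local"
    return "global"    # manufacturer-assigned, stable hardware identifier


def audit(sources):
    """Group observed addresses and flag any exposure of a global address."""
    report = {"local": set(), "global": set(), "multicast": set(), "malformed": []}
    for raw in sources:
        mac = parse_mac(raw)
        if mac is None:
            report["malformed"].append(raw)
            continue
        report[classify(mac)].add(mac.hex(":"))
    # One global address among many random ones is enough to link them all.
    report["leaks_hardware_address"] = bool(report["global"])
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PROBE_SOURCES).items():
        print(key, value)
```

A "local" result only shows that the address is not the burned-in one; a manually configured address sets the same bit.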
Serious security flaws disclosed
Although tech companies have started to implement MAC randomization, the technique appears to fail at protecting mobile users' privacy. A recent study by the U.S. Naval Academy has identified a serious error in the technology's implementation: researchers have demonstrated a method by which 100% of mobile devices using MAC randomization can be detected. The research revealed a previously unknown flaw in the way wireless chipsets handle low-level control frames, which was found in devices made by all tested manufacturers.
Moreover, the lack of a universal policy and practice for MAC address randomization hinders the technique's effectiveness as a privacy protection. Because different manufacturers use different randomization schemes and not all operating systems deploy them, it only becomes easier for attackers to target mobile device owners and identify them, the study shows.
Devices running Android are the most vulnerable to tracking: the U.S. Naval Academy's research revealed that the majority of them do not even support MAC randomization. According to experts, Apple performed slightly better, with MAC addresses being randomized properly in iOS 8; however, updates in iOS 10 made identification possible again.
That said, for the long run, a common MAC randomization standard is still under development by the Institute of Electrical and Electronics Engineers (IEEE). The research findings clearly indicate that further work is needed, especially when it comes to technological flaws and weak adoption.
Why keeping MAC address private matters
MAC address randomization is supposed to serve as a privacy measure that keeps your location data private and prevents snooping by third parties. Location data is particularly useful for vendors, who can track shoppers and analyze their behavior patterns, later using the results in targeted marketing campaigns or selling them to advertisers. The MAC addresses of smartphones and tablets are ideal for shopper identification and tracking, as it is not too difficult to set up equipment that can log MAC addresses and recognize them later. One of the most well-known cases was the “smart” spying trash cans in the UK, which would detect passing commuters through their Wi-Fi enabled devices. Another is the transport authority gathering data through public hotspots on where passengers enter and leave the London Underground, which would let them improve the service.
Away from the commercial side, state intelligence agencies can capture smartphones' location data to infer relationships between people. Whatever the reason for such data collection and tracking, the fact that it happens without the user’s consent makes it horrifying.
MAC randomization clearly has not been exploited to its full potential yet. While adoption and development of the technology are still in progress, users can take action themselves by keeping Wi-Fi on their mobile devices turned off when not in use. What about when going online? When browsing unprotected, your sensitive data becomes highly vulnerable to snooping: your IP address is like an open book for hackers and third parties. Here, a VPN service like NordVPN comes in handy: it encrypts and routes your Internet traffic through a remote VPN server, so you can browse anonymously with your IP address hidden. This means that neither hackers nor advertisers or ISPs will be able to track your activity online, and your private data will remain private.