Three Years Later: A Study of MAC Address Randomization In Mobile Devices And When It Succeeds

Fenske, Ellis; Brown, Dane; Martin, Jeremy; Mayberry, Travis; Ryan, Peter Y. A.; Rye, Erik C.

doi:10.2478/popets-2021-0042

Cited by 42 publications

(27 citation statements)

References 11 publications

(33 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We extend their work by evaluating modern devices supporting wider bandwidth channels, and additionally show two-meter level accuracy can be achieved on low-multipath 20 MHz bandwidth channels, matching evaluation results obtained in [11]. Furthermore, even though Wi-Fi MAC address randomization has been studied at length [12,28,47], and countermeasures to deanonymization and tracking mechanisms were proposed (e.g., randomization of sequence numbers) [36], we find these have not seen their adoption in protocols such as Wi-Fi FTM. Next, researchers have shown fingerprinting techniques to uniquely identify Wi-Fi cards [44,50,55], and in [14], the authors performed fingerprinting by including Wi-Fi FTM configuration parameters.…”

Section: Related Worksupporting

confidence: 54%

“…That is, when sequence numbers are sequential, it becomes trivial to link distinct MAC addresses despite their address randomization. While researchers have correlated sequence numbers before [12,36], we find the problem persists beyond the traditional use cases of MAC address randomization (e.g., scanning for networks). That is, in practice we find the sequence number counters are not properly managed for protocols requiring address randomization, and these shortcomings become more severe in the con-text of privacy-sensitive protocols such as Wi-Fi FTM.…”

Section: Correlation Of Sequence Numbersmentioning

confidence: 94%

See 1 more Smart Citation

Privacy-Preserving Positioning in Wi-Fi Fine Timing Measurement

Schepers

Ranganathan

2022

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

With the standardization of Wi-Fi Fine Timing Measurement (Wi-Fi FTM; IEEE 802.11mc), the IEEE introduced indoor positioning for Wi-Fi networks. To date, Wi-Fi FTM is the most widely supported Wi-Fi distance measurement and positioning system. In this paper, we perform the first privacy analysis of Wi-Fi FTM and evaluate devices from a wide variety of vendors. We find the protocol inherently leaks location-sensitive information. Most notably, we present techniques that allow any client to be localized and tracked by a solely passive adversary. We identify flaws inWi-Fi FTM MAC address randomization and present techniques to fingerprint stations with firmware-specific granularity further leaking client identity. We address these shortcomings and present a privacy-preserving passive positioning system that leverages existing Wi-Fi FTM infrastructure and requires no hardware changes. Due to the absence of any client-side transmission, our design hides the very existence of a client and as a side-effect improves overall scalability without compromising on accuracy. Finally, we present privacy-enhancing recommendations for the current and next-generation protocols such as Wi-Fi Next Generation Positioning (Wi-Fi NGP; IEEE 802.11az).

show abstract

Section: Related Worksupporting

confidence: 54%

Section: Correlation Of Sequence Numbersmentioning

confidence: 94%

Privacy-Preserving Positioning in Wi-Fi Fine Timing Measurement

Schepers

Ranganathan

2022

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

show abstract

“…Probe requests in network discovery have distinguishable patterns despite using MAC randomization because of inconsistencies between implementations of the feature [1]. For example, a device may change only the last three bytes of its MAC address while another device only changes the locally administered bit in the MAC address.…”

Section: Patterns In Wi-fi Discovery Eventsmentioning

confidence: 99%

“…These configuration parameters create patterns because they determine the delay for each probe, how many bursts of probes are transmitted on a channel, and how many probes are sent in each burst. MAC randomization implementations create additional patterns because of variance in how often they change MAC addresses and when transmitting probe requests containing changed addresses [1]. To develop a time-based defense while MAC randomization is in use, adding jitter to ProbeDelay on each transmission becomes necessary to hide the pattern embedded in the IFATs.…”

Section: Patterns In Wi-fi Discovery Eventsmentioning

confidence: 99%

Defending wi-fi network discovery from time correlation tracking

Cifuentes-Urtubey

Kravets

Vasisht

2022

Proceedings of the 20th Annual International Conference on Mobile Systems, Applications and Services

View full text Add to dashboard Cite

To prevent tracking a Wi-Fi device based on its MAC address, several operating systems have adopted MAC address randomization to conceal its factory-assigned address. This feature benefits users when their devices scan for networks, but a flaw arises when timing between transmissions stays consistent despite MAC address randomization in use. We present a defense mechanism, implemented with the Netlink library, against a time correlation attack for probe request packets on Wi-Fi devices. We show how adding random jitter to probe request transmissions renders a timing correlation attack infeasible to track devices during network discovery. CCS CONCEPTS• Networks → Link-layer protocols; Mobile and wireless security.

show abstract

“…Even though there are works that study this randomization [278]- [281], the study within this field requires more work by the scientific community to obtain a policy that allows the security and privacy of the user, but that allows obtaining an estimate of the number of mobile devices in a room for its correct optimization and use.…”

Section: Contribution To Enhancing the Cognitive Capability Of Its Us...mentioning

confidence: 99%

Contribución al aumento de la capacidad cognitiva de los sistemas inteligentes de transporte mediante inteligencia artificial

Pérez¹

View full text Add to dashboard Cite

show abstract

Three Years Later: A Study of MAC Address Randomization In Mobile Devices And When It Succeeds

Cited by 42 publications

References 11 publications

Privacy-Preserving Positioning in Wi-Fi Fine Timing Measurement

Privacy-Preserving Positioning in Wi-Fi Fine Timing Measurement

Defending wi-fi network discovery from time correlation tracking

Contribución al aumento de la capacidad cognitiva de los sistemas inteligentes de transporte mediante inteligencia artificial

Contact Info

Product

Resources

About