Some limitations of wifi MAC address randomization

September 1, 2019

In a comment on my entry on an Android-based gadget with aggressive wifi MAC randomization, Jukka wrote:

The DHCP issues notwithstanding, I applaud this kind of MAC randomization. Easy to do manually, of course, but I haven't realized that also off-the-shelf products are doing it. Good for them: so-called WiFi tracking is nowadays rampant in public spaces. They're even combining this tracking with facial recognition and whatnot; cf. <link>

I sure hope that your university is not among these "smart offices"...

My university isn't (and hopefully never will be; I think a lot of people would object), but part of my reaction to Jukka's mention is that if it was, wifi MAC randomization wouldn't protect me because all of our wifi networks require authentication, generally through things like 802.1x. The university doesn't need to even try to track me indirectly by device MAC address when it can track me directly by authentication.

(There are no anonymous wifi networks at work, or at least there aren't supposed to be; it's a university policy that all wireless network access has to be identifiable and authenticated in some way.)

This points directly to the fundamental limitation of MAC randomization, which is that MAC randomization conceals your device's identity but not yours. Actively authenticated network access is one way to identify and track you, but it's far from the only one. For instance, a public wifi network with a captive portal could drop a cookie on you the first time you visit and then try to read it back out on later visits, so it could associate your current MAC with past ones (and such a cookie would be a first-party cookie, so not subject to many browser precautions). It could even sell this as a convenience; if you have your identifying cookie, it'll automatically authorize you since it has an acceptable indication that you've already agreed to the network's TOS.

(Various intrusive forms of traffic monitoring can be used to create some sort of fingerprint of your activity and your device's signature actions. Some of this will get harder when encrypted SNI rolls out, since then traffic monitoring will have to work harder to identify what HTTPS sites your device is checking in with.)

This doesn't make MAC randomization completely pointless on authenticated networks and other such environments; if nothing else, it potentially hides information on how many distinct devices you have (although that may be revealed if the devices have other identifying quirks, such as fixed DHCP 'host name' fields).

Written on 01 September 2019.
« The sorts of email attachments that we get these days have become boring
Another way to do easy configuration for lots of Prometheus Blackbox checks »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Sep 1 22:40:58 2019
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.