Client MAC Address Tracking

Threat Category: Network Threats: Wi-Fi

ID: LPN-4

Threat Description: When probing for available Wi-Fi networks, mobile devices transmit their MAC address. Persistent use of a single MAC address readily enables physical tracking of a specific device by listening or probing for messages that contain its associated MAC address. As a result, most mobile OS added support for some implementation of MAC address randomization, such that a device generates a new MAC address when establishing communication with an unknown Wi-Fi network. Note, however, that once an attacker has associated a target device with the MAC address it uses on a given Wi-Fi network, successful SSID spoofing may trigger the device to attempt to connect, thereby revealing a traceble MAC address.

Threat Origin

IEEE 802 Privacy Threat Analysis ¹

Exploit Examples

How Stores Use Your Phone’s Wi-Fi to Track Your Shopping Habits ²

Attention, Shoppers: Store is Tracking Your Cell ³

FTC Goes After Firm for Tracking Shoppers’ Cell Phones ⁴

How Retailers Use Smartphones to Track Shoppers In the Store ⁵

CVE Examples

Not Applicable

Possible Countermeasures

Mobile Device Owner

To increase the complexity of MAC address tracking, procure mobile devices with OS and hardware versions that support MAC address randomization. Starting in Android 6.0, randomized MAC addresses are used for Wi-Fi and Bluetooth scans. See Android 6.0 Changes. ⁶ In iOS 8, Wi-Fi scanning behavior changed to use random, locally administrated MAC addresses. See User Privacy on iOS and OS X. ⁷ Windows 10 and later verions support MAC address randomization. ⁸

Enterprise

Consider the use of devices supporting Android 10 or later, in which MAC randomization is enabled by default for client mode, SoftAp, and Wi-Fi Direct.

Mobile Device User

To reduce traceable signals from a mobile device, place it airplane mode when wireless communication is not in use. In this mode, most devices will disconnect from any current Wi-Fi network, and not attempt to join any Wi-Fi networks until reenabled.

To minimize traceable signals from a mobile device, power it off when not in use.

References

B. Weis, IEEE 802 Privacy Threat Analysis, Cisco Systems, 2016; www.ieee802.org/1/files/public/docs2016/802E-weis-privacy-threat-analysis-0718-v01.pdf [accessed 8/24/2016] ↩
B. Fung, “How stores use your phone’s WiFi to track your shopping habits”, The Washington Post, 19 Oct. 2013; www.washingtonpost.com/blogs/the-switch/wp/2013/10/19/how-stores-use-your-phones-wifi-to-track-your-shopping-habits [accessed 8/24/2016] ↩
S. Clifford and Q. Hardy, “Attention, Shoppers: Store Is Tracking Your Cell”, The New York Times, 14 July 2013; www.nytimes.com/2013/07/15/business/attention-shopper-stores-are-tracking-your-cell.html [accessed 8/24/2016] ↩
S. Mlot, “FTC Goes After Firm for Tracking Shoppers’ Cell Phones”, PCMag, 24 Apr. 2015; www.pcmag.com/article2/0,2817,2482985,00.asp [accessed 8/24/2016] ↩
How Retailers Use Smartphones To Track Shoppers In The Store, All Things Considered, National Public Radio, 16 June 2014, transcript; www.npr.org/2014/06/16/322597862/how-retailers-use-smartphones-to-track-shoppers-in-the-store [accessed 8/24/2016] ↩
Android 6.0 Changes, https://developer.android.com/about/versions/marshmallow/android-6.0-changes.html#behavior-hardware-id [accessed on 8/24/2016] ↩ ↩²
M. Beasley, More details on how iOS 8’s MAC address randomization feature works (and when it doesn’t), blog, 26 Sep. 2014; https://9to5mac.com/2014/09/26/more-details-on-how-ios-8s-mac-address-randomization-feature-works-and-when-it-doesnt/ [accessed 7/27/22] ↩ ↩²
M. Vanhoef et al., “Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Netowrk Discovery Mechanisms.”, in Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, 2016, pp. 413-424; https://papers.mathyvanhoef.com/asiaccs2016.pdf [accessed 8/1/2022] ↩ ↩²