Weaknesses in MAC address randomisation

Typical networked devices, including the ubiquitous smartphone, have a now well-known address – the IP address used to route information across the Internet. But there is another, less well-known address which can be far more revealing of the actual device. This is the MAC (Media Access Control) address. Where the IP address is needed to enable end-to-end communication across the Internet, the MAC address deals with physically addressing devices on the local network. Unlike the IP address, which is stamped on every packet of data, the MAC address does not travel beyond the local link. It is a low-level address, in Layer 2 of the OSI model, or in the physical layer in IP terms. It deals with moving data – whatever that may be – between directly connected things. Examples include your smart TV and home router, or your smartphone and a wifi hub. Your smartphone passes data to the wifi hub using the wifi hub’s MAC address and vice versa. The wifi hub in turn passes the data onwards to, say, your home router using the home router’s MAC address and vice versa. And so on.

MAC addresses are 48-bit addresses broken into two parts. The first 3 bytes (24 bits) are known as the Organisationally Unique Identifier (OUI); companies purchase and register these with the controlling body, the Institute of Electrical and Electronics Engineers (IEEE). The second half is a serial number, unique within that OUI, assigned to a Network Interface Card (NIC) (or, most probably these days, a chip rather than an actual card).

MAC addresses were designed to be globally unique, but the first byte contains a one-bit flag to indicate whether the address truly is global (universally administered) or local (locally administered). Local addresses are by definition not globally unique. A second type of identifier, the Company ID (CID), is formed from the same first 3 bytes but with the flag set to local.
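As an added worked example (not part of the original post), the following Python decodes the structure just described: it splits a 48-bit address into its 3-byte OUI/CID prefix and 3-byte NIC part, reads the local/global and individual/group flag bits in the first octet, and shows how an operating system would mint a randomised, locally administered address by setting that flag. The sample addresses are constructed for illustration and no vendor is claimed for any prefix except the well-known IPv4 multicast mapping `01:00:5e`. A network defender can run the same classification over a list of observed client addresses to see what fraction are randomised (locally administered) rather than burned-in.

```python
import re
import secrets

# Flag bits in the first octet of a 48-bit MAC address (IEEE 802 convention).
MULTICAST_BIT = 0x01  # 1 = group (multicast/broadcast), 0 = individual (unicast)
LOCAL_BIT = 0x02      # 1 = locally administered, 0 = universally administered


def parse_mac(text: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabb.ccdd.eeff'.

    Returns the six raw bytes; raises ValueError for anything that is not
    exactly 48 bits of hex.
    """
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def describe_mac(text: str) -> dict:
    """Break an address into the fields discussed above."""
    raw = parse_mac(text)
    first = raw[0]
    local = bool(first & LOCAL_BIT)
    return {
        # The same three bytes are an OUI when the local bit is clear and a
        # Company ID (CID) when it is set.
        "prefix": raw[:3].hex(":"),
        "prefix_kind": "CID" if local else "OUI",
        "nic": raw[3:].hex(":"),
        "locally_administered": local,
        "multicast": bool(first & MULTICAST_BIT),
    }


def random_local_mac(rng=secrets.token_bytes) -> str:
    """Mint a randomised address the way a privacy-preserving OS does:
    random bytes, local bit set, multicast bit cleared (so it is a valid
    unicast source address). `rng` is injectable so the result can be tested.
    """
    raw = bytearray(rng(6))
    raw[0] = (raw[0] | LOCAL_BIT) & ~MULTICAST_BIT & 0xFF
    return raw.hex(":")


def summarise(addresses) -> dict:
    """Count how many observed unicast addresses look randomised (local) versus
    burned-in (global). Multicast/broadcast destinations are counted separately
    because they never identify a device.
    """
    counts = {"global": 0, "local": 0, "multicast": 0}
    for addr in addresses:
        info = describe_mac(addr)
        if info["multicast"]:
            counts["multicast"] += 1
        elif info["locally_administered"]:
            counts["local"] += 1
        else:
            counts["global"] += 1
    return counts


# Constructed sample of addresses as a wifi hub might log them.
SAMPLE_ADDRESSES = [
    "00:11:22:33:44:55",  # global unicast: burned-in NIC address
    "02:11:22:33:44:55",  # same prefix with the local bit set: a CID / randomised address
    "da:a1:19:6f:02:c3",  # first octet 0xDA has the local bit set
    "01:00:5e:00:00:01",  # IPv4 multicast mapping: group address, not a device
    "ff:ff:ff:ff:ff:ff",  # broadcast
]

if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        print(addr, describe_mac(addr))
    print("summary:", summarise(SAMPLE_ADDRESSES))
    print("freshly randomised:", random_local_mac())
```

Note that `random_local_mac` draws from `secrets`, the CSPRNG, because a randomised address generated from a predictable sequence would itself become a tracking handle.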

Now, the first part of the problem is that these first three bytes identify the manufacturer or company, so you can see how a MAC address can be put to use by a surveilling agency. Even with such generic data, when faced with a room full of Android owners, the one iPhone owner will stick out.

But there is a far more major issue. Although these MAC addresses are meaningless in wider Internet terms, they are nonetheless supposed to be globally unique. And there is the issue. Were a global adversary able to inspect everything in the Internet looking for MAC addresses, then a device, a smartphone say, could be traced across the planet.

To get round this issue, operating systems can randomise the MAC address. This was intended as a privacy-enhancing technique, but unfortunately researchers have discovered multiple flaws in the various randomisation techniques used by system makers, which enabled them to defeat the randomisation of MAC addresses in 96% of Android phones. They took their work further to examine an attack method which can identify the global MAC address of a device even when it is in a randomised state.

See https://arxiv.org/pdf/1703.02874v1.pdf

See also http://papers.mathyvanhoef.com/asiaccs2016.pdf and https://lirias.kuleuven.be/bitstream/123456789/547642/1/wisec2016.pdf

Ablative privacy

Here’s something I’ve been thinking of for a while… and there’s a Star Trek link to boot. In Star Trek: Voyager the future Janeway managed to get ablative armour technology back in time to protect a shuttle against the Borg – or something like that; it was a while ago that I saw that episode.

Anyway, so how about ‘ablative privacy’: information thrown out there in such a way that when people drill into it they get what they think they want, which is actually only what little you want to share. Satisfied, they go no further. If one were to put up sufficient information to lead an aggressor into thinking they had uncovered every last detail, might that protect the real, deeply secured secrets that you really don’t want to share?

Well, maybe, maybe not. Really, all I wanted to do was coin the phrase in case I want to make further use of it! You saw it here first, folks…