MAC Address Randomization: Privacy at the Cost of Security and Convenience

Media access control (MAC) address randomization is a challenge for most traditional network operators and public Wi-Fi services. All iOS 14 devices have randomization enabled by default, as well as Android 10 devices from Google, Samsung, and OnePlus. Randomized MAC addresses are meant to obscure mobile devices and increase their privacy, making some networking and authentication solutions obsolete.

Download a short MAC randomization whitepaper.

According to separate research studies done by Microsoft and Singular, most users do not change default settings on their devices. This means that MAC randomization is quickly becoming the de facto standard in the mobile networking industry. Many networking services still rely on MAC addresses for device authentication and security. This is a cause for concern, as our device intelligence analysts working on CUJO AI Explorer expect over 30% of all mobile devices to use MAC randomization by Feb 2021. What happens when every third device has a random MAC address on a network? Read on to find out!

What Is MAC Randomization

MAC randomization is a process where software changes the hardware MAC addresses (also known as global MAC addresses) to random and unpredictable strings. In some cases, the first octets (1/6ths of the MAC address) still represent the device manufacturer and model, pseudo-randomizing the rest of the address. For most users, this latter type of predictable randomization provides no added benefit, as it is easy to identify and track.

MAC randomization happens when software changes the global MAC address of the device.

How it works

Not all MAC randomization protocols are the same. They depend on the manufacturer and the 802.11 chipset a device uses. Randomization techniques have also changed over time, but usually, MAC addresses randomize as a device probes new networks around it.

Randomization of the MAC address can happen at timed intervals or whenever the device probes a new SSID.

Why Randomized MAC Addresses Are Becoming the Standard

The short answer: privacy. MAC addresses have always been a means to Layer 2 OSI communication, but recent decades have seen the rising usage of MAC addresses as personal identifiers for customer service, device identification, and traffic offloading in numerous networks.

As with any identifying data point, marketers were quick to jump on using MAC addresses for tracking customers with the help of public Wi-Fi probe attacks, tracking beacons, and other privacy invading technologies. As the public grew more concerned with privacy, device manufacturers started rolling out standard means of MAC address randomization on Android, iOS, and Windows operating systems.

After years of testing and tweaking, as well as scrutiny from privacy and security analysts, MAC randomization has improved to the point where manufacturers are ready to ship new mobile devices with MAC randomization ON by default.

Security Issues with MAC Randomization

There are several levels of security risks that come from randomizing MAC addresses, primarily network destabilization and malicious device activity.

Interested in cybersecurity? Read the latest article by Leonardas Marozas, our Security Ressearch Lab Manager, about security threats to mobile devices.

Both Wi-Fi steering and traffic offloading from cellular nets rely on detecting, identifying, and classifying devices to provide stable connections for tens of millions of users every second. Whenever a 4k streaming device connects to a network, it needs more broadband allocation than a smart fridge. If the network cannot identify the device, it cannot steer it to the best SSID and router band.

Since MAC addresses are used for tracking devices on a network, operators and users will no longer be able to monitor devices connected to their routers when any significant number of devices use unpredictable addresses. What happens when you cannot monitor and detect a device? It becomes easier for malicious actors to hop onto your network with their own MAC address and hide.

“Cannot detect it – cannot protect it.”

Lastly, device-based parental controls and malicious content blockers often use MAC address blacklists and whitelists. Whenever a device randomizes its MAC address, these protective measures need to be set up anew. Unfortunately, doing this daily is not a good option for security and makes those solutions obsolete.

MAC Randomization on iOS 14 Devices

Apple devices make up almost 30% of all mobile devices in the US. MAC (called Wi-Fi address) randomization was available on all iOS devices starting from iOS 8 but was OFF by default. I should note that Apple had left some leaks which tracking companies quickly made good use of: iOS devices were transmitting their global MAC addresses without connecting to Wi-Fi networks first.

In the past, Apple had left some leaks which tracking companies quickly made good use of: iOS devices were transmitting their global MAC addresses without connecting to Wi-Fi networks first.

We saw drastic changes in Apple’s approach when testing the beta version of iOS 14, as it randomized MAC addresses daily for every network, even the user’s home Wi-Fi network. This would have meant pandemonium for service providers who use MAC addresses to optimize router performance – the number of unique and unclassified devices would have grown every day and made standard data allocation and prioritization solutions obsolete overnight.

Apple reconsider its aggressive approach and MAC randomization on the official iOS 14 release is less aggressive than in the beta. iPhones randomize their MAC addresses for each network, but only do that once unless the user decides to forget a network. An unforeseen caveat is that an iPhone or iPad connected to the same network on different bands (2.4 and 5 GHz) still shows up as two different devices based on MAC addresses. CUJO AI solves these issues without using MAC addresses, successfully identifying devices on a network with over 94% accuracy within the first 5 minutes.

Randomizing MAC Addresses on Android 10

Android OS had full MAC randomization since Android 9. It used to be OFF by default on all devices, but some manufacturers have started to ship devices with randomization enabled by default. The newest Samsung, Google and OnePlus devices already use randomization and, as adoption of Android 10 rolls on, up to 80% of all devices on mobile networks will have randomized MAC addresses in the coming years. Our conservative estimates show that current Android MAC randomization is close to just 5%, as new Android OS adoption is significantly slower than that of iOS releases.

Nevertheless, randomizing Android MAC addresses has proved to be a significant challenge for Android manufacturers too. Research from 2017 showed that Samsung’s devices would not randomize their global MAC address even when randomization was enabled.

See this presentation from Privacy Enhancing Technologies Symposium for a more in-depth dive into the subject:

What’s notable is that some major Android manufacturers still ship devices with MAC randomization switched OFF by default. These include Huawei and Xiaomi.

Default-OFF: Randomized MAC Addresses on Windows Devices

As with most Android devices, users have to enable MAC randomization on Windows devices. Nevertheless, Windows has one of the most aggressive randomization solutions on the market. It can randomize the MAC address daily for all networks, similarly to the beta version of iOS 14.

This aggressive randomization might cause local network usability issues, as 802.11 communications require a static MAC address. With its address randomizing every day, the Windows device might be forced to re-authenticate on the network every time. On the other hand, if it only randomizes the hardware address to send unique identifiers to each network, there shouldn’t be any authentication issues after the initial connection.

More to the Story

This article was just a primer on MAC address randomization. Follow our blog to read more about how MAC randomization impacts network service operators and how CUJO AI solves device identification without MAC addresses. Alternatively, read our whitepaper on the topic.