MAC Address Randomization Flaws

Tuesday, March 14, 2017 @ 07:03 AM gHale

There is a new attack method that can track mobile devices that rely on Media Access Control (MAC) address randomization.

A MAC address is a unique identifier assigned to a device’s network interfaces. Since the address is unique and hardcoded, it can be very useful for tracking a device and its owner. To protect users against MAC-based tracking attempts, mobile device vendors have implemented MAC address randomization, which involves broadcasting a random Wi-Fi MAC address.

Security Device Market Growing: Report
IIoT Attacks Coming: Report
Use of Ransomware Skyrockets
Robots: Design in Security

However, a team from the U.S. Naval Academy has come up with a technique that can track all smartphones that rely on this feature.

Google introduced MAC address randomization to Android in 2015 and Apple introduced the feature in mid-2014 with the release of iOS 8.

U.S. Naval Academy researchers identified serious flaws in the Android implementations of MAC randomization, allowing them to break the protection of 96 percent of tested phones.

Researchers also analyzed Karma attacks, a known method that involves simulating an access point that a device prefers to connect to. They also devised a new method that relies on control frames to expose the global MAC address for all types of devices, regardless of the operating system, manufacturer or the way randomization is implemented.

The new attack involves Request-to-Send (RTS) and Clear-to-Send (CTS) frames, which end up used to avoid collisions in the IEEE 802.11 specification (i.e. Wi-Fi). When a node wants to send data, an RTS frame transmits to inform other nodes on the channel the channel should not end up used in order to avoid collisions. The target node responds with a CTS frame if the request to transmit data is approved.

By sending an RTS frame to IEEE 802.11 client devices, an attacker obtains a CTS response from which they can derive the global MAC address. Once the global MAC has been obtained, the attacker can easily track that device in the future by sending it RTS frames containing the global MAC.

Researchers said this attack method worked on all the devices they tested.

Since a wide range of devices are vulnerable to this attack, experts believe RTS/CTS responses are a function of the underlying 802.11 chipset, not the operating system. This would mean that the derandomization issue cannot end up patched by smartphone manufacturers with an OS update.

“There are multiple scenarios in which a motivated attacker could use this method to violate the privacy of an unsuspecting user. If the global MAC address for a user is ever known, it can then be added to a database for future tracking,” researchers said in their paper. “Conceivably, an adversary with a sufficiently large database and advanced transmission capabilities could render randomization protections moot.”

Leave a Reply

You must be logged in to post a comment.