back to article MAC address privacy inches towards standardisation

The Internet Engineering Task Force's (IETF's) decision last year to push back against surveillance is bearing fruit, with the 'net boffins and the IEEE proclaiming successful MAC address privacy tests. While MAC address randomisation has been a feature of various clients (including Linux, Windows, Apple OSs and Android) for …

  1. Adam JC

    Randomising MAC address

    How on earth is this possibly going to work? If you randomise a MAC address connecting to an access point, how am I supposed to apply DHCP reservations, keep tabs on which machine is which, apply MAC-Addressed VLAN policies, not to mention how this would possibly break captive portal and hotspot-style services completely.

    I may be completely missing the point here, some information how how exactly this will be implemented would be extremely interesting to read. I'm going to have to assume they'll negotiate with the AP initially with the real MAC address and then randomise it from that point onwards... This is making my head hurt just thinking about it!

    1. Ralph B

      Re: Randomising MAC address

      It's only the MAC address used when probing for known networks that is being randomised. As soon as you connect (or try to connect) then you're using your real MAC address. More details here.

      1. Ben Tasker

        Re: Randomising MAC address

        > It's only the MAC address used when probing for known networks that is being randomised. As soon as you connect (or try to connect) then you're using your real MAC address. More details here.

        That's how iOS 8 does it, but not how the experiment was run. The devices MAC was randomised before connecting to a new network but wasn't then reverted back to the real address.

        They essentially ran

        MAC_ADDR=06:`openssl rand -hex 5 | sed 's/\(..\)/:\1/g;s/^.\(.\)[0-3]/\12/;s/^.\(.\)[4-7]/\16/; s/^.\(.\)[89ab]/\1a/;s/^.\(.\)[cdef]/\1e/'`; sudo ifconfig <WLANIFACE> ether $MAC_ADDR; networksetup -setairportnetwork <WLANIFACE> <ESSID> <WiFi KEY>; echo $MAC_ADDR >> <PATH_TO_LOGFILE>

        (they used the 06 at the beginning to identify trial participants and DHCP/VLAN them differently).

        More info on mentor - https://mentor.ieee.org/privecsg/documents

        There's some interesting reading there actually....

        1. Ralph B

          Re: Randomising MAC address

          @Ben Tasker: Thanks for the info. That would certainly break filtering clients by MAC address. Sigh.

          1. Alan Brown Silver badge

            Re: Randomising MAC address

            "That would certainly break filtering clients by MAC address."

            It's not as if MACs can be spoofed, is it?

          2. chris 17 Silver badge

            Re: Randomising MAC address

            filtering by MAC was convenient, but as you should know, MAC's sent on the wire/less can be changed to what ever you want. Need a better way to do the same task like NAC (802.11x)

    2. Justin Clift

      Re: Randomising MAC address

      "If you randomise a MAC address connecting to an access point, how am I supposed to ... keep tabs on which machine is which ..."

      Yeah, I think that's the whole point. :)

      Note though, I do agree that in workplace settings this could be a real pita.

  2. Chris Miller
    Unhappy

    Does this mean

    I can no longer use DE:AD:BE:EF:CA:FE? Or xx:xx:xx:C0:FF:EE?

  3. This post has been deleted by its author

    1. Sebby

      Re: IPv6 addresses

      Not really relevant because we're talking about tracking that occurs on the local link. Privacy addresses are available for the non-local link case, in which case you just derive your interface identifier (host portion) of the address randomly so people can't track your single device across locations.

      1. chris 17 Silver badge

        Re: IPv6 addresses

        @ Sebby

        it is relevant.

        1) if the ipv6 router assigns the IP with the MAC as the host part then all on the net will see what machine you are using, where you are using it, can check where you've used it in their system & compare against commercial lists from other organisations. Pop into M&S and your phone tries to connect to their wifi then visit their website when you get home they can then link your device & then likely your home network prefix too just for visiting their site, not even logging in.

        2) If they have your MAC but don't use it in the host part of IPv6 they can track your visits and sell that info on.

        please feel free to work out why that might not be such a good thing.

    2. Anonymous Coward
      Anonymous Coward

      Re: IPv6 addresses

      If you look at the geo tracking built into every IPv6 address (8 groups of 16 bits), it is not hard to start to think that this was may be built in by design, or just laziness.

      Microsoft do not fully support IPv6 fully (yet)

      \\127.0.0.1\C$ works in Windows but

      \\::1\C$" does not (OS sees a colon, assumes you're referencing a drive letter)

      1. Yes Me Silver badge

        Re: IPv6 addresses

        " geo tracking built into every IPv6 address"????

        No such thing. I don't know where you got that from. The routing prefix is normally 64 bits and that is topological, of course, like an IPv4 address, so it serves for rough geolocation. The interface ID is normally 64 bits too, and the latest IETF recommendation is that it should be pseudo-random and with a reasonably short lifetime. How short depends on how much pervasive surveillance you're willing to accept. Enterprise networks that allow BYO are going to have to get used to this, and the spooks are no doubt frothing at the mouth. (Well, not so much, because mainly they rely on application layer metadata, but if you want to know which machine in a cybercafe somebody used at a certain time, a pseudo-random MAC address and interface ID will make your job harder.)

        1. Daniel 18

          Re: IPv6 addresses

          Randomizing the MAC is a good first step, which prevents leaking certain information... a lot more is sheltered by the VPN you are using. You are using a VPN, aren't you?

      2. gnarlymarley

        Re: IPv6 addresses

        "\\::1\C$" does not (OS sees a colon, assumes you're referencing a drive letter)"

        Don't forget that IPv6 should be accessed as [::1] when using an IP address literal.

  4. david 12 Silver badge

    "Little thought was given to the risk that the MAC address"

    Actually, enormous thought was wasted in the 90's on the risk to privacy and security due to MAC addresses. Like the silly decision to prevent Intel putting ID's into processor (since ignored by every European company selling into the utilities market), MAC's were the victim of a stupid smear campaign that ignored their utility, causing MS to hide them from programs in Win98, requiring you to use a stupid and inconvenient kludge to get the information.

    It is still the case that certain tasks, (like sending out broadcast packets on specific adapters on multi-adapter machines) are needlessly complex, and the ignorant "privacy" concerns of the 1990's are one of the reasons.

  5. Anonymous Coward
    Anonymous Coward

    "It is still the case that certain tasks, ... are needlessly complex, and the ignorant "privacy" concerns of the 1990's are one of the reasons."

    Privacy concerns are rarely ignorant, even if they sometimes make certain tasks more difficult to accomplish. Like breaching people's privacy.

    1. david 12 Silver badge

      Concerns are often ignorant, even if they sometimes are based on or related to genuine issues.

      The concerns about MAC's and Processor ID's were ignorant, the "solution" of hiding the ID number was unworkable, and the false "solution" only had the effect of giving a false sense of security.

      Like hiding your WiFi SSID

      .

  6. Anonymous Coward
    Anonymous Coward

    MAC spoofable since early nineties

    I've done it myself a few times, starting with Sun Ethernet devices. At that time, on early PC hardware, I don't remember the MAC address being changable but it was on the more capable Sun adaptors. On later PC hardware it also was possible. I then remember spoofing the MAC address of a newer Ethernet adaptor to the same as on a previous card so I could keep my IP address allocated by my ISP about 15 years ago which relied on the MAC which they had registered. Also if MACs weren't spoofable, this would make pentesting WiFi moot, as the pentester would be laying an evidence trail by identifying themselves through the MAC.

  7. Daniel 18

    Never use your real MAC

    I think the point is that you should never use a fixed/real MAC unless you personally control the network and can be assured where your data isn't going.

    The days when privacy was the default are long gone, and we are going to have to do quite a bit of work to get it back.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like