MAC randomization: A massive failure that leaves iPhones, Android mobes open to tracking

To protect mobile devices from being tracked as they move through Wi-Fi-rich environments, there's a technique known as MAC address randomization. This replaces the number that uniquely identifies a device's wireless hardware with randomly generated values. In theory, this prevents scumbags from tracking devices from network …

  1. MNGrrrl
    Thumb Up

    food for thought

    Not only do criminals want to rip us off, but businesses too. And the government wants to steal all the data as well. And all three of them are at war, playing an endless game of exploit, counter, exploit. And yes, arresting someone is also an exploit -- it's a (puts on sunglasses) denial of existence attack. Am I the only one that's wondering who's on *my* side besides me?

    There's almost nobody trying to stop privacy invasions and create technology that achieves this goal... the few that exist are laughably underfunded compared to... well, everyone. It's basically privacy advocates versus the world.

    1. Anonymous Coward

      "nobody trying to stop privacy invasions"

      * Was sure after Snowden / Schrems a new industry would crop up to bring the fight home. However the world has bent over anyway and sold its soul to Big-Tech... How did that happen?

      * The tech giants, politicians and spies were all right, the public is too dumb, busy or preoccupied with the new shiny to get it.

      * That sure lets the elite off the hook, as whistleblowers, human rights activists & investigative journalists become the new target.

      * Here's a rare article showing WWIII and the power behind 'surveillance-capitalism'. Welcome to present-day dystopia folks:

      https://www.theguardian.com/politics/2017/feb/26/robert-mercer-breitbart-war-on-media-steve-bannon-donald-trump-nigel-farage

      1. Anonymous Coward

        Re: "nobody trying to stop privacy invasions"

        "https://www.theguardian.com/politics/2017/feb/26/robert-mercer-breitbart-war-on-media-steve-bannon-donald-trump-nigel-farage"

        Do you not see the irony of that article? It's an article telling you that you have secretly been brainwashed by the right so you question your beliefs (if that is what you believe of course)

        I'm not buying it in the slightest, voter apathy, disappointment with the status quo and a want for change was why Brexit and Trump succeeded. The reason we now have this fake news phenomenon is because the real news backed the losing sides and the predictions they made were lies. (at least as of now). I also don't see how facebook likes can nail my personality so it can be manipulated, if I was on facebook I don't see how my liking marmite, pink floyd or getting up on cheek to stop the noise could be used against me.

        The world's in a right pickle.

        1. Destroy All Monsters Silver badge
          Windows

          Re: "nobody trying to stop privacy invasions"

          Do you not see the irony of that article? It's an article telling you that you have secretly been brainwashed by the right so you question your beliefs (if that is what you believe of course)

          100% This.

          If it's the Guardian, there is likely wool being pulled over someone's eyes.

          Guardian, The Economist, NYT, WaPo are the biggest reality resurfacing outfits out there. Straight from "How to Goodthink for Dummies" and sundry "officials who cannot be named" (i.e. MiniTruth) to the presses.

          The world's in a right pickle indeed.

          1. Anonymous Coward

            "If it's the Guardian, there is likely wool being pulled over someone's eyes"

            https://www.theguardian.com/technology/2016/may/02/google-microsoft-pact-antitrust-surveillance-capitalism

        2. Anonymous Coward

          "if I was on facebook I don't see how my liking .... could be used against me"

          http://money.cnn.com/2014/06/30/technology/facebook-mood-experiment/index.html

        3. Pascal Monett Silver badge

          "if I was on facebook I don't see how my liking marmite, [..] could be used against me"

          It's not because you don't see how that it cannot be done.

          I just hope nobody will prove me right.

          1. Anonymous Coward

            Re: "if I was on facebook I don't see how my liking marmite, [..] could be used against me"

            I'll have to root around in my boxes of books for the one with the details of the 'ass'assination plot allegedly devised by a TLA, ISTR it involved the target having haemorrhoids, the target being in the old Soviet Union, the target being in a position to favour a soft toilet paper obtained from a specific shop.

            Yes, the old poisoned toilet paper plot, a ridiculously OTT example, maybe apocryphal (though if you consider the schemes they came up with regarding Castro..), point being, you never know what piddling little detail about your life could be used against you..and when..and for what purposes...(same book also had the poisoned thermionic valve plot, valves coated in compound which when heated released toxic gas, target was known to listen to a lot of radio..)

        4. mstreet
          Big Brother

          Re: "nobody trying to stop privacy invasions"

          "The reason we now have this fake news phenomenon is because the real news backed the losing sides and the predictions they made were lies."

          Are you sure? I'd have thought it had something to do with :

          A) Advertising. We spend every day being bombarded with media hype for this or that product, most of which is pure BS. I remember in the 70's when "false advertising" was a pretty serious charge to be avoided at all costs, lest your company have its logo associated with the word "Liar". These days, the most preposterous claims can be made, and nobody seems to bat an eye.

          B) Politicians. It's almost impossible to trust politicians, mostly because they can use 500 words to say absolutely nothing, but make it seem like they are agreeing with you. George Orwell was trying to point this out in the 40's, drawing parallels to the nebulous language used in advertising, with the prattle politicians were using to befuddle the masses. Since then, it's gotten a lot worse, and a lot more common.

          C) Public gullibility. Compare any current politician's campaign promises with the reality once they got into power. In my experience, they aren't just making little white lies anymore, but fundamentally misrepresenting what their intentions are. Take Canada for instance. I know people whose sole reason for voting for our current prime minister was his promised reforms of the electoral system. Now he's in power, he has not only scrapped the idea, but makes it seem like it was an idiotic idea in the first place.

          D) Precedence. Two days after 9-11, one of the 24 hour US news outlets had an informative piece on the history of Afghanistan. One little snippet of information that came out of that was that in 1978-1979, the (communist at the time) Afghan government had on 3 separate occasions asked Russia for support. Having lived through the fear the 1979 'invasion' caused, it was a watershed moment to learn that the Russians were actually invited into the country. It was also the last time I believed a media story without seeking confirmation from other sources.

          Fake news is nothing new. The delivery systems have just become better.

    2. Anonymous Coward

      Re: food for thought

      Nearly all businesses who use this are not actually interested in *you*. What they are trying to do is work out the people flow and dwell points so they can be more effective in their offers and marketing.

      It's similar to the way the traffic monitors on A road and motorway bridges work in the UK. They read your number plates and use those (apparently when they were installed they only used some of the number plate characters, but I doubt that is still true) to track traffic flow around the roads network to show congestion etc.

      So you can relax that they are usually not interested in *you* specifically but be alarmed that they (or someone else) could use that information to target your movements specifically if they had such a desire.

      1. Dan 55 Silver badge
        Big Brother

        Re: food for thought

        So you can relax that they are usually not interested in *you* specifically but be alarmed that they (or someone else) could use that information to target your movements specifically if they had such a desire.

        Could the Snooper's Charter be interpreted in a way (or easily tweaked so) as to mean that shops or these kinds of tracking companies that work on their behalf are considered communication providers and found MAC addresses are included in connection records and have to be made available to the 50-odd govt departments?

        So turn WiFi (including Google WiFi location services which can be on even if WiFi is off) and Bluetooth off when you leave home. I don't think my phone even offers the luxury of leaving them on as it'd flatten the battery anyway.

        1. salamamba too

          Re: food for thought

          won't help - there's a good chance your phone battery has its own rfid, and stores are using those for the same purpose.

      2. Anonymous Coward

        Re: food for thought

        Nearly all businesses who use this are not actually interested in *you*. What they are trying to do is work out the people flow and dwell points so they can be more effective in their offers and marketing.

        Indeed. I sometimes wonder if, rather than just paranoia, the people who make such a fuss about their data being visible/tracked, actually have a greater sense of self-worth than is actually appropriate?

        1. Anonymous Coward

          Re: food for thought

          "Indeed. I sometimes wonder if, rather than just paranoia, the people who make such a fuss about their data being visible/tracked, actually have a greater sense of self-worth than is actually appropriate?"

          Nice misdirection, although I have heard this one before. :)

          I cannot understand how this idea makes any sense.

          Privacy is nothing to do with self-worth !!!

          People who want their medical records kept secret do not have an excessive sense of self-worth.

          People who do not want 'Big Brother' to know where they go and what they do 24/7 also do not have a self-worth problem.

          BTW, it isn't paranoia either !!!

          I would ask you to justify the value, to you and me, of giving up our Privacy.

          Notice the word 'our', that is the perspective that I have about Privacy, it is not 'self' but everyone.

          I value the worth of everyone's privacy !!!

          1. robin thakur 1

            Re: food for thought

            Whilst I do take your point, the equation is that you get services like Google and FB for free, and in return you get tracked and your data and created content is used for marketing purposes. Most people are aware of this and are actually fine with it, whether they have actually read the finer print of the user agreements that they skip through or not. For example, connecting my lights up to the internet allows them to come on when it's night time and I'm in the vicinity. I'm aware I'm being tracked, and it's useful enough that I leave it enabled. I doubt that anyone will be coordinating a drone strike on my house because of it.

            The Governments can interrogate and seize this data at any point should you break the laws of the land. That should be a given at this point, regardless of encryption used.

            In recent cases (Aviva) which tried to monetize and incentivize social network data for the purposes of insurance premium cost reduction, it got banned in this country pretty quickly once it came to light. If you do not care for this arrangement, you have the option simply to not use the services and take steps to live a more luddite life, safe in the knowledge that you are not being tracked.

    3. TheVogon Silver badge

      Re: food for thought

      "The researchers found that "the overwhelming majority of Android devices are not implementing the available randomization capabilities built into the Android OS,""

      Probably because:

      a) It's off by default and your average punter doesn't know about tracking - and a lot of them probably wouldn't care even if they did, and

      b) Some WiFi systems record your MAC address to recognise who you are. Especially those that you pay for per connection in hotels, etc. Changing it randomly would mean that you need to login each time....
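The thread above turns on whether a given handset is actually randomising at all. As an added example that is not part of the article or any comment, here is a small defender-side check in Python: a client that randomises sets the "locally administered" (U/L) bit in the first octet of the address it sends, while a burned-in address carries a vendor OUI with that bit clear, so a passive monitor can classify the addresses it sees without looking anything up. The sample probe-request addresses are constructed for the example, and the classifier treats a locally administered address only as "likely randomised": it cannot tell whether the OS rotates that address per scan, and, as the article notes, other tracking techniques remain.

```python
import secrets
from collections import Counter


def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into six raw bytes."""
    parts = mac.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def is_locally_administered(mac: str) -> bool:
    # Bit 1 of the first octet is the U/L bit. Set means the address was
    # assigned locally (what a randomising client does); clear means a
    # vendor-assigned OUI that identifies the physical radio.
    return bool(parse_mac(mac)[0] & 0x02)


def is_multicast(mac: str) -> bool:
    # Bit 0 of the first octet is the I/G bit; a client never sends from a
    # group address, so these are noise if they show up as a source.
    return bool(parse_mac(mac)[0] & 0x01)


def classify(mac: str) -> str:
    """Return 'multicast', 'randomised' (locally administered) or 'burned-in'."""
    if is_multicast(mac):
        return "multicast"
    return "randomised" if is_locally_administered(mac) else "burned-in"


def random_unicast_mac() -> str:
    """Generate a random locally administered unicast MAC (U/L=1, I/G=0),
    which is the address shape a randomising client is expected to emit."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def summarise(macs) -> dict:
    """Count observed client source addresses by classification."""
    return dict(Counter(classify(m) for m in macs))


# Constructed sample (not a real capture): source addresses a passive monitor
# might record from probe requests. 00:1a:2b and 5c:f3:70 stand in for vendor
# prefixes; da:... and f2:... have the U/L bit set.
SAMPLE_PROBES = [
    "00:1a:2b:3c:4d:5e",
    "00:1a:2b:3c:4d:5e",
    "da:a1:19:00:12:34",
    "5c:f3:70:aa:bb:cc",
    "f2:11:22:33:44:55",
]

if __name__ == "__main__":
    for mac in SAMPLE_PROBES:
        print(f"{mac}  {classify(mac)}")
    print("summary:", summarise(SAMPLE_PROBES))
    print("fresh random address:", random_unicast_mac())
```

Running the block over the constructed list reports three burned-in and two randomised addresses; the same loop pointed at your own device's visible address tells you whether the randomisation setting is doing anything before you rely on it.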

  2. ZSn

    off

    I presume that if you turn the WiFi on your phone off none of this works and you are secure? I rarely leave the WiFi on when I am out and about but I'm paranoid so perhaps not representative of normal people.

    1. Your alien overlord - fear me

      Re: off

      My thoughts exactly. Who's got a phone which has a battery that can support Wi-fi being left on all the time anyway?

      1. Ken Hagan Gold badge

        Re: off

        I leave my WiFi on all the time (since the actual mobile signal coverage is so dire here) but I take your point -- I wouldn't dream of leaving the GPS switched on.

        1. Adam 52 Silver badge

          Re: off

          There's an option on Android to allow apps WiFi scanning at any time even when WiFi is off. Don't know if it's passive or active. Worth checking that it's turned off as well, not just the big button in the notification area.

          1. techulture

            Re: off

            Typically, this type of sneaky wifi activation is part of location settings.

        2. TheVogon Silver badge

          Re: off

          "I leave my WiFi on all the time (since the actual mobile signal coverage is so dire here) "

          Be aware that when wireless is not being used - because it's on and waiting to find a WiFi network you can use, if you have any hidden networks added, this will significantly increase battery load as the device has to actively search for them rather than passively listen.

          This is why hidden networks are a bad idea for mobile devices. Lots of corporates seem to use them, but imo security by obscurity isn't of much value.....

      2. Anonymous Coward

        Re: off

        Who's got a phone which has a battery that can support Wi-fi being left on all the time anyway?

        Not just WiFi. I turn off bluetooth when I'm on a trip without my car, so have no need to connect to anything via bluetooth. It's remarkable how much effect that has on battery life.

        1. David Nash

          Re: off

          "Not just WiFi. I turn off bluetooth when I'm on a trip without my car, so have no need to connect to anything via bluetooth. It's remarkable how much effect that has on battery life."

          The mindset should not be "turn off when x" but "only turn on when needed".

      3. Cuddles Silver badge

        Re: off

        "My thoughts exactly. Who's got a phone which has a battery that can support Wi-fi being left on all the time anyway?"

        Indeed. I really don't understand people who leave wi-fi, bluetooth, GPS, NFC, and everything else they can find, permanently enabled, and then complain about their battery life. This is even one of the rare situations where convenience and security aren't pushing in opposite directions, and yet huge numbers of people still manage to get it wrong.

        1. Dave 126 Silver badge

          Re: off

          WiFi doesn't eat my battery too much, but GPS has always caned power regardless of which Android handset I have. I can't imagine leaving it on all day. Shit, the measly 500mA that my car stereo USB port supplies isn't enough to prevent my phone discharging whilst using GPS (I set fire to the 12v cigarette lighter socket, so that option's out).

          Though I usually know where I'm going, I occasionally load Waze to get an idea of what fresh surprises the Highways Agency has in store for my travelling pleasure, and the app requires GPS.

          1. bazza Silver badge

            Re: off

            WiFi doesn't eat my battery too much, but GPS has always caned power regardless of which Android handset I have.

            It's not the GPS receiver itself that zonks the battery. It's the 3G/4G modem in the handset that's in constant use reporting your position back to Google, who use it for various purposes such as generating the traffic overlay on Google Maps.

            Don't believe me? You can buy a tiny little GPS logger for £40 that'll log GPS every 5 seconds all day long, all off a tiny battery.

            Now, if this is doable in such a tiny device, how come a phone has problems effectively doing the same thing? Answer: because it's not just the GPS receiver that's involved in Location Services.

            If I leave location services switched on on my BlackBerry Z30, it has no appreciable impact on battery life. BlackBerry aren't interested in knowing where you are in the same way Google are, so it's not uploading that via 3G/4G all day long.

            1. Brewster's Angle Grinder Silver badge

              @bazza

              Here are some GPS chips. The first few are specified as 3.3V*44mA or 3.3V*29mA. That's consistent with a study I linked to below that gives real world usage of around 170mW.

              Set against that, the power drain is twice what the phone uses when idle. And GPS requires the CPU be kept awake---for minutes---while running. And Location Services will use other solutions (like wi-fi) which consume a lot more power. Still, I remain sceptical of this "GPS drains battery" meme.

              1. bazza Silver badge

                Re: @bazza

                @Brewster's Angle Grinder,

                That study is pretty ancient now. Nexus 1?!?!

                I fear your estimate of 170mW is pessimistic. You have calculated the continuous operation power consumption. Something like "location services" need not log position continuously - it'd serve no purpose.

                Looking at the datasheet for the Venus638FLPx-D, it has a fast start of 1 second, and a 10uA sleep mode. Logging position every 5 seconds (which sounds location services friendly) would take 1/5th of 98mW (the power during acquisition), or a mean of 19mW. For continuous tracking (such as would be used in a Sat Nav), it's still only 72mW.

                This matches the Canmore GT-730FL that I have, and that quite happily logs GPS once every 5 seconds all day long. It's a pretty small thing, with a pretty small battery.

                For a Google Pixel XL with a 3450mAh battery, it'd take 7.3 days to run down the battery logging once every 5 seconds, and 1.9 days of continuous tracking, ignoring everything else running in the handset. Hungry that GPS chip is not. And that's before considering how else the phone might be learning position by means other than running a GPS receiver. Listening into WiFi networks, which is all location services does with regard to WiFi skyhooking, takes far less power than transmitting on WiFi.

                The power is certainly being used up by something other than running a GPS chip.

                Location services is only of any use to Google if positional data is uploaded promptly. It's no good calculating where the traffic jams are a few hours after they've developed for display on Google Maps. So it's in Google's interests to upload that data ASAP, which requires an Android mobile's modem to be running quite regularly, taking a chunk of power with it. Things are of course a lot better if the phone is camped on a WiFi network. But still, that 0.5W 3G or 0.1W WiFi needed to convey location data back to Google is where the power goes.

                However, if Location Services were simply a way for a phone to know where it is and not a means for Google to get data on where you are, that 0.5W or 0.1W wouldn't be used anything like as much, because the phone wouldn't be constantly phoning home to Google.
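The exchange above is really a duty-cycle argument: a receiver that is busy for one second in five costs a fifth of its acquisition power, and whatever the handset does to report the fix costs extra. As an added example, not from any commenter, the Python below turns that reasoning into a small model using the figures quoted in the thread (98 mW acquisition, 72 mW tracking, 10 uA sleep, 0.5 W 3G, 0.1 W WiFi, 3450 mAh). Everything else is an assumption labelled in the code: a 3.3 V GPS supply, a 3.85 V nominal cell voltage (needed to turn mAh into energy; the posts above do not state one), and an upload cadence of 3 s of modem activity per minute.

```python
from dataclasses import dataclass


def mean_power_mw(active_mw: float, active_s: float, period_s: float,
                  sleep_mw: float = 0.0) -> float:
    """Time-averaged power of a component busy for active_s out of every period_s."""
    if period_s <= 0 or not 0 <= active_s <= period_s:
        raise ValueError("active time must lie within a positive period")
    duty = active_s / period_s
    return active_mw * duty + sleep_mw * (1.0 - duty)


def battery_hours(capacity_mah: float, nominal_v: float, draw_mw: float) -> float:
    """Hours a cell of capacity_mah at nominal_v lasts under a constant draw_mw.
    mAh is charge, not energy, so a voltage is required to get a time."""
    if draw_mw <= 0:
        raise ValueError("draw must be positive")
    return capacity_mah * nominal_v / draw_mw


@dataclass(frozen=True)
class Activity:
    name: str
    active_mw: float   # power while busy
    active_s: float    # seconds busy per period
    period_s: float    # length of one period
    sleep_mw: float = 0.0

    def mean_mw(self) -> float:
        return mean_power_mw(self.active_mw, self.active_s, self.period_s, self.sleep_mw)


# Figures quoted in the thread.
GPS_ACQUIRE_MW = 98.0
GPS_TRACK_MW = 72.0
MODEM_3G_MW = 500.0
WIFI_TX_MW = 100.0
PIXEL_XL_MAH = 3450.0
# Assumptions for the example (not stated in the thread).
GPS_SLEEP_MW = 3.3 * 0.010   # 10 uA sleep current at an assumed 3.3 V
NOMINAL_V = 3.85             # assumed nominal cell voltage
UPLOAD_S, UPLOAD_PERIOD_S = 3.0, 60.0   # assumed: 3 s of modem time per minute

GPS_FIX_EVERY_5S = Activity("gps fix every 5 s", GPS_ACQUIRE_MW, 1.0, 5.0, GPS_SLEEP_MW)

SCENARIOS = {
    "gps only, fix every 5 s": [GPS_FIX_EVERY_5S],
    "gps every 5 s + 3G upload": [GPS_FIX_EVERY_5S,
                                  Activity("3G upload", MODEM_3G_MW, UPLOAD_S, UPLOAD_PERIOD_S)],
    "gps every 5 s + WiFi upload": [GPS_FIX_EVERY_5S,
                                    Activity("WiFi upload", WIFI_TX_MW, UPLOAD_S, UPLOAD_PERIOD_S)],
    "continuous tracking (sat-nav)": [Activity("gps tracking", GPS_TRACK_MW, 1.0, 1.0)],
}


def scenario_mw(activities) -> float:
    """Total mean draw of a scenario, treating the components as independent."""
    return sum(a.mean_mw() for a in activities)


def days_of_battery(activities, capacity_mah=PIXEL_XL_MAH, nominal_v=NOMINAL_V) -> float:
    return battery_hours(capacity_mah, nominal_v, scenario_mw(activities)) / 24.0


if __name__ == "__main__":
    for name, acts in SCENARIOS.items():
        print(f"{name:32s} {scenario_mw(acts):7.2f} mW  ~{days_of_battery(acts):5.1f} days")
```

With these inputs the duty-cycled receiver averages just under 20 mW, and an upload every minute over 3G adds more than the receiver itself, which is the shape of the argument bazza makes; change the upload cadence or the voltage constants to see how sensitive the days-of-battery figure is to those assumptions.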

              2. heyrick Silver badge

                Re: @bazza

                "Still, I remain sceptical of this "GPS drains battery" meme."

                Currently using a Samsung S7, but had similar behaviour with a Sony Xperia.

                Using Google Maps navigation, I'm not sure if it is the GPS chip, constant chatter to the mothership, or a lot of graphics grunt, but the activity heated up the phones appreciably. In the case of the S7, I'd be tempted to say "dramatically". That much heat, you can imagine what that did to battery life...

                So I use GPS only when needed and keep it off otherwise. Same with WiFi, that's only on when I'm at home. And Bluetooth is only on when required. It's common sense, surely?

    2. Anonymous Coward

      "I presume"

      Presume nothing...

      After 2 years family Android phone suddenly has started activating all 'Location Access'. Now GPS / Wi-Fi randomly turns on, especially whenever a call is made / received.

      But everything was locked-down with no apps except built-in Chrome for infrequent net access etc. So how did that happen? Can't jailbreak it, as there's no non-brick option for this model.

      1. LeoP

        Re: "I presume"

        You have an oldish MTK SoC and a carrier that has recently converted old 2G frequencies to 3G (or 4G). You stumble over a hardware bug (as did my oldish father, my tech-challenged wife ...).

        Manually turning 3G off (2G only) fixes it, but there is no way to have 3G data without GPS on former 2G frequencies.

        While I do not at all want to down-talk the surveillance state (far be it from me!), this special incident is just a plain old bug, (C) MediaTek ca. 2010.

    3. Anonymous Coward
      Pint

      @ZSn

      "I presume that if you turn the WiFi on your phone off none of this works and you are secure?"

      Exactly.

      This is also why I made sure to get Internet access through my broadband provider instead of having to rely on wifi. Wifi, by definition, is a power drain. I recently set up wifi on my FreeBSD powered laptop (it was a bit tricky) and read a lot about the whole thing.

      Basically every broadcast you make will consume power. Looking for hotspots (so trying without being able to connect) will gobble up even more power. And then there are the hidden SSIDs, which can be even worse.

      And let's also not forget risk assessment. I once had a few customers who refused to use encryption on their tablets because it was so difficult. They went to Italy on vacation and guess what happened next? Yups: happily used open wifi spots and a few days later my servers spotted weird connections originating from Italy and trying to send out viagra advertisements through these accounts.

      Open wifi is a major security risk. Yet it seems no one bothers to stop to think about that. Which makes sense of course: larger broadband providers make money out of it, so obviously we need to be told that "open wifi = good" and "paid open wifi = better".

      I'm also leaving things turned off.

    4. Terry 6 Silver badge
      FAIL

      Re: off

      Most ordinary users probably don't even realise that WiFi is optional.

      Even the best of us probably don't always remember - or, in my case, tend to remember when the battery is already a bit low.

    5. ElReg!comments!Pierre

      Re: off

      There's something else. People who wander around with the WiFi on at all time usually do so because they have tracking-oriented apps running at all times (Pokemon Go, foursquare equivalents, "OMG look at that dump I just took" apps like twitter etc).

      So really, the network-level tracking is only useful for the most mundane of applications, like "do people stop longer in the dairy section when we put a scantily-clad luscious student paid half minimum wage to have them sample the products", and all that sort of mischief. "They" are already using CCTV for that, too.

      Not that it's a good thing, mind, but if you're going to wander around with an always-connected device, there's no technical way to avoid being tracked to some extent. That's how the network connectivity is brought to you to begin with. Packets have to have a way of reaching your handset.

      1. David Nash

        Re: off

        I have a question: I tend to leave WiFi enabled but not connected to anything. This is because I have WiFi at home and at work. When I am in between it's on but not connected. Is this just as bad?

        My battery mostly easily copes with this so I don't bother turning it off.

        Unlike GPS and Bluetooth, which are off all the time except when needed.

  3. Jared Vanderbilt

    Really, we tried to implement MAC-RAND, but the H/W wasn't working as advertised, so ...

    ship it and phuck the users, they'll never notice.

  4. aberglas

    Surely the 4G/Simm provides good tracking anyway?

    So why all the fuss about wireless. Just a bit harder to listen in to the 4G traffic.

    1. Mephistro Silver badge

      Re: Surely the 4G/Simm provides good tracking anyway?

      "So why all the fuss about wireless"

      Because of the granularity provided by the Wi-Fi signals. Stores and shops can set up their Wi-Fi networks in such a way that the phone's position is known within a few square meters, e.g. which particular departments a customer is visiting at a given instant.

      On the other hand, mobile broadband's granularity is in the range of several hundreds of square meters. Which makes it a less than ideal tool for blackmailing commercial tracking.

      1. My Coat

        Re: Surely the 4G/Simm provides good tracking anyway?

        More than that - the mobile broadband info is held by the phone company. The wifi info is held by the local shop you're in. It's probably easier and cheaper for the local shop to set up a wifi access point to get the information than to try to buy it from the mobile provider.

        1. ElReg!comments!Pierre

          Re: Surely the 4G/Simm provides good tracking anyway?

          > granularity

          > the mobile broadband info is held by the phone company.

          technically you can set up private "phone" cells all over the place and track your customers with much more accuracy (within a few square centimeters) than any WiFi would allow you to -and without having to bribe the cell phone company-, through triangulation. It's a tad more expensive than using WiFi tracking, and the increased accuracy is not needed by most, so marketers tend to use WiFi tracking instead (as the "free WiFi" is often seen as a bonus by unsuspecting marks anyway). But Cell tracking is both more granular and harder to escape than WiFi.

    2. kryptylomese

      Re: Surely the 4G/Simm provides good tracking anyway?

      To identify a phone by its signal, you need to force the phone to switch down to 2G because anything higher than that is encrypted. Sure the phone company can do this but if you want to build a system yourself then you have to deploy a base station which is illegal in some countries. BTW systems to do this are VERY expensive but WiFi tracking systems are very cheap and are legal!

      1. phuzz Silver badge

        Re: Surely the 4G/Simm provides good tracking anyway?

        "BTW systems to do this are VERY expensive"

        Much more expensive than a wifi tracker, sure (you could build one with just a RPi and a wireless dongle), but a GSM base station can be set up for about $1500, maybe less these days. So it's well within range of an individual's budget, to say nothing of a shop or law enforcement etc.

        1. kryptylomese

          Re: Surely the 4G/Simm provides good tracking anyway?

          Just having the base station is not enough - you need to be able to perform trilateration..... Like I said it is VERY expensive $10,000 - $20,000

  5. thames

    Since the phone can be tracked anyway, why bother?

    Perhaps the reason that most of the Android manufacturers didn't bother implementing MAC randomisation is because as the story states, that doesn't help since it's possible to track it anyway using another technique. It's inherent in the chip sets.

    Without addressing all the other tracking methods MAC randomisation just becomes security theatre. All it will do is give some easily pleased people a warm fuzzy feeling and a sense of self justification for having bought the phone they intended to buy anyway.

    The answer is to turn WIFI off until and unless you intend to use it right then and there. Doing that tends to save battery life as well, so it's worth doing anyway. Making it easy to turn WIFI on and off as desired is something that is under OS control, so that's where a phone maker could make a difference if they wanted to.

    1. Anonymous Coward

      making it easy

      +1 because my phone pops up a confirmation & elaboration dialog every single time I try to drop to airplane mode. (it's that one that also notifies "battery is full, unplug to save power" probably because burning through charge cycles helps sell more batteries)

      1. Gene Cash Silver badge

        Re: making it easy

        Hm. My Nexus 6P running 6.0.1 just requires I swipe down to open the "quick settings" and tap the little airplane icon. I don't even need to unlock the phone. No confirmation, it just does it. It turns off Bluetooth, cell, and wi-fi.

        1. Anonymous Coward

          Re: making it easy

          Noted; this is the LG G Stylo. If that's a stock feature then here we have LG going in the wrong direction and carefully making it harder. Yes, even on the poweroff/restart screen. This is 6.0.0, and it seems they like to do some annoying things with their phones' firmware-- at least, that's what I gathered while trying to find a way to neuter that notification.

          P.S. I did finally find an app that eats notifications, aimed it at SystemUI's spam-- and of course there are apps to quickly handle airplane mode, and of course adding yet another app is exactly why I got out of bed today isn't that weird how did they know.

    2. Ogi

      Re: Since the phone can be tracked anyway, why bother?

      > The answer is to turn WIFI off until and unless you intend to use it right then and there.

      Indeed, there was a nice open source Android app on f-droid which would use your GPS location to decide whether to turn on the wifi or not. That way I could tell it to turn on wifi only when I am at my home, or a friend's place, otherwise it just turns off.

      Having pure GPS on was not that much a battery drain. It is also passive so nobody can track you with it, and my Android phone was a custom ROM without any Google stuff, so they were not tracking me either.

      However, I am noticing that it is getting harder and harder to get decent working custom ROMs for phones, especially after Cyanogenmod got sold. Lots of half hearted buggy attempts though, usually by a single dev who gives up shortly after the first couple of versions, when bugs are actually raised.

      1. Dave 126 Silver badge

        Re: Since the phone can be tracked anyway, why bother?

        >Having pure GPS on was not that much a battery drain.

        Whoah, that's never been my experience, so I'm curious as to what accounts for that. Could it be a matter of your environment, i.e. your phone has a clear view to the sky, so uses less juice to listen for the satellites?

        I usually drive a small van with metal sides, so my phone can only see 180° of horizon through glass (whereas most cars would offer mostly glass through 360°.) I don't know if this could account for a high battery drain.

        1. Brewster's Angle Grinder Silver badge

          Re: Since the phone can be tracked anyway, why bother?

          There are a lot of people complaining about this. But I understood it was a myth.

          So how are you determining the actual GPS power consumption? And more importantly how (on Android 6) do you disable GPS? Because I can only see the ability to control "Location Services" (which can use WiFi and other cues).

          I did find this paper, which measured power consumption for a really old phone, and found GPS used 166mW -- more than the background task, but far less than surfing with WiFi or having the screen on. And apparently real GPS requires the phone be awake a long time, rather than go into sleep mode. But I write a location aware app and I don't notice the power drain.

        2. Ogi

          Re: Since the phone can be tracked anyway, why bother?

          > Whoah, that's never been my experience, so I'm curious as to what accounts for that. Could it be a matter of your environment, i.e. your phone has a clear view to the sky, so uses less juice to listen for the satellites?

          Well, I am in London, so mostly buildings in the way, and generally poor GPS signal.

          > I usually drive a small van with metal sides, so my phone can only see 180° of horizon through glass (whereas most cars would offer mostly glass through 360°.) I don't know if this could account for a high battery drain.

          I don't see how tbh. The GPS does not transmit anything, so all it has to do is sit idly and wait for a satellite to come into view. This might use some CPU and memory, but not a noticeable amount. How much it uses shouldn't be affected by whether it has a lock or is still searching for satellites, because even when it has a lock, it is still constantly looking for more satellites, so that if one drops out of view, it can carry on seamlessly.

          One thing might be that I use Samsung phones, which can use both NAVSTAR and GLONASS systems, so generally I can always get enough satellites for a lock, even through cars (although admittedly I have not tried with a van). In comparison, when I use my dedicated NAVSTAR bluetooth GPS device, I don't get as good a lock, if I get a lock at all.

          1. katrinab Silver badge

            Re: Since the phone can be tracked anyway, why bother?

            Pretty much every phone supports both GPS and GLONASS these days. They avoid a much higher import tax in Russia if they support GLONASS, and if they configure the chip to support GLONASS in Russia, it is cheaper for them to use the same chip everywhere else.

      2. Anonymous Coward
        Anonymous Coward

        Re: Since the phone can be tracked anyway, why bother?

        You can track active GPS receivers using the RF leakage from the local oscillator.

        It's really obvious too, as it won't drift much, unlike many cheaper (e.g. crystal) units with temperature.

        Re. OP I did wonder if a device could be built that simply connects to lots of networks simultaneously on random channels and combines it into a single coherent data stream?

        Might be fiddly though and need a wodge of dongles (tm) or possibly just use a single chip with simple round-robin system via a radioisotope random number generator?

        A few years back there was an article published in IIRC EW&WW suggesting that the frequency hopping on Bluetooth was basically insecure because it wasn't random enough.

        With advances in technology it's entirely possible to hijack a BT stream and then insert arbitrary data.

        This goes for any network using random numbers so watch out if you own a car/bike/etc with one of those "smart" keyfobs.

  6. Charles 9 Silver badge

    Is there a reason RTS isn't spoofed? Is there some requirement for this in wireless certification?

  7. Ken Moorhouse Silver badge

    Persistence between MAC changes

    Surely there's a problem at the point when the MAC address changes?

    Let's say that you are in the middle of a banking transaction when the change occurs (just being logged in to a bank site, for example): the session drops which means it has to be restarted from scratch, so the app being used (say a browser) that was hosting the session will have to provide persistence in order to ensure a seamless handover - a cookie.

    But that cookie can identify that handset, so then we go round in a circle.

    Such behaviour could also cause the handset to login to a "dangling" connection - one that is not currently connected to anything, but has snooped your settings and enables a connection to take place, picking up your session.

    Then there's the possibility of MAC address collisions. What happens if two devices dish out the same MAC address at the same time? This could happen during an Android Lover's Convention perhaps where hundreds of Android fondlers have got together to discuss their devices. The whole idea of MAC addresses is to provide a method of ensuring uniqueness.

    Oh, and what about DHCP servers that bind MAC addresses to IP addresses? That won't work anymore.

    1. Richard 12 Silver badge

      This isn't when the phone is connected

      When wifi is on, your smart device regularly checks whether there is a wifi hotspot it can connect to - for example, as you get home it automatically connects to your home wifi.

      When you open the "list of wifi", it also does this search and shows you the ones it found and their approx. signal quality.

      Smartphones also use the visible wifi hotspots to determine their location without a GPS fix.

      In order to do all this, it sends out wifi probe requests, asking for hotspots to answer with their MAC, SSID etc.

      Those probe requests could have a randomised MAC, because they aren't used to connect anything. They are simply an "Is anybody there? Tell me about yourself please."

      Once your phone decides that it will connect to a hotspot, it changes over to the "real" MAC address and attempts to connect to it.

      The problem with the randomisation idea is that the hotspot can also send a "Tell me about yourself", and gets the real answer.

    2. Named coward

      Re: Persistence between MAC changes

      The MAC address doesn't change at random times. It changes per network/per connection/when scanning (depending on the implementation). Once you are connected to a network there is no point to change the MAC mid-session.

      If someone can track your cookie then that's another kettle of fish. Just being connected to the network should not make your cookies for another site visible (if it does, you have other, bigger, problems than handset identification).

      If a MAC collision occurs - tough luck, one or both of the connections will probably stop working. You have to choose your battles.

      DHCP - some implementations (windows 10) will use the same MAC when reconnecting to the same network so this is solved in that manner (this allows a store to know that the same user went into the store at certain times, but at least it hinders tracking across networks) - another case of Privacy vs Convenience

  8. kryptylomese

    MAC address changes are pointless because

    I built a tracking system after investigating with a commercial system!

    The tracking systems use a combination of MAC address and SSID probes to create a key in a database. Each device is associated to a unique set of SSIDs so it is trivial to collect both the MAC and SSID probes and then just check if those same set of SSID probes match another MAC address in the same area over a time period. One thing to note is that device manufacturers' implementation of MAC changing only randomises the non-OUI part of the MAC address, i.e. the last 3 octets (they are proud of their label), and the change only happens at certain times rather than constantly. However it makes no difference with regards to tracking if the entire MAC address is changed.
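The linking technique described in the comment above, as an added example that is not part of the original thread or of any commercial tracking system: build a per-MAC fingerprint from the SSIDs a device probes for, then group MACs whose fingerprint sets coincide. The probe records are constructed sample data (the MAC addresses, SSIDs and timestamps are made up for the example), and the rule that a fingerprint needs at least two directed SSIDs before it is trusted is this example's own choice, since a single popular hotspot name would link unrelated devices.

```python
"""Constructed example: link randomised MAC addresses by SSID probe fingerprint."""
from collections import defaultdict

# Constructed sample of 802.11 probe requests as (seconds, source MAC, SSID).
# An empty SSID is a broadcast (wildcard) probe and carries no fingerprint.
PROBES = [
    (0,   "da:a1:19:01:02:03", "HomeNet-7F3A"),
    (1,   "da:a1:19:01:02:03", "AcmeCorp-Guest"),
    (2,   "da:a1:19:01:02:03", ""),
    (5,   "00:11:22:ef:00:01", "CoffeeShop"),
    (6,   "00:11:22:ef:00:01", ""),
    (900, "da:a1:19:aa:bb:cc", "AcmeCorp-Guest"),   # same device, new random MAC
    (901, "da:a1:19:aa:bb:cc", "HomeNet-7F3A"),
    (950, "06:11:22:33:44:55", "CoffeeShop"),       # different device, shares one SSID
    (951, "06:11:22:33:44:55", "Gym_WiFi"),
]


def is_locally_administered(mac):
    """U/L bit (bit 1 of the first octet) set means a software-assigned MAC."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def fingerprints(probes):
    """Map each source MAC to (first_seen, last_seen, frozenset of directed SSIDs)."""
    seen = {}
    for t, mac, ssid in probes:
        first, last, ssids = seen.get(mac, (t, t, set()))
        if ssid:                      # ignore wildcard probes
            ssids.add(ssid)
        seen[mac] = (min(first, t), max(last, t), ssids)
    return {m: (f, l, frozenset(s)) for m, (f, l, s) in seen.items()}


def link_macs(probes, min_ssids=2):
    """Group MACs whose directed-SSID sets are identical and non-trivial.

    Returns {frozenset_of_ssids: [mac, ...]} ordered by first appearance, only
    for fingerprints that more than one MAC shares. Whether the MACs were
    randomised (U/L bit) makes no difference to the linking, which is the
    commenter's point.
    """
    groups = defaultdict(list)
    for mac, (first, _last, ssids) in fingerprints(probes).items():
        if len(ssids) >= min_ssids:
            groups[ssids].append((first, mac))
    return {s: [m for _, m in sorted(macs)]
            for s, macs in groups.items() if len(macs) > 1}


if __name__ == "__main__":
    for ssids, macs in link_macs(PROBES).items():
        flags = ["random" if is_locally_administered(m) else "global" for m in macs]
        print(sorted(ssids), "->", list(zip(macs, flags)))
```

Run it and the two `da:a1:19:...` addresses, both with the U/L bit set, come out as one device because they probed for the same pair of networks; the `CoffeeShop` device is not linked to anything because a single shared SSID is below the threshold.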

    1. Anonymous Coward
      Anonymous Coward

      Re: MAC address changes are pointless because

      So are you saying the phone actively sends out requests looking for SSIDs it knows about? Like if I had an SSID "DougSSID" at home and went to the mall with my wifi enabled, my phone is going to send out probes looking for "DougSSID"? Is it possible to make my phone send a list of the SSIDs it knows about? If so, that would rather defeat the point of MAC randomization. On the other hand, presumably that is possible to fix in software by making the phone no longer do that.

      1. An nonymous Cowerd

        Re: the phone actively sends out requests

        Yes, all phones that I tested in a previous 'privacy lab' test environment were radiating at maximum power ~ 100mW @ 2.412Ghz 'can you hear me - come in please':- "Trump_Massage_Parlor_Party_WiFi_HotSpot";"Kremlin_OpenWiFi";"Fort_Meade_Hotel";"Vauxhall_Cross_Secret_WiFi";"Palace_Hotel_Tehran" etcetera, really!

        I congratulate the, er... consultants, who put that in the WiFi spec! "Known networks will be joined automatically" (Laptops obviously do the same; check - for macOS - in Networks/Advanced/Preferred Networks and [-] those that you don't wish to advertise)

        and wrt a previous comment, I was able to build an OpenBTS 4G->3G/2G for not that much (€500) for testing inside my indoor double walled screened tent, I think there are hundreds of similar very basic GSM basestations sold every year, according to a Dutch radio-ham who sold me mine.

        Currently a Russian group has developed a decent open source SDR £800 h/w for 3G/2G here http://umtrx.osmocom.org/trac/ which could easily do the WiFi 'business intelligence' market but with a bit of coding would also cover UMTS/GSM.

        Other h/w is available, I think I even got a €25 RTL-SDR to sniff GSM fairly well, as in Kraken, 2TB rainbow tables and successful recovery of keys! Thank goodness I was doing this in a government lab as part of my day job. Interestingly, I found that several essential files, widely available on the internet, had been appropriately 'adjusted' - to avoid the script-kiddie usage, more of those hard-working 'consultants' at work behind the scenes.

      2. Johndoe132

        Re: MAC address changes are pointless because

        Yes - if you have set the phone up to connect to a WiFi network with a hidden SSID, then the device will constantly be looking for it when not connected. This is why it's generally considered to be a bad idea to hide the SSID of a wireless network on security grounds; it's trivial to discover anyway and it just causes configured devices to broadcast its existence everywhere they go.

        Re MAC collisions etc, this should not be an issue as once a device connects properly to a wireless network it will reveal and use the globally unique MAC.

        1. Anonymous Coward
          Anonymous Coward

          Re: MAC address changes are pointless because

          OK, I see why my phone is going to have to broadcast SSIDs if I have it set to connect to a hidden one, but if Trump_Massage_Parlor was a public SSID, why would my phone be broadcasting that SSID trying to find it? Shouldn't it simply listen passively and if it sees an SSID it recognizes it tries to connect?

          I don't care what's in the wifi spec, I hope Apple fixes this issue even if it breaks the wifi spec so long as it doesn't break wifi actually working. Otherwise even if you forgot all SSIDs except for home and work, the two (even just one, at home) would be enough to identify the majority of people.

          A lot of people nowadays use those autogenerated SSIDs from their router that are unique, and if they set their own they usually come up with something a lot more original than the typical password, making them rather unique. I doubt many are using the SSID I use at home, but since it isn't hidden there's no reason it should EVER be broadcast by my phone. If it is, that is just stupid software that needs to be fixed, regardless of what the standards say they require.

          1. Cryptizard

            Re: MAC address changes are pointless because

            It doesn't, it only broadcasts hidden SSIDs like you have said. Many people will not have any direct probes at all because they never connected to a hidden SSID.

        2. GruntyMcPugh Silver badge

          Re: MAC address changes are pointless because

          "Re MAC collisions etc, this should not be an issue as once a device connects properly to a wireless network it will reveal and use the globally unique MAC."

          Er,... so if an establishment has an open WiFi hotspot that doesn't require authentication, and a phone connects to that, it reveals its unique MAC?

          1. Anonymous Coward
            Anonymous Coward

            Re: MAC address changes are pointless because

            Yes, once you actually make a decision to connect to an AP, it uses its real MAC address. The fake address is only used for packets that are sent out when not associated. So if you don't want your real MAC address leaking out, don't go connecting to random hotspots.

          2. Cryptizard

            Re: MAC address changes are pointless because

            "Er,... so if an establishment has an open WiFi hotspot that doesn't require authentication, and a phone connects to that, it reveals its unique MAC?"

            Yep. This currently has to happen because it is the only way to guarantee that there is definitely not a collision between two devices using the same MAC address.

            1. Charles 9 Silver badge

              Re: MAC address changes are pointless because

              And is that why RTS can't lie, because at some point the AP has to know the real MAC and there's no way in the spec to prevent it asking early?

            2. Ken Moorhouse Silver badge

              Re: MAC address changes are DANGEROUS because

              The concept of a MAC address is that it is a Hardware address. It shouldn't be readily changeable. If you let Software tinker with that address in an automated way, especially across a network link of some sort, then you are setting the scene for security woes. In a similar way (in fact in a much more versatile way) to ARP Poisoning a malicious device could set itself up to receive traffic from another device, while at the same time disabling the device by setting its MAC address to something else. The potential for mischief is limited only by the imagination of a competent hacker.

              1. anonymous boring coward Silver badge

                Re: MAC address changes are DANGEROUS because

                "If you let Software tinker with that address in an automated way, especially across a network link of some sort, then you are setting the scene for security woes. "

                A MAC address can't be the base for any kind of real security.

                1. Charles 9 Silver badge

                  Re: MAC address changes are DANGEROUS because

                  But without a guaranteed unique identifier, there's NO WAY to prevent Mallory or Gene posing as you. Which basically means the whole network model (wired AND wireless) is not trustworthy because ANYTHING that runs on top of it can be hijacked from the outset (at First Contact, IOW).

                  Which puts us back into DTA Mode.

                  1. Ken Moorhouse Silver badge

                    Re: MAC address changes are DANGEROUS because

                    Which is why I'm saying that there's no point adding layers of complexity which do not add any materially useful function, and which decrease reliability.

  9. Anonymous Coward
    Anonymous Coward

    Just a thought...

    "It's strange that Android was so vulnerable," he said. "It's just really bad at doing what it was supposed to do."

    An OS designed by the world largest tracking agency fails to implement methods of making it harder to track a phone.

    And they are surprised?

    1. Anonymous Coward
      Anonymous Coward

      Re: Just a thought...

      To be fair, Google only cares about not making it harder for Google to track you. While they may be ambivalent about letting others track you, in the long run they'd probably be better off if ONLY they are able to track you. Then instead of stores being able to track shoppers around the place with their own system, they'd have to pay Google for that information!

    2. David Nash

      Re: Just a thought...

      I thought it was odd that the main argument for why MAC Randomization was apparently broken, on Android, was that it wasn't implemented on most Android devices.

      Maybe it is broken, but not being implemented doesn't mean that it is.

  10. Anonymous Coward
    Anonymous Coward

    I don't understand their complaint about the iOS 10 information element

    This is just something Apple has added that tells them it is an iOS 10 device, not something that uniquely identifies my specific phone, right?

    Given that by now there are at least half a billion iOS 10 devices, I don't see it being a problem that someone can put me in a category with 7% of the world's population. Maybe it would be a problem in a poor country where iPhones are rare and people might use that information to target you for robbery (even if activation lock makes the phone worthless except as parts, they can assume you probably have cash / other valuables) but here in the US it narrows me down to like 40% of the population...

  11. Anonymous Coward
    Anonymous Coward

    Apple frequently turns on WiFi after I explicitly turn it off... luckily I get a prompt to join some network, so I just go back in and turn it off again. Still annoying...

    Apple probably bundled the "feature" when pushing Apple Pay to retailers.

    Normally Apple is pretty good with security/privacy but they definitely have egg on their face (with this one).

    1. Anonymous Coward
      Anonymous Coward

      trouble is

      you are sniffed out and identified at network level regardless of joining a network or choosing not to. That's the issue. Joining random networks as you wander round town simply makes the devices vulnerable to other data sniffing and MiM attacks, rather than just watching your route.

    2. Anonymous Coward
      Anonymous Coward

      If you are turning off wifi, WHY IN THE WORLD have you not disabled automatically joining networks? I leave my wifi on all the time, but I have disabled that so I have never been asked to join some random network as I'm passing by.

    3. Anonymous Coward
      Anonymous Coward

      Honestly never had this happen on an Apple device and I'm not saying you're lying, but if you're not then it's Aliens.

  12. sitta_europea

    "Put those six bytes together, and you've got a 48-bit MAC address that should be globally unique for each device."

    I've seen the odd collision, and I've often wondered how a MAC address can be "globally unique".

    When I checked once (in about 1965), the 24 bits remaining after the OUI gives you just under 16.8 million unique numbers.

    Which models of mobile have LESS than 17 million examples in circulation??

    1. Paul Crawford Silver badge

      It's a physical layer thing - how many wifi spots can see anything even approaching 16M devices to worry about collisions?

      1. Charles 9 Silver badge

        While even a class A network has the same 24-bit subnet limit, consider the Birthday Problem.

        1. Paul Crawford Silver badge

          Good point. If you do the birthday problem approximation for 16.8M address you get 1% probability of a clash at 579 addresses. That is still big by most single-point wi-fi coverage regions.

          1. Anonymous Coward
            Anonymous Coward

            Which is probably why Apple is using fake MAC addresses using all 48 bits, which the authors call them out for since that leaves them potentially using other people's MAC prefixes. But the chances of a collision in a 48 bit space with the legitimate owner of that 48 bit MAC (or with another "faked" 48 bit MAC from another iPhone) are so remote that it isn't even worth thinking about.

            Even if such a collision with the legitimate owner occurred, it isn't going to have any lasting impact because it is only used for probing, and only once. Next time a new 48 bit MAC will be chosen.
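The birthday-problem arithmetic from the two comments above (the 1% threshold near 580 addresses in the 24-bit space left after a fixed OUI, and the claim that a 48-bit space makes a clash not worth thinking about), as an added example that is not part of the original thread: an exact collision probability computed in log space, plus the smallest population that reaches a given probability, found from the usual sqrt(2 N ln(1/(1-p))) estimate and refined by search. The address space sizes and the 1% threshold are the thread's own; nothing else is assumed.

```python
"""Added example: birthday-bound collision odds for random MAC address spaces."""
import math


def collision_probability(n_devices, bits):
    """Exact P(at least two of n uniformly random addresses coincide) in a
    space of 2**bits, as 1 - prod_{k<n}(1 - k/N), accumulated with log1p so
    that tiny per-term values are not lost to rounding."""
    space = 2 ** bits
    if n_devices > space:            # pigeonhole: a clash is certain
        return 1.0
    log_no_collision = 0.0
    for k in range(n_devices):
        log_no_collision += math.log1p(-k / space)
    return 1.0 - math.exp(log_no_collision)


def devices_for_probability(p, bits):
    """Smallest n with collision_probability(n, bits) >= p.

    Starts from the standard approximation n ~ sqrt(2 N ln(1/(1-p))), which
    slightly overstates the probability (it uses n^2 rather than n(n-1)),
    then walks to the exact threshold.
    """
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    space = 2 ** bits
    n = max(2, int(math.sqrt(2 * space * math.log(1.0 / (1.0 - p)))))
    while collision_probability(n, bits) < p:
        n += 1
    while n > 2 and collision_probability(n - 1, bits) >= p:
        n -= 1
    return n


def summary(p=0.01):
    """Population at which the clash probability reaches p for both spaces
    discussed in the thread: 24 bits (fixed OUI) and 48 bits (fully random)."""
    return {bits: devices_for_probability(p, bits) for bits in (24, 48)}


if __name__ == "__main__":
    for bits, n in summary().items():
        print(f"{bits}-bit space: 1% collision chance once {n} random addresses coexist")
    print(f"500 devices, 24-bit: P = {collision_probability(500, 24):.4%}")
    print(f"500 devices, 48-bit: P = {collision_probability(500, 48):.3e}")
```

The 24-bit figure lands within a couple of addresses of the 579 quoted above (the difference is the n versus n(n-1) approximation); the 48-bit figure is in the low millions of simultaneously visible devices, which is what makes the per-probe, single-use random address of the comment above a non-issue in practice.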

            1. Anonymous Coward
              Anonymous Coward

              "Which is probably why Apple is using fake MAC addresses using all 48 bits, which the authors call them out for since that leaves them potentially using other people's MAC prefixes. "

              I seem to recall, back in the early days of the Pre, that Palm sent responses on their USB interface that spoofed an iPhone/iPod so that iTunes would sync with it (I think this was back in the days when iTunes only synced with iThings), and Apple got extremely "litigious" about this and, I think, threatened to get Palm's USB licenses revoked for breaking fundamental rules of how devices should respond with correct manufacturer IDs etc.

    2. Cryptizard

      Manufacturers own many OUIs though, and spread out the MACs from the same model over multiple of them.

    3. Down not across

      Manufacturers have more than one OUI

      For example:

      $ grep -i samsung ethercodes.dat | wc -l

      463

      $ grep -i apple ethercodes.dat | wc -l

      531

      So just for Apple multiply your number by 531 (as of mid February's oui.txt).

      Also the uniqueness is only really an issue with regards to the AP you're associating with (ok, yes, the DHCP server and switch/router come into play as well)
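The OUI counting done with grep above, carried a step further as an added example that is not part of the original comment: parse lines in the layout of the IEEE oui.txt "(hex)" entries, count prefixes per vendor, and read the two flag bits of a MAC's first octet (multicast, locally administered) alongside the registry lookup. The registry excerpt is constructed for the example and its vendor names and assignments are made up; the real oui.txt is hundreds of thousands of lines. The last case in the usage note illustrates the complaint quoted earlier in the thread: a randomised address that does not set the locally administered bit is indistinguishable from a vendor-assigned one by this check alone.

```python
"""Added example: OUI registry parsing and MAC first-octet flags."""
import re
from collections import Counter

# Constructed excerpt in the layout of the IEEE oui.txt "(hex)" lines.
# Vendor names and assignments are invented for this example.
OUI_TXT = """\
00-11-22   (hex)\t\tVendor Alpha Ltd
00-11-23   (hex)\t\tVendor Alpha Ltd
A8-BB-CC   (hex)\t\tVendor Alpha Ltd
A8-BB-CD   (hex)\t\tBetaWorks Inc.
D8-AD-BE   (hex)\t\tBetaWorks Inc.
"""

# One "(hex)" line: three hex octets joined by '-', the literal "(hex)", the name.
LINE = re.compile(
    r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$", re.M
)


def parse_oui(text):
    """Return {'aa:bb:cc': vendor} for every (hex) line in the registry text."""
    return {":".join(m.group(1, 2, 3)).lower(): m.group(4) for m in LINE.finditer(text)}


def ouis_per_vendor(table):
    """Equivalent of the grep | wc -l above, for every vendor at once."""
    return Counter(table.values())


def classify(mac, table):
    """Decode what the first octet and the registry say about a MAC's origin.

    bit 0 of the first octet: 1 = multicast/group address
    bit 1 of the first octet: 1 = locally administered (software assigned)
    A registered OUI with the U/L bit clear looks like a factory address even
    if the device generated it at random.
    """
    octets = [int(x, 16) for x in mac.lower().split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    first = octets[0]
    prefix = ":".join(f"{o:02x}" for o in octets[:3])
    return {
        "multicast": bool(first & 0x01),
        "locally_administered": bool(first & 0x02),
        "registered_vendor": table.get(prefix),
    }


if __name__ == "__main__":
    table = parse_oui(OUI_TXT)
    print(ouis_per_vendor(table))
    for mac in ("A8:BB:CC:00:00:01",   # factory-looking, registered prefix
                "02:11:22:33:44:55",   # U/L bit set: honest random address
                "00:11:22:aa:bb:cc"):  # random 48 bits that land on a registered prefix
        print(mac, classify(mac, table))
```

The second address is what a "locally administered" randomiser produces and is immediately recognisable as such; the third is the case the comments call out for Apple's all-48-bit scheme, where the lookup happily reports a vendor for an address the vendor never issued.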

  13. oiseau Silver badge
    Facepalm

    Joke?

    "It's strange that Android was so vulnerable,"

    Surely you jest ...! (No, you can't call me Shirley).

  14. W4YBO

    Off topic, but...

    The CAT S60 is a slick phone! FLIR camera in it (I suppose no IR selfies.)

    1. Anonymous Coward
      Anonymous Coward

      Re: Off topic, but...

      The only "gimmick" feature I wish Apple would add to the iPhone is a FLIR camera. It would be so handy, and while FLIR sensors are pretty pricey today, I'm sure they could drive the price down to under $10 merely by committing to ordering 100 million next year and 200 million a year after that.

      Its something I could see getting integrated into a phone's image sensor (between the visible light CCD pixels) if there was demand, but it has too narrow of a market for anyone to commit to the huge order volumes that would be needed to make it cheap. Chicken and egg.

      1. GruntyMcPugh Silver badge

        Re: Off topic, but...

          I can see a slick marketing campaign, 'Lost your children on a hike? Want to find them before a Bear does? The new iPhone, with FLIR'

  15. Andy 97

    Wagamama

    Blimey, this really is the stuff of nightmares.

    I took my daughter to Wagamama on the Thames Embankment last week.

    When I got home I had an email from them asking for NPS ratings.

    I thought I must have used my phone for something and logged into their free wifi, but no...

    Phones off from now-on.

    1. Anonymous Coward
      Anonymous Coward

      Re: Wagamama

      Just wait until you start getting the "can you answer 3 quick questions" requests from Google Maps!

      N.b. I think Wagamama use TheCloud WiFi, so you may have got logged in automatically if you use that service (or one of its ISP-branded versions) .... I've had a few emails from Wagamama as a "recent visitor" when I've actually been logged into their WiFi from Nando's next door!

  16. anonymous boring coward Silver badge

    "effects every phone"

    Affects

  17. Tom Paine Silver badge
    Alien

    Let's face it....

    We all know how this came to pass.

    ALIENS!


Biting the hand that feeds IT © 1998–2020