If you were tracking, one of the nice features allegedly added to iOS8 was MAC address randomization for unassociated iPhones looking for wifi service. Independent testing by AirTight Networks reported that the feature works, but only in a narrow way that is not entirely useful for privacy purposes, let alone across the full gamut of Apple hardware. Given my own interest in wireless security, I was much more excited about this than the promise of using third-party keyboards or slow-motion video capture.
What’s a MAC Address?
A MAC (Media Access Control) address is a 48-bit number, conventionally written as six hexadecimal octets, that identifies an individual network interface. It usually looks something like this:
12:34:56:78:9A:BC, where the first three octets (the first six hex characters, the OUI) usually identify the manufacturer, and the last three are assigned by that manufacturer to the individual interface. Every network interface has its own MAC, so your wireless adapter has a different one than your wired port. Besides making sure the right traffic goes to the right computer on the right interface, wifi also uses the MAC to identify potential (unassociated) clients for authentication and service. No matter how strongly a connection is encrypted, the source and destination MAC addresses in the 802.11 frame header are always sent in the clear and can be used by an exploiter for device tracking.
What Would Randomization Fix?
Marketers have recently been using this property to sniff the MAC addresses of unassociated wifi-capable handsets walking into certain stores, to get survey data on what kind of devices their customers are using. Exploiters have been building tools for tracking devices for as long as there has been wifi. While there may be no way around using a static MAC once associated with a trusted wireless access point, the hardware MAC really shouldn't be necessary when probing for service: a probe request only needs some source address for the access point to answer, and a randomly generated one works just as well. The address space is large enough (46 usable bits once the locally-administered bit is set and the multicast bit is cleared) that two random addresses colliding on the same channel is not a practical concern. Regular computers have long had the ability to change (or even randomize) the MAC, while mobile devices rarely do without some workarounds. From a security standpoint, implicit randomization of the MAC of an unassociated client would improve privacy without impacting the device's ability to get service.
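To make the structure described above concrete, here is a small added example (mine, not from the original post or from Apple): it splits a MAC into its OUI and interface-specific halves, reads the two flag bits in the first octet that matter for randomization (bit 0 is the individual/group bit, bit 1 is the universally/locally administered bit), and generates the kind of address a randomizing client would use. Vendor lookup for an OUI needs the IEEE registry, which is not included here. The sample addresses are constructed, not captured.

```python
import os


def parse_mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into 6 raw bytes."""
    parts = text.replace("-", ":").split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"malformed MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw):
    """Render raw bytes as upper-case colon-separated hex."""
    return ":".join(f"{b:02X}" for b in raw)


def describe_mac(text):
    """Split a MAC into OUI / interface part and decode the two flag bits.

    - bit 0 of the first octet: 0 = individual (unicast), 1 = group (multicast)
    - bit 1 of the first octet: 0 = universally administered (vendor-assigned),
      1 = locally administered (set by software, e.g. a randomized address)
    """
    raw = parse_mac(text)
    first = raw[0]
    return {
        "oui": format_mac(raw[:3]),
        "nic": format_mac(raw[3:]),
        "multicast": bool(first & 0x01),
        "locally_administered": bool(first & 0x02),
    }


def random_unicast_mac():
    """Generate a random locally-administered unicast MAC.

    Set the locally-administered bit (0x02) so it cannot be mistaken for a
    vendor-assigned address, and clear the group bit (0x01) so it is a valid
    source address for a unicast station.
    """
    raw = bytearray(os.urandom(6))
    raw[0] = (raw[0] | 0x02) & 0xFE
    return format_mac(raw)


if __name__ == "__main__":
    # Constructed sample: the address used as an illustration earlier in the post.
    print(describe_mac("12:34:56:78:9A:BC"))
    print(describe_mac("00:1B:63:00:00:01"))
    print("random locally-administered address:", random_unicast_mac())
```

Note that the illustrative address 12:34:56:78:9A:BC from earlier in the post already has the locally-administered bit set (0x12 has bit 1 on), so a sniffer that checks that bit would treat it as a software-assigned address rather than one burned in by a vendor. A randomizing client should set that bit on purpose, and ideally pick a fresh address for each scan, not just one per boot.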
Back on the Apple Thing
So imagine my excitement when I read that MAC randomization was going to be a feature in iOS8! I should have known better, having only read about it through third-party sources and not seeing much on Apple.com beyond a few developer discussions and a technical support document. According to the published trials by AirTight Networks, the feature does work, but only under extremely strict conditions:
The wifi is on, but unassociated with an access point
The device is in sleep mode; the screen is turned off
Location Services are turned off under the Privacy Settings
The cellular data services are turned off
The device is an iPhone 5s or newer; no luck for iPads
So in short, if you have a newer iPhone that you never use for location services or cellular data and keep it asleep in your pocket, your privacy is improved. For virtually everyone else, the feature effectively doesn't exist.
In the spirit of trusting but verifying, I attempted to get my own recently-updated iPhone5 to randomize its MAC. Unsurprisingly, nothing I did worked, according to my own wireless sniffing. No matter what, I saw my handset probing for service with its regular MAC. One interesting thing I noticed that improves privacy a bit is a change in how the probe request is broadcast. Usually, when an unassociated device probes for wifi service, it also sends directed probes naming the SSIDs (the broadcast name of a wifi network) of networks it has previously been associated with. Apple devices are normally very chatty in this regard, yet I didn't see a single SSID listed in the probe requests, despite having at least two unique networks stored in my iPhone's memory. I would be interested to hear whether this is just me or whether other folks see a similar change with different Apple devices.
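What a sniffer actually sees in those probe requests is easy to show on constructed frames. The added example below (my own code, not from the post, Apple or AirTight) builds minimal 802.11 probe request frames, one per SSID the way a chatty client sends them, then parses them the way a passive sniffer would: the source MAC comes straight out of the unencrypted header, and the SSID element in the frame body reveals the remembered network names. The frames are constructed in memory without a radiotap header; on a real monitor-mode capture you would strip radiotap first (tools like scapy do this for you). The client addresses and SSIDs are made up for the example.

```python
import struct

TAG_SSID = 0
TAG_SUPPORTED_RATES = 1
BROADCAST = b"\xff" * 6
# Frame control: version 0, type 0 (management), subtype 4 (probe request), no flags.
PROBE_REQ_FC = b"\x40\x00"


def fmt_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


def build_probe_request(src, ssid="", seq=0):
    """Build a minimal 802.11 probe request.

    Header: FC(2) duration(2) addr1=DA(6) addr2=SA(6) addr3=BSSID(6) seqctl(2).
    An empty ssid is a wildcard probe; a non-empty one is a directed probe for
    a remembered network, which is what leaks the network name.
    """
    header = (PROBE_REQ_FC + b"\x00\x00" + BROADCAST + src + BROADCAST
              + struct.pack("<H", seq << 4))
    ssid_bytes = ssid.encode("utf-8")
    body = bytes([TAG_SSID, len(ssid_bytes)]) + ssid_bytes
    rates = bytes([0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbps (basic)
    body += bytes([TAG_SUPPORTED_RATES, len(rates)]) + rates
    return header + body


def parse_probe_request(frame):
    """Return source MAC and SSID from a probe request, or None for other frames."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 management header")
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype != 4:
        return None
    src = frame[10:16]  # addr2 is the transmitter, always in the clear
    elements = {}
    pos = 24
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        elements.setdefault(tag, value)  # keep the first occurrence of each tag
        pos += 2 + length
    ssid = elements.get(TAG_SSID, b"").decode("utf-8", "replace")
    return {
        "src": fmt_mac(src),
        "locally_administered": bool(src[0] & 0x02),
        "ssid": ssid,
    }


def sniff_summary(frames):
    """What a passive observer learns: for each source MAC, the SSIDs it asked for."""
    seen = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        names = seen.setdefault(parsed["src"], set())
        if parsed["ssid"]:
            names.add(parsed["ssid"])
    return seen


# Constructed traffic: a chatty client with a fixed vendor-style MAC probing for
# its remembered networks, and a quiet client using a locally-administered
# (randomized) MAC that only sends wildcard probes.
CHATTY = bytes.fromhex("001b63000001")
QUIET = bytes.fromhex("a2ff0e1d2c3b")
SAMPLE_FRAMES = [
    build_probe_request(CHATTY, "", seq=1),
    build_probe_request(CHATTY, "HomeWifi", seq=2),
    build_probe_request(CHATTY, "CoffeeShop", seq=3),
    build_probe_request(QUIET, "", seq=1),
]

if __name__ == "__main__":
    for mac, ssids in sniff_summary(SAMPLE_FRAMES).items():
        print(mac, sorted(ssids) or "(wildcard only)")
```

The two things to take away from the output: the chatty client hands an observer both a stable identifier and a list of places it has been, while the quiet client gives up neither. Hiding the SSIDs, as my iPhone appears to do, removes the second half of that; only a changing source address removes the first.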
Privacy in the Future
The honest question to ask at some point is just how private we can make these sorts of things. If you want Google Now to know what you're going to search for before you search for it, or Siri to provide more useful information based on your location, a concession has to be made. Instead of expecting connected devices and services to be private things, it may be wiser to concede that they fundamentally aren't private, and start managing the information we release. Just as not participating in social networking doesn't make you any more private, not using a smart phone's capabilities doesn't make you less exploitable by malicious hackers or marketers; it just changes the vector.