Every network connected device has a MAC address which is used to uniquely identify that device on the network. By itself, a MAC address doesn’t pose any tracking concerns; MAC addresses are a fundamental necessity for device communications.
The problem is that when you’re strutting down the street with your iDevice in your purse or pocket, you’re passing through various signals emitted by public Wi-fi hotspots. And you may not realize it but you’re unwittingly exposing yourself to the world when you do this.
Think of it like being caught with your pants down…
Throughout the day, our phones are continuously trying to communicate with Wi-fi hotspots through a process known as an active scan.
Any access points in proximity to your phone periodically send self-identifying beacons containing their SSIDs, so potential network clients can identify the network and connect to it.
Your phone watches for these beacons and even actively broadcasts its own probe requests so that nearby access points can automatically associate your device.
The probe request typically includes the SSIDs of your home and work networks and also your MAC address. This stuff is sent in cleartext so anyone monitoring the airwaves can filch the data.
Incidentally, you can view an actual packet capture of the probe request frame in the University of Maryland’s slide presentation. Check out slide 39 of 48.
You might be wondering: what’s the big deal? Who cares if someone has your MAC address, right?
Consider this: did you know that someone can buy inexpensive stalking devices that monitor your every move? They can surreptitiously monitor your actions from the comfort of their living room couch.
These cyber stalkers can passively cull your email address, calendar data and almost anything else interacting with your mobile device.
You’ve heard of CreepyDOL, right? If not, you should definitely watch Brendan O’Connor’s 60-minute demonstration at the BlackHat USA 2013 conference.
But not everyone has the time to watch an hour-long technical video, so here’s the bottom line:
Picture something so small and so benign in appearance that anyone could furtively plug it in a wall outlet without anyone noticing.
Picture something so smart that it automatically scans the room for all adjacent mobile devices and then starts passively gathering and recording analytics on the movements of those devices.
CreepyDOL tracks your every move, from the exact time you left the coffee shop last Friday to how often you visit that coffee shop. It can even tell what websites you’re browsing, from dating websites to your newsreader application.
This isn’t science fiction.
Brendan O’Connor is the creator of this disconcerting device, and he actually tested it out on himself to see what sort of data it could gather.
The results were startling.
The above is a screenshot from a webinar O’Connor launched demonstrating the spying capabilities of CreepyDOL. At a glance you can easily discern a wealth of information from subjects in the vicinity of the CreepyDOL network.
This works because most mobile devices are always communicating with Wi-fi access points, even when they’re not actually connected to any of them. The Wi-fi protocol specification allows mobile devices and access points to broadcast MAC address information.
When you saunter into Starbucks, your phone and the nearest access point immediately begin trying to exchange information. As you walk toward the counter to pay for your Frappuccino, you walk away from that first access point and cross into the signal range of another access point, which also attempts to exchange information with your phone.
The scary part is that this data can be scrutinized to build a profile of your eating habits. For example, an attacker could analyze the various probe requests, responses and your location information to determine exactly when you enter and leave that Starbucks and how often you visit. The management team could theoretically install sensors throughout the store that use your MAC address to figure out how long you’ve been lingering in a particular section of the store. If the sensors reveal that you spend most of your time in front of the pastries, they could send you targeted advertising or even sell that information to third parties.
The real issue here is that O’Connor’s research has demonstrated that we already have the technology to do this. That’s what CreepyDOL does: it gathers reams of personal information from subjects based on MAC address probes and requests.
So what can we do?
Apple is trying to protect customers against these privacy attacks. In fact, any device running iOS 8 will automatically randomize its MAC address about 2 minutes after the device screen is locked.
Initially this looks like an effective tool to protect user privacy; however, closer examination reveals it’s specious at best.
Bhupinder Misra of Airtight Networks discovered that in order for this to work, two things have to happen:
- Cellular Data needs to be disabled
- Location Service needs to be disabled
Then Misra asks the million dollar rhetorical question:
Who turns OFF location services AND turns OFF cellular data connection while using their iPhone. That is why I now call it “iOS8 MAC RandomGate”.
So ultimately, the way Apple implements it, MAC randomization is impractical and users can still be tracked. It looks like we have to wait until a vendor creates a practical solution to this problem…
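As a check on what a phone's probe requests actually disclose, the following added example (not from the original post or from any tool it mentions) parses a probe request frame and reports the source MAC, whether its locally administered bit is set (the bit randomized addresses use), and any network names it carries. The frames, addresses and SSID are constructed sample input, and `build_probe_request` and `audit_probe_request` are names made up for this illustration.

```python
import struct

def build_probe_request(src_mac: bytes, ssid: bytes) -> bytes:
    """Build a minimal 802.11 probe request (constructed sample input)."""
    bcast = b"\xff" * 6
    # Frame control 0x0040 = management frame, subtype 4 (probe request).
    header = struct.pack("<HH", 0x0040, 0) + bcast + src_mac + bcast
    header += struct.pack("<H", 0)  # sequence control
    # Tag 0 = SSID, tag 1 = supported rates.
    tags = bytes([0, len(ssid)]) + ssid + bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])
    return header + tags

def audit_probe_request(frame: bytes) -> dict:
    """Report what a probe request exposes in cleartext."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 management header")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 4:
        raise ValueError("not a probe request")
    src = frame[10:16]  # address 2 = transmitter (the phone)
    ssids, pos = [], 24
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            break  # truncated element, stop parsing
        if tag == 0 and length > 0:  # zero length = wildcard, names nothing
            ssids.append(body.decode("utf-8", "replace"))
        pos += 2 + length
    randomized = bool(src[0] & 0x02)  # locally administered bit
    findings = []
    if not randomized:
        findings.append("globally unique MAC: device is linkable across sightings")
    if ssids:
        findings.append("names remembered network(s): " + ", ".join(ssids))
    return {"mac": ":".join(f"{b:02x}" for b in src),
            "randomized": randomized,
            "directed_ssids": ssids,
            "findings": findings}

if __name__ == "__main__":
    # Constructed samples: a factory-style MAC naming a network, and a
    # locally administered MAC sending a wildcard probe.
    for mac, ssid in [("001122334455", b"HomeNet"), ("02aabbccddee", b"")]:
        print(audit_probe_request(build_probe_request(bytes.fromhex(mac), ssid)))
```

A set locally administered bit only shows that the address is not the burned-in one; it does not by itself prove the address changes over time.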
What do you think about this? I’m curious.
Please share your thoughts in the comments below. Thanks.