Defeating MAC Address Randomization Through Timing Attacks

  title={Defeating MAC Address Randomization Through Timing Attacks},
  author={C{\'e}lestin Matte and Mathieu Cunche and Franck Rousseau and M. Vanhoef},
  journal={Proceedings of the 9th ACM Conference on Security \& Privacy in Wireless and Mobile Networks},
  • Célestin MatteM. Cunche M. Vanhoef
  • Published 18 July 2016
  • Computer Science
  • Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks
MAC address randomization is a common privacy protection measure deployed in major operating systems today. It is used to prevent user-tracking with probe requests that are transmitted during IEEE 802.11 network scans. We present an attack to defeat MAC address randomization through observation of the timings of the network scans with an off-the-shelf Wi-Fi interface. This attack relies on a signature based on inter-frame arrival times of probe requests, which is used to group together frames… 

Figures and Tables from this paper

Valkyrie: a generic framework for verifying privacy provisions in wireless networks

Valkyrie (Verification of Addresses LinKabilitY in address Randomization ImplemEntations), a software tool that verifies that a given sequence of frames generated by a device does not compromise the address randomization scheme.

Wi-Fi Tracking: Fingerprinting Attacks and Counter-Measures. (Traçage Wi-Fi: Attaques par Prise d'Empreinte et Contre-Mesures)

It is shown that this mitigation, in its current state, is insufficient to prevent tracking, and presents two tools: an experimental Wi-Fi tracking system for testing and public awareness raising purpose, and a tool estimating the uniqueness of a device based on the content of its emitted signals even if the identifier is randomized.

Device Identification in the Presence of MAC Randomization

  • Ihab ZhaikaDavid Hay
  • Computer Science
    GLOBECOM 2022 - 2022 IEEE Global Communications Conference
  • 2022
This work presents methods to ensure the functionalities of firewalls, parental control, and similar applications, even when the MAC address is changed every time the device connects to the network, even if the latest MAC randomization techniques are applied.

Defending wi-fi network discovery from time correlation tracking

It is shown how adding random jitter to probe request transmissions renders a timing correlation attack infeasible to track devices during network discovery.

Three Years Later: A Study of MAC Address Randomization In Mobile Devices And When It Succeeds

This work revisits MAC address randomization by performing a cross-sectional study of 160 models of mobile phones, including modern devices released subsequent to previous studies, to determine whether it uses randomization, under what conditions it randomizes its MAC address, and whether it mitigates known tracking vulnerabilities.

When Good Becomes Evil: Tracking Bluetooth Low Energy Devices via Allowlist-based Side Channel and Its Countermeasure

It is found that the current MAC address randomization scheme specified in Bluetooth protocol is flawed, suffering from a replay attack with which an attacker can replay a sniffed MAC address to probe whether a targeted device will respond or not based on its allowlist.

Quantifying the Information Leak in IEEE 802.11 Network Discovery

This paper quantifies the information leak that is present in the current network discovery protocol, and introduces a way to measure the uniqueness of an entity, which is based on the set of leaked SSIDs, to show how unique SSID names backfire against attempts to obfuscate user devices.

Privacy issues in wireless networks, Every frame you send, they'll be watching you

A study of privacy features of the two major wireless network standards: Wi-Fi and Bluetooth-Low-Energy and focuses on address randomization mechanisms, a recently adopted anti-tracking measure, and identifies several issues related to implementation as well as standard specifications.

Five Years Later: How Effective Is the MAC Randomization in Practice? The No-at-All Attack

It is shown that the effectiveness of this solution, five years after it was introduced for the first time, is insufficient to prevent Wi-Fi users from tracking, and the solution itself is not even widely used.

A Billion Open Interfaces for Eve and Mallory: MitM, DoS, and Tracking Attacks on iOS and macOS Through Apple Wireless Direct Link

This work uncovers several security and privacy vulnerabilities ranging from design flaws to implementation bugs leading to a man-in-the-middle (MitM) attack enabling stealthy modification of files transmitted via AirDrop, denial-of-service (DoS) attacks preventing communication, privacy leaks that enable user identification and long-term tracking undermining MAC address randomization, and DoS attacks enabling targeted or simultaneous crashing of all neighboring devices.



Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms

We present several novel techniques to track (unassociated) mobile devices by abusing features of the Wi-Fi standard. This shows that using random MAC addresses, on its own, does not guarantee

802.11 user fingerprinting

It is shown that even a single implicit identifier is sufficient to distinguish many users, and it is argued that design considerations beyond eliminating explicit identifiers, must be addressed in order to prevent user tracking in wireless networks.

How talkative is your mobile device?: an experimental study of Wi-Fi probe requests

This work quantify Wi-Fi probe requests' threat to privacy by conducting an experimental study of the most popular smartphones in different settings, and evaluates a commercially deployed MAC address randomization mechanism and demonstrates a simple method to re-identify anonymized probes.

Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting

A unique fingerprinting technique is developed that accurately and efficiently identifies the wireless driver without modification to or cooperation from a wireless device.

Privacy in inter-vehicular networks: Why simple pseudonym change is not enough

The granularity and the amount of location information IVC protocols divulge, enable an adversary that eavesdrops all traffic throughout an area, to reconstruct long traces of the whereabouts of the majority of vehicles within the same area.

Android 6.0 changes Retrieved from marshmallow/android-6.0-changes

  • Android 6.0 changes Retrieved from marshmallow/android-6.0-changes
  • 2015

Experience with mac address randomization in windows

  • 2015

Privacy and your app

  • In Apple Worldwide Dev. Conf. (WWDC),
  • 2015

ios8 mac randomization

  • 2014