Defeating MAC Address Randomization Through Timing Attacks

  title={Defeating MAC Address Randomization Through Timing Attacks},
  author={C{\'e}lestin Matte and Mathieu Cunche and Franck Rousseau and M. Vanhoef},
  journal={Proceedings of the 9th ACM Conference on Security \& Privacy in Wireless and Mobile Networks},
  • Célestin MatteM. Cunche M. Vanhoef
  • Published 18 July 2016
  • Computer Science
  • Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks
MAC address randomization is a common privacy protection measure deployed in major operating systems today. It is used to prevent user-tracking with probe requests that are transmitted during IEEE 802.11 network scans. We present an attack to defeat MAC address randomization through observation of the timings of the network scans with an off-the-shelf Wi-Fi interface. This attack relies on a signature based on inter-frame arrival times of probe requests, which is used to group together frames… 

Figures and Tables from this paper

Valkyrie: a generic framework for verifying privacy provisions in wireless networks

Valkyrie (Verification of Addresses LinKabilitY in address Randomization ImplemEntations), a software tool that verifies that a given sequence of frames generated by a device does not compromise the address randomization scheme.

Wi-Fi User Profiling via Access Point Honeynets

  • F. RyanM. Schukat
  • Computer Science
    2019 30th Irish Signals and Systems Conference (ISSC)
  • 2019
This paper presents an access point honeypot system that works around MAC address randomization and scanning for known networks, therefore allowing tracking and profiling of the public with little effort or expense.

Wi-Fi Tracking: Fingerprinting Attacks and Counter-Measures. (Traçage Wi-Fi: Attaques par Prise d'Empreinte et Contre-Mesures)

It is shown that this mitigation, in its current state, is insufficient to prevent tracking, and presents two tools: an experimental Wi-Fi tracking system for testing and public awareness raising purpose, and a tool estimating the uniqueness of a device based on the content of its emitted signals even if the identifier is randomized.

A Study of MAC Address Randomization in Mobile Devices and When it Fails

This paper presents the first wide-scale study of MAC address randomization in the wild, including a detailed breakdown of different randomization techniques by operating system, manufacturer, and model of device.

Defending wi-fi network discovery from time correlation tracking

It is shown how adding random jitter to probe request transmissions renders a timing correlation attack infeasible to track devices during network discovery.

Three Years Later: A Study of MAC Address Randomization In Mobile Devices And When It Succeeds

This work revisits MAC address randomization by performing a cross-sectional study of 160 models of mobile phones, including modern devices released subsequent to previous studies, to determine whether it uses randomization, under what conditions it randomizes its MAC address, and whether it mitigates known tracking vulnerabilities.

Efficient Association of Wi-Fi Probe Requests under MAC Address Randomization

  • Jiajie TanS. Chan
  • Computer Science
    IEEE INFOCOM 2021 - IEEE Conference on Computer Communications
  • 2021
This work proposes Espresso, a simple, novel and efficient approach which establishes probe request association under MAC address randomization and outperforms the state-of-the-art schemes in terms of discrimination accuracy and V-measure scores.

When Good Becomes Evil: Tracking Bluetooth Low Energy Devices via Allowlist-based Side Channel and Its Countermeasure

It is found that the current MAC address randomization scheme specified in Bluetooth protocol is flawed, suffering from a replay attack with which an attacker can replay a sniffed MAC address to probe whether a targeted device will respond or not based on its allowlist.

Quantifying the Information Leak in IEEE 802.11 Network Discovery

This paper quantifies the information leak that is present in the current network discovery protocol, and introduces a way to measure the uniqueness of an entity, which is based on the set of leaked SSIDs, to show how unique SSID names backfire against attempts to obfuscate user devices.

Privacy issues in wireless networks, Every frame you send, they'll be watching you

A study of privacy features of the two major wireless network standards: Wi-Fi and Bluetooth-Low-Energy and focuses on address randomization mechanisms, a recently adopted anti-tracking measure, and identifies several issues related to implementation as well as standard specifications.



Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms

We present several novel techniques to track (unassociated) mobile devices by abusing features of the Wi-Fi standard. This shows that using random MAC addresses, on its own, does not guarantee

802.11 user fingerprinting

It is shown that even a single implicit identifier is sufficient to distinguish many users, and it is argued that design considerations beyond eliminating explicit identifiers, must be addressed in order to prevent user tracking in wireless networks.

How talkative is your mobile device?: an experimental study of Wi-Fi probe requests

This work quantify Wi-Fi probe requests' threat to privacy by conducting an experimental study of the most popular smartphones in different settings, and evaluates a commercially deployed MAC address randomization mechanism and demonstrates a simple method to re-identify anonymized probes.

Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting

A unique fingerprinting technique is developed that accurately and efficiently identifies the wireless driver without modification to or cooperation from a wireless device.

Privacy in inter-vehicular networks: Why simple pseudonym change is not enough

The granularity and the amount of location information IVC protocols divulge, enable an adversary that eavesdrops all traffic throughout an area, to reconstruct long traces of the whereabouts of the majority of vehicles within the same area.

iwlwifi: mvm: support random MAC address for scanning. Linux commit effd05ac479b

  • iwlwifi: mvm: support random MAC address for scanning. Linux commit effd05ac479b

Android 6.0 changes Retrieved from marshmallow/android-6.0-changes

  • Android 6.0 changes Retrieved from marshmallow/android-6.0-changes
  • 2015

CRAWDAD dataset sapienza/probe-requests

    Experience with mac address randomization in windows

    • 2015