MAC address randomization

R_1200_R Member, Beta Tester Posts: 4
Some device manufacturers are implementing MAC address randomization on their NICs. I came across this "feature" when I tried to integrate my Wahoo Fitness bike computers into my network. My network is protected by whitelisting (known MAC addresses only) on the router and a Fing Box. I contacted Wahoo support on that issue and this is their reply (which I understand as a major misunderstanding of the security recommendations and the implications/impact of that approach):
"We do not recommend using the ELEMNT computers on MAC-address filtered networks because they use MAC address randomization, so this address will change each time the ELEMNT is connected to WiFi. This is in line with the IEEE's current guidance for security on WiFi connected devices. For more information on MAC address randomization please see the link below.
https://www.csoonline.com/article/2945044/cyber-attacks-espionage/ieee-groups-recommends-random-mac-addresses-for-wi-fi-security.html
I don't believe that there are any plans to address this in future firmware updates."

As the article cited points out: "For example, Apple's latest iOS update includes privacy features for when the devices are scanning for wireless networks -- but the update only works while scanning, not for after the device is connected, and it only works on the most recent iPhone models."
While scanning I think it is fine to use random MAC addresses, but not while connecting to known networks. That seems to be a proper implementation.
Have you come across other devices using such a flawed implementation?
How do you manage these situations? Setting up a separate "temporary guest network" using a second router?
cu,
  R_1200_R

Comments

  • CPKokoska Member, Beta Tester Posts: 8
    My limited understanding (per the 802.11-2016 standard) is that MAC randomization IF AND WHEN SUPPORTED BY A DEVICE AND AP is only for use during device association (Pre-Association Service Discovery) on a "per SSID" basis. In other words, for devices that fully and properly implement the standard, a randomized MAC address would be generated during service discovery on an unrecognized SSID. Once authenticated to that SSID, the SSID would be recorded by the client device to ensure the authenticated MAC was used again during each subsequent authentication. This implementation theoretically eliminates numerous issues which would otherwise result from completely random MAC address generation for each authentication effort.

    Here is a more recent article which BRIEFLY summarizes the concept as it is "supposed" to be implemented: https://www.cablelabs.com/mac-address-randomization-how-user-privacy-impacts-wi-fi-and-internet-service-providers

    So, at least superficially, it sounds like your vendor's implementation is more than just "flawed" - it's in violation of published standards. Good luck trying to get them to update their firmware to bring their equipment into line.
  • R_1200_R Member, Beta Tester Posts: 4
    CPKokoska said:
    "So, at least superficially, it sounds like your vendor's implementation is more than just "flawed" - it's in violation of published standards. Good luck trying to get them to update their firmware to bring their equipment into line. "

    Which standards are valid at this time? I see that they are being developed further, so I lost track of which one actually is the one all vendors are requested to follow.
    N.B. Yes, I regard that behaviour also as non-compliant. But I believe that Wahoo will only update their firmware if multiple users complain or they agree that it is a violation of existing standards.
  • VioletChepil London, UK Member Posts: 2,474 admin
    edited November 29
    Anything to add on this topic? @Hronos @Marc @kltaylor @Pooh

    Community Manager at Fing

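To make the difference concrete, here is a small model of the per-SSID behaviour CPKokoska describes (fresh random MAC only during discovery on an unrecognized SSID, then the authenticated MAC pinned to that SSID and reused), placed beside the per-connection randomization that the opening post attributes to the ELEMNT. It also shows the check a network owner can run on an allowlist: a randomized address conventionally carries the locally administered (U/L) bit in its first octet. This is an added illustration, not code from this thread, from Fing, from Wahoo, or from the 802.11 standard; the class names, the `simulate` helper and the U/L-bit convention are assumptions made for the example.

```python
"""Model of per-SSID MAC pinning versus per-connection randomization.

Added example (not forum, Fing, Wahoo or IEEE code). Assumptions:
- a randomized MAC is locally administered (first octet bit 0x02 set,
  multicast bit 0x01 clear), which is the common convention;
- 'authentication' is reduced to a callback so the policy can be exercised
  offline with no radio involved.
"""
import secrets
from typing import Dict, Optional, Set


def random_local_mac() -> str:
    """Return a random unicast, locally administered MAC (xx:xx:xx:xx:xx:xx)."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE   # set U/L bit, clear multicast bit
    return ":".join(f"{b:02x}" for b in octets)


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit of the first octet is set.

    An allowlist entry with this bit set is a hint that the client randomizes
    its address and may not keep it across reconnects.
    """
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


class PerSsidPinningPolicy:
    """Policy as described in the thread: random only until first
    authentication on an SSID, then the same MAC for that SSID forever."""

    def __init__(self) -> None:
        self._pinned: Dict[str, str] = {}   # SSID -> MAC that authenticated

    def mac_for_discovery(self, ssid: str) -> str:
        # Known SSID: reuse the pinned address. Unknown SSID: fresh random one.
        return self._pinned.get(ssid) or random_local_mac()

    def on_authenticated(self, ssid: str, mac: str) -> None:
        # Record the address that completed authentication, once per SSID.
        self._pinned.setdefault(ssid, mac)

    def pinned_mac(self, ssid: str) -> Optional[str]:
        return self._pinned.get(ssid)


class PerConnectionRandomPolicy:
    """The behaviour the opening post complains about: a new random MAC on
    every connection, so no router allowlist entry survives a reconnect."""

    def mac_for_discovery(self, ssid: str) -> str:
        return random_local_mac()

    def on_authenticated(self, ssid: str, mac: str) -> None:
        pass   # nothing is remembered


def simulate(policy, ssid: str, connections: int) -> Set[str]:
    """Connect `connections` times to `ssid`; return the set of MACs used."""
    used: Set[str] = set()
    for _ in range(connections):
        mac = policy.mac_for_discovery(ssid)
        policy.on_authenticated(ssid, mac)   # assume every attempt succeeds
        used.add(mac)
    return used


def allowlist_accepts_all(policy, ssid: str, connections: int) -> bool:
    """Allowlist the MAC seen on the first connection (what the router owner
    does once) and report whether every later connection would pass."""
    first = policy.mac_for_discovery(ssid)
    policy.on_authenticated(ssid, first)
    allowlist = {first}
    return all(policy.mac_for_discovery(ssid) in allowlist
               for _ in range(connections - 1))


if __name__ == "__main__":
    print("pinned policy MACs over 5 connects:",
          simulate(PerSsidPinningPolicy(), "HomeNet", 5))
    print("per-connection policy MACs over 5 connects:",
          len(simulate(PerConnectionRandomPolicy(), "HomeNet", 5)))
    print("allowlist survives with pinning:",
          allowlist_accepts_all(PerSsidPinningPolicy(), "HomeNet", 5))
    print("allowlist survives with per-connection randomization:",
          allowlist_accepts_all(PerConnectionRandomPolicy(), "HomeNet", 5))
```

With the pinning policy the allowlist entry added after the first connection keeps working, and a different SSID still gets its own random address, which is the privacy benefit the standard is after. With the per-connection policy the router owner would have to re-add a new entry every time, which is exactly the situation in the opening post.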