MAC address randomization

R_1200_R Member, Beta Tester Posts: 4
Some device manufacturers are implementing MAC address randomization on their NICs. I came across this "feature" when I tried to integrate my Wahoo Fitness bike computers into my network. My network is protected by whitelisting (known MAC addresses only) on the router and a Fing Box. I contacted Wahoo support on that issue and this is their reply (which I understand as a major misunderstanding of the security recommendations and the implications/impact of that approach):
"We do not recommend using the ELEMNT computers on MAC-address filtered networks because they use MAC address randomization, so this address will change each time the ELEMNT is connected to WiFi. This is in line with the IEEE’s current guidance for security on WiFi connected devices. For more information on MAC address randomization please see the link below.
https://www.csoonline.com/article/2945044/cyber-attacks-espionage/ieee-groups-recommends-random-mac-addresses-for-wi-fi-security.html
I don't believe that there are any plans to address this in future firmware updates."

As the article cited points out: "For example, Apple's latest iOS update includes privacy features for when the devices are scanning for wireless networks -- but the update only works while scanning, not for after the device is connected, and it only works on the most recent iPhone models."
While scanning I think it is fine to use random MAC addresses, but not while connecting to known networks. That seems to be a proper implementation.
Have you come across other devices using such a flawed implementation?
How do you manage these situations? Setting up a separate "temporary guest network" using a second router?
cu,
  R_1200_R

Comments

  • CPKokoska
    CPKokoska Member, Beta Tester Posts: 8
    My limited understanding (per the 802.11-2016 standard) is that MAC randomization IF AND WHEN SUPPORTED BY A DEVICE AND AP is only for use during device association (Pre-Association Service Discovery) on a "per SSID" basis. In other words, for devices that fully and properly implement the standard, a randomized MAC address would be generated during service discovery on an unrecognized SSID. Once authenticated to that SSID, the SSID would be recorded by the client device to ensure the authenticated MAC was used again during each subsequent authentication. This implementation theoretically eliminates numerous issues which would otherwise result from completely random MAC address generation for each authentication effort.

    Here is a more recent article which BRIEFLY summarizes the concept as it is "supposed" to be implemented: https://www.cablelabs.com/mac-address-randomization-how-user-privacy-impacts-wi-fi-and-internet-service-providers

    So, at least superficially, it sounds like your vendor's implementation is more than just "flawed" - it's in violation of published standards. Good luck trying to get them to update their firmware to bring their equipment into line.    
  • R_1200_R
    R_1200_R Member, Beta Tester Posts: 4
    CPKokoska said:
    "So, at least superficially, it sounds like your vendor's implementation is more than just "flawed" - it's in violation of published standards. Good luck trying to get them to update their firmware to bring their equipment into line. "

    Which standards are valid at this time? I see that they are developed further, so I lost track of which one actually is the one all vendors are requested to follow.
    N.B. Yes, I also regard that behaviour as non-compliant. But I believe that Wahoo will only update their firmware if multiple users complain or they agree on a violation of existing standards.

  • VioletChepil
    VioletChepil London, UK Member Posts: 2,471
    edited November 29, 2019 #4
    Anything to add on this topic? @Hronos @Marc @kltaylor @Pooh

    Community Manager at Fing

  • MarcoNL
    MarcoNL NL Member Posts: 23
    Apple has introduced random MAC addresses since iPad/iOS 14.
    Directly after updating 2 devices, FingBox noticed new MAC-addresses in my network and the addresses change frequently. Apple says it is to protect you from being followed.
    Annoying, especially since it is Apple that follows me everywhere. (Ever experienced your iPhone saying 'Hello [Owner]' to you when an Apple store is nearby? I did.)
    However, it can be switched off via: Settings > Wifi > (Click the Info button next to your WiFi SSID) > Uncheck 'Private address'.
    Strangely enough, Apple turns it on after some time. I expect that to be a bug.

  • daluu
    daluu Member Posts: 2
    FYI, since Android 10 (and Android 9 with developer mode), and in recent versions of Windows 10, those devices can also have MAC randomization enabled (per SSID). Windows 10 even has an option to rotate the random MAC daily. And Android 11 developer mode has an option to randomize per connection/reconnection (if that works properly). So more devices are being affected going forward.
    Does this random MAC stuff break the Fing functionality in fingerprinting? I've not used Fing before but came across this thread doing online search.
  • daluu
    daluu Member Posts: 2
    By the way, as an industry, IEEE, IETF and WBA don't mention anything about MAC randomization here being non-compliant, but rather that the breakage of certain functionalities it introduces needs to be addressed while preserving the privacy that MAC randomization enables. There are preliminary discussions of it in the IEEE Random and Changing MACs Study Group (RCM SG), and the IETF 109 MADINAS Birds Of a Feather (BOF) meeting. It will be quite some time before the standards committees have guidelines and best practices on how to apply MAC randomization for industry compliance.
  • JoelB
    JoelB Member Posts: 11
    edited December 18, 2020 #10

    MAC filtering should not be considered a “security” mechanism for your network. Any determined hacker can bypass it with simple scanning tools in minutes while sitting in a parked car down the street. You need to implement as strong of an auth/access solution as the WiFi clients can handle and segment off or replace those that can’t at least do WPA2-PSK with AES encryption.

  • BK303
    BK303 Member Posts: 23
    In my recent experience, devices that poorly implement MAC randomization by randomly changing their MAC addresses every day (or more frequently), even when connected to a known private WiFi network, can and do cause problems with Fingbox's network monitoring and alerting by creating multiple instances of the same device and causing repeated notifications of "new device joined network" as the device gets different DHCP-assigned IP addresses with different MACs. I observed that Fing has adopted some automatic strategies for dealing with Apple devices that default to MAC randomization on a Fing-monitored network, so hopefully Fing will continue to evolve with the technology changes and develop smarter algorithms to automatically consolidate devices with similar MAC patterns based on other information like the device's self-reported Bonjour name, or Fing could add mechanisms that allow Fingbox users to set up MAC masking rules to work around poor implementations of MAC randomization.

    Please also see related thread under topic "Fingbox Feature Requests",  "A way to suppress repeated device detection for MAC randomization". 
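As an added example (not Fing's code and not posted by anyone in this thread), here is one way a monitoring tool could apply the consolidation idea above: flag DHCP leases whose MAC has the IEEE locally administered bit set (randomized addresses on iOS 14+, Android 10+ and Windows 10 set this bit) and group them by the device's self-reported hostname, so that the same phone appearing with a new random MAC does not raise a fresh "new device" alert. The DHCP log lines and hostnames are constructed for this example; a self-reported name is spoofable, so this is an alerting heuristic, not an access control.

```python
import re
from collections import defaultdict

# Constructed sample DHCP server log (not real data): timestamp, message,
# assigned IP, client MAC, client-reported hostname.
SAMPLE_LEASES = """\
2021-01-08T08:01:12 DHCPACK 192.168.1.23 3a:7f:c2:10:9e:51 Joes-iPhone
2021-01-08T09:14:40 DHCPACK 192.168.1.41 a4:83:e7:22:19:0c living-room-tv
2021-01-09T08:03:05 DHCPACK 192.168.1.57 d6:12:08:aa:41:77 Joes-iPhone
2021-01-10T08:00:59 DHCPACK 192.168.1.63 0e:55:b1:3c:2d:e0 Joes-iPhone
2021-01-10T18:20:31 DHCPACK 192.168.1.41 a4:83:e7:22:19:0c living-room-tv
"""

LEASE_RE = re.compile(r"^\S+\s+DHCPACK\s+(\S+)\s+([0-9a-fA-F:]{17})\s+(\S+)$")


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02 of the first octet) is set and the I/G
    (multicast, 0x01) bit is clear. Vendor-assigned (OUI) unicast MACs have
    the U/L bit clear; randomized MACs set it."""
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not (first & 0x01)


def consolidate(log: str) -> dict:
    """Group lease records by hostname and report, per host, the distinct
    MACs seen, whether they all look randomized, and whether a monitoring
    tool could safely suppress a 'new device joined' alert for them."""
    hosts = defaultdict(set)
    for line in log.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue  # ignore lines that are not DHCPACK records
        _ip, mac, name = m.groups()
        hosts[name].add(mac.lower())
    report = {}
    for name, macs in hosts.items():
        randomized = all(is_locally_administered(m) for m in macs)
        report[name] = {
            "macs": sorted(macs),
            "randomized": randomized,
            # Only suppress when every MAC for this name is locally
            # administered and more than one has been seen.
            "suppress_new_device_alert": randomized and len(macs) > 1,
        }
    return report


if __name__ == "__main__":
    for host, info in consolidate(SAMPLE_LEASES).items():
        print(host, info)
```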
  • matthewathom
    matthewathom Member Posts: 4
    JoelB said:

    MAC filtering should not be considered a “security” mechanism for your network. Any determined hacker can bypass it with simple scanning tools in minutes while sitting in a parked car down the street. You need to implement as strong of an auth/access solution as the WiFi clients can handle and segment off or replace those that can’t at least do WPA2-PSK with AES encryption.

    It surprises me how many people take this stance. It would be like saying any good burglar knows how to pick a lock so you should not consider locking your door to be a security mechanism. MAC filtering in and of itself won’t secure your network but it is another security mechanism that can be utilized to provide defense in depth on your network.
  • MarcoNL
    MarcoNL NL Member Posts: 23
    Securing a network is a continuous task, not something you do ‘every now and then’.
    Sure, MAC addresses can be spoofed easily, but not using an access filter keeps the door wide open, just like matthew points out. Fing is basically just a ‘first alert’ kind of security that can help notify of strange things; it does not prevent anything. There’s an easy way to block out Fing also, the same way as Fing does its blocking.
  • JoelB
    JoelB Member Posts: 11
    Fing should have a better mechanism to block/allow known devices rather than the MAC address since every mobile vendor is going to implement MAC randomization in their OS. Fing can already interrogate the device and retrieve other info, like IMEI, but the primary signature is still the MAC address so every time a new virtual MAC address is used, you get a new device in Fing and that is unmanageable.
  • MarcoNL
    MarcoNL NL Member Posts: 23
    edited January 8, 2021 #15
    IMEI is most unlikely to be shared; it would reveal private information everywhere. Besides that, if FING could negotiate it, everybody can. If everybody can, it makes the information influenceable/spoofable and thus useless again for security.