
iOS 8 randomises the MAC address while scanning for WiFi networks - DavidChouinard
https://twitter.com/fredericjacobs/status/475601665836744704
======
brunnsbe
If this becomes the trend (which in my opinion would be nice) it will become a
big problem for companies that specialise in customer tracking e.g. for
supermarkets and big department stores. Previously it was quite easy to track
a customer, how long he or she spends time in the store, which floors he or
she visits, etc. by putting up dummy WiFi networks that the customers' phones
find by giving out their MAC-addresses.

~~~
userbinator
It's disturbingly creepy to think that stores would even think of doing this,
but on the other hand it's also an indication of how clueless the general
population is about the amount of identifiable data they're unconsciously
"leaking" through personal, (nearly) always-on devices. My laptop is set up
with a random MAC precisely to prevent this sort of tracking.

Interestingly, the unbranded Android phones I have (one looks very much like
an iPhone, ironically enough) all came with this "feature" of a random MAC
every time the WiFi is turned on/off, although that was more likely the
manufacturer not bothering to give each one a unique MAC.

All the more reason to keep the WiFi turned off unless you're actually using
it, and this might be a bit on the paranoid side, but I do the same for the
cell radio (airplane mode) - it's on only when I'm expecting a call or making
one.

At the other end of the scale, this tracking via MAC almost invites making
them think several million customers have suddenly entered the store...

~~~
bsimpson
I'm a technologist and I didn't know that devices advertise their MAC
addresses when scanning for WiFi until someone in that business told me. I
always thought it was the other way around (base stations advertise themselves
and devices affiliate with ones they recognize).

Though accurate, "clueless" is a bit harsh. I don't expect the general public
to know the implementation details of WiFi any more than I expect them to
understand how a catalytic converter works. The beauty of an abstraction is
that you get to reap its benefits without understanding precisely how it
works.

~~~
userbinator
_The beauty of an abstraction is that you get to reap its benefits without
understanding precisely how it works._

...and get to be manipulated and screwed over by the people who do.

While I don't expect the general public to know the details of WiFi down to
e.g. the level of the 802.11 spec, I think that some general ideas, like the
difference between passive/active scanning, are both simple enough to be
understood by analogy and critical to privacy that they should be known more
prominently.

------
IBM
It's pretty clear that Apple is positioning themselves in stark contrast to
Google, they want to be the privacy/security company. Internet companies with
advertising business models are a dime a dozen so that is a real advantage
that differentiates Apple.

~~~
JumpCrisscross
The FT brought up a similar contrast two weeks ago when discussing Apple and
Google's smart home strategies. They speculated that Apple is likely "to
emphasise the privacy protections built into its smart home system... Apple
considers privacy a key advantage over Google...since Google relies on
targeted advertising as its main source of income" [1].

This will be an interesting competition. Google, for openness and
transparency; Apple, for control and privacy.

[1]
[http://www.ft.com/intl/cms/s/0/1bef71b8-e433-11e3-a73a-00144...](http://www.ft.com/intl/cms/s/0/1bef71b8-e433-11e3-a73a-00144feabdc0.html)

~~~
jwr
> Google, for openness and transparency

I'm not entirely sure what you mean — that Google openly and transparently
tracks user behaviors so that they can make money on targeted advertising?

If you try to compare the two companies, I'd say the difference is that Apple
charges you a premium for their devices (thus making money), while Google
gathers data about you so that it can be sold to advertisers (thus making
money). Theoretically, each company could do both, but recently Apple started
differentiating itself by actually emphasizing privacy and limiting access to
data about users, in many places.

I do agree that it will be interesting, though.

~~~
bsimpson
I suspect OP is comparing the way the companies embrace technology. Google has
been a big proponent of the open web and of supporting the same standards as
everybody else. Apple has been pretty single-mindedly focused on being
proprietary whenever possible. (They support open standards on the web, but
the rest of their platform is only interoperable with itself.)

------
qq66
This is Apple forcing the in-store analytics companies like Euclid to use
iBeacon rather than WiFi. With the market share numbers the way they are,
though, for all but the highest-end stores what Android does matters more.

~~~
bbatsell
I feel like this comment might give a mistaken impression, so I'd like to
clarify.

Simply rolling out iBeacons does not replicate the copious data that one can
currently get by monitoring WiFi probe requests. iBeacons, as designed,
broadcast packets at a set rate using Bluetooth LE, and devices scan for those
broadcasts. There is no two-way communication, and no probe requests from
client devices.

In order for a company to use information from an iBeacon installation, they
must have software running on the client scanning for unique iBeacon UUIDs,
optionally filtered by "major" and "minor" uint16s to represent separate
locations and nodes. Apple limits iOS apps to scanning for 20 UUIDs at any
given time.

If the user does not have software that in some way scans for and does
something with data from a particular iBeacon UUID, then the implementer gets
no information. Thus, iBeacons move control over location and identity data
from third parties to users. If a user installs, say, a Target iOS app, it can
now scan for an iBeacon UUID that Target generates and can roll out across the
country. Only once the user has made that affirmative choice can Target
acquire information about that user or device.

~~~
djb_hackernews
> iBeacons, as _currently_ designed, broadcast packets at a set rate using
> Bluetooth LE, and devices scan for those broadcasts.

It is possible that iBeacons will provide the copious amounts of data
themselves, and this is the first step to that end, as the parent points out.

------
twistedpair
It's about time. I quite intentionally keep my wifi mode off for this reason
until I intend to use a network. No doubt someone is tracking and selling
every transmission you make.

FWIW, once you read about a PoC of an attack/tracking vector on HackaDay, you
can be sure it's already in production tracking you.

[http://www.tomsguide.com/us/how-to-bluesniper-pt1,review-408...](http://www.tomsguide.com/us/how-to-bluesniper-pt1,review-408.html)

[https://www.schneier.com/blog/archives/2008/04/tracking_vehi...](https://www.schneier.com/blog/archives/2008/04/tracking_vehicl.html)

~~~
twistedpair
For the click averse, the above links are

* BlueTooth Sniper Rifle

* Tracking people by air pressure chips in car tires

------
A_COMPUTER
MAC address ranges are assigned to device manufacturers, I wonder if they'll
only randomize inside the Apple device range or if they'll go outside of it.
Analytics companies might start seeing people carrying their sparcstations
into the grocery store.

~~~
yuubi
_Globally administered_ MAC address ranges are assigned to manufacturers. The
slide said "random, _locally_ administered" addresses, which aren't assigned
that way. There's a bit in the first octet to distinguish them; see
[https://en.wikipedia.org/wiki/Ethernet_address#Address_detai...](https://en.wikipedia.org/wiki/Ethernet_address#Address_details)
.
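
The flag bits in the first octet mentioned above, as an added example that is not part of the original comments: POSIX shell functions that classify a MAC address as globally or locally administered, generate a random locally administered unicast address, and summarise a list of observed addresses. The function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Bit 0x02 of the first octet is the
# universal/local (U/L) flag; bit 0x01 is the individual/group (I/G) flag.

# first_octet MAC: print the first octet in decimal, fail on malformed input.
first_octet() {
    mac=$(printf '%s' "$1" | tr 'ABCDEF-' 'abcdef:')
    printf '%s\n' "$mac" | grep -Eq '^[0-9a-f]{2}(:[0-9a-f]{2}){5}$' || return 1
    hex=${mac%%:*}
    echo $(( 0x$hex ))
}

# mac_scope MAC: "local" if the U/L bit is set, "global" if it is clear.
mac_scope() {
    o=$(first_octet "$1") || { echo invalid; return 1; }
    if [ $(( $o & 2 )) -ne 0 ]; then echo local; else echo global; fi
}

# mac_cast MAC: "multicast" if the I/G bit is set, "unicast" if it is clear.
mac_cast() {
    o=$(first_octet "$1") || { echo invalid; return 1; }
    if [ $(( $o & 1 )) -ne 0 ]; then echo multicast; else echo unicast; fi
}

# random_local_mac: six random bytes with U/L set and I/G cleared.
random_local_mac() {
    set -- $(od -An -N6 -tu1 /dev/urandom)   # word splitting is intended
    first=$(( ($1 | 2) & 254 ))
    shift
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$first" "$@"
}

# summarize_scopes: read one MAC per line on stdin and count each class.
summarize_scopes() {
    g=0; l=0; bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        scope=$(mac_scope "$line") || true
        case $scope in
            global) g=$((g + 1)) ;;
            local)  l=$((l + 1)) ;;
            *)      bad=$((bad + 1)) ;;
        esac
    done
    echo "global=$g local=$l invalid=$bad"
}

# Constructed sample of source addresses, as a scanner log might list them.
# The 00:00:5e:00:53:xx entries come from the documentation range.
sample_observations() {
    cat <<'EOF'
00:00:5e:00:53:01
da:a1:19:4c:2b:07
3e:9f:10:77:aa:c2
00-00-5E-00-53-AF
not-a-mac
EOF
}

sample_observations | summarize_scopes
echo "generated: $(random_local_mac)"
```

Only addresses classified as global carry a manufacturer-assigned prefix; the local ones cannot be mapped back to a vendor block.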

~~~
maguirre
excuse my ignorance but does that mean if one is to use a locally administered
address a device is free to take whatever they please? What would be advantage
of paying to the IEEE for a universally administered block?

~~~
yuubi
> does that mean if one is to use a locally administered address a device is
> free to take whatever they please?

I think those have traditionally been set by network admins, not randomly
chosen by devices, but pretty much: nobody apart from local admin coordinates
addresses with the local bit set.

> What would be advantage of paying to the IEEE for a universally administered
> block?

The promise that no device built by other legit companies will have an address
from that assigned block, so customers won't have to worry about MAC address
conflicts, provided they use only widgets from those who honor the assignment
scheme.

~~~
eli
Legit devices have had duplicate Mac addresses even though they're not
supposed to. In practice a totally random MAC is probably safer than the one
assigned to a cheap network card.

~~~
ciupicri
Speaking of practice, I've found recently this: "Five thin client machines
with same MAC Address?" (
[http://superuser.com/q/760238/2357](http://superuser.com/q/760238/2357) )

------
thrownaway2424
This is interesting. If _I_ did this while trying to find an open network, I'd
probably be described by the FBI man who tries to charge me with unauthorized
network access as using countermeasures learned from al Qaeda's IT guys. If
Apple does it on behalf of users though I'm sure it would be fine.

And yes, I've been involved in a criminal proceeding where the government
tried to claim that changing a wifi MAC was evidence of malice.

~~~
octo_t
Well, changing the MAC _can_ be evidence for this:

Imagine you get banned from your university network for breaking the terms of
use (let's say torrenting) - you change your MAC address so you can get back on
the network. You know you've been banned and you've made the conscious
decision to bypass the security of the network.

------
yuubi
We learned during the prosecution of Swartz that MAC addresses are the analog
of VIN number numbers, and that tampering with them is a sign of ill intent. I
await the federal case against Apple or an Apple customer with bated breath.

~~~
TazeTSchnitzel
>VIN number numbers

PNS syndrome _plus one_?!

~~~
pbhjpbhj
What number numbers in VIN number numbers convinces you to number it as a
number of numbers that numbers highly enough to be PNS syndrome?

------
therobotking
There's a great app for rooted Android devices called Pry-fi that generates
random MAC addresses while you're not connected to a network.

edit:
[https://play.google.com/store/apps/details?id=eu.chainfire.p...](https://play.google.com/store/apps/details?id=eu.chainfire.pryfi)

~~~
andor
Thanks for the tip!

In reaction to the iOS news, the developer of Pry-Fi wrote this post about the
state of the application:

[https://plus.google.com/+Chainfire/posts/Y4fjP6cH45v](https://plus.google.com/+Chainfire/posts/Y4fjP6cH45v)

Since the phone-specific Wifi stacks/drivers seem to be the main compatibility
problem, I guess MAC randomization could be implemented as a Cyanogenmod
feature on the device level.

------
i_am_ralpht
Many Bluetooth LE devices (including iOS 7) do something similar -- otherwise
you'd be able to track people by all of their BT LE devices which are
constantly advertising their existence. They cycle their advertised MAC
addresses every 15 minutes or so (and some provide a "random resolvable
address" which you can use to find out the physical BT MAC address after
pairing for easier reconnection).

From my office in downtown Los Altos, I can currently see a FitBit Flex, a
FitBit One and a couple of phones -- the randomized MAC address is all that
prevents someone bad from tracking them (BTLE scanners/phones are cheap!).

I guess you could still use the 15 minute MAC to track people through a train
station or other semi-public space (to gather metrics on where people are
coming from and going to). If you had a lot of antennas then you could
circumvent the MAC cycling by linking devices in the same area with the same
name and similar RSSI...

~~~
stephen_g
Yeah, our road authority uses anonymised Bluetooth tracking to calculate
performance measures for particular routes (Automated numberplate recognition
cameras are also used sometimes).

With Bluetooth, not just phones, but a lot of car stereos advertise their
MACs.

------
captn3m0
Is there something like this available for Linux desktops?

~~~
tombrossman
There is a package called macchanger which is said to have the ability to
spoof a random MAC address at each reboot. I have a new laptop with Ubuntu
14.04 freshly installed and I can't get it to work though. It's not a high
priority but I would like to have this working soon. I used to do this about
ten years ago on a laptop running XP and whatever program I was using worked
flawlessly. I'm thinking it should be even easier in Linux but haven't found
an 'it just works' solution yet.

~~~
kyboren
IME the most reliable way to do this is with a udev rule.

Here's my setup (Fedora, so YMMV). /etc/udev/rules.d/51-macchanger.sh:

    
    
    SUBSYSTEM=="net", ACTION=="add", DRIVERS=="iwlwifi", RUN+="/usr/local/bin/change-mac.sh wlp0s1"
    

/usr/local/bin/change-mac.sh:

    
    
    #!/bin/bash
    # Randomise the MAC address of one interface; output goes to the log file.
    (
        if [ "$#" != "1" ]
        then
            echo "mac changer script must be given iface name as argument: $*"
            echo "Using default of wlp0s1 instead."
            iface="wlp0s1"
        else
            iface=$1
        fi

        # The interface has to be down while its address is changed.
        /usr/sbin/ifconfig "$iface" down
        /bin/macchanger -r -b "$iface" # change to any random MAC address
        /usr/sbin/ifconfig "$iface" up
    ) >/var/log/change-mac
    
    

Note that you would need to specify the correct interface name in the udev
rule (or figure out a way to get it dynamically--I never bothered). This also
only works for Intel WiFi cards that use the iwlwifi driver; other cards with
different drivers need their udev rule changed appropriately.

------
sirdogealot
If you're wanting to accomplish this on your desktop/laptop... check out Arch
Linux:
[https://wiki.archlinux.org/index.php/MAC_Address_Spoofing](https://wiki.archlinux.org/index.php/MAC_Address_Spoofing)

Every single time my laptop boots up, it randomizes its MAC address.

------
schoen
The FTC held a workshop this spring about location tracking, particularly the
retail analytics kind that this is calculated to thwart. I spoke there and was
the person on the panel categorically opposed to the tracking (though I placed
the blame on the wifi device makers for leaking a tracking identifier, rather
than the people taking advantage of the tracking opportunity).

[http://www.ftc.gov/news-events/events-calendar/2014/02/sprin...](http://www.ftc.gov/news-events/events-calendar/2014/02/spring-privacy-series-mobile-device-tracking)

You can also read the comments that various organizations filed about this:

[http://www.ftc.gov/policy/public-comments/initiative-516](http://www.ftc.gov/policy/public-comments/initiative-516)

------
antman
If only they thought of that a few years ago [1]
[http://blog.erratasec.com/2013/01/i-conceal-my-identity-same...](http://blog.erratasec.com/2013/01/i-conceal-my-identity-same-way-aaron.html)

I hope all the people with IOS8 won't be charged with wire fraud.

------
esbranson
I've asked the HostAP mailing list about this as a feature request for
wpa_supplicant.[1] From what Jouni Malinen says, it should be relatively
straightforward.[2] (I think. I used a poor choice of words in my request.)

BTW AFAIK Android uses hostapd/wpa_supplicant.

It's beyond my technical abilities, but hopefully someone submits some patches.
(Or Jouni graciously does the deed. Because he is awesome.) HINT HINT WINK
WINK.

[1]
[http://lists.shmoo.com/pipermail/hostap/2014-June/030405.htm...](http://lists.shmoo.com/pipermail/hostap/2014-June/030405.html)

[2]
[http://lists.shmoo.com/pipermail/hostap/2014-June/030406.htm...](http://lists.shmoo.com/pipermail/hostap/2014-June/030406.html)

------
ColinDabritz
I wonder what effects this has on law enforcement. It seems probable that if
stores are using systems to track people by WIFI Mac, then law enforcement is
probably doing the same. An interesting trade off.

Also, does this apply to the other ID being broadcast, the Bluetooth MAC?

~~~
bengali3
I'm thinking this won't affect LEOs as they go through cell towers, which is not
wifi or bt. See:
[https://www.aclu.org/blog/national-security-technology-and-l...](https://www.aclu.org/blog/national-security-technology-and-liberty/us-marshals-seize-local-cops-cell-phone-tracking-files)

------
michaelmior
I hope it still connects with the real MAC address. Otherwise that could get
very problematic.

~~~
Karunamon
Why is that? The only good use that comes to mind is MAC filtering, and that's
easily defeated anyways.

~~~
0x0
DHCP with static (reserved) IP addresses comes to mind.

~~~
ams6110
Yes, I do this at home because it resolves the problem of duplicate IP
addresses on the network caused by a device assuming it still has the same IP
address (Apple devices seem to do this in particular) while meanwhile another
one has taken it.

~~~
craigyk
What? IME Apple devices are extremely polite about refusing/deactivating IP
addresses that are already in use.

~~~
ams6110
My experience is I get home, open my laptop, and it seems to by default assume
it has the same IP as last time it was on my home network. Meanwhile my kid's
2DS game is using that IP, and I have a few minutes of chaos. I just assign
fixed IPs to all the regularly connected devices and I don't encounter that.

~~~
rsynnott
Are you sure this isn't a router problem? A number of routers have an issue
where they occasionally drop their table of DHCP allocations and just start
again; this mostly only manifests when a new device connects.

------
circa
This will probably throw Ruckus for a loop -
[http://www.ruckuswireless.com/products/smart-wireless-servic...](http://www.ruckuswireless.com/products/smart-wireless-services/spot)

------
jonemo
I don't know if anyone does that, but if you are making your access point only
discoverable to known devices (i.e. known MAC addresses) then this would be a
problem, right?

~~~
rsynnott
I think that's rare enough now that strong encryption is readily available for
wireless, but yes, it would be a problem.

------
stove
Has anyone stopped to ask if this is confirmed/true? TechCrunch/Gizmodo/etc...
all picked up on this from Frederic's tweet but is a tweet really a definitive
news source? Apple has been historically taciturn about documenting these
things but does anyone have any more docs or sources for this issue?

------
rsync
Depressing that this is not done for OSX as well, but par for the course as
iOS remains the focus of apple.

------
elwell
RIP Density [0].

[0] - [http://www.density.io/](http://www.density.io/)

------
zaroth
I think this is a _feature_ for stores implementing WiFi tracking systems, not
a hindrance. If I own a store, I _really_ want to understand traffic patterns.
If I can do that without causing a privacy shitstorm, I think that's a
benefit.

~~~
nolite
You can't understand patterns from random data. Am I missing something you're
seeing?

~~~
jackcarter
They can still understand when anonymous shoppers arrive and when they leave.
However, I think zaroth is underestimating how much more useful it is to track
an individual shopper's visits over time.

~~~
nolite
If the devices now send a random address for each probe request, you can't
even do that anymore... all you'll have is a database full of single requests
for a ton of random MAC addresses.

------
Solok
I've got a new iPod touch that I've upgraded to the iOS 8 beta and I'm still
seeing probe requests with the real MAC address. I wonder if this feature
isn't turned on yet, or if it only works in certain conditions.

------
nitrogen
Is it randomized using Dual_EC_DRBG? Seriously though, it's something that
should have been done a long time ago, and for Bluetooth too. Hopefully no
iOS8 users get arrested for changing their MAC addresses.

------
cpeterso
Here is the bug requesting this feature in Firefox OS:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1022444](https://bugzilla.mozilla.org/show_bug.cgi?id=1022444)

------
savrajsingh
Princeton's guest network allows users to join for up to 3 days a month. I
guess this change will nullify that restriction. :)

~~~
Robadob
Once connected the devices will use their actual mac address (else how would
mac address filtering work with iphones?), so nothing will be different to
usual.

But generally yes changing a mac-address can avoid limitation restrictions
like this.

------
Scoundreller
Couldn't they just have my device spoof the first smartphone MAC that I see
inside the store? That would be a lot more fun.

------
benmarks
Great tech, but am I the only one who noticed "administrated"?

------
ashah
they also randomize bluetooth mac address fyi

------
snowplay
If only Yosemite would do the same.

~~~
bluedino
You can do it with spoofmac -
[http://feross.org/spoofmac/](http://feross.org/spoofmac/)

It should be easy to wrap some Applescript around it to make it automatic.

------
infra178
What about Bluetooth?

