

iOS8 MAC Address Randomization Update - 0x0
http://blog.airtightnetworks.com/ios8-mac-randomgate/

======
gr2020
This article seems to do a better job explaining what's actually happening,
and contradicts the OP:

[http://www.imore.com/closer-look-ios-8s-mac-randomization](http://www.imore.com/closer-look-ios-8s-mac-randomization)

~~~
lstamour
For those tl;dr, what Nick's writing about here is that you don't need to turn
off cellular data or location services -- the requirement that the phone has to
be asleep is instead too restrictive, because your phone is rarely asleep for
long. (Those two settings let your phone sleep longer.)

> Unfortunately, the requirement of the phone being asleep makes this feature
> nearly useless, albeit within the description of what Apple advertised at
> WWDC. In order to get random MACs to be used I had to turn off notifications
> for multiple apps, turn off push email, and stay up late at night when there
> was a greater chance of my phone getting to sleep, uninterrupted, for more
> than a minute or two. Even under these circumstances, I would only encounter
> one or two rounds of probe beacons (which seem to go out every couple of
> minutes) with a random MAC before seeing my phone blast a bunch of probes
> with my real MAC. My best guess is this would happen when some process of
> push had woken the device up. With cellular data turned on, only about 50%
> of the probes I saw go out had a randomly assigned MAC.

But there's a worse problem, as mentioned in the last paragraph below from the
iMore article:

> Rendering this feature even more useless, when the probe requests went out
> with a random MAC, the probes contained SSIDs of 5 networks that the phone
> had previously connected to. This means even when my MAC is random, the
> SSIDs it's broadcasting can act as a fingerprint for my phone. My MAC can be
> different every time probes go out, but if it broadcasts the same set of 5
> network names every few minutes, it may still be possible for monitors to
> track my device.
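
The SSID-list leak described in the quoted passage can be checked in a capture of your own device's probe requests. The sketch below is an added example, not part of the thread or the linked articles; the capture records, MAC addresses and network names are constructed, and the function names are hypothetical. It assumes randomized addresses have the locally administered bit set, which is the usual convention.

```python
from collections import defaultdict

SAVED = ["HomeNet", "CoffeeBar", "Office-5G", "AirportFree", "HotelGuest"]

# Constructed sample: (source MAC, SSIDs named in that round of probe requests).
CAPTURE = [
    ("d6:11:22:33:44:55", SAVED),                  # random MAC, directed probes
    ("8a:9b:0c:1d:2e:3f", list(reversed(SAVED))),  # new random MAC, same networks
    ("00:00:5e:00:53:01", SAVED),                  # device awake: burned-in MAC
    ("f2:00:00:00:00:01", []),                     # wildcard probe, names no SSID
]

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def audit(capture):
    """Report burned-in MACs and SSID sets that tie several MACs together."""
    by_ssids = defaultdict(set)
    global_macs = set()
    for mac, ssids in capture:
        mac = mac.lower()
        if not is_locally_administered(mac):
            global_macs.add(mac)
        if ssids:  # a wildcard probe carries no saved-network names
            by_ssids[frozenset(ssids)].add(mac)
    linkable = {
        tuple(sorted(names)): sorted(macs)
        for names, macs in by_ssids.items()
        if len(macs) > 1  # same network list seen under different addresses
    }
    return {"global_macs": sorted(global_macs), "linkable": linkable}

if __name__ == "__main__":
    report = audit(CAPTURE)
    print("Burned-in MACs seen:", report["global_macs"])
    for names, macs in report["linkable"].items():
        print("SSID set", names, "links", macs)
```

In the constructed capture, the two random addresses and the burned-in one all share one SSID set, so the random MACs are linkable to each other and to the real address; only the wildcard probe leaks nothing.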

------
efields
Feels like a bug. Any technical reason why this wouldn't be doable with all
antennas firing?

~~~
scott_karana
No hardware reasons, and probably no software ones. :/

Wi-Fi MAC is unrelated to the IMEI of the phone. It's on a different chip, and
uses different antennae.

(Eg, you can browse over Wi-Fi while talking on your cell connection)

------
kefs
If anyone is looking for an Android equivalent, root required:

[https://play.google.com/store/apps/details?id=eu.chainfire.p...](https://play.google.com/store/apps/details?id=eu.chainfire.pryfi)

------
mmagin
I wonder if the MAC being fixed while cellular data is on has anything to do
with Hotspot 2.0 operation: [http://en.wikipedia.org/wiki/Hotspot_%28Wi-Fi%29#Hotspot_2.0](http://en.wikipedia.org/wiki/Hotspot_%28Wi-Fi%29#Hotspot_2.0)

------
ancarda
Isn't it easier to turn off Wi-Fi and Bluetooth?

~~~
sp332
With randomization, you can keep using wifi and bluetooth _and_ not be
tracked.

~~~
tkinom
If your BT MAC address is randomized, does it mean you have to re-associate
the BT HEADSET all the time?

What's the triggering event for a new randomized address for both BT and WIFI?
Reboot, screen on?

~~~
dsl
Randomization happens when probing for new wireless networks or bluetooth
devices. Existing connections use your actual mac.

~~~
tkinom
In that case, can they just design some equipment to sniff any existing
connections to correctly ID a repeat customer?

~~~
sp332
Bluetooth is fairly hard to sniff because it has encryption and frequency-
jumping built in. It can be done though, maybe with an UberTooth One or
similar. [http://ubertooth.blogspot.com/](http://ubertooth.blogspot.com/)

------
archagon
I can't help but see it from the other perspective: if I disable cellular data
and location services, I can randomize my MAC address on my iOS device?
Awesome! (As long as it works over Wi-Fi...)

~~~
lstamour
Well, that's just it. It was announced as, and should only work as, the
ability to scan for wifi hotspots using a random, untraceable MAC address.
This is because advertisers and other third-parties were beginning to use wifi
hotspots as passive ways of collecting unique IDs for devices (their MAC
addresses). So under this system, when it works, walking by a hotspot
shouldn't identify you to it if you don't auto connect, while actually
connecting would.

Edit: from their previous post:

In iPhone 5s, MAC randomization happens only under the following conditions:
Phone is in sleep mode (display off, not being used); Wi-Fi should be ON but
not associated ...

I would argue that the phone needing to be in sleep is also a bug. It should
"just work"... Ideally even when scanning for new networks while associated.

~~~
Someone1234
One of the use cases I've read about is retail shops would record all devices
within range (1 MAC = 1 user) and could get a good guesstimation of:

- How many customers currently in-store?

- How many are repeat customers?

- How often does [repeat customer] come in? List of dates and times.

- Manufacturer of their cellphone (e.g. Apple, Samsung, etc)?

Obviously this type of data collection has limitations (e.g. people without
cell phones, with WiFi disabled, etc). They also cannot likely tie purchases
to unique MACs (because cellphones scan infrequently, so detecting them as
they leave through a register is difficult/unlikely).

However they can somewhat work around these problems by harvesting additional
information from "apps" (e.g. install our app get a coupon!). The app grabs
the MAC and now they can tie that customer's shopping behaviour directly back
to the customer.

~~~
0x0
iOS apps are sandboxed away from reading the wifi mac since iOS7, by the way.

~~~
Someone1234
I wasn't aware of that. Unfortunately Android apps have no such restriction
[0] and don't require any special permissions [0]. That iOS 7 change is likely
along the same vein as Apple's addition of MAC randomisation: trying to
disrupt such tracking.

I'd wish Google to follow suit, but let's be frank: Tracking people is
Google's bread and butter. They're more likely to sell MAC addresses to
advertisers than they are to randomise or otherwise restrict access to them.

[0] [https://stackoverflow.com/questions/6064510/how-to-get-ip-ad...](https://stackoverflow.com/questions/6064510/how-to-get-ip-address-of-the-device/13007325#13007325)

~~~
scintill76
It does appear to require permissions, as documented in that answer.
Apparently it only needs INTERNET[0], which could qualify as "don't require
any special permissions" as you say. INTERNET is disappointingly broad.

[0] [https://stackoverflow.com/questions/16127263/networkinterfac...](https://stackoverflow.com/questions/16127263/networkinterface-getnetworkinterfaces-throws-exception-with-null-message-strin)

------
sl1e
So randomization means one different address for each association, or random
throughout the association?

~~~
0x0
I think it was only supposed to be random when not associated at all (only
during probing)

------
KerryStill
It really doesn't matter what they come up with! Android is leading it all the
way.

~~~
hellbanner
This was downvoted but I feel this is an important counter-argument (open
source vs closed systems), even if not articulated well.

