
Shielding MAC addresses from stalkers is hard and Android fails miserably at it

Only an estimated 6% of Android phones randomize MACs, and they do it poorly.

In early 2015, architects of Google's Android mobile operating system introduced a new feature that was intended to curtail the real-time tracking of smartphones as their users traversed retail stores, city streets, and just about anywhere else. A recently published research paper found that the measure remains missing on the vast majority of Android phones and is easily defeated on the relatively small number of devices that do support it.

Like all Wi-Fi-enabled devices, smartphones are constantly scanning their surroundings for available access points, and with each probe, they send a MAC—short for media access control—address associated with the handset. Throughout most of the history of Wi-Fi, the free exchange of MAC addresses didn't pose much threat to privacy. That all changed with the advent of mobile computing. Suddenly MAC addresses left a never-ending series of digital footprints that revealed a dizzying array of information about our comings and goings, including what time we left the bar last night, how many times we were there in the past month, the time we leave for work each day, and the route we take to get there.

Eventually, engineers at Apple and Google realized the potential for abuse and took action. Their solution was to rotate through a sequence of regularly changing pseudo-random addresses when casually probing nearby access points. That way, Wi-Fi devices that logged MAC addresses wouldn't be able to correlate probes to a unique device. Only when a phone actually connected to a Wi-Fi network would it reveal the unique MAC address it was tied to. Apple introduced MAC address randomization in June 2014, with the release of iOS 8. A few months later, Google's Android operating system added experimental support for the measure. Full implementation went live in March 2015 and is available in versions 5.0 through 7.1, the current release; those versions account for about two-thirds of the Android user base.

Newly published research, however, has found Android's MAC randomization to be largely absent. Of the roughly 960,000 Android devices that were scanned over a two-year period, fewer than 60,000 of them—and very possibly as few as 30,000 of them—randomized their addresses, even when running OS versions that supported the feature. (The researchers know only that they received about 60,000 randomized MAC addresses from Android phones. They presume that in at least some cases, two or more of the randomized addresses belonged to the same phone.) Equally alarming, of the six percent of Android phones the researchers saw providing randomization, virtually all of them periodically sent out probes using their unique MAC address, a flaw that largely rendered the measure useless. The only model the researchers found to do randomization correctly was the Cat S60. In sharp contrast, virtually all of the iOS devices observed by the researchers provided robust randomization.

False sense of security


Travis Mayberry, a professor at the US Naval Academy and one of the authors of the paper, wrote in an e-mail:

"Our research contains two important results for the average user: 1) it turns out that most Android phones simply do not have this technology enabled, despite the fact that they are running new versions of the operating system that should allow for it and 2) there are many weaknesses in the way randomization is implemented that make it easy to circumvent. This leaves people with a false sense of security because they think this technology is protecting them from tracking when actually it is not."

The biggest problem with phones that have randomization enabled is that with the exception of the Cat S60, they regularly reveal their hardware MAC address even when they're not associated with the access point they're communicating with. It's not clear why this happens. In a paper titled "A Study of MAC Address Randomization in Mobile Devices and When it Fails," the researchers wrote:

"In our lab environment we observed that in addition to periodic global MAC addressed probe requests, we were able to force the transmission of additional such probes for all Android devices. First, anytime the user simply turned on the screen, a set of global probe requests were transmitted. An active user, in effect, renders randomization moot, eliminating the privacy countermeasure altogether. Second, if the phone received a call, regardless of whether the user answers the call, global probe requests are transmitted. While it may not always be practical for an attacker to actively stimulate the phone in this manner, it is unfortunate and disconcerting that device activity unrelated to WiFi causes unexpected consequences for user privacy."

The researchers said that probes advertising the hardware MAC address can be sent even when Wi-Fi is turned off, for instance when Wi-Fi-based location scanning is enabled in the device's settings.

Even when Android devices aren't showing their global MAC address, the researchers found other ways to identify individual phones. One of the most effective methods is to fingerprint probe requests based on what are known as "information elements" that are included in addition to the randomized MAC address. These elements are used to advertise various attributes of a phone and are generally used to implement extensions and special features to run on top of the standard Wi-Fi protocol.

Since every model of phone has unique capabilities, the combination of these tags creates a unique signature that can single out the phone from a group of phones, even when it's using random MAC addresses. Even though the MAC address changes, the tags stay the same. The researchers said they borrowed the fingerprinting technique from earlier research but also went on to refine it. In their paper, they wrote:

"We observe that most Android devices use different signatures when randomizing compared to when using a global MAC address. As such, previously described signature-based tracking methods fail to correlate the addresses. Using our decomposition of Android randomization schemes, and the derived knowledge of how distinct bins of devices behave, we properly pair the signatures of probe requests using global and randomized MAC addresses. Only by combining these signatures are we able to accurately and efficiently retrieve the global MAC address."

The researchers said the refined fingerprinting technique defeats randomization in 96 percent of Android phones that have the privacy feature implemented.

Other ways to defeat Android randomization include what's known as a Karma attack, in which an attacker's access point uses the same SSID as one belonging to a Wi-Fi network that a target phone is set up to automatically connect to. Because randomization stops as soon as a device connects to an access point, the attacker is able to obtain the phone's global MAC address. Attackers have long been known to exploit this weakness by giving access points names such as attwifi, xfinitywifi, or starbucks that many phones automatically connect to whenever the networks are available. In many cases, the attack is made worse by carriers or manufacturers that automatically preconfigure phones to connect to certain access points, the researchers said.

iOS randomization not completely safe, either


A final anti-randomization technique is notable because it works against both Android and iOS devices. It involves sending a Wi-Fi control message known as a request-to-send (RTS) frame. Attackers who want to know if one or more known phones are within range can send an RTS frame to their global MAC address. The technique can also be used to brute force MAC addresses an attacker has never seen before by sending frames to different addresses and watching for responses from nearby devices.

The researchers said that RTS frame attacks work against all models, manufacturers, and OSes because of a flaw in the way Wi-Fi chips handle low-level control messages. As a result, the flaw won't be easy for Apple or Google to fix. As universal and long-lasting as this bypass is, it comes with a distinct disadvantage: it requires the attacker to actively send messages to the targeted devices. Unlike the passive attacks mentioned above, active techniques leave attackers open to being caught.

The researchers observed a second randomization imperfection that also affected both Android and iOS phones. All the devices they saw using randomization used incremental sequence numbers for their probe requests. If a device changed its MAC address five times, for example, the researchers would see the sequence numbers keep counting across the changes, say from 1234 to 1235 to 1236 to 1237 and finally to 1238. There are only 4,096 possible sequence numbers, a limitation that with enough devices will cause numbers to "collide" with each other. That can diminish the effectiveness of the attack, but even then the researchers often could track a phone while it was changing its MAC address simply by looking at the numbers. The researchers said the flaw would be hard to fix without a major overhaul of the Wi-Fi protocol.
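The two flaws above (a randomizing phone that periodically sends probes from its hardware MAC, and sequence numbers that keep counting across an address rotation) are both things an administrator can check for in captures of their own devices. The following audit script is an added example written for this article; it is not the researchers' tooling and not code from the paper. It works on a constructed list of probe-request records (timestamp, source MAC, 802.11 sequence number) rather than a live capture, and it assumes that a randomized address can be recognised by the locally administered (U/L) bit, 0x02 in the first octet, which is how IEEE 802 addressing marks non-hardware addresses; the article itself does not describe that bit. The `label` field is constructed ground truth used only to show that the chains the script builds really do correspond to single devices.

```python
"""Audit probe-request captures for the two randomization flaws described above.

Added example (not from the article or the paper). Input records are constructed
inline; in practice they would come from a monitor-mode capture of your own devices.
"""
from dataclasses import dataclass

SEQ_MODULO = 4096  # 802.11 sequence numbers are 12 bits, so 0..4095 then wrap


@dataclass
class Probe:
    t: float     # capture time in seconds (constructed)
    mac: str     # source address of the probe request
    seq: int     # 802.11 sequence number carried by the frame
    label: str   # constructed ground-truth device id, used only for checking


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set, i.e. a randomized address.

    Assumption: randomized MACs are marked locally administered, as IEEE 802 requires
    for addresses that are not burned-in hardware addresses.
    """
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def link_by_sequence(probes, max_gap=8, max_seconds=60.0):
    """Chain probes whose sequence numbers continue each other, ignoring the MAC.

    A probe joins the first chain whose last sequence number it follows within
    `max_gap` (modulo 4096) and `max_seconds`. With many devices in range the 12-bit
    counter collides, which is the limitation the article mentions; the small gap and
    time window reduce, but do not eliminate, mis-linking.
    """
    chains = []
    for p in sorted(probes, key=lambda x: x.t):
        for chain in chains:
            last = chain[-1]
            gap = (p.seq - last.seq) % SEQ_MODULO
            if 0 < gap <= max_gap and p.t - last.t <= max_seconds:
                chain.append(p)
                break
        else:
            chains.append([p])
    return chains


def audit(probes):
    """Report, per linked chain, whether the device randomizes, leaks a global MAC,
    and whether its probes could be linked across an address change."""
    findings = []
    for chain in link_by_sequence(probes):
        macs = []
        for p in chain:
            if p.mac not in macs:
                macs.append(p.mac)
        randomized = [m for m in macs if is_locally_administered(m)]
        global_macs = [m for m in macs if not is_locally_administered(m)]
        findings.append({
            "devices": sorted({p.label for p in chain}),
            "macs": macs,
            "randomizes": bool(randomized),
            # the Android flaw: randomized probes interleaved with hardware-MAC probes
            "leaks_global": bool(randomized) and bool(global_macs),
            # the shared Android/iOS flaw: one sequence chain spans several addresses
            "linkable_across_rotation": len(macs) > 1,
        })
    return findings


# Constructed sample capture: A randomizes but leaks its global MAC once (as most
# Android models did), B randomizes cleanly (iOS-like) but keeps counting across the
# rotation, C never randomizes at all.
SAMPLE_PROBES = [
    Probe(0.0, "da:a1:19:0c:3e:01", 1234, "A"),
    Probe(1.0, "66:0f:aa:bb:cc:01", 4094, "B"),
    Probe(2.0, "f0:25:b7:01:02:03", 500, "C"),
    Probe(5.0, "da:a1:19:0c:3e:01", 1235, "A"),
    Probe(7.0, "66:0f:aa:bb:cc:01", 4095, "B"),
    Probe(9.0, "f0:25:b7:01:02:03", 501, "C"),
    Probe(12.0, "1e:7b:c4:55:90:22", 1236, "A"),   # A rotates its random MAC
    Probe(15.0, "4a:90:12:34:56:78", 0, "B"),      # B rotates; counter wraps 4095 -> 0
    Probe(20.0, "ac:37:43:00:11:22", 1237, "A"),   # A leaks a global (U/L bit clear) MAC
    Probe(22.0, "4a:90:12:34:56:78", 1, "B"),
    Probe(25.0, "1e:7b:c4:55:90:22", 1238, "A"),
]


def run_audit():
    return audit(SAMPLE_PROBES)


if __name__ == "__main__":
    for f in run_audit():
        print(f)
```

Each finding lists the addresses that were chained together and three flags. `leaks_global` is the Android failure the article describes, `linkable_across_rotation` is the sequence-number weakness that affects iOS as well, and a device whose probes never chain across more than one address and never set the U/L bit simply isn't randomizing. On a real capture the ground-truth labels are not available, so a chain that mixes several devices will show up as spurious linking; that is the collision effect the researchers noted, and it grows with the number of devices in range.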

The findings are based on more than 2.6 million distinct MAC addresses the researchers collected from January 2015 through December 2016. About half of the addresses were global ones linked to the hardware of the device. The other half were random, and because a single device may display many different local addresses, it's presumed that the random addresses belonged to a much smaller number of handsets. The researchers saw very few devices running Microsoft's Windows Phone OS in their traffic capture. It's possible that Windows Phone devices are included in a list of phones of unknown models that provided randomization. The two Windows phones that the researchers manually inspected didn't do randomization.

All the Google-branded Android phones—including the Nexus 5X, Nexus 6, Nexus 6P, Nexus 9, Pixel—provide randomization. The full list of Android phones observed in the collected probes that randomize MAC addresses is:

BlackBerry STV100-1
BlackBerry STV100-2
BlackBerry STV100-3
BlackBerry STV100-4
Google Pixel C
Google Pixel XL
HTC HTC 2PS650
HTC Nexus 9
Huawei EVA-AL00
Huawei EVA-AL10
Huawei EVA-DL00
Huawei EVA-L09
Huawei EVA-L19
Huawei KNT-AL20
Huawei Nexus 6P
Huawei NXT-AL10
Huawei NXT-L09
Huawei NXT-L29
Huawei VIE-AL10
LGE LG-H811
Sony 402SO
Sony 501SO
Sony E5803
Sony E5823
Sony E6533
Sony E6553
Sony E6603
Sony E6633
Sony E6653
Sony E6683
Sony E6853
Sony E6883
Sony F5121
Sony F5321
Sony SGP712
Sony SGP771
Sony SO-01H
Sony SO-02H
Sony SO-03G
Sony SO-03H
Sony SO-05G
Sony SOV31
Sony SOV32

Again, readers should remember that with the exception of the Cat S60, even the Android phones that did provide randomization suffered from flaws that largely rendered the protection meaningless. The takeaway of the findings is that the vast majority of Android users should assume their devices are probably leaving behind a trail of unique breadcrumbs any time they're turned on. That means with only a small amount of work it's possible for someone to prove an Android user was in a given vicinity at a given time. People who truly don't want to be tracked should use an iPhone or, better yet, turn off their devices when they don't want to leak information about their location or movements.

https://arstechnica.com/security/2017/03/shielding-mac-addresses-from-stalkers-is-hard-android-is-failing-miserably/
