# A Study of MAC Address Randomization in Mobile Devices and When it Fails

**Authors:** Jeremy Martin, Travis Mayberry, Collin Donahue, Lucas Foppe, Lamont Brown, Chadwick Riggins, Erik C. Rye, Dane Brown

arXiv: 1703.02874 · 2017-04-03

## TL;DR

This paper conducts a comprehensive analysis of MAC address randomization in mobile devices, revealing widespread flaws that can be exploited to track devices despite privacy protections.

## Contribution

It provides the first large-scale study of MAC address randomization, identifying specific implementation flaws and demonstrating effective tracking methods across various devices.

## Key findings

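- Many devices use randomization improperly, sending wireless frames with their true, global address when they should be using a randomized one
- Extended passive identification techniques (building on Vanhoef et al.) defeat randomization in ~96% of Android phones
- A previously unknown flaw in how wireless chipsets handle low-level control frames allows tracking 100% of devices using randomization, regardless of manufacturer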

## Abstract

MAC address randomization is a privacy technique whereby mobile devices rotate through random hardware addresses in order to prevent observers from singling out their traffic or physical location from other nearby devices. Adoption of this technology, however, has been sporadic and varied across device manufacturers. In this paper, we present the first wide-scale study of MAC address randomization in the wild, including a detailed breakdown of different randomization techniques by operating system, manufacturer, and model of device. We then identify multiple flaws in these implementations which can be exploited to defeat randomization as performed by existing devices. First, we show that devices commonly make improper use of randomization by sending wireless frames with the true, global address when they should be using a randomized address. We move on to extend the passive identification techniques of Vanhoef et al. to effectively defeat randomization in ~96% of Android phones. Finally, we show a method that can be used to track 100% of devices using randomization, regardless of manufacturer, by exploiting a previously unknown flaw in the way existing wireless chipsets handle low-level control frames.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1703.02874/full.md

## Figures

3 figures with captions in the complete paper: https://tomesphere.com/paper/1703.02874/full.md

## References

23 references — full list in the complete paper: https://tomesphere.com/paper/1703.02874/full.md

---
Source: https://tomesphere.com/paper/1703.02874