• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Qilin ransomware claimed responsibility for the attack on the beer giant Asahi

 | 

DragonForce, LockBit, and Qilin, a new triad aims to dominate the ransomware landscape

 | 

DraftKings thwarts credential stuffing attack, but urges password reset and MFA

 | 

Redis patches 13-Year-Old Lua flaw enabling Remote Code Execution

 | 

U.S. CISA adds Synacor Zimbra Collaboration Suite (ZCS) flaw to its Known Exploited Vulnerabilities catalog

 | 

GoAnywhere MFT zero-day used by Storm-1175 in Medusa ransomware campaigns

 | 

CrowdStrike ties Oracle EBS RCE (CVE-2025-61882) to Cl0p attacks began Aug 9, 2025

 | 

Discord discloses third-party breach affecting customer support data

 | 

Oracle patches critical E-Business Suite flaw exploited by Cl0p hackers

 | 

LinkedIn sues ProAPIs for $15K/Month LinkedIn data scraping scheme

 | 

Zimbra users targeted in zero-day exploit using iCalendar attachments

 | 

Reading the ENISA Threat Landscape 2025 report

 | 

Ghost in the Cloud: Weaponizing AWS X-Ray for Command & Control

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 65

 | 

Security Affairs newsletter Round 544 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

GreyNoise detects 500% surge in scans targeting Palo Alto Networks portals

 | 

U.S. CISA adds Smartbedded Meteobridge, Samsung, Juniper ScreenOS, Jenkins, and GNU Bash flaws to its Known Exploited Vulnerabilities catalog

 | 

ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims

 | 

ProSpy, ToSpy malware pose as Signal and ToTok to steal data in UAE

 | 

Google warns of Cl0p extortion campaign against Oracle E-Business users

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Uncategorized
  • Flaws in MAC address randomization implemented by vendors allow mobile tracking

Flaws in MAC address randomization implemented by vendors allow mobile tracking

Pierluigi Paganini March 12, 2017

Researchers devised a new attack method that can be leveraged to track mobile devices that rely on MAC address randomization mechanism.

The MAC address is a unique and an hardcoded identifier assigned to a device’s network interface. This characteristic makes it an excellent tool for the tracking of the devices. A group of researchers from the U.S. Naval Academy has devised a new attack method that can be leveraged to track mobile devices that rely on Media Access Control (MAC) address randomization mechanism used to protect the users’ privacy.

The MAC address randomization uses broadcasting a random Wi-Fi MAC address making difficult the monitoring of the MAC address.

Starting from a previous research, the researchers have demonstrated that MAC address randomization is not sufficient to protect the users.

The MAC address randomization was introduced by Google for Android devices in 2015 with the release of Android 6 Marshmallow.

The experts discovered that many device manufacturers that use Android, including Samsung, have not enabled MAC address randomization.

Apple introduced the feature in mid-2014 with the release of iOS 8, but experts found that iOS 10 makes it easy to identify and track devices regardless of their use of MAC address randomization.

U.S. Naval Academy researchers identified serious flaws in a majority of the Android implementations of MAC randomization, allowing them to break the protection in the case of roughly 96 percent of mobile devices they have tested.

“First, we show that devices commonly make improper use of randomization by sending wireless frames with the true, global address when they should be using a randomized address.” reads the paper published by the experts.

“We move on to extend the passive identification techniques of Vanhoef et al. to effectively defeat randomization in ∼96% of Android phones. Finally, we show a method that can be used to track 100% of devices using randomization, regardless of manufacturer, by exploiting a previously unknown flaw in the way existing wireless chipsets handle low-level control frames.”

The experts also analyzed so-called Karma attacks, a method that leverages on rogue access points (EvilAP attack) that pose as known and trusted networks.

They researchers devised a new method that relies on Request-to-Send (RTS) and Clear-to-Send (CTS) control frames to expose the global MAC address for any kind of device.

According to the IEEE 802.11 specification, the RTS and CTS control frames are used to avoid collisions, basically every time a node using the channel to send data, it transmits also an RTS frame to inform other nodes that the channel should not be used in order to avoid collisions. time a node in using the channel to send data, it transmits also an RTS frame to inform other nodes that the channel should not be used in order to avoid collisions. time a node in. time a node in

The recipient node responds with a CTS frame when it is ready to receive data.

The knowledge of this mechanism could be exploited by attackers that can send an RTS frame to IEEE 802.11 client devices, then analyzing the CTS response it can derive the global MAC address of the target. Once obtained the global MAC address, the attacker can use it to track the target device in the future by sending it RTS frames containing the global MAC.

The group of expert successfully tested the technique on several models from multiple vendors, including iPhone 5s, iPhone 6s, iPad Air, Google Pixel, LG Nexus 5X, LG G4 and G5, Motorola Nexus 6, Moto Z Play and OnePlus 3.

MAC address randomization flaws

Experts speculate RTS/CTS responses are managed within the 802.11 chipset, instead of the operating system, this means the only way to prevent the attacks is to develope a firmware patch that have to be distributed by manufactures.

“There are multiple scenarios in which a motivated attacker could use this method to violate the privacy of an unsuspecting user. If the global MAC address for a user is ever known, it can then be added to a database for future tracking,” added the researchers. “Conceivably, an adversary with a sufficiently large database and advanced transmission capabilities could render randomization protections moot.”

The experts highlighted the importance to adopt a universal randomization policy with clear requirements for the implementation of the protection mechanism.

“We propose the following best practices for MAC address randomization. Firstly, mandate a universal randomization policy to be used across the spectra of 802.11 client devices. We have illustrated that when vendors implement unique MAC address randomization schemes it becomes easier to identify and track those devices.” concluded the experts. “A universal policy must include at minimum, rules for randomized MAC address byte structure, 802.11 IE usage, and sequence number behavior,” 

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – MAC address randomization, hacking)


facebook linkedin twitter

Android iOS Mac MAC address randomization privacy surveillance tracking

you might also like

Pierluigi Paganini September 30, 2025
Broadcom patches VMware Zero-Day actively exploited by UNC5174
Read more
Pierluigi Paganini September 29, 2025
Despite Russian influence, Moldova votes Pro-EU, highlighting future election risks
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Qilin ransomware claimed responsibility for the attack on the beer giant Asahi

    Cyber Crime / October 08, 2025

    DragonForce, LockBit, and Qilin, a new triad aims to dominate the ransomware landscape

    Cyber Crime / October 08, 2025

    DraftKings thwarts credential stuffing attack, but urges password reset and MFA

    Security / October 08, 2025

    Redis patches 13-Year-Old Lua flaw enabling Remote Code Execution

    Security / October 08, 2025

    U.S. CISA adds Synacor Zimbra Collaboration Suite (ZCS) flaw to its Known Exploited Vulnerabilities catalog

    Hacking / October 07, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT