Android random MAC: Game over for WiFi analytics companies?
Android 6.0 may cause problems for WiFi Analytics companies. According to the official Android 6.0 Changes, the MAC address of Android Phones that run Marshmallow (Android 6.0) will be randomized. This will be a problem for applications that relay on capturing MAC addresses from WiFi packets like probe requests to identify smartphones. With this change android is following Apples iOS which introduces mac address randomization in iOS 8. That was 2014, and it caused a lot of trouble of the WiFi analytics companies. Apples market share on this time in middle Europe was about 25%. In 2-3 Years the majority of used android devices will run android 6. I would say that is time enough to change the business strategy.
Also Apps that used the MAC address as identifier need to say “Good Bye” to the method because in Android 6.0 you can not get mac address programmatically.
Note: When a device running Android 6.0 (API level 23) initiates a background Wi-Fi or Bluetooth scan, the operation is visible to external devices as originating from a randomized MAC address.
tcpdump -I -e -i en1 -s 256 type mgt subtype probe-req
3538260410us tsft 1.0 Mb/s 2452 MHz 11g -48dB signal -91dB noise antenna 0 BSSID:Broadcast DA:Broadcast SA:c0:ee:fb:xx:xx:xx (oui Unknown) Probe Request (I love Chicken) [1.0 2.0 5.5 11.0 Mbit]
Experiment 2 – Phone is searching for a WiFi network:
tcpdump -I -e -i en1 -s 256 type mgt subtype probe-req | grep c0:ee:fb:xx:xx:xx
Result:
61637532us tsft 1.0 Mb/s 2452 MHz 11g -56dB signal -91dB noise antenna 0 BSSID:Broadcast DA:Broadcast SA:c0:ee:fb:xx:xx:xx (oui Unknown) Probe Request () [1.0 2.0 5.5 11.0 Mbit]
Even though the note says that a device running Android 6.0 (API level 23) will send a randomized MAC address, I could capture a probe request that included my phones mac address. That good news for the WiFi analytics business but a bit confusing for us. The expectation was not fulfilled. Maybe one can observe the randomize MAC behaviour only on Google Phones ? What do you think…
Posted on March 4, 2016, in Uncategorized. Bookmark the permalink. 12 Comments.
a guy, named urban jack 
In my network I recently saw several randomized probe requests from a Google Phone (vendor: DA-A1-19). So probably you are right that this is only implemented on Google phones.
I’ve seen it happen from several non-Google Android phones: an LG G4, a Huawei phone (unknown model), and a OnePlus phone (unknown model).
Interestingly, on two LG G4 phones running the same version of Android, down to the same build number, one will randomise MACs for background scans but the other won’t.
On iOS random Mac addresses were locally administered address. (a nice illustration can be found here: https://en.wikipedia.org/wiki/MAC_address).
So either they randomize only the 2nd half of the mac and keep the vendor …or it’s just many devices.
Would be cool to hear if you find out more.
I think the randomization is mostly for the “Location services” aspect. If location detection is on, without the randomization, the phone will repeatedly send out it’s actual WiFi MAC address to get “hidden” APs to respond. So, for instance, a store could log all the MAC addresses it sees, and over time build a good database that links MAC addr A to person B.
(this is my understanding of why Apple made the change)
However, things would get messed up sometimes if the MAC address were constantly randomized. For example, our University wireless network uses the MAC address to identify computers and allow them open access. (not a very secure solution, but we’ve been doing it years and it hasn’t been a big enough problem to change – the first time you use a wifi device on the net, you use other credentials to register it – I suppose 99% of the people using the system don’t know what a MAC is). And some people will lock down their home wifi to only allow connections from certain MACs, if an Android 6 device keeps changing the MAC that would break their system.
You’re correct that if a MAC address were constantly randomised, it would cause issues with wireless networks. However, the majority of vendors implementing MAC randomisation don’t actually randomise the MAC for the connection — just for background scanning / probe requests.
This of course means that you can leak somebody’s real MAC if they’re connected to a wireless network by looking at the MACs on the data packets; if you’re a shopping centre looking for analytics on your customers you can even take it a step further by providing free wireless internet, thus knowing where connected customers are (in relation to your access points, at least).
I believe Windows 10 randomises MACs through generating an entirely random MAC address and even using that for the connection — but it’s randomly generated per SSID, which means in that case of your uni wireless network being called “UniWifi” or whatever, it would have a consistent (albiet random) MAC whenever connecting.
I’ve seen this MAC randomisation happening on Android; it only happens during background scans, and so in a normal use case you’ll be seeing a lot of the non-randomised MAC for a given device alongside randomised ones.
I’m not sure if I can post a picture/link here, but here’s some nice data I gathered of my LG G4 phone sending out probe requests: http://i.imgur.com/rQE7Abz.png
It shows that I collected 821 probe requests from my phone’s original MAC between 11:10 and 16:29, but also bursts of probe requests from clearly-randomised da:a1:19:xx:xx:xx MACs too.
Hey is this a software you are using. Please let me know how to record & keep this log.
Hi,
I’m doing research on MAC address randomization. Do you have a capture file of these probe requests using random MAC addresses? That would be very helpful
Thanks,
MAC address randomisation indeed must not be used when actually establishing a connection because (for example) the IP address assigned by DHCP might depend on the MAC address. On my private wifi network the WPA2-PSK (wifi password) is even different for each device, so my phone wouldn’t even be able to connect if it tried with a MAC address other than its own.
You might be interested to know that the vast majority of Androids are not “implementing MAC address randomization ” http://www.theregister.co.uk/2017/03/10/mac_address_randomization/
And Apple screwed themselves in ios 10 from doing a better job previously.
so… does it already happen? I’d like to know all of android mobiles are using implementing MAC address randomization as we speak.
@jang. Partly. People are clever enough to dont switch it on or put it in trash cause there
wifi connection is instable.
Be happy if you dont have a randomization device.
Cause a) they disturb wifi network by sending much more probe request than usual phones b) drains battery c) sends out wifi networks password in plaintext (probe request dont only contain SSID, it contains to passwords).
Its pretty useless too, you can identify devices by the SSID (MyRouterName)/ MyRouterPassword and the Framenumber that it sends out.
There is no reason for the wifi function to send out packets before a known wifi is in range, thats a design error.