WiFi MAC Randomization

The article gives a detailed introduction to MAC address randomization for WiFi devices, a technique for protecting a device from being tracked. During the scanning and association phases a device can generate different random MAC addresses, which prevents its real MAC from being used for location tracking and data analytics. Different vendors may implement different randomization strategies, including keeping the same OUI or fully randomizing the address. The article also discusses the effect of MAC randomization on Hotspot 2.0 ANQP queries and how these features depend on the vendor implementation.

WiFi MAC Randomization – Praneeth's Blog

Before we learn about this feature, let us see what a MAC address looks like. Most of us already know this, so I am just showing it in the figure below.

Figure 1 : MAC Address Format

A MAC address consists of 6 bytes in total. The first 3 bytes are the Organizationally Unique Identifier (OUI), which identifies the manufacturer of the device; the next 3 bytes are NIC specific and uniquely identify the device within that OUI.

Now we will learn about this feature and look at sniffer captures for different MAC randomization settings.

Before we get into WiFi MAC randomization, we will first check the locally administered MAC address range that devices will use when they generate random MAC addresses. Any device that generates a random MAC address should set the locally administered (U/L) bit, which is bit 1 (the second least significant bit) of the first octet, and should leave the individual/group (I/G) bit, bit 0 of the first octet, clear so that the address stays a unicast address.

Locally Administered MAC Addresses

There are 4 ranges of locally administered addresses that can be used (the first octet is what matters):
x2-xx-xx-xx-xx-xx
x6-xx-xx-xx-xx-xx
xA-xx-xx-xx-xx-xx
xE-xx-xx-xx-xx-xx
Where x can be any hex value. In all four, the low nibble of the first octet has the U/L bit (value 2) set and the I/G bit (value 1) clear, which is why the second hex digit is always 2, 6, A or E.
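To make those bit positions concrete, here is a small Python helper, added to this write-up and not part of the original post or of wpa_supplicant, that classifies an address by the U/L and I/G bits, derives the four first-octet patterns above from the bit definitions rather than from a table, and generates a fully random locally administered unicast MAC. The sample addresses in the demo are the ones that appear later in this post (the real MAC of the test device, one of the wpa_supplicant-generated addresses, and the non-locally-administered address used in the last test).

```python
"""Locally administered vs. globally administered MAC addresses, at bit level.

Added example for this write-up (not code from the original post or from
wpa_supplicant).  The sample addresses are the ones that appear in the post.
"""
import secrets

UL_BIT = 0x02  # universal/local bit: bit 1 of the first octet, 1 = locally administered
IG_BIT = 0x01  # individual/group bit: bit 0 of the first octet, 1 = multicast/group


def parse_mac(mac):
    """Accept 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' and return 6 bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return raw


def format_mac(raw):
    return ":".join("%02x" % b for b in raw)


def is_locally_administered(mac):
    return bool(parse_mac(mac)[0] & UL_BIT)


def is_multicast(mac):
    return bool(parse_mac(mac)[0] & IG_BIT)


def classify(mac):
    """Human-readable class, e.g. 'locally administered unicast'."""
    first = parse_mac(mac)[0]
    admin = "locally administered" if first & UL_BIT else "globally administered"
    scope = "group" if first & IG_BIT else "unicast"
    return admin + " " + scope


def locally_administered_unicast_first_octets():
    """Every first-octet value a random unicast MAC may use: U/L set, I/G clear.
    Derived from the bit definitions; the low nibble is always 2, 6, A or E."""
    return [b for b in range(256) if (b & UL_BIT) and not (b & IG_BIT)]


def random_la_mac():
    """Fully random MAC: 6 random bytes, then force U/L = 1 and I/G = 0."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | UL_BIT) & 0xFE
    return format_mac(raw)


if __name__ == "__main__":
    nibbles = sorted({"x%X" % (b & 0x0F) for b in locally_administered_unicast_first_octets()})
    print("first-octet patterns:", nibbles)          # ['x2', 'x6', 'xA', 'xE']
    for m in ("e8:de:27:a9:94:fb",   # real MAC of the device in this post
              "ea:de:27:66:8f:ed",   # random MAC wpa_supplicant generated, OUI kept
              "1c:e4:56:34:de:de"):  # the address used in the last test of the post
        print(m, "->", classify(m))
    print("fresh random MAC:", random_la_mac())
```

Running it prints the four patterns, shows that the real MAC and the 1c:e4:56 address are globally administered while the ea:de:27 one is locally administered, and prints a fresh random address that passes its own checks.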

I have used wpa_supplicant to test these scenarios, and this post refers to the random MAC implementation in wpa_supplicant.

MAC randomization is a technique that protects WiFi-enabled devices from being tracked. If this feature is enabled, the device will not show its real MAC over the air; all MAC layer operations happen with the random MAC.

Some places, for example shopping malls, stores, or other public areas, might use the unique MAC address to track visitor movement in that area. Frequently changing a device's MAC address breaks this kind of location tracking and the data analytics built on it.

Some devices generate a different random MAC each time the random MAC lifetime expires during the scanning phase, and generate a different MAC every time they connect to an AP. Other devices generate the same random MAC every time they connect to the same SSID.

There are multiple settings that come with MAC randomization, and the implementation depends on the vendor. But the idea is always the same: do not expose the real MAC.

There are three different ways that MAC randomization can happen:

  1. MAC Randomization at Scanning Phase
  2. MAC Randomization at Association Phase
  3. MAC Randomization at Scanning+Association

MAC Randomization at Scanning Phase

In the scanning phase (active scanning, where the station transmits probe requests and so exposes a source address) there are multiple ways vendors implement MAC randomization:

  1. Maintain Real MAC for Scanning
  2. Maintain Random MAC for Scanning [Locally Administered MAC Address]
  3. Maintain Random MAC for scanning, but still maintain the same OUI [But locally Administered]

1. Maintain Real MAC for Scanning

There is nothing new with this one, because the real MAC is used for scanning.

2. Maintain Random MAC for Scanning [Locally Administered MAC]

Here scanning happens with a generated random MAC for the lifetime of that MAC. Once the lifetime of a random MAC expires, a new random MAC is generated. The new random MAC should again come from the locally administered address space.

Default Random MAC life time

60 seconds is the default random MAC lifetime. It can be changed according to the vendor's requirement. In the sniffer captures the timing may vary, because the probes are not sent at exactly 60 seconds; you will still see the MAC address change.

Observe the sniffer capture below for this scenario. You have to capture the required probes properly; in an RF chamber you can identify the frames easily. If you are doing it in open air, note the interface address as it changes (using ifconfig) and then analyze the over-the-air packets against those addresses.

Figure 2 : Random MAC gets generated every 60 seconds

3. Maintain Random MAC for scanning, but still maintain the same OUI [Locally Administered MAC]

This is similar to the one above; the only difference is that the OUI is kept and only the NIC-specific part is changed. Observe the capture below for this scenario (I have filtered only the required frames). The real OUI of my device is "e8:de:27", but in the sniffer you can observe that the OUI shown comes from the locally administered address space.

The OUI of the random MAC that wpa_supplicant generated is "ea:de:27".

The real MAC of the device is "e8:de:27:a9:94:fb".

When the OUI is maintained, the supplicant only changes the first octet of the OUI so that the address becomes locally administered: it sets the U/L bit, which turns e8 into ea.

So the generated random MAC is "ea:de:27:66:8f:ed".

Figure 3 : Random MAC every 60 seconds in the scanning phase, but still maintaining the same OUI

So far we have seen MAC randomization in the discovery phase; now we will look at MAC randomization during association.

MAC Randomization at Association Phase

At the time of association, there are multiple ways vendors implement MAC randomization.

My device's real WiFi MAC address is given below for reference:

e8:de:27:a9:94:fb

  1. Maintain Real MAC for Association
  2. Maintain Random MAC for Association [Locally Administered MAC Address]
  3. Maintain Random MAC for Association, but still maintain the same OUI [Locally Administered MAC Address]

1. Maintain Real MAC for Association

There is nothing new with this one, because the real MAC is used for association. This is how it always used to be implemented.

2. Maintain Random MAC for Association [Locally Administered MAC]

Here the vendor uses a random MAC for association instead of the real MAC.

Observe the capture below and check that a random MAC is used for association, and that the address lies within the locally administered address space.

Figure 4 : Observe Random MAC for Association Request

3. Maintain Random MAC for Association, but still maintain the same OUI [Locally Administered MAC]

Here the association happens with a random MAC, but the OUI is maintained; only the first octet is modified so that the address is locally administered.

Here the real MAC address of my device is "e8:de:27:a9:94:fb". The generated random MAC address is ea:de:27:a9:94:fb [the first octet is locally administered]. Note that, as written, this address differs from the real MAC only in the U/L bit: the NIC-specific octets a9:94:fb are unchanged, so anyone who clears that one bit gets the real MAC back. An implementation that keeps the OUI should still replace the last three octets, as in the scanning example above (ea:de:27:66:8f:ed); check your own captures for this.
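Here is what "maintain the OUI" means in bits, as an added Python example (my own illustration, not the post's captures or wpa_supplicant's code): the U/L bit is set in the first octet, the other two OUI octets are untouched, and the three NIC-specific octets are replaced with fresh random bytes. It also shows the two things a practitioner should keep in mind about this mode: clearing the U/L bit hands an observer the real, vendor-assigned OUI (the device is hidden, the manufacturer is not), and an address that differs from the real MAC only in that bit hides nothing at all.

```python
"""'Random MAC but keep the OUI', in bits.

Added example (my illustration, not the post's captures or wpa_supplicant code).
"""
import secrets

UL_BIT = 0x02


def parse_mac(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def format_mac(raw):
    return ":".join("%02x" % b for b in raw)


def random_mac_keep_oui(real_mac):
    """Set the U/L bit in the first octet (e8 -> ea), keep the other two OUI
    octets, and replace the three NIC-specific octets with fresh random bytes."""
    raw = bytearray(parse_mac(real_mac))
    raw[0] |= UL_BIT
    raw[3:6] = secrets.token_bytes(3)
    return format_mac(raw)


def recover_oui(random_mac):
    """What an observer gets by clearing the U/L bit: the real, vendor-assigned OUI.
    This mode hides the device, not the manufacturer."""
    raw = bytearray(parse_mac(random_mac))
    raw[0] &= 0xFF ^ UL_BIT
    return format_mac(raw[:3])


def hides_nic_part(real_mac, random_mac):
    """False when the two addresses differ only in the U/L bit, i.e. when the
    'random' address is the real MAC with one bit flipped and hides nothing."""
    real, rnd = parse_mac(real_mac), parse_mac(random_mac)
    return not (rnd[1:] == real[1:] and (rnd[0] | UL_BIT) == (real[0] | UL_BIT))


if __name__ == "__main__":
    real = "e8:de:27:a9:94:fb"
    generated = random_mac_keep_oui(real)
    print("generated:", generated, "-> recovered OUI:", recover_oui(generated))
    for candidate in ("ea:de:27:66:8f:ed", "ea:de:27:a9:94:fb"):
        print(candidate, "hides NIC part:", hides_nic_part(real, candidate))
```

The second candidate in the demo is the address quoted above for Figure 5; the function reports that it hides nothing, while the Figure 3 address ea:de:27:66:8f:ed does hide the NIC part.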

Figure 5 : Observe the Random MAC, but still the OUI is maintained

So far we have looked at the discovery phase and the association phase separately. Now we will look at them together.

MAC Randomization at Scanning+Association

Below are the different implementation scenarios; which one is used depends on how the vendor implements it. There are multiple combinations that can be implemented for MAC address randomization, and it is entirely up to the vendor to pick any of these methods.

Figure 6 : Random MAC implementation scenarios

If we merge "random MAC maintaining the OUI" into "random MAC", the above table can be summarized as below.

Figure 7 : Random MAC Summarization table

Some vendors use a different random MAC every time they associate to the AP. Others always use the same random MAC every time they associate to the same SSID.

In the scanning phase, vendors can make use of the random MAC address lifetime, so that scanning happens with a particular MAC for that lifetime and then switches to another MAC every X seconds.

Now let us see the sniffer captures for the scenarios shown in Figure 7.

Implementation 1

Figure 8 : Scenario 1

In this scenario, scanning happens with a random MAC and association also happens with a random MAC.

To check this scenario, note down the MAC address of the device at the time of scanning and the MAC address of the device at the time of association.

In a clean RF environment you will get the sniffer capture without trouble; in open air you have to note down the MAC addresses carefully and filter in Wireshark accordingly. Observe the capture below for this scenario: the random MAC in the scanning phase comes from the locally administered address pool, and the random MAC used for association is also a locally administered random MAC.

Figure 9 : Scenario 1 Sniffer Capture

Implementation 2

Figure 10 : Scenario 2

In this scenario, scanning happens with a random MAC and association happens with the real MAC.

To check this scenario, note down the device MAC address at the time of scanning and at the time of association, then filter the Wireshark capture to check the behavior.

Observe the sniffer capture below to check the behavior. The Huawei device is scanning with a random MAC from the locally administered range, but the association is happening with the real MAC.

Figure 11: Scenario 2 Sniffer Capture

Implementation 3

Figure 12 : Scenario 3

There is nothing new in this scenario. We see the real MAC at the time of scanning and at the time of association; this is the normal behavior we used to see before.

Implementation 4

Figure 13 : Scenario 4

In this scenario, scanning happens with the real MAC and association happens with a random (locally administered) MAC. Check the changing MAC addresses carefully and filter the capture accordingly.

Figure 14 : Scenario 4 Sniffer Capture
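As an added example, not something from the original post, here is a Python classifier that takes what you write down while analysing a capture (the source MAC of each probe request and each association request, plus the real MAC read from ifconfig) and maps it onto the Figure 7 scenarios. The observations in the demo are constructed, not taken from the captures in this post. The wpa_supplicant settings it suggests follow the wpa_supplicant.conf documentation for preassoc_mac_addr (scanning) and mac_addr (association), where 0 = permanent MAC, 1 = random MAC and 2 = random MAC keeping the OUI; the probe-address rotation it counts is what rand_addr_lifetime (default 60 seconds) produces.

```python
"""Map what you observe in a capture onto the Figure 7 scenarios.

Added example; the observations below are constructed, not from the post's
captures.  Input is what you note down from Wireshark: ('scan', source MAC)
for each probe request and ('assoc', source MAC) for each association request,
plus the real MAC read from ifconfig.
"""
UL_BIT = 0x02


def _first_octet(mac):
    return int(mac.split(":")[0], 16)


def address_policy(mac, real_mac):
    """'real', 'random+oui' (locally administered, OUI otherwise kept),
    'random' (locally administered), or 'spoofed' (neither real nor locally
    administered, like 1c:e4:56:34:de:de in the last test of the post)."""
    mac, real_mac = mac.lower(), real_mac.lower()
    if mac == real_mac:
        return "real"
    if not _first_octet(mac) & UL_BIT:
        return "spoofed"
    same_oui = (mac.split(":")[1:3] == real_mac.split(":")[1:3]
                and (_first_octet(mac) | UL_BIT) == (_first_octet(real_mac) | UL_BIT))
    return "random+oui" if same_oui else "random"


# Figure 7 folds 'random keeping the OUI' into 'random'.
SCENARIOS = {
    ("random", "random"): 1,
    ("random", "real"): 2,
    ("real", "real"): 3,
    ("real", "random"): 4,
}


def _wpa_value(policies):
    """wpa_supplicant.conf value for preassoc_mac_addr / mac_addr:
    0 = permanent MAC, 1 = random MAC, 2 = random MAC keeping the OUI."""
    if policies == {"real"}:
        return 0
    if policies == {"random+oui"}:
        return 2
    if policies and policies <= {"random", "random+oui"}:
        return 1
    return None   # empty or spoofed: no wpa_supplicant policy reproduces this


def _collapse(policies):
    if not policies:
        return "unknown"
    if policies == {"real"}:
        return "real"
    if "spoofed" in policies:
        return "spoofed"
    return "random"


def classify_capture(observations, real_mac):
    policies = {"scan": set(), "assoc": set()}
    addrs = {"scan": set(), "assoc": set()}
    for phase, sa in observations:
        policies[phase].add(address_policy(sa, real_mac))
        addrs[phase].add(sa.lower())
    scan, assoc = _collapse(policies["scan"]), _collapse(policies["assoc"])
    return {
        "scan": scan,
        "assoc": assoc,
        "scenario": SCENARIOS.get((scan, assoc)),
        # more than one probe-request address means the random MAC lifetime
        # (rand_addr_lifetime, default 60 s) expired during the capture
        "distinct_scan_addrs": len(addrs["scan"]),
        "wpa_supplicant": {"preassoc_mac_addr": _wpa_value(policies["scan"]),
                           "mac_addr": _wpa_value(policies["assoc"])},
    }


if __name__ == "__main__":
    REAL = "e8:de:27:a9:94:fb"
    # constructed observation shaped like the Scenario 2 capture: rotating
    # random probe-request addresses, association with the real MAC
    obs = [("scan", "da:a1:19:2f:77:01"), ("scan", "da:a1:19:80:3b:c4"),
           ("assoc", REAL)]
    print(classify_capture(obs, REAL))
```

A result with "scenario": None and "spoofed" in one of the phases means the station used an address that is neither its real MAC nor locally administered, which is the case covered in the next section.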

Connecting to the AP with a MAC that neither keeps the OUI nor is locally administered

Now let us connect a client with a random MAC that is not taken from the locally administered address space. The MAC address I used is given below. I observed that the client is still able to connect to the AP.

Random MAC used, which neither keeps the OUI nor is locally administered: 1c:e4:56:34:de:de.

This MAC is also able to connect to the AP without any issues. Nothing in the association process checks the U/L bit, so the AP accepts it; the downside is that such an address sits in the globally administered space, where the first three octets are understood to be an IEEE-assigned OUI, so the client will be attributed to whichever vendor owns that prefix and could even collide with a real device.

Observe the successful 4-way handshake for this MAC in the capture below (a random MAC that neither keeps an OUI nor is locally administered).

Figure 15 : Successful handshake for the MAC which neither keeps the OUI nor is locally administered

This is all about WiFi MAC randomization; the implementation depends on the vendor, who can implement any of the above scenarios based on their needs and demands.

Still, a few devices use the real MAC when sending ANQP queries in Hotspot 2.0 (HS2.0). The real identity of those devices can easily be learned if the stations use their real MAC address to query the AP, so the real MAC address of a client can still be identified using a Hotspot 2.0 honeypot: an AP that advertises Hotspot 2.0 support and records the source addresses of the GAS/ANQP requests it receives. So, using a random MAC for ANQP requests is also vendor dependent.
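To show what such a honeypot would actually look at, here is an added Python example (constructed frames, not the post's captures, and not a tool from the original article) that parses raw 802.11 management frames, picks out probe requests, association requests and the Public Action GAS Initial Request frames that carry ANQP queries, and flags a station that associates with a random MAC but sends its ANQP query from a globally administered one. The frame layouts follow IEEE 802.11 (24-byte management header; Public Action category 4, GAS Initial Request action 10, Advertisement Protocol element ID 108, ANQP Query List Info ID 256, Venue Name Info ID 257). In recent wpa_supplicant versions the address used for GAS/ANQP is controlled separately from mac_addr; I believe the option is gas_rand_mac_addr, so check your version's wpa_supplicant.conf.

```python
"""Which source address does a station use for ANQP?

Added example: parses raw 802.11 management frames (constructed below, not the
post's captures) and reports the source addresses used for probe requests,
association requests and GAS Initial Requests, which carry Hotspot 2.0 ANQP
queries.  This is the check a Hotspot 2.0 honeypot would run.
"""
import struct

UL_BIT = 0x02
PUBLIC_ACTION = 4          # action frame category
GAS_INITIAL_REQUEST = 10   # public action code
ADV_PROTO_ELEMENT = 108    # Advertisement Protocol element ID
ANQP_QUERY_LIST = 256      # ANQP Info ID
ANQP_VENUE_NAME = 257      # ANQP Info ID
FRAME_KINDS = {(0, 4): "probe_req", (0, 0): "assoc_req", (0, 13): "action"}


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def is_locally_administered(mac):
    return bool(int(mac[:2], 16) & UL_BIT)


def build_mgmt_frame(subtype, sa, da, bssid, body=b""):
    """Management frame (type 0): FC, duration, addr1=DA, addr2=SA, addr3=BSSID, seq, body."""
    fc = bytes([(subtype << 4) | (0 << 2) | 0, 0x00])
    return fc + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + body


def gas_initial_request_body(dialog_token=1):
    """Public Action / GAS Initial Request whose ANQP Query List asks for Venue Name."""
    anqp = struct.pack("<HH", ANQP_QUERY_LIST, 2) + struct.pack("<H", ANQP_VENUE_NAME)
    adv_proto = bytes([ADV_PROTO_ELEMENT, 2, 0x00, 0x00])   # query response info, protocol ID 0 = ANQP
    return (bytes([PUBLIC_ACTION, GAS_INITIAL_REQUEST, dialog_token]) + adv_proto
            + struct.pack("<H", len(anqp)) + anqp)


def parse_mgmt_frame(frame):
    """Return (kind, sa, bssid, body); kind is None for frames we do not track."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 management header")
    fc = frame[0]
    kind = FRAME_KINDS.get(((fc >> 2) & 0x3, fc >> 4))
    sa, bssid, body = frame[10:16], frame[16:22], frame[24:]
    if kind == "action":
        is_gas = len(body) >= 2 and body[0] == PUBLIC_ACTION and body[1] == GAS_INITIAL_REQUEST
        kind = "gas_initial_req" if is_gas else None
    return kind, mac_str(sa), mac_str(bssid), body


def anqp_query_list(body):
    """Info IDs requested by a GAS Initial Request body."""
    pos = 3                              # category, action, dialog token
    pos += 2 + body[pos + 1]             # skip the Advertisement Protocol element
    (qlen,) = struct.unpack_from("<H", body, pos)
    query, ids = body[pos + 2:pos + 2 + qlen], []
    while len(query) >= 4:
        info_id, length = struct.unpack_from("<HH", query)
        payload, query = query[4:4 + length], query[4 + length:]
        if info_id == ANQP_QUERY_LIST:
            ids.extend(struct.unpack("<%dH" % (length // 2), payload))
    return ids


def audit_station(frames):
    """Source addresses per frame kind, plus whether ANQP leaks a global MAC."""
    used = {"probe_req": set(), "assoc_req": set(), "gas_initial_req": set()}
    for frame in frames:
        kind, sa, _, _ = parse_mgmt_frame(frame)
        if kind in used:
            used[kind].add(sa)
    anqp_global = sorted(m for m in used["gas_initial_req"] if not is_locally_administered(m))
    assoc_random = any(is_locally_administered(m) for m in used["assoc_req"])
    return {"used": used, "anqp_from_global_mac": anqp_global,
            "leak": bool(anqp_global) and assoc_random}


# Constructed sample: the station scans and associates with a random MAC but
# sends its GAS/ANQP query from its real, globally administered MAC.
REAL = bytes.fromhex("e8de27a994fb")
RANDOM = bytes.fromhex("eade27668fed")
AP = bytes.fromhex("001122334455")
BROADCAST = b"\xff" * 6
SAMPLE_FRAMES = [
    build_mgmt_frame(4, RANDOM, BROADCAST, BROADCAST),               # probe request
    build_mgmt_frame(0, RANDOM, AP, AP, b"\x31\x04\x0a\x00"),         # association request
    build_mgmt_frame(13, REAL, AP, AP, gas_initial_request_body()),  # GAS Initial Request
]

if __name__ == "__main__":
    print(audit_station(SAMPLE_FRAMES))
```

On a real capture you would feed the parser the 802.11 frames (without radiotap header and FCS) instead of SAMPLE_FRAMES; the honeypot side of this is simply an AP that advertises Interworking/Hotspot 2.0 and keeps the addr2 of every GAS Initial Request it receives.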
