Thread Links			Date Links
Thread Prev	Thread Next	Thread Index	Date Prev	Date Next	Date Index

[STDS-802-Privacy] Guidelines proposition for correct implementation of MAC address randomization

To: STDS-802-PRIVACY@xxxxxxxxxxxxxxxxx
Subject: [STDS-802-Privacy] Guidelines proposition for correct implementation of MAC address randomization
From: Matte Célestin <celestin.matte@xxxxxxxxxxxx>
Date: Tue, 5 Dec 2017 18:23:54 +0100

Hello all,

I'm about to finish my PhD on Wi-Fi tracking [1]. In this thesis, Istudied various methods that can render MAC address randomizationinsufficient to prevent tracking. I've been supervised by MathieuCunche, who already made several talks on the topic here.

Based on our observations, we produced a series of guidelines regardinga correct implementation of MAC address randomization. I would like toshare these guidelines to this list, as they could be used as a draftfor a recommendation to the industry.


The guidelines are the following:
1. The MAC address must be changed in every burst of probe requests.
2. Probe requests must be devoid of unnecessary Information Elements.

3. In particular, SSIDs must always be null (see below for the hidden APcase).4. Sequence numbers must be randomized at the beginning of every burstof probe request, or maintain a fixed value (0).5. The function generating the random addresses must be of cryptographiclevel so as to guarantee unlinkability between frames, as its purpose isto protect privacy-sensitive information. It must have a reliableentropy source, as MAC address changes can be very frequent.6. It must be ensured that the global address is never used for activescanning.7. The OUI part of the MAC address should preferably be randomized aswell. To do so, randomized OUI should have their LA bit set to 1 andshould not be registered by a company.8. Efforts must be done to break timing patterns of probe requests: forinstance, random delay can be added between bursts.Additionally, we advise dropping the support of hidden Access Points.They hinder a correct implementation of randomization, as devices needto add identifying SSIDs to their probe requests to discover them. Theyconstitute a bad security practice anyway, as they're based on thebroken security-by-obscurity concept. They should be replaced withAccess Points using a strong encryption scheme and strong passwords.

These guidelines can be compared to those produced by Martin et al. [2],which notably also add a countermeasure against an active attack theydiscuss in their paper.


[1]: https://ploudseeker.com/files/these.pdf
[2]: https://arxiv.org/abs/1703.02874v1

Regards,
--
Célestin Matte

Prev by Date: [STDS-802-Privacy] Continuation of privacy discussions at this meeting (802 plenary in Chicago)
Next by Date: Re: [STDS-802-Privacy] Reaching out
Previous by thread: [STDS-802-Privacy] Task Group ballot of P802E/D0.7 Recommended Practice for Privacy Considerations for IEEE 802 Technologies
Next by thread: [STDS-802-Privacy] Continuation of privacy discussions at this meeting (802 plenary in Chicago)
Index(es):
- Date
- Thread