Questions about WiFi-based "MAC Address de-randomization"

Hello.

For those of you that don’t know, your Wi-Fi MAC address can be “de-randomized” even if it's set to change per SSID or new connection request. This works much like how browser fingerprinting works by creating a hash of all the Information Elements (IEs) your WiFi card provides to a router for connection purposes (which comes at a privacy cost). Some of these IEs may include:

  1. Previously Connected SSIDs
  2. Supported Data Rates
  3. Device Vendor Specific Information
  4. RSN (Robust Security Network) Information
  5. QoS (Quality of Service) Capability
  6. Incrementing Sequence Numbers from the last WiFi Access Point you connected to
  7. many more

The feasibility and accuracy of this type of attack have been quite well documented in academic papers [1, 2, 3].

Randomization of these elements occurs at the hardware level and currently the only devices I can see which support this are Google Pixel devices (includes GrapheneOS) and Apple devices (includes macOS and iOS).

I have some questions for people who are more well-read in this topic than I:

  1. What is the actual feasibility of surveillance occurring in this way? As I am aware, this information is likely stored on the router and not sent to ISPs or governments who can actually make use of this mass data as people change location, e.g. going from their home to a friend's house to a shopping mall and then to a coffee shop.
  2. Has there been any evidence of ISPs or governments performing this type of analysis?
  3. Other than the Google Pixel and Apple products, are there any other devices or workarounds to being able to implement randomization of these IEs?

[1] Why MAC address randomization is not enough: An analysis of Wi-Fi network discovery mechanisms
[2] Pintor, Lucia, and Luigi Atzori. “A dataset of labelled device Wi-Fi probe requests for MAC address de-randomization.” Computer networks 205 (2022): 108783.
[3] Uras, Marco, et al. “MAC address de-randomization for WiFi device counting: Combining temporal-and content-based fingerprints.” Computer Networks 218 (2022): 109393.

4 Likes
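To make the "hash of the Information Elements" idea concrete from a defender's point of view, here is an added Python example (not code from the original post or from any of the cited papers). It builds a few constructed probe-request records, hashes the stable IEs while ignoring the MAC, shows that two probes from the same device under different randomised MACs collapse to one fingerprint, and then applies a hypothetical client-side mitigation modelled on the GrapheneOS requirement quoted later in the thread (no saved SSIDs in probes, no vendor-specific IEs, randomised probe sequence number) to show how the remaining fingerprint becomes shared across devices with the same chipset. The field names, sample values and the `anonymize` behaviour are assumptions for illustration.

```python
import hashlib
import json
import secrets
from collections import defaultdict

# Constructed sample probe requests, not captured traffic. Each record mimics
# the Information Elements (IEs) a station advertises. Devices A and B are
# assumed to share a chipset, so their rate/RSN/QoS IEs are identical.
CHIPSET_IES = {
    "supported_rates": [1, 2, 5.5, 11, 6, 9, 12, 18],
    "ext_rates": [24, 36, 48, 54],
    "rsn": {"akm": ["PSK"], "pairwise": ["CCMP"]},
    "qos_capability": 0,
}

PROBES = [
    # Device A, two probes sent under two different randomised MACs.
    {**CHIPSET_IES, "mac": "da:a1:19:3c:7f:02", "seq": 1532,
     "ssids": ["HomeNet", "CoffeeShop_Guest"],
     "vendor_specific": ["00:10:18:02:00:00"]},
    {**CHIPSET_IES, "mac": "c6:42:07:9d:11:e8", "seq": 1534,
     "ssids": ["HomeNet", "CoffeeShop_Guest"],
     "vendor_specific": ["00:10:18:02:00:00"]},
    # Device B, same chipset, different saved networks.
    {**CHIPSET_IES, "mac": "2e:77:b0:55:0a:9c", "seq": 88,
     "ssids": ["OfficeWLAN"],
     "vendor_specific": ["00:10:18:02:00:00"]},
]

# IEs that stay constant across a device's probes (hypothetical field names).
STABLE_IES = ("ssids", "supported_rates", "ext_rates", "vendor_specific",
              "rsn", "qos_capability")


def fingerprint(probe, fields=STABLE_IES):
    """Hash the selected IEs in canonical JSON form. The MAC and the
    sequence number are excluded on purpose: the MAC is randomised and
    the sequence number is only useful as a short-term linking hint."""
    canon = json.dumps({f: probe.get(f) for f in fields}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()


def cluster(probes, fields=STABLE_IES):
    """Group the observed MACs by IE fingerprint. A group with several
    MACs means randomisation alone did not separate those probes."""
    groups = defaultdict(list)
    for p in probes:
        groups[fingerprint(p, fields)].append(p["mac"])
    return dict(groups)


def sequence_linked(earlier, later, window=16):
    """Temporal hint from the thread's item 6: a later probe whose 12-bit
    sequence number sits just above the earlier one's plausibly comes from
    the same radio, even under a new MAC."""
    delta = (later["seq"] - earlier["seq"]) % 4096
    return 0 < delta < window


def anonymize(probe):
    """Hypothetical client-side mitigation modelled on the thread's wording:
    send no saved SSIDs, drop vendor-specific IEs and start the sequence
    counter at a random value, so only chipset-level IEs remain."""
    out = dict(probe)
    out["ssids"] = []
    out["vendor_specific"] = []
    out["seq"] = secrets.randbelow(4096)
    return out


if __name__ == "__main__":
    print("raw probes  :", cluster(PROBES))
    print("anonymized  :", cluster([anonymize(p) for p in PROBES]))
```

With the raw records, device A's two MACs land in one cluster and device B in another, and `sequence_linked` ties A's two probes together as well. After `anonymize`, all three MACs fall into a single cluster: the residual fingerprint (rates, RSN, QoS) is the chipset's, not the user's, which is the "raising the bar" effect the thread describes rather than full unlinkability.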

Much like browser fingerprinting, it is just not possible to fully randomize things that are inherently non-random. Getting rid of the things that are explicitly designed to be identifiers, like MAC addresses, is still a very useful endeavor for privacy, even if pseudo-identifiers can be cobbled together from other pieces of data. It’s about raising the bar of effort.

To my knowledge there are not commercially available networking products that do this, so it’s rather unlikely your ISP or corporate IT networks would be doing so.

Whether the government or just some network admin with too much time on their hands is doing this with custom solutions I guess we can only speculate.

And yes, this data would typically be confined to a single network.

Something else to consider is that very often fingerprinting that can occur in a lab is very challenging to pull off accurately in the real world, and especially at a scalable level. Threats presented in research are very rarely an immediate crisis for mass surveillance, but it’s something to keep an eye on.

This would not be anywhere near the top of my list to worry about though.

6 Likes

Hi Jonah, thanks for the response.

Like yourself, I think MAC address randomization has been highly useful and significantly raises the bar for WiFi tracking between sessions or Access Points. I do however think that this type of advanced WiFi tracking would be extremely useful to track people between WiFi sessions for governments (e.g. terrorism detection/prevention) or ISPs (e.g. marketing), even if it is at a massive privacy cost to everyone.

Due to the fact that most routers are effectively “internet routing boxes” that are administered by ISPs, (from my understanding) there is the technical capability for ISPs to install software which sends back router data to their servers which could later be used by ISPs or governments to train ML/AI algorithms which could Wi-Fi fingerprint every device through previously mentioned pseudo identifiers e.g. previously connected SSIDs, sequence numbers, etc.

I understand this idea may be far-fetched on initial reading. However, in the past the NSA did have a system that tracked the movements of mobile devices in a city by monitoring MAC addresses. Although this city wasn’t named and details about the analysis weren’t disclosed, it doesn’t seem quite out of the realm of reality that they (or other governments) may use this pseudo-identifier data to fingerprint devices if they can’t monitor MAC addresses. As discussed, given the fact that both Apple and Google have both implemented protections for this, it makes me think that they also don’t think that this is outside the realm of reality either. Furthermore, GrapheneOS also has randomization of these elements as a requirement of any future device: “Wi-Fi anonymity support including MAC address randomization, probe sequence number randomization and no other leaked identifiers”.

1 Like

Having done Wi-Fi based tracking about a decade ago, I am doubtful of this.
The big issue would be having many radios to monitor all the channels and do so at scale across many places (stores/office buildings/etc.) and mingle that data across from them.
That is not to say that there aren’t companies doing this, there are, but there are far easier and more reliable ways to track people such as via the cell network.

2 Likes

Hi SkewedZeppelin, thanks for responding.

Upon doing some research, I found out that routers/modems state they “phone home” device-level information to their servers for analytics purposes. Take for example Netgear’s analytics privacy policy which states it sends MAC address and other “connected client device” information for performance purposes. Technically, an ISP could also access this router/modem information and send it home for them or another third party to analyze for Wi-Fi fingerprinting purposes.

Yes, it's definitely far easier to track via the cell network.

2 Likes