Hello.
For those of you that don’t know, your Wi-Fi MAC address can be “de-randomized” even if it’s set to change per SSID or per new connection request. This works much like browser fingerprinting: a hash is built from all the Information Elements (IEs) your Wi-Fi card includes in the frames it sends while looking for or joining a network (probe and association requests), and that hash stays stable even when the MAC changes, which comes at a privacy cost. Some of these IEs may include:
- Previously Connected SSIDs
- Supported Data Rates
- Device Vendor Specific Information
- RSN (Robust Security Network) Information
- QoS (Quality of Service) Capability
- Incrementing Sequence Numbers from the last WiFi Access Point you connected to
- many more
The feasibility and accuracy of this type of attack have been quite well documented in academic papers [1, 2, 3].
Randomization of these elements occurs at the hardware level, and currently the only devices I can see which support this are Google Pixel devices (including GrapheneOS) and Apple devices (including macOS and iOS).
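To make the fingerprinting concrete, here is an added example (not from the post or the cited papers) that builds constructed probe-request frames, parses their IEs, and hashes only the IEs that a randomized MAC does not change. The frame layout follows 802.11, but the MACs, rates and vendor payloads are arbitrary constructed values: two probes from the same IE set under different MACs fingerprint identically, while a changed IE set (what the Pixel/Apple randomization targets) breaks the link.

```python
import hashlib
import struct

# Constructed 802.11 probe-request frames (not real captures). Management header:
# frame control, duration, addr1 (DA), addr2 (SA), addr3 (BSSID), sequence control.
HDR = struct.Struct("<HH6s6s6sH")

def ie(eid: int, payload: bytes) -> bytes:
    """Encode one information element as ID, length, payload."""
    return struct.pack("BB", eid, len(payload)) + payload

def build_probe(src_mac: bytes, seq: int, ies: bytes) -> bytes:
    bcast = b"\xff" * 6
    return HDR.pack(0x0040, 0, bcast, src_mac, bcast, seq << 4) + ies

def parse_ies(body: bytes) -> list[tuple[int, bytes]]:
    """Walk TLV-encoded IEs; stop on a truncated element instead of misparsing."""
    out, i = [], 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        if i + 2 + ln > len(body):
            break
        out.append((eid, body[i + 2:i + 2 + ln]))
        i += 2 + ln
    return out

# IEEE 802.11 element IDs: 1 Supported Rates, 50 Extended Rates,
# 45 HT Capabilities, 127 Extended Capabilities, 221 Vendor Specific.
STABLE_IDS = {1, 50, 45, 127, 221}

def fingerprint(frame: bytes, ids=STABLE_IDS) -> str:
    """SHA-256 over ordered (id, len, payload) of stable IEs; the MAC is never hashed."""
    h = hashlib.sha256()
    for eid, payload in parse_ies(frame[HDR.size:]):
        if eid in ids:
            h.update(bytes([eid, len(payload)]) + payload)
    return h.hexdigest()[:16]

def source_mac(frame: bytes) -> str:
    return ":".join(f"{b:02x}" for b in HDR.unpack_from(frame)[3])

# Same (constructed) chipset IE set, emitted under two randomized MACs.
IES_A = ie(1, bytes([0x82, 0x84, 0x8B, 0x96])) + ie(50, bytes([0x0C, 0x12, 0x18])) \
      + ie(45, b"\x2d\x01\x1b\xff" + b"\x00" * 22) + ie(221, b"\x00\x50\xf2\x08\x00\x12")
# A second device type: identical rates, but no vendor-specific element.
IES_B = ie(1, bytes([0x82, 0x84, 0x8B, 0x96])) + ie(50, bytes([0x0C, 0x12, 0x18])) \
      + ie(45, b"\x2d\x01\x1b\xff" + b"\x00" * 22)

PROBE_A1 = build_probe(b"\x02\x11\x22\x33\x44\x55", 10, IES_A)
PROBE_A2 = build_probe(b"\x06\xaa\xbb\xcc\xdd\xee", 11, IES_A)  # new random MAC
PROBE_B = build_probe(b"\x0a\x01\x02\x03\x04\x05", 3, IES_B)

if __name__ == "__main__":
    for f in (PROBE_A1, PROBE_A2, PROBE_B):
        print(source_mac(f), fingerprint(f))
```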
I have some questions for people who are more well-read in this topic than I:
- What is the actual feasibility of surveillance occurring in this way? As far as I am aware, this information is likely stored on the router and not sent to ISPs or governments who can actually make use of this mass data as people change location, e.g. going from their home to a friend's house, to a shopping mall and then to a coffee shop.
- Has there been any evidence of ISPs or governments performing this type of analysis?
- Other than the Google Pixel and Apple products, are there any other devices or workarounds to being able to implement randomization of these IEs?
[1] Vanhoef, Mathy, et al. “Why MAC address randomization is not enough: An analysis of Wi-Fi network discovery mechanisms.” Proceedings of the 11th ACM Asia Conference on Computer and Communications Security (2016).
[2] Pintor, Lucia, and Luigi Atzori. “A dataset of labelled device Wi-Fi probe requests for MAC address de-randomization.” Computer Networks 205 (2022): 108783.
[3] Uras, Marco, et al. “MAC address de-randomization for WiFi device counting: Combining temporal-and content-based fingerprints.” Computer Networks 218 (2022): 109393.