iOS8 MAC Randomization – Analyzed!

In June of this year, at WWDC#14, Apple announced that the Wi-Fi scanning behavior of their devices would change starting with iOS8. They would start using randomized and locally administrated Wi-Fi MAC addresses in the probing state. The touted rationale was that such an approach would hide the real MAC addresses of the devices and make MAC address based analytics difficult.

I didn’t find any instances of randomized MAC addresses in iOS8 beta releases.  Apple made iOS8 generally available as part of their September 2014 launch.  Accordingly, it was time for me to take out the packet sniffing gear and clock some hours to dig into the workings of randomized MAC addresses.  Read on and familiarize yourself with how they work in iOS8 on iPhone 5, iPhone 5s and  iPad mini (iOS8 is supported on iPhone 4s and onwards). I’ll do a follow up post if anything different is found in iPhone 6 and iPhone 6 Plus.

My investigation started out with Probe Request captures in 2.4 GHz  (Ch 11) and in 5 GHz (Ch 165) as well in different device states as follows:

• Actively probing and not associated (looking for Wi-Fi network)
• Active and connected to Wi-Fi (connected and browsing)
• Sleep mode (display off) and not associated (phone in pocket scenario)
• Location services ON and OFF
• Phone charging or not

In all of these scenarios 30 to 60 minutes of traces were analyzed for Probe Requests.

My findings:

• I found MAC randomization in iPhone 5s (details below), but not in iPhone 5 and iPad Mini.   I suspect that this has to do with the OS architectural difference between old and new generations of iPhones.

• In iPhone 5s, MAC randomization happens only under the following conditions:
  • Phone is in sleep mode (display off, not being used)
  • Wi-Fi should be ON but not associated
  • Location services should be OFF in privacy settings

• Under the above conditions iPhone5s will use randomized MAC in Probe Requests with the following characteristics:
  • The randomized MAC is a locally administered MAC. See packet capture screens below.
  • Roughly 120-150 seconds after the phone’s display is turned off the phone will transmit the first batch of Probe Requests with randomized MAC.
  • The same randomized MAC address is used for all Probe Requests within a batch and on all channels, in both 2.4 GHz and 5 GHz bands.
  • The next batches of Probe Requests come with escalating interval between the batches, up to maximum interval of about 385 seconds, and then the next batch comes again at roughly 120-150 seconds as the initial one. The trace duration was 1 hour.
  • All of these Probe Requests use the same randomized MAC address.
  • The randomized MAC address used in the Probe Request changes every time the phone is activated and subsequently put to sleep mode.  Meaning that every new sleep cycle uses a new randomized MAC.
  • The Probe Requests in sleep mode do not ask for a specific SSID (this is called null probe). This seems to be an additional privacy feature to prevent SSIDs in the phone’s wireless profile to be revealed in sleep mode.
  • MAC randomization happens irrespective of whether the phone is charging or not.

Real MAC address of iPhone 5s F4:37:B7:6E:38:20. Randomized MAC. Null probe.

The randomized MAC address used in the Probe Request changes every time the phone is activated and subsequently put to sleep mode.  Meaning that every new sleep cycle uses a new randomized MAC.

 Is this behavior adequate to meet its original intent? Are there other implications of this on Wi-Fi functions? Time will tell, but at least now we know how MAC randomization works!

Read part II of this blog series:  iOS8 MAC Address Randomization Update

Related Information:

• About the security content of iOS 8  via Apple Support.

• Apple’s new feature to curb phone tracking won’t work if you’re actually using your phone | by Ashkan Soltani and Hayley Tsukayama via Washington Post

• iOS 8’s location-tracking protections aren’t as powerful as predicted | by Russell Brandom@russellbrandom via The Verge

• Locally Administered MAC Addresses

Wi-Fi clients like tablets, phones and laptops periodically probe for Wi-Fi networks and will typically automatically connect to Wi-Fi if the network matches the one already saved in the devices. Devices will send their real MAC address during the probes (called probe request) and Wi-Fi monitoring tools can detect and register the MAC addresses in a data base to compile a list of unique visitors.  More info.