Random Mac OS

MAC Randomization is not a new term in the network industry. It has existed for several years and involved randomizing client MAC addresses when sending Probe Requests to prevent location tracking of devices that are not associated to the network. During association, a device would have used its “real” hardware MAC address. This however is changing with the upcoming release of iOS 14 / WatchOS 7, Android 10+, and even a few recent versions of Windows 10. The new shift in the mobile device industry is to randomize MAC addresses not only during the network discovery phase, but also during association phase. Let’s find out what these changes entail for enterprises and networking vendors.


Why MAC Randomization?


The intent from device manufacturers like Google and Apple is to “reduce a privacy risk” associated with an ability to track a device from a network usage or location perspective using a device unique MAC address. This problem can certainly be looked at from different angles (MAC Address from Google or Apple’s perspective provides different tracking options versus a typical enterprise or even a home user).
The new MAC randomization algorithm applies to network connectivity and is now used for all communications.

How to Identify a Randomized MAC Address?

Fortunately, it is easy to identify randomized MAC addresses. A bit in the OUI portion of a MAC address is set to signify a randomized / locally administered address. As a quick rule, look at the second character in a MAC address: if it is a 2, 6, A, or E, it is a randomized address. In the iOS screenshot above, we know Wi-Fi Address 92:B1:B8:42:D1:85 is a randomized address, because the second character is a 2.
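The check described above, written out as an added example (not code from the original article). It tests the two low bits of the first octet, accepts the common MAC notations, and confirms that the 2/6/A/E shortcut is exactly the bit test; every sample address except the one quoted in the article is constructed.

```python
import re

_SEPARATORS = re.compile(r"[:\-.]")
_HEX12 = re.compile(r"[0-9a-f]{12}")

def first_octet(mac: str) -> int:
    """Accept colon, hyphen, dotted or bare notation; return the first octet."""
    digits = _SEPARATORS.sub("", mac.strip().lower())
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits[:2], 16)

def classify(mac: str) -> str:
    octet = first_octet(mac)
    if octet & 0x01:   # I/G bit: group (multicast or broadcast) address
        return "multicast"
    if octet & 0x02:   # U/L bit: locally administered, the bit the article means
        return "locally-administered"
    return "universal"  # globally unique, vendor-assigned OUI

def second_char_rule(mac: str) -> bool:
    """The article's shortcut: second hex character is 2, 6, A or E."""
    return f"{first_octet(mac):02x}"[1] in "26ae"

def rule_matches_bits() -> bool:
    """Compare the shortcut with the bit test for every possible first octet."""
    return all(
        second_char_rule(f"{o:02x}:00:00:00:00:01")
        == (classify(f"{o:02x}:00:00:00:00:01") == "locally-administered")
        for o in range(256)
    )

# First entry is the address quoted in the article; the rest are constructed.
SAMPLE_CLIENTS = ["92:B1:B8:42:D1:85", "00-1A-2B-3C-4D-5E",
                  "a6f0.1c22.9e01", "01:00:5E:00:00:FB"]

def summarise(clients):
    return {mac: classify(mac) for mac in clients}

if __name__ == "__main__":
    for mac, kind in summarise(SAMPLE_CLIENTS).items():
        print(f"{mac:20} {kind}")
    print("2/6/A/E rule equals bit test:", rule_matches_bits())
```

The bit only says the address is locally administered; virtual interfaces can set it too, so treat a match as "not a burned-in address" rather than proof of a phone's private MAC.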

How will the new MAC Randomization logic work?

There are a number of resources that will provide details on the MAC Randomization algorithm specifics, which you can find in the references. This blog will focus on practical elements of the randomization logic.
The following table provides a summary of how different mobile devices will implement MAC randomization logic by default. "By default" is the crucial piece here: unless these devices are managed by an enterprise, the default settings will likely persist, as hardly anyone is likely to change them.

| OS | MAC Randomization Supported | Enabled by Default | Enabled per SSID / Hotspot 2.0 profile | Randomise Daily |
|---|---|---|---|---|
| Windows 10 | Yes | No | Yes | Optional* |
| iOS 14 / WatchOS 7 | Yes | Yes | Yes | No |
| Android 10+ | Yes | Yes | Yes | Optional (Android 11 only) |
| macOS | No (as of 9/20) | No | No | No |

Note: for any Android device that was upgraded to Android 10, existing saved networks (SSIDs) will not have Private MAC enabled by default.

References

  • Windows 10 – https://support.microsoft.com/en-us/help/4027925/windows-how-and-why-to-use-random-hardware-addresses
  • iOS – https://support.apple.com/en-us/HT211227
  • Android (10) – https://source.android.com/devices/tech/connect/wifi-mac-randomization

Which network services might be affected by this change?

Since the beginning of the network industry, every network infrastructure device operates by looking at the MAC address as the single L2 device identifier. Think broadly starting from MAC tables on the switch, ARP tables on the router, DHCP Binding list on the DHCP server and so on. With the new changes which elements would be affected?

  1. MAC Association Lists – This is something customers should have planned to stop using a long time ago. Enabling MAC randomization on a per-SSID level today will not directly affect MAC ACL functionality, unless a user enables daily MAC rotation in the device settings. Still, this is an item to consider in the future should random MAC rotation become the norm.
  2. Banned Client List – Many InfoSec systems today rely on client banning or quarantine functions that are typically tied to a MAC address of a client. To overcome a ban, a user could just forget and rejoin a network to get a new MAC address generated, thus overcoming any restrictions. Potential security issue.
  3. Guest Portals with MAC Registration – Most Guest Captive Portals leverage MAC-based registration to prevent frequent browser re-login and smooth the user experience by only requiring a “one time sign up”. If a user enables daily MAC randomization (currently available on Windows and Android 11, and turned off by default), that guest user would see a captive portal sign-up page on a daily basis. A potential long-term solution to this issue would be to move to Hotspot 2.0, which not only provides secure end-to-end communication for the user and automated network discovery, but also more granular user-based identification. This however goes against the original notion of “more privacy with random MAC enabled”.
  4. DHCP Servers – It is probably time to start using shorter DHCP lease timers, just to be safe whenever somebody decides to turn on periodic MAC rotation. DHCP Lease time should not be higher than 24 hrs, rather aiming at the lower timers.
  5. Wi-Fi Analytics and Troubleshooting – With the current default behavior we should not be too worried about randomized MAC addresses for analytics, unless a client is switching SSIDs frequently, in which case it will be more difficult to identify SSID hopping. However, should a user enable daily MAC address rotation, troubleshooting a client historically or looking at network analytics for a specific client would be much more challenging. It would require user-based device identity tracking and correlation techniques to combine multiple random MAC addresses into a single device connection experience history. Typically a MAC is used to identify a user when any connectivity problems are reported, so instead of a typical “can you tell me your MAC address, please?” you may hear “do you happen to know your MAC address at the time when the issue occurred?”
  6. Wi-Fi-based Location Tracking and Analytics – With the previous randomized MAC for Probe frames, it was already difficult to use Wi-Fi based Locationing for passive location analytics. Now with new randomized MAC addresses implementations it might be even harder to track a device just relying on Wi-Fi alone. This is yet another reason for BLE based user engagement via a mobile app.

How can enterprises react to this change? Should they?

Overall, for any enterprise managed mobile device park (iOS, Android) it is possible to disable Private MAC Address functionality for a given SSID, for example by using an existing MDM solution. Also, in Android 10/11 for any existing SSID or Network profile the “real” hardware MAC addresses will be used as before. Only new Network profiles will have randomized MAC turned on by default. In iOS 14, randomization is turned on for existing SSIDs upon upgrade.

Ok, now it sounds like it will not really have any dramatic effect, so why the blog post?

The fact that this time we got away with randomized MACs on a per-SSID basis, without daily or even per-session randomization, does not mean that it will not happen in the future. As our prior testing showed, earlier beta versions of both Android 11 and iOS 14 randomized the MAC address in a much more aggressive manner (up to the point of randomizing it on a per-session basis). These early betas gave a potential glimpse into the future, which is to randomize the MAC as often as currently possible. Most likely we are not too far from the point where device manufacturers choose to randomize MAC addresses on a daily basis by default, which would mean that all the items outlined above will matter even more.

Is there anything good out of this change?

Finding your current MAC address has never been easier. Both iOS and Android now provide information on the current random MAC used for a given SSID:

What can vendors do about it?

In general, vendors should provide better correlation techniques between usernames, client hostnames (for example supplied in DHCP option 12) and actual client MAC addresses. User-based identification will provide better network visibility. It is in a sense ironic that, by seemingly improving privacy through randomized MAC addresses, this change will slowly force everyone to move to user-based identification, which may have the opposite effect on privacy, especially with Guest networks.
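One way to do the correlation described above, as an added example that is not from the original article or any vendor product. It groups constructed DHCP/RADIUS records by 802.1X username and DHCP option 12 hostname so that several random MACs collapse into one device history; the record layout, the names and the generic-hostname list are assumptions.

```python
from collections import defaultdict

# Constructed records (not real data):
# (day, client MAC, DHCP option 12 hostname, 802.1X username or None)
RECORDS = [
    ("2020-09-01", "92:b1:b8:42:d1:85", "Annas-iPhone", "anna"),
    ("2020-09-02", "a6:0c:11:7e:20:9a", "Annas-iPhone", "anna"),
    ("2020-09-02", "00:1a:2b:3c:4d:5e", "LAB-PRINTER", None),
    ("2020-09-03", "de:34:88:01:fc:10", "Pixel-4a", None),
    ("2020-09-04", "7e:91:02:aa:5b:c3", "Pixel-4a", None),
    ("2020-09-04", "f2:10:9d:44:00:17", "", None),
]

# Hostnames too common to identify a device (assumed list, tune per site).
GENERIC_HOSTNAMES = {"", "iphone", "android", "localhost"}

def is_locally_administered(mac: str) -> bool:
    # U/L bit set and I/G bit clear in the first octet.
    return int(mac[:2], 16) & 0x03 == 0x02

def identity_key(mac, hostname, username):
    """Prefer the authenticated user, then the hostname, then the MAC itself."""
    host = hostname.strip().lower()
    if username:
        return ("user", username.lower(), host)
    if host not in GENERIC_HOSTNAMES:
        # Option 12 is client-supplied and unauthenticated: a hint, not proof.
        return ("host", host)
    return ("mac", mac.lower())

def correlate(records):
    """Map each identity to the ordered list of distinct MACs it used."""
    history = defaultdict(list)
    for _day, mac, hostname, username in sorted(records, key=lambda r: r[0]):
        macs = history[identity_key(mac, hostname, username)]
        if mac.lower() not in macs:
            macs.append(mac.lower())
    return dict(history)

def rotating_identities(history):
    """Identities seen with more than one locally administered MAC."""
    return {
        key: macs for key, macs in history.items()
        if sum(is_locally_administered(m) for m in macs) > 1
    }

if __name__ == "__main__":
    for key, macs in rotating_identities(correlate(RECORDS)).items():
        print(key, "->", ", ".join(macs))
```

The same grouping lets a banned-client list follow the identity instead of a single MAC, which addresses the ban-evasion concern raised earlier in the article.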

By Chris Spencer, CTO, GlobalReach Technology

When Apple announced that it would be putting MAC randomisation in place in its keynote at WWDC 2020, it started to cause ripples through the Wi-Fi technology community. The feature has now been available to its beta community for a few weeks, with beta 3 now available. Time enough for us to consider the implications and our advice.

I’m playing an industry liaison leadership role between the Wi-Fi industry and Apple, and have been lucky enough to have access to the beta feature. That’s given us the opportunity to develop a guide to help our customers and partners to understand the impacts of this new development when it happens.

What is MAC randomisation?

MAC randomisation prevents listeners from using MAC addresses to build a history of device activity. Simply put, a randomised MAC address puts a privacy guard on a device. Any listeners can’t use your iPhone, iPad (or Mac’s) MAC address to understand your activity and location. By doing this, your device’s security and privacy increases.

We don’t know when, but we suspect that Apple will universally release this feature close to the release of iOS 14 on all iPhones and iPads. It’s expected, but not yet implemented for users of its new operating system Big Sur affecting MacBook (Pro), MacBook Air and MacMini users. When you consider that 70-90% of all phone users have upgraded to an iPhone 6Plus or a more recent device, this will be an issue for most of your Wi-Fi service users.

Random, Just how random?

Apple’s implementation of MAC randomisation uses a unique reserved range of MAC addresses, referred to as ‘Locally Administered Address Ranges’, comprising four unique ranges reserved for this type of application.

x2-xx-xx-xx-xx-xx
x6-xx-xx-xx-xx-xx
xA-xx-xx-xx-xx-xx
xE-xx-xx-xx-xx-xx

The second digit in the MAC address is the significant digit, and it will always be a 2, 6, A, or E, the rest of the MAC address is entirely random. So, just how random could that be? Well, if MAC addresses are 12 digits long and the second digit is reserved (for one of the four characters I mentioned above), the remaining 11 digits can be one of the valid 16 HEX characters.

16 x 16 x 16 x 16 x 16 x 16 x 16 x 16 x 16 x 16 x 16 or (16^11) = 17,592,186,044,416.

And remember there are 4 of those ranges, 2, 6, A or E so we have (16^11)x4.

So operating systems randomising the MAC address have over seventy trillion (70,368,744,177,664) MAC addresses they could make use of.

So, how random it is ultimately comes down to Apple’s random generator, but we can see they have a large enough space to work with.

How’s this different?

Currently, iOS anonymises the MAC address during probe requests, but both platforms still use the true hardware MAC address when connecting to the network.

MAC randomisation completely overhauls the process.

    1. Devices generate a new private Wi-Fi MAC address per Wi-Fi network.
    2. It regenerates this MAC address every 24 hours.

Windows 10 has had an option to enable MAC randomisation for a few years now, but it is off by default and a user has to navigate to the correct menu and actively enable it.

Android is also testing changing MAC addresses more often: a developer option, ‘enhanced MAC randomisation’, generates a new MAC address more frequently when enabled. This is currently a developer option and only available on a device used for development, but it shows where the industry is going in adding more privacy features.

‘More privacy you say’ Sounds good to me. Well yes, but…

Let’s say you’re a business commuter, using the same three networks most days on your train journey, morning coffee shop, and office. Your behaviour was pretty predictable. This new feature wipes the device’s MAC history and every day is a clean sheet.

Industry and user impact

This is a significant change and will have a major impact on Wi-Fi authentication, data collection, and customer experience. The impact is slightly different depending on how your users are authenticated to a network, but all traditional authentication methods are impacted.

Your biggest concern should be the effect on the Wi-Fi user experience. Enterprises and operators typically want smooth, painless Wi-Fi registration and onboarding journeys to match their brand experience, to give them a communication channel and opportunity for customer engagement.

But when users are effectively forgotten every day, many of these methods will see considerable disruption, and potentially customer dissatisfaction.

Your second concern, if you’re a business that relies heavily on Wi-Fi analytics, will be the loss of user data. An organisation will be able to track customer behaviour within a 24 hour period, however, when the MAC address is wiped after this window, each device is treated like a new device every day. So returning customers can’t be identified or differentiated from first time shoppers, passengers, or guests for example.

If you rely heavily on this data for your marketing database, MAC randomisation will markedly reduce your data.

If you’re a venue with a high returning footfall and you want to collect data about your users and customers, our advice is to make the move to Passpoint (Hotspot 2.0) Wi-Fi.

To understand why here’s our impact summary across the different user journeys:

Any onboarding journey with data capture

When MAC randomisation is enabled any Wi-Fi registration process that requires form filling – or even simple email capture – will start from scratch every day. The device will appear as new, requiring the user to re-enter details like their email address and to confirm marketing opt-in and T&Cs acceptance (if these exist).

That’s a frustrating process and a backward step if you work from the same coffee shop most days, have a gym membership, are a frequent flyer, or have other loyal consumer habits.

One-time sign-up

Hmmm. This now becomes not so ‘one time.’

Again, because devices have been forgotten, they are treated like new devices every day, meaning that users will be required to re-register every 24 hours.

Plan or policy-based access

Any plan lasting longer than 24 hours will need the user to login every 24 hours.

SMS, or token-based registration

Any codes sent to a user and not used within a 24-hour window will become obsolete.

Custom authentication journeys

Any journey where the MAC stores a code or other piece of information that verifies the user will be compromised by MAC randomisation.

The solution

If you still want to communicate, engage, and understand your customers, the good news is that there’s a way forward using secure Passpoint (Hotspot 2.0). However, Passpoint may not be right for every venue now, and there are other options which, as Wi-Fi authentication experts, we’re happy to explain to customers and partners.

Wi-Fi onboarding options following MAC randomisation: GlobalReach Technology

The bottom line is that we see MAC randomisation as an opportunity for retailers, transport providers, cities, enterprises and other venues to leap forward in terms of security and user experience.

The table below shows which operating systems support MAC randomisation:

*1 A developer option called enhanced MAC Randomisation introduces time-based.
*2 Correct at time of publication (macOS 10.16 is still in beta phase).

We suspect (but don’t know for sure), that Apple will release the feature to iPhone and iPad users in September and Android in the next year. So there’s also time to mitigate the issue and put a better experience in place.

We’ve analysed and are consulting now on the best technical approach to manage this disruptive new feature.
