The last couple of days I've been looking into WiFi security. It came into my perspective by looking at Spacehuhn's WiFi Deauther. I already knew a little bit about WiFi security before, and had heard that WiFi devices send out probe requests. My first intention was to build a little device monitor that counts how many devices are currently sending WiFi packets in my vicinity.

Probe Requests

So I set up my network card in monitor mode and started airodump-ng. It also shows the devices that are not connected to any WiFi access point. What I observed were probe requests from devices in my neighbourhood, but also probe requests carrying the SSID of my own WiFi. They came from my iPhone and looked like this:

BSSID              STATION            PWR   Rate    Lost    Frames  Probe
12:34:56:78:9A:BC  E4:E4:AB:AB:CD:EF   -4   0e-24    0      24      myWifi

Obviously I've changed the MACs: 12:34:56:78:9A:BC is my access point and E4:E4:AB:AB:CD:EF is my iPhone. At first I thought, well, that's no MAC address randomization. And in this case there actually is no MAC address randomization.
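What the probe request behind that airodump-ng line actually contains, and how the little device monitor from the introduction could be built on it, as an added example that is not from the original post: the frames below are constructed in the code itself (no radiotap header; the bytes start at the 802.11 MAC header, as a monitor-mode capture does once radiotap is stripped), the A6:11:... station and the 'eduroam' probe are made-up sample data, and a real monitor would read frames from a monitor-mode interface instead of the list. The parser pulls the source address and the SSID element out of each probe request, and the summary counts distinct stations and marks which of them use a locally administered (randomized) address.

```python
"""Parse raw 802.11 probe request frames and tally the stations sending them.
Added example, not code from the original post. Frames are constructed below,
not captured; no radiotap header is assumed."""
import struct
from collections import defaultdict

BROADCAST = b"\xff" * 6


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)


def is_locally_administered(mac: str) -> bool:
    # U/L bit = bit 1 (second-least-significant) of the first octet: 1 -> locally administered
    return bool(int(mac[:2], 16) & 0x02)


def build_probe_request(src_mac: str, ssid: str, seq: int = 0) -> bytes:
    """Constructed probe request: management frame (type 0), subtype 4."""
    fc = b"\x40\x00"                     # frame control: type 0, subtype 4, no flags
    duration = b"\x00\x00"
    header = fc + duration + BROADCAST + mac_to_bytes(src_mac) + BROADCAST  # DA, SA, BSSID
    header += struct.pack("<H", seq << 4)  # sequence control: sequence number in the upper 12 bits
    ssid_b = ssid.encode("utf-8")
    ies = bytes([0, len(ssid_b)]) + ssid_b           # IE 0 = SSID; length 0 is a wildcard probe
    ies += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])     # IE 1 = supported rates 1/2/5.5/11 Mbit
    return header + ies


def parse_probe_request(frame: bytes):
    """Return (source MAC, SSID) for a probe request, or None for any other frame."""
    if len(frame) < 24:                  # management frame header is 24 bytes
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype != 4:
        return None
    src = bytes_to_mac(frame[10:16])     # addr2 = transmitter/source address
    ssid = ""
    pos = 24
    while pos + 2 <= len(frame):         # walk the tagged information elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                        # truncated element: stop rather than misparse
        if tag == 0:
            ssid = value.decode("utf-8", errors="replace")
        pos += 2 + length
    return src, ssid


def summarize(frames):
    """Per-station view: is the address randomized, and which SSIDs did it probe for?"""
    stations = defaultdict(lambda: {"randomized": False, "ssids": set()})
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        src, ssid = parsed
        stations[src]["randomized"] = is_locally_administered(src)
        if ssid:                          # wildcard probes reveal nothing about known networks
            stations[src]["ssids"].add(ssid)
    return dict(stations)


# Constructed sample traffic (not a real capture).
SAMPLE_FRAMES = [
    # the scenario from the post: the iPhone probing for its home SSID with its real MAC
    build_probe_request("E4:E4:AB:AB:CD:EF", "myWifi", seq=1),
    # randomized (locally administered) address sending wildcard probes, twice
    build_probe_request("62:EF:92:92:46:F0", "", seq=2),
    build_probe_request("62:EF:92:92:46:F0", "", seq=3),
    # made-up station: randomized address that still names a network it knows
    build_probe_request("A6:11:22:33:44:55", "eduroam", seq=7),
    # made-up beacon (subtype 8) with an empty body; the parser must ignore it
    b"\x80\x00\x00\x00" + BROADCAST + mac_to_bytes("12:34:56:78:9A:BC") * 2 + b"\x00\x00",
]

if __name__ == "__main__":
    for mac, info in summarize(SAMPLE_FRAMES).items():
        print(mac, "randomized" if info["randomized"] else "real", sorted(info["ssids"]))
```

The wildcard probe (empty SSID element) is what a well-behaved client sends; the frames that carry an SSID are the ones that leak which networks a device has used, whether or not its address is randomized.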

When you're using iOS, MAC randomization is only active while your phone is not associated with an access point. (This describes iOS at the time of writing; later iOS versions added a per-network private address that is also used while connected.)

So I turned off my access point and looked at the probe requests from my iPhone and from my iPad:

Randomized Probe Requests from my iPhone.

Apple is using a locally administered address here. You can recognise a locally administered address by the second-least-significant bit of the first octet: if it is 1, the address is locally administered; if it is 0, it is a universally administered (manufacturer-assigned) address. The least-significant bit of the same octet is the individual/group bit: 0 means unicast, 1 means multicast, so a device's own address always has it cleared.

for example:

62:EF:92:92:46:F0

//so in binary:
0110 0010 : 1110 1111 : ...
       ^
       |------ this one is 1, so the address is locally administered

So basically if you encounter a unicast MAC address whose first octet ends in one of these hex digits:

0xX2 --> 0b0010
0xX6 --> 0b0110
0xXA --> 0b1010
0xXE --> 0b1110

then the MAC address is locally administered: the second-least-significant bit is set and the least-significant (multicast) bit is clear. X3, X7, XB and XF also have the bit set, but they are multicast addresses and never appear as a station's source address; XC and XD have the bit clear and are universally administered. As it turns out you can also use a randomised MAC address while connected. Windows 10 does this, deriving a per-network address with SHA-256 like this:

addr = SHA-256(SSID, macaddr, connId, secret) (Source)

In my opinion this is the best way to go.
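As an added example (not Microsoft's code and not from the original post), the address bits described above and a per-network randomized address in the style of the Windows 10 formula: the bit checks are exact, but the input encoding, the concatenation order, the truncation of the digest to six bytes and the fix-up of the U/L and I/G bits are this example's assumptions, since the formula quoted above only names the inputs.

```python
"""Added example: classify the U/L and I/G bits of a MAC address and derive a
per-network randomized address in the style of
    addr = SHA-256(SSID, macaddr, connId, secret)
Encoding, field order, truncation and bit fix-up are assumptions, not Microsoft's spec."""
import hashlib


def classify(mac: str):
    """('locally administered' | 'universally administered', 'unicast' | 'multicast')."""
    first = int(mac.split(":")[0], 16)
    admin = "locally administered" if first & 0x02 else "universally administered"
    cast = "multicast" if first & 0x01 else "unicast"
    return admin, cast


def locally_administered_unicast_digits():
    """Second hex digit of the first octet for every locally administered unicast address."""
    return [f"{n:X}" for n in range(16) if (n & 0x03) == 0x02]


def derive_random_mac(ssid: str, real_mac: str, conn_id: int, secret: bytes) -> str:
    """Stable per-network address: same SSID, device and secret -> same address."""
    real = bytes(int(x, 16) for x in real_mac.split(":"))
    # assumed encoding: UTF-8 SSID || 6-byte real MAC || 32-bit LE connId || secret
    data = ssid.encode("utf-8") + real + conn_id.to_bytes(4, "little") + secret
    addr = bytearray(hashlib.sha256(data).digest()[:6])   # assumed: keep the first six bytes
    addr[0] = (addr[0] | 0x02) & 0xFE   # set U/L (locally administered), clear I/G (unicast)
    return ":".join(f"{b:02X}" for b in addr)


if __name__ == "__main__":
    # constructed inputs: the post's iPhone MAC, a made-up per-device secret
    secret = bytes(range(32))
    print(classify("62:EF:92:92:46:F0"), classify("E4:E4:AB:AB:CD:EF"))
    print(locally_administered_unicast_digits())
    for ssid in ("myWifi", "eduroam"):
        print(ssid, derive_random_mac(ssid, "E4:E4:AB:AB:CD:EF", 1, secret))
```

Because the SSID goes into the hash, the device shows one stable address to a given network (so captive portals and DHCP leases keep working) but an unrelated one to every other network, and without the device's secret an observer cannot link the two.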

Good things

The good thing is that the iPhone doesn't send out all of its known SSIDs, and it randomizes its MAC address when probing for WiFis while unassociated.

Bad things

When your phone sends out a probe request containing an SSID, you can not only identify the user but also find out where they live, especially if they were really creative with their WiFi SSID. A database query at wigle.org does it: users upload wardriving surveys (SSIDs, BSSIDs and positions) from their laptops or phones, so you just search for the 'unique' SSID. And even on Android phones that randomize their MAC but still send out SSIDs, you could set up a fake AP with one of those SSIDs; for an open network the device will connect to it automatically. This even works against enterprise networks with RADIUS: if the client does not validate the RADIUS server's certificate, it will start the 802.1X authentication with the rogue AP.

Prevent tracking

So how do you prevent tracking? Flight mode and turning off your device work ;) But you can also make it a little bit harder, for example by renaming the SSID of your WiFi at home to some really common WiFi name. There is actually a gist on GitHub with the 5000 most common WiFi names; choose one of those. Delete WiFis you don't need from your WiFi list, especially unsecured ones. To summarize:

  • Delete unused WiFis from your phone.
  • Use a common SSID for your WiFi at home.
  • Turn WiFi off whenever you don't need it.

Of course you will still be trackable by your mobile provider, but not by some company that tracks users not only in a certain store but across the many stores you visit.

Conclusion

So MAC randomization is good, but it could be better. If your iPhone already knows a WiFi, it will connect to it. In my case it's always the university WiFi. Some of you know eduroam? It's practically everywhere. And now I know why so many fast food restaurants, Swedish furniture stores, coffee shops etc. offer free WiFi: your iPhone will connect to it, and the owner will know when and how often you visit the store.