
Mathy Vanhoef, PhD

Postdoctoral Researcher in Computer Security at NYU Abu Dhabi / KU Leuven - @vanhoefm


Monday, 7 March 2016

How MAC Address Randomization Works on Windows 10

When Apple announced its devices would use random MAC addresses when searching for Wi-Fi networks, it received extensive media attention. And rightly so. It prevents companies from tracking your movements, and Apple was the first major player to start doing this. Windows and Android are quietly trying to catch up. As a result, some devices running Windows now support MAC address randomization, and we will discuss how it's implemented, and where it fails. This information is a small selection from the recent paper Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms.

Update: we have contacted Microsoft, and they are in the process of addressing the vulnerabilities we discovered.

How it works

Microsoft first added support for MAC address randomization in Windows 10. Unfortunately, it's only available if you have a WiFi card and driver that support it. For example, the Intel 7265 AC, when using the latest driver, supports randomization [1]. You can see if your hardware supports MAC address randomization by going through the following menus:

If your hardware supports MAC address randomization, you will see the following option at the top of the window:
As you can see, I have it enabled on my laptop. So far it's been working quite well. What's very interesting about Microsoft's approach is that it also uses random MAC addresses when connecting to wireless networks. In contrast, Apple only uses random addresses when searching for nearby networks, and it falls back to its original address when connecting to a network. In this aspect Windows 10 offers better privacy than Apple.

Using a random MAC address to connect to a network can cause problems if users are authenticated (i.e., recognized) based on their MAC address [2]. Interestingly, Windows avoids this issue by always using the same random address every time it connects to a specific network. For example, let's say you want to pay for Wi-Fi access, and they authenticate you based on your MAC address. Then this is not a problem. The first time you connect, Windows will generate a random MAC address. And if you reconnect to this network at a later point in time, Windows will reuse the previously generated address. Therefore the system can still recognize you, and you don't have to pay twice. There's one downside to this approach: since you always use the same address when connecting to a particular network, an adversary can learn when certain devices connect to specific networks. Nevertheless, compared to the old situation where you'd always use the original MAC address, it improves your privacy.

Technically, the random MAC address that is used to connect to a network is calculated as [5]:

address = SHA-256(SSID, real MAC address, connectionId, secret)[:6]

Here SSID is the name of the network you are connecting to, real MAC address the original address of your network interface, and connectionId is a value that changes every time the user removes (and re-adds) the network (i.e., this value is updated if you "forget" the network under Windows 10). The secret parameter is a 256-bit cryptographic random number, generated during system initialization, and kept the same across reboots. Every interface has a different value of the secret parameter, to ensure that each interface gets a different random MAC address. Finally, bits in the most significant byte of address are set so it becomes a locally administered, unicast address. While the presentation by Huitema partly described this process, our paper is the first to describe this formula in full detail.
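To make the properties of this formula concrete, here is an added example (not Microsoft's code, nor code from the paper) that follows the derivation above and shows that reconnecting yields the same address while "forgetting" the network or changing SSID yields a new one. The byte layout of the hash input (field order as in the post, with an assumed length prefix for the SSID and a 4-byte connectionId) and the sample secret are assumptions.

```python
import hashlib

# Follows address = SHA-256(SSID, real MAC address, connectionId, secret)[:6]
# from the post. The serialization of the four fields is an ASSUMPTION; the real
# implementation may encode or order them differently.

LOCALLY_ADMINISTERED = 0x02  # bit 1 of the first byte: locally administered
MULTICAST = 0x01             # bit 0 of the first byte: group (multicast) address


def derive_random_mac(ssid: str, real_mac: str, connection_id: int, secret: bytes) -> str:
    """Return the per-network random MAC address as 'aa:bb:cc:dd:ee:ff'."""
    if len(secret) != 32:
        raise ValueError("secret must be the 256-bit per-interface random value")
    real_mac_bytes = bytes.fromhex(real_mac.replace(":", ""))
    if len(real_mac_bytes) != 6:
        raise ValueError("real MAC address must be 6 bytes")
    h = hashlib.sha256()
    ssid_bytes = ssid.encode()
    h.update(len(ssid_bytes).to_bytes(1, "big") + ssid_bytes)  # assumed length prefix
    h.update(real_mac_bytes)
    h.update(connection_id.to_bytes(4, "big"))                  # assumed 4-byte encoding
    h.update(secret)
    addr = bytearray(h.digest()[:6])
    # Force a locally administered, unicast address, as the post describes.
    addr[0] = (addr[0] | LOCALLY_ADMINISTERED) & ~MULTICAST & 0xFF
    return ":".join(f"{b:02x}" for b in addr)


def is_locally_administered_unicast(mac: str) -> bool:
    """Check the two flag bits of the first byte of a MAC address."""
    first = int(mac.split(":")[0], 16)
    return bool(first & LOCALLY_ADMINISTERED) and not (first & MULTICAST)


if __name__ == "__main__":
    # Constructed sample values; the real secret comes from the OS CSPRNG.
    secret = bytes(range(32))
    real = "7c:5c:f8:00:00:01"
    a1 = derive_random_mac("CoffeeShop", real, 1, secret)
    a2 = derive_random_mac("CoffeeShop", real, 1, secret)  # reconnect: same address
    a3 = derive_random_mac("CoffeeShop", real, 2, secret)  # after "forget": new address
    a4 = derive_random_mac("Airport", real, 1, secret)     # other network: other address
    print(a1, a1 == a2, a1 != a3, a1 != a4, is_locally_administered_unicast(a1))
```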

It's also possible to disable randomization for certain networks. In this case Windows will use the original
address when connecting to a network. You can configure this through the following settings when you
are currently connected to the network:

Notice that the user has three options for each specific network:

On: the same random MAC address is always used when connecting to this network.

Off: the original MAC address is used.

Change daily: every day a new random MAC address is used.

Note that if randomization is enabled, independent of the above options, Windows 10 will always use random MAC addresses when scanning for nearby networks. This "scanning" address changes every time you connect to (and disconnect from) a network, and when you restart your device [3]. Hence it doesn't change that frequently, but it's still sufficient to prevent tracking over extended periods of time. In contrast, Apple changes the scanning address roughly every few minutes, which provides more privacy.

Basic Security Analysis

Randomization as implemented in Windows 10 significantly improves your privacy. So enable it!
Unfortunately, it's not perfect, because there are still some ways to defeat or bypass it.

The first weakness is that the sequence number contained in WiFi frames is not reset when changing the (random) MAC address. This sequence number, which is present in most Wi-Fi frames, is used to detect retransmissions, and is incremented by one after successfully transmitting a frame. As shown in the picture below, when the MAC address changes because the user connects to a network, the sequence counter is not reset:

The last frame from ea:69:0a:* has the sequence number of 92, and the other address 7c:5c:f8:* has the
sequence number 94. Based on this an adversary can reasonably conclude that both frames are sent by
the same device. In other words, he learns that the same device was using both addresses, defeating
the purpose of address randomization.
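As an added example (not from the post or the paper), the check below audits a capture of your own device for exactly this weakness: it flags every change of transmitter address where the 12-bit 802.11 sequence counter simply carries on, which is what the screenshot described above shows, and confirms that a counter reset on address change would remove the link. The frame list is constructed (address suffixes and the MAX_GAP tolerance are assumptions); in a real capture the values come from the Address 2 and Sequence Control fields.

```python
from typing import List, Tuple

SEQ_MODULO = 4096   # the 802.11 sequence number is a 12-bit counter
MAX_GAP = 8         # assumed tolerance for frames the sniffer missed


def seq_gap(prev: int, cur: int) -> int:
    """Forward distance from prev to cur on the wrapping 12-bit counter."""
    return (cur - prev) % SEQ_MODULO


def find_linked_addresses(frames: List[Tuple[str, int]]) -> List[Tuple[str, str, int]]:
    """Return (old_mac, new_mac, gap) for each address change where the counter
    continues within MAX_GAP, i.e. the two addresses are linkable to one device.
    Two unrelated devices with nearby counters can produce a false positive."""
    linked = []
    for (prev_mac, prev_seq), (mac, seq) in zip(frames, frames[1:]):
        if mac == prev_mac:
            continue
        gap = seq_gap(prev_seq, seq)
        if gap <= MAX_GAP:  # gap 0 would be a retransmission under the new address
            linked.append((prev_mac, mac, gap))
    return linked


def counter_reset_on_change(frames: List[Tuple[str, int]]) -> bool:
    """True when no address change is linkable through the sequence counter."""
    return not find_linked_addresses(frames)


# Constructed capture modelled on the post: the scanning address ea:69:0a:* ends
# at sequence number 92 and the connection address 7c:5c:f8:* continues at 94.
SAMPLE_LEAK = [("ea:69:0a:11:22:33", 90), ("ea:69:0a:11:22:33", 91),
               ("ea:69:0a:11:22:33", 92), ("7c:5c:f8:44:55:66", 94),
               ("7c:5c:f8:44:55:66", 95)]
# Same device, but with the counter reset to 0 when the address changes.
SAMPLE_RESET = [("ea:69:0a:11:22:33", 92), ("7c:5c:f8:44:55:66", 0),
                ("7c:5c:f8:44:55:66", 1)]

if __name__ == "__main__":
    print(find_linked_addresses(SAMPLE_LEAK))   # [('ea:69:0a:11:22:33', '7c:5c:f8:44:55:66', 2)]
    print(counter_reset_on_change(SAMPLE_RESET))  # True
```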

The second problem is that Windows 10 reveals its real MAC address when interacting with Hotspot 2.0
networks. But what's Hotspot 2.0? Simply put, Hotspot 2.0 is a new standard to automatically and
securely roam between WiFi networks. No manual interaction is needed. Your device automatically
determines whether you have the appropriate credentials (passwords) to connect to a network. Think of
this like the cellular network: when you get off the plane, your phone automatically finds and connects to
a foreign cellular network. Hotspot 2.0 provides a similar experience for WiFi.

In order to accomplish automatic roaming, Hotspot 2.0 sends ANQP queries to the Access Point before
connecting to it. These ANQP queries request detailed information about the wireless network. This
information includes the credentials that are needed to connect with the hotspot, whether the hotspot
provides internet access or only local network access, etc. Unfortunately, Windows 10 sends these
ANQP queries using the real (original) MAC address:

In the first probe request it uses the random MAC address 2a:b3:e6:*. These probe requests are used to
detect the presence of networks. If there's a Hotspot 2.0 network nearby, Windows will send ANQP
requests using the real MAC address, in this case 7c:5c:f8:*. Therefore an attacker can obtain your
real MAC address by advertising a Hotspot 2.0 network. Thankfully, Windows 10 only sends ANQP queries if at least one Hotspot 2.0 network is configured. Since this standard is not yet widely deployed, few users will have such a network configured [4].

Detailed Security Analysis

Want to know all flaws that are present in existing implementations of MAC address randomization, specifically for Android, Apple, Linux, and Windows? Then read my paper Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms [5]! It has everything explained in technical detail.

References and Footnotes

[1] If you have an Intel 7260 AC, you can also force Windows 10 to use the drivers of the Intel 7265 AC.
Your device will still work, and will support MAC address randomization.
[2] Even though authentication based on the MAC address is utterly insecure (an adversary can easily
spoof a MAC address), it's still used by many systems.
[3] C. Huitema. Personal communication, Nov. 2015.
[4] One notable exception is the Passpoint configuration provided by Boingo. Essentially, Passpoint is a synonym for Hotspot 2.0. If you have this configuration installed, you have a Hotspot 2.0 capable device, and the Boingo configuration will use Hotspot 2.0. This means Windows will send ANQP queries to nearby Hotspot 2.0 networks.
[5] M. Vanhoef, C. Matte, M. Cunche, L. S. Cardoso, and F. Piessens. Why MAC Address
Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms (AsiaCCS 2016).

Posted by Mathy at 20:21

Labels: mobile, privacy, randomize mac address, wireless
