MAC Randomization

Introduction

Apple and Google have introduced new functionality that changes the way devices join Wifi networks, starting with the release of Android 10 and iOS 14. With this change, by default, when a device connects to a new Wifi network a random MAC address is generated automatically; this randomized address, not the device's real hardware address, is the one visible on the network. In more detail:

  • On Android 10, the option "Use random MAC address" is enabled by default, although it is possible to select "Use device MAC address" instead. This operating system uses a different random MAC per network, and that address does not change by default. More information can be found at: https://source.android.com/devices/tech/connect/wifi-mac-randomization

  • On Apple iOS 14, iPadOS 14 and watchOS 7, the "Private address" option is likewise active by default and is configurable per network. These operating systems use a random MAC per network, but also rotate it every 24 hours for each network (as long as you are not active on that network). More info: https://support.apple.com/en-us/HT211227

Other operating systems such as Windows 10 and macOS offer the option, but it is not enabled by default:

| Operating System | MAC Randomization Support | Enabled by default | Enabled per SSID | Daily MAC Randomization |
|---|---|---|---|---|
| Windows 10 | Yes | Yes | Yes | Optional |
| iOS 14 / iPadOS 14 / watchOS 7 | Yes | Yes | Yes | No |
| Android 10+ | Yes | Yes | Yes | Optional (Android 11) |
| macOS | No (as of 9/20) | No | No | No |

This has important implications for Wifi networks, both legal and technical, and those implications are what this paper discusses.

Data Conservation Law Compliance

The Octopus Wifi Platform makes it possible to configure multiple access methods in the captive portal for validating the Wifi service. For each of these methods, at least one unique user identifier is defined so that user connections remain traceable, which is how the platform complies with the regulation "Law 25/2007 of 18 October on the conservation of data relating to electronic communications and public communications networks".

Below is a table of the different access methods and the identifier associated with each.

| Access Method | ID |
|---|---|
| User Registration | Mail |
| Facebook | Social network ID |
| Twitter | Social network ID |
| Google+ | Social network ID |
| LinkedIn | Social network ID |
| Instagram | Social network ID |
| Voucher | Ticket issuance ID |
| PMS | Room number |
| SMS | Telephone number |
| Click-through | Device MAC |
| Payment | Mail |
| External user account | User account |
| Special Integrations (APPs) | Database ID |

Because of the new operating system versions released by Google and Apple to protect user privacy, access through Accept Terms or Click-through is clearly affected: the only identifier this method records is the device MAC, so if the user has random MAC enabled on the device for the Wifi network, the connections would be left without reliable, real identification.

MAC Authentication

This random MAC measure adopted in the new operating system versions also affects MAC Authentication validation on RADIUS servers, on which the MAC Caching functionality offered by Octopus Wifi is based.

On a technical level, Android 10 devices pose little problem, since the random MAC does not change within the same network or SSID, so the connection is effectively cached and users are validated automatically without going through the captive portal. However, iOS 14 rotates this random MAC daily, so the connection is effectively cached for only a day at a time.
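The two points above, the unreliable Click-through identifier and the MAC Caching behaviour, can both be checked on the network side. The following Python is an added example, not code from the Blue Octopus article or the Octopus Wifi Platform: it classifies a client MAC as burned-in or randomized using the locally administered bit that Android 10 and iOS 14 set on their random addresses, and then simulates MAC Caching for a client whose MAC is stable per SSID (the Android 10 behaviour described above) versus one that rotates daily (the iOS 14 behaviour described above). The cache TTL, the `MacCache` class and all sample MAC addresses are constructed assumptions for the demo.

```python
"""Added example (not from the article): randomized-MAC detection and a
MAC Caching simulation. Cache TTL and all sample MACs are constructed."""
import re
from dataclasses import dataclass, field


def normalize_mac(mac: str) -> str:
    """Accept 'aa:bb:..', 'AA-BB-..' or 'aabb..' and return lower-case colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def classify_mac(mac: str) -> str:
    """Return 'multicast', 'randomized' (locally administered unicast) or 'burned-in'.

    Randomized addresses from Android 10 and iOS 14 set the locally
    administered (U/L) bit, bit 1 of the first octet, so the second hex
    digit of the address is 2, 6, A or E.
    """
    first_octet = int(normalize_mac(mac)[:2], 16)
    if first_octet & 0x01:
        return "multicast"
    if first_octet & 0x02:
        return "randomized"
    return "burned-in"


def click_through_is_traceable(mac: str) -> bool:
    """Click-through keeps only the device MAC as user ID (see the table above);
    that record identifies the device only if the MAC is the burned-in one."""
    return classify_mac(mac) == "burned-in"


@dataclass
class MacCache:
    """Minimal stand-in (assumed, not the real Octopus Wifi implementation) for
    MAC Caching on a RADIUS server: MAC -> (user_id, time validated)."""
    ttl_seconds: int
    entries: dict = field(default_factory=dict)

    def remember(self, mac: str, user_id: str, now: int) -> None:
        self.entries[normalize_mac(mac)] = (user_id, now)

    def lookup(self, mac: str, now: int):
        entry = self.entries.get(normalize_mac(mac))
        if entry is None:
            return None
        user_id, seen_at = entry
        return user_id if now - seen_at <= self.ttl_seconds else None


def simulate_daily_connections(cache: MacCache, macs_per_day, user_id: str) -> int:
    """Connect once per day with the given MACs; return how many days the user
    had to go through the captive portal (cache miss) instead of being
    validated automatically (cache hit)."""
    portal_visits = 0
    for day, mac in enumerate(macs_per_day):
        now = day * 86400
        if cache.lookup(mac, now) is None:
            portal_visits += 1
            cache.remember(mac, user_id, now)
    return portal_visits


# Constructed sample data (not real devices): an Android 10 client keeps one
# randomized MAC for the SSID; an iOS 14 client presents a new one each day.
ANDROID_MACS = ["da:a1:19:00:00:01"] * 5
IOS_MACS = ["26:4f:00:00:00:01", "3a:4f:00:00:00:02", "5e:4f:00:00:00:03",
            "72:4f:00:00:00:04", "b2:4f:00:00:00:05"]
CACHE_TTL = 30 * 86400  # assumed 30-day MAC Caching window for the demo


def run_demo() -> dict:
    android = simulate_daily_connections(MacCache(CACHE_TTL), ANDROID_MACS, "android-user")
    ios = simulate_daily_connections(MacCache(CACHE_TTL), IOS_MACS, "ios-user")
    return {
        "android_portal_visits": android,  # 1: cached after the first day
        "ios_portal_visits": ios,          # 5: a new MAC every day, never cached
        "ios_click_through_traceable": click_through_is_traceable(IOS_MACS[0]),  # False
    }


if __name__ == "__main__":
    for sample in ("00:1a:2b:3c:4d:5e", "DA-A1-19-00-00-01", "01:00:5e:00:00:fb"):
        print(f"{sample:20} -> {classify_mac(sample)}")
    print(run_demo())
```

The U/L-bit check is a useful triage signal for captive-portal logs: a high share of "randomized" client addresses on a Click-through SSID means the stored "Device MAC" identifiers are not tied to a physical device, which is exactly the traceability gap the section above describes. The simulation shows why the same MAC Caching window behaves so differently for the two platforms: the cache is keyed by MAC, so a daily rotation produces a fresh miss every day regardless of how long the TTL is.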

Recommendations to be implemented

Blue Octopus recommends adopting a series of measures in the access configuration of the captive portals used for Wifi Guest access:

  • Avoid the "Accept Conditions" or "Click-through" validation method, since on the affected devices the connections will not carry a reliable user identification. Instead, use other self-service access methods that leave some other type of user information, such as access via form (with or without pre-registration), social networks, vouchers/tickets, etc.

  • As far as possible, avoid using the same ticket for large groups without identifying users individually. Also promote the use of sponsored access, user accounts, etc.

  • For accesses configured with MAC Caching, especially corporate or very recurrent connections, inform users with iOS 14 that they should disable the random MAC functionality for the network of interest; otherwise the network access credentials must be entered daily.
