Finding Solutions to Randomized Wi-Fi MAC Addresses

Luther Smith
Director, Wireless Technology

Oct 5, 2021

As Wi-Fi device and OS vendors move to implement Randomized and Changing MAC Address (RCM) to reduce or eliminate the ability to track users and their devices, related functionality costs on the Wi-Fi industry are emerging. This blog will discuss how the industry is enhancing users’ privacy while working to maintain legitimate functions that require a stable means of device identification. It will wrap up by discussing the effects of RCM on beneficial tools and industry efforts to address those impacts through innovation and new technology development.

Functionality Impacts of Wi-Fi MAC Randomization

As privacy has become an increasing priority, addressing unwanted tracking of individuals and devices has become central to enhanced privacy efforts. Device and OS vendors have started to implement RCM to negate this tracking risk for consumers. This shift was previously discussed in an earlier CableLabs blog post titled “MAC Address Randomization: How User Privacy Impacts Wi-Fi And Internet Service Providers.” 

When a user’s device is on a Wi-Fi network, the Wi-Fi MAC address is used as part of the transport protocol. Anyone with a Wi-Fi sniffer can identify the specific device and associate it with the user as he or she moves about (e.g., entering and leaving an area). At that point, the malicious entity can use the Wi-Fi MAC address to track the user at future locations based on previously correlating the user’s device to the user. RCM randomizes the MAC address, disabling the correlation between the device and the user because the same MAC address isn’t repeatedly used.

RCM implementations differ based on the device and OS vendor; these range from Wi-Fi sessions, time periods and associated SSIDs (network names), to name a few. Although RCM can help reduce and even potentially eliminate the ability of a third party to track a user, the capability comes at a cost. RCM impairs legitimate functions, features and services that rely on a static, non-randomized MAC address to identify that device. Several examples of functions hindered by RCM include captive portal authorization, parental controls, allow/deny access lists and lawful intercept.

The Wi-Fi Industry’s Solutions

Because of the impairments to legitimate functions that occur based on RCM, the Wi-Fi industry is working to develop alternative methods of identifying devices without exposing the device identity and creating the risk that a user might be tracked. The first step in this process is identifying use cases in which the device identity needs to be known for legitimate purposes. Several Wi-Fi industry organizations—including Institute of Electrical and Electronics Engineers (IEEE), Internet Engineering Task Force (IETF) and Wireless Broadband Alliance (WBA)—are working on identifying and detailing these use cases.

Although each organization is working independently, each also recognizes that cooperation and information exchange are critical to addressing the issue in a timely and unified manner. CableLabs is leading the effort and actively contributing across several organizations to ensure that consumers are protected while functions important to broadband network operators continue to operate. Through the collective support of a Wi-Fi industry composed of operators, device and OS vendors, and other vendors, innovative solutions are being explored and specified to ensure that a balanced solution emerges.

Get Involved

Some vendors are already considering device-identification solutions that don’t require a static MAC address and allow privacy risks to be mitigated without breaking key functionalities. One promising approach, known as fingerprinting, develops a unique device signature through evaluating radio frequency and traffic characterization. Similar solutions are being investigated to identify the presence of individual devices necessary for legitimate features to operate. However, even with these solutions, some may still allow a third party to identify and correlate devices to users, enabling the devices and users to be tracked.

The industry still needs a secure method of identifying devices without hobbling features, functions and services that depend on a static Wi-Fi MAC address while protecting data privacy concerns. To get involved in defining use cases and helping to create the right solution(s), you can join one (or more) of the industry organizations that are addressing RCM.

For more information, please contact Luther Smith (l.smith@cablelabs.com).