The media access control (MAC) address is a unique 48-bit identifier assigned to a network interface, such as a Wi-Fi radio, by its manufacturer. These addresses are Layer 2 (L2) addresses used by most IEEE 802 network technologies to identify the source and destination of frames. The address is written as a string of hexadecimal digits that identifies the device on a network and allows it to communicate with other devices. Unlike IP addresses, MAC addresses do not change when a device moves from one network to another. Because the MAC address is ubiquitous, it is widely used for purposes such as security, access control, and billing. Other uses include:
- MAC-based access control to admit or deny wireless association based on the connecting device's MAC address. This includes authentication methods that use the MAC address in lieu of a username and password, Pay Per Use (PPU) passes, and short-term complimentary services.
- Some accounting and billing systems use the MAC address as a unique device identifier.
- MAC address filtering is often used to add an extra layer of protection on the network (through allow lists or block lists) and to enforce policies such as parental controls.
- Lawful interception makes use of MAC addresses.
In 2013, the privacy implications of probe requests (the frames a device broadcasts, often naming the networks it already knows, while scanning for access points) started to become widely publicized. Several companies were reported to be logging and tracking the addresses of nearby devices that were not associated with any network. Customers were not always notified up front that their movements would be tracked, and the historic location data was, in turn, used for marketing purposes. These concerns led to MAC address randomization as a way to increase device anonymity. Most operating systems (including Android, iOS, and Windows) have since implemented variations of MAC address randomization.
Most operating systems use randomized MAC addresses only when scanning for access points and SSIDs (that is, in probe requests), and still use a consistent, genuine MAC address once they connect to a network. The network functions that depend on that stable address have come under greater pressure with the announcement that iOS 14 will rotate the MAC address of a device every twenty four hours. When a device is migrated from iOS 13 to iOS 14, remembered WPA2 networks are not set to use randomized addresses, but new networks are set to randomize going forward in an effort to increase the device user's privacy and security.
MAC spoofing, in which a device substitutes an arbitrary or randomized address for its own and thereby obscures the identity of the network user, is a concern for network providers because it may allow an imposter onto a network that the network is unable to recognize. For the privacy conscious, though, MAC spoofing is a way to maintain anonymity when connecting to a network, for whatever reason.
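A defender-side check for the randomized and spoofed addresses described above, as an added Python example that is not from the page: it uses the IEEE "locally administered" bit (bit 1 of the first octet), which OS randomization and manual spoofing both set, to classify the client addresses in an association log. The log format, addresses and SSID are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed association-log lines (not from the page); the format is hypothetical.
SAMPLE_LOG = """\
2024-05-01T08:00:01 assoc ssid=GuestWiFi client=00:11:22:33:44:55
2024-05-01T08:00:07 assoc ssid=GuestWiFi client=DA:A1:19:07:BC:01
2024-05-01T08:01:15 assoc ssid=GuestWiFi client=01:00:5e:00:00:fb
2024-05-01T08:02:40 assoc ssid=GuestWiFi client=5e:9a:d1:44:0e:77
2024-05-01T08:03:02 assoc ssid=GuestWiFi client=not-a-mac
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def classify_mac(mac: str) -> str:
    """Classify a MAC address by the two flag bits of its first octet.

    bit 0 (I/G): 1 = group/multicast address, never a client.
    bit 1 (U/L): 1 = locally administered. OS randomization (Android, iOS,
    Windows) sets this bit, but so does manual spoofing or a VM, so the
    label is "locally-administered", not "randomized".
    """
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        return "invalid"
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:
        return "multicast"
    if first_octet & 0x02:
        return "locally-administered"
    return "universal"  # manufacturer-assigned OUI; stable across networks


def summarize_log(log: str) -> Dict[str, List[str]]:
    """Group client addresses in an association log by classification, so a
    billing or access-control system can see which clients cannot be keyed
    on a stable MAC address."""
    groups: Dict[str, List[str]] = {}
    for line in log.splitlines():
        match = re.search(r"client=(\S+)", line)
        if not match:
            continue
        mac = match.group(1).lower()
        groups.setdefault(classify_mac(mac), []).append(mac)
    return groups


if __name__ == "__main__":
    for label, macs in summarize_log(SAMPLE_LOG).items():
        print(f"{label}: {macs}")
```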
To identify devices on a network where MAC addresses are randomized or spoofed, a network may have to rely on other device tracking and identification techniques. For example, MAC address spoofing is not effective against tracking techniques that inspect the physical characteristics of a device, such as the unique characteristics of its Wi-Fi card. However, any viable solution for understanding who is on a network while preserving the user's privacy could require manufacturers or device users to modify the drivers or firmware of hardware products to provide privacy-preserving mitigations.
Another proposed method of identifying a device on a network, developed by LEVL Technologies, is the company's LEVL-ID, which would replace the device's MAC address as the identifier. This is intended to give service providers a way to restore network reliability in the face of MAC randomization. The LEVL-ID is derived from the network, the device's radio waves, and device behavior; it is not stored on the device and is not supposed to rely on any user data. LEVL says the ID is site- and network-specific and works to preserve the device user's privacy. Because the ID is zero touch, does not rely on user data or PII, and is not stored on the device, LEVL suggests it cannot be read by applications on the device or compromised by other third-party observers.
Similar to LEVL Technologies, CUJO AI uses artificial intelligence and machine learning to de-randomize devices and merge the historical usage records of those devices. In this way, CUJO AI is able to identify and classify 75 percent of devices on a network in under five minutes, and the figure reaches 92 percent within the next twenty four hours. Part of CUJO AI's intelligence product suite is Explorer's Device, a MAC-agnostic solution that uses a dozen unique identifiers to classify over 50,00 device models. CUJO AI says the company uses machine learning to identify device types but does not track particular devices. These capabilities allow network service providers (NSPs) to keep offering services that previously depended on a stable MAC address. The NSPs are provided with content classification, aggregated network data, and a real-time API for network monitoring and security data.
Developed by a research team from the University of Wisconsin at Madison and Rutgers University, the PARADIS technique identifies the source network interface card (NIC) of an IEEE 802.11 frame through passive radio-frequency analysis. The technique relies on minute imperfections in transmitter hardware acquired during manufacturing, which give otherwise identical NICs unique identities that manifest as artifacts in the emitted signals. PARADIS distinguishes these artifacts in individual wireless frames in the modulation domain, applies a machine-learning classifier to raise NIC identification accuracy, and can thus identify unique devices and users without relying on a MAC address or any other identifier that could be randomized or spoofed.
Jon Ellch proposed, in a research project, a method based on the duration field of 802.11's virtual carrier sense mechanism, the field a transmitter uses to reserve the wireless medium for a specified amount of time. The identification relies on each driver and chipset combination filling in characteristic duration values. A shortcoming of the method is that an imposter using the same driver and chipset can be impossible to tell apart from a genuine device.
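The duration-value signature described above, as an added Python example that is not Ellch's code: it builds a per-station signature from constructed frame records, matches it against a constructed, hypothetical catalog of driver/chipset behaviours, and shows why two stations with the same driver and chipset cannot be told apart. Addresses, durations and catalog labels are all constructed.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Tuple

# One observed frame: (source MAC, frame subtype, duration field in microseconds).
Frame = Tuple[str, str, int]
Signature = FrozenSet[Tuple[str, int]]

# Constructed capture (not from the page); addresses and values are illustrative.
FRAMES: List[Frame] = [
    ("02:00:00:00:00:01", "data", 44), ("02:00:00:00:00:01", "qos-data", 60),
    ("02:00:00:00:00:01", "probe-req", 0), ("02:00:00:00:00:01", "data", 44),
    ("02:00:00:00:00:02", "data", 48), ("02:00:00:00:00:02", "qos-data", 48),
    ("02:00:00:00:00:02", "probe-req", 0),
    ("02:00:00:00:00:03", "data", 44), ("02:00:00:00:00:03", "qos-data", 60),
    ("02:00:00:00:00:03", "probe-req", 0),
    ("02:00:00:00:00:04", "probe-req", 0),
]

# Constructed reference catalog: the duration values a driver/chipset pair is
# known to use per frame subtype. The labels are hypothetical placeholders.
CATALOG: Dict[str, Signature] = {
    "driver-A/chipset-X": frozenset({("data", 44), ("qos-data", 60), ("probe-req", 0)}),
    "driver-B/chipset-Y": frozenset({("data", 48), ("qos-data", 48), ("probe-req", 0)}),
}


def build_signatures(frames: Iterable[Frame]) -> Dict[str, Signature]:
    """Collect, per source address, the set of (subtype, duration) pairs seen."""
    seen: Dict[str, set] = defaultdict(set)
    for src, subtype, duration in frames:
        seen[src].add((subtype, duration))
    return {src: frozenset(pairs) for src, pairs in seen.items()}


def identify(sig: Signature) -> List[str]:
    """Return every catalog entry consistent with what was observed. A partial
    capture (few subtypes seen) yields several candidates; an empty list means
    the behaviour matches no known driver/chipset pair."""
    return sorted(label for label, ref in CATALOG.items() if sig and sig <= ref)


def indistinguishable(sigs: Dict[str, Signature], a: str, b: str) -> bool:
    """The shortcoming noted above: two stations with the same driver and
    chipset produce identical duration behaviour and cannot be told apart."""
    return sigs[a] == sigs[b]
```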
A different method, proposed by Hall, Barbeau, and Kranakis, achieves unique identification by looking past the MAC layer and fingerprinting devices by the characteristics of their radio transmissions. The theory behind the method is that even devices sharing the same chipset and driver combination have small variations in their transceiver circuitry that fall within manufacturing tolerance, so no two devices will have the same fingerprint. This would make it possible to track RSSI averages rather than MAC addresses to identify devices.
Another way of detecting and tracking devices on a network, or across multiple networks, is device fingerprinting, which combines certain attributes of a device to identify it uniquely. The information used in device fingerprinting includes:
- IP address
- HTTP request headers
- User agent string
- Installed plugins
- Client time zone
- Information about the client device: this can include screen resolution, touch support, operating system, and language settings
- Flash data provided by a Flash plugin
- List of installed fonts
- List of MIME types
- Timestamp
Providers of device fingerprinting services combine these data points and assign a unique fingerprint ID to the device and its user. When used with other identifiers, the accuracy of tracking and attribution can be greatly improved. The method is computationally intensive, but for companies using device fingerprinting the advantage often outweighs the cost, especially as device fingerprinting is almost impossible to block.
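How a fingerprint ID is derived from the attributes listed above, as an added Python example that is not any vendor's code: the stable attributes are canonicalized and hashed, the volatile ones (IP address, timestamp) are kept out of the hash, and a similarity score shows how two visits can still be linked after one attribute drifts. The visit records are constructed.

```python
import hashlib
import json
from typing import Any, Dict

# Attributes that change between visits without the device changing; they are
# left out of the ID and used only as corroborating signals.
VOLATILE = {"ip", "timestamp"}


def _normalize(value: Any) -> Any:
    """Order-insensitive form for list-valued attributes (plugins, fonts, MIME types)."""
    return sorted(value) if isinstance(value, list) else value


def fingerprint_id(attrs: Dict[str, Any]) -> str:
    """Hash the stable attributes into a fingerprint ID. The same device gets
    the same ID on every visit even when its IP address or session changes."""
    stable = {k: _normalize(v) for k, v in attrs.items() if k not in VOLATILE}
    canonical = json.dumps(stable, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def similarity(a: Dict[str, Any], b: Dict[str, Any]) -> float:
    """Fraction of stable attributes two visits share. Trackers use this to
    re-link a device whose exact ID changed because one attribute drifted."""
    keys = (set(a) | set(b)) - VOLATILE
    same = sum(1 for k in keys if _normalize(a.get(k)) == _normalize(b.get(k)))
    return same / len(keys) if keys else 0.0


# Constructed visits (not from the page). VISIT_2 is the same device behind a
# different IP address; VISIT_3 is the same device after installing a font.
BASE = {
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0",
    "accept_language": "en-US,en;q=0.9",
    "timezone": "America/New_York",
    "screen": "1920x1080",
    "touch": False,
    "os": "Linux",
    "plugins": ["PDF Viewer"],
    "fonts": ["Arial", "DejaVu Sans"],
    "mime_types": ["application/pdf"],
}
VISIT_1 = dict(BASE, ip="203.0.113.10", timestamp=1700000000)
VISIT_2 = dict(BASE, ip="198.51.100.7", timestamp=1700003600)
VISIT_3 = dict(BASE, ip="198.51.100.7", timestamp=1700007200,
               fonts=["DejaVu Sans", "Arial", "Noto Sans"])
```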
Device fingerprinting uses
Largely because it is almost impossible to block or avoid, device fingerprinting has raised privacy and security concerns, especially since most of the information used for fingerprinting is basic information a website needs to load a page properly in a browser. Device fingerprinting was developed by the advertising community as an alternative to cookies as cookies, and the information collected through them, came under increased scrutiny. Browser vendors such as Apple, Google, and Mozilla have also announced that they will limit fingerprinting within their respective browsers.
Unlike cookies, which have been challenged under the GDPR's privacy rules along with other device and user-identity tracking methods, device fingerprinting seems in many ways exempt from GDPR privacy law, since the practice collects data about a user's device rather than the user's personal information. The exemption stems from Article 4 of the GDPR, which disallows collecting personal information relating to an identified or identifiable natural person, including through online identifiers, without the user's knowledge or consent.
Often part of device fingerprinting, and sometimes separate from it, is a tracking technique capable of identifying individual users based on their browser and device settings. Once assembled, such a digital fingerprint remains persistently accurate. And with recent developments in cross-browser fingerprinting, the technique can identify users 99 percent of the time, regardless of whether the user is masking their IP address or MAC address.