Random MAC Addresses for Better Wi-Fi Security and Privacy
Internet privacy is becoming a large concern as more and more devices are connected, directly or indirectly, to the Internet. Recently, the IETF and IEEE 802 announced the successful completion of three experimental mobile privacy trials, and an InterDigital engineer was a key part of them.
The IEEE 802 Privacy Executive Committee Study Group identified privacy issues related to the use of globally unique media access control (MAC) addresses in over-the-air communications like Wi-Fi, and the risk that long-lived identifiers such as MAC addresses expose users to unauthorized tracking. Juan Carlos Zuniga, Principal Engineer at InterDigital’s Montreal R&D center, serves as chair of the study group, which proposed a solution to this privacy issue and embarked on experiments to study the implications of the solution. Earlier this week, Juan Carlos gave interviews to several wireless tech media outlets on the group’s work and its recommendations for better security and privacy.
The concern is that MAC addresses can expose users to unauthorized tracking. Because the identifier is unique and is transmitted without encryption, it is easy to link the identifier to the user. “So you can identify the walking path, where they work, where they live, what their likely income is, what their age range is, in a scarily easy way,” Juan Carlos told CSO’s Maria Korolov. The IEEE study group proposed updating the Wi-Fi protocol to use randomly generated MAC addresses to increase security and privacy. Juan Carlos told Maria that he hopes to see his group’s recommendations incorporated in the next version of the 802.11 standard.
In the FierceWirelessTech article, “IEEE Study Group Recommends Improvements in Wi-Fi Security,” Juan Carlos explains that while the recommendation for randomized MAC addresses seems straightforward, there are still implications for commercial and enterprise networks. For example, a hotel may tie the identifier to an account so that the system can track that a guest has paid for their 24-hour Wi-Fi service. If the identifier is changed, the system may try to charge the guest again. Juan Carlos clarifies that the IEEE group would want to keep those types of things from happening.