An iPhone is seen on display at a kiosk at an Apple reseller store in Mumbai: Photo: Reuters

With the release of iOS 14, Apple is following Google’s lead and turning on MAC address randomization by default. What is this? Why was it done? And what is the impact (both positive and negative)?

MAC addresses used for tracking 

A MAC (media access control) address is a network address assigned to a physical network interface rather than to a machine as a whole: an Ethernet port, a Wi-Fi radio and a Bluetooth radio each have their own. They are 48 bits in length (6 bytes) and are usually written as six pairs of hexadecimal digits (such as 00:0a:95:9d:68:16).

The numbers themselves are administered by the IEEE (Institute of Electrical and Electronics Engineers) Registration Authority. Typically, the first 3 bytes form an Organizationally Unique Identifier (OUI) that identifies the manufacturer, and the remaining 3 bytes are then sub-assigned by that organization to the individual interfaces it manufactures. Two flag bits in the first byte matter for what follows: the lowest bit marks an address as multicast, and the next bit marks it as "locally administered", meaning it was chosen on the device rather than assigned by the IEEE. Every network interface leaves the factory with a unique, IEEE-assigned address.
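As an added illustration (not code from the original article), the following Python reads the structure just described: it parses an address, pulls out the OUI, and reads the two flag bits of the first byte to tell an IEEE-assigned hardware address from a locally administered (randomized) one. The OUI table and the client list are constructed stand-ins for the IEEE registry and for a real wireless controller's client list.

```python
import re

# Constructed stand-in for the IEEE OUI registry: a tiny table, not the real
# database. 00:0a:95 is the OUI of the example address used in the text.
OUI_TABLE = {
    "00:0a:95": "Apple, Inc.",
}

# Accepts aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff, upper or lower case.
MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$")


def parse_mac(text):
    """Return the six octets of a 48-bit MAC address as a list of ints."""
    s = text.strip().lower()
    if not MAC_RE.match(s):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return [int(o, 16) for o in re.split(r"[:-]", s)]


def oui(octets):
    """The first three octets, written the way the IEEE registry lists them."""
    return ":".join(f"{o:02x}" for o in octets[:3])


def classify(text):
    """Read the two flag bits of the first octet and say what kind of address this is."""
    o = parse_mac(text)
    multicast = bool(o[0] & 0x01)  # I/G bit: 1 = group (multicast/broadcast) address
    local = bool(o[0] & 0x02)      # U/L bit: 1 = locally administered, 0 = IEEE-assigned
    if all(x == 0xFF for x in o):
        kind = "broadcast"
    elif multicast:
        kind = "multicast"
    elif local:
        kind = "locally administered"   # what a randomized address looks like on the wire
    else:
        kind = "globally unique"        # burned-in hardware address, OUI identifies the maker
    vendor = OUI_TABLE.get(oui(o)) if kind == "globally unique" else None
    return {"mac": ":".join(f"{x:02x}" for x in o), "oui": oui(o), "kind": kind, "vendor": vendor}


def randomized(macs):
    """Addresses in a client list that cannot be tied to a manufacturer or a piece of hardware."""
    return [m for m in macs if classify(m)["kind"] == "locally administered"]


# Constructed client list, as a wireless controller or ARP table might show it.
SAMPLE_CLIENTS = [
    "00:0a:95:9d:68:16",  # the example address from the text: IEEE-assigned
    "DA-A1-19-5F-2C-71",  # first octet 0xda has the U/L bit set: randomized
    "f6:3b:02:88:90:1c",  # 0xf6 = 1111 0110, U/L bit set: randomized
    "01:00:5e:00:00:fb",  # IPv4 multicast (mDNS)
    "ff:ff:ff:ff:ff:ff",  # broadcast
]

if __name__ == "__main__":
    for mac in SAMPLE_CLIENTS:
        print(classify(mac))
    print("randomized:", randomized(SAMPLE_CLIENTS))
```

The `randomized` helper is the check an administrator would run over a client list to see how many devices are already arriving with private addresses: anything whose first byte has the 0x02 bit set will not match an OUI lookup or a MAC-based reservation.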

As MAC addresses are used for physical addressing, they are sent in the clear: on Wi-Fi the frame header that carries them is not encrypted even when the network itself uses WPA2 or WPA3. They also appear in protocol broadcast traffic, which is received by every node on the local network.

It is trivial for any node on the network to listen for and collate the MAC addresses of all other nodes on the same network. The manufacturer can then be identified from the OUI, and as each MAC address is uniquely assigned to one hardware device, that device can be tracked. In particular, the device can also be tracked as it passes between different networks.

Let’s use, as an example, the Wi-Fi protocol. As you walk in and out of shops around a mall, your phone is scanning for Wi-Fi networks, sending probe requests and trying to join any network it recognises. Every one of those frames carries the phone’s MAC address, so sensors in different shops can match up the same address and follow you as you move between locations.
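The mall scenario, as an added example that is not part of the original article: a few constructed sensor log lines (not a real capture) from passive Wi-Fi monitors in three shops are parsed, frames are grouped by source address, and any address seen at more than one location is reported as trackable. The log contains one phone using its fixed hardware address and one presenting a different random address to each network, so the output shows exactly what randomization takes away from the tracker. The log format is an assumption made for the example.

```python
import re
from collections import defaultdict

# Constructed sensor log (not a real capture). Two phones are present: one uses
# its fixed hardware address 00:0a:95:9d:68:16 everywhere, the other shows a
# different locally administered (random) address at each shop's network.
SENSOR_LOG = """\
2020-09-16T10:02:11 sensor=shop_A type=probe-req sa=00:0a:95:9d:68:16 rssi=-61
2020-09-16T10:02:14 sensor=shop_A type=assoc-req sa=da:a1:19:5f:2c:71 rssi=-58
2020-09-16T10:03:40 sensor=shop_A type=probe-req sa=00:0a:95:9d:68:16 rssi=-66
2020-09-16T10:21:05 sensor=shop_B type=probe-req sa=00:0a:95:9d:68:16 rssi=-70
2020-09-16T10:21:09 sensor=shop_B type=assoc-req sa=f6:3b:02:88:90:1c rssi=-63
2020-09-16T10:47:52 sensor=food_court type=probe-req sa=00:0a:95:9d:68:16 rssi=-55
2020-09-16T10:48:30 sensor=food_court type=assoc-req sa=2e:77:c0:4d:19:08 rssi=-57
"""

# Assumed log line layout: ISO timestamp, sensor name, frame type, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sensor=(?P<sensor>\S+) type=(?P<type>\S+) sa=(?P<sa>[0-9a-f:]{17})"
)


def parse_log(text):
    """Yield (timestamp, sensor, source MAC) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("sensor"), m.group("sa").lower()


def movements(text):
    """For each source address, the ordered list of distinct sensors that saw it."""
    seen = defaultdict(list)
    for ts, sensor, sa in sorted(parse_log(text)):   # ISO timestamps sort as strings
        if not seen[sa] or seen[sa][-1] != sensor:   # record a move, not every frame
            seen[sa].append(sensor)
    return dict(seen)


def trackable(text, min_locations=2):
    """Addresses that turned up at several locations: these can be followed around the mall."""
    return {sa: path for sa, path in movements(text).items() if len(path) >= min_locations}


if __name__ == "__main__":
    for sa, path in movements(SENSOR_LOG).items():
        print(sa, "->", " -> ".join(path))
    print("trackable:", trackable(SENSOR_LOG))
```

Only the fixed address links the three shops; the three random addresses each appear once and, to the sensors, look like three unrelated devices.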

Randomized MAC addresses

The issue here is the MAC address assigned to your phone’s Wi-Fi module or network card. Because it is fixed for the life of the hardware, it becomes something that uniquely identifies your phone, and by extension you.

In their latest operating systems, the workaround now implemented by both Google (Android 10) and Apple (iOS 14) is to use a randomized MAC address instead of the hardware one. The random address is generated per network: each Wi-Fi network the phone joins sees its own address, and no network sees the address burned into the hardware. Apple had already randomized the address used in probe requests since iOS 8; what is new in iOS 14 is that the address used for the connection itself is randomized too, and by default. Since the identifier is no longer shared between networks or tied to the hardware, trivially tracking a device across locations is no longer possible.

The advantage here is clear. The solution offers a degree of protection for your privacy, and because a device that cannot be singled out is harder to target, a corresponding improvement in your security.

Why is this a problem? 

There are several drawbacks to this approach that we must be aware of. Here are the most significant.

First, the Dynamic Host Configuration Protocol (DHCP) is commonly used to assign IP addresses to workstations, phones, tablets and other such devices when they connect. The server keys each lease on the client’s hardware address (or a client identifier derived from it). It relies on that identifier staying tied to the hardware, so that a returning device gets its previous address back and a limited pool of addresses is used efficiently.

The issue with MAC randomization is that the address is no longer stable: it differs from network to network, and whenever a device turns up with a new random address (for instance after its stored address for that network is reset, or on platforms that rotate the address) the server sees a brand-new client and hands out a fresh lease, while the old lease sits idle until it expires. This wastes address allocations and can exhaust the pool, especially on large guest networks with long lease times. Administrative changes will have to be made to either increase the pool’s size or shorten lease times to compensate.
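To make the exhaustion argument concrete, here is an added simulation (not code from the article) of a DHCP pool under a steady stream of joins. It compares a fixed number of devices with stable addresses against a stream where every join presents a never-seen-before address, with 24-hour and 1-hour leases. The pool size, join rate and lease times are constructed values; the model deliberately spaces joins evenly so the result is reproducible.

```python
def simulate_dhcp(pool_size, lease_seconds, joins_per_hour, hours, distinct_devices=None):
    """Model a DHCP pool under a steady stream of joins.

    distinct_devices=None: every join arrives with a fresh random MAC, so the
    server sees a brand-new client each time (randomization plus address churn).
    distinct_devices=N:    N devices with stable MACs take turns joining; a device
    that already holds a lease simply renews it.
    Returns the peak number of leases held at once and how many joins found
    the pool exhausted.
    """
    leases = {}                     # client identifier -> lease expiry (seconds)
    step = 3600 // joins_per_hour   # joins evenly spaced: no randomness, reproducible result
    peak = failed = joins = 0
    for now in range(0, hours * 3600, step):
        # Expire leases whose time is up; only then can their addresses be reused.
        leases = {client: expiry for client, expiry in leases.items() if expiry > now}
        joins += 1
        if distinct_devices is None:
            client = f"random-mac-{joins}"              # never seen before
        else:
            client = f"device-{joins % distinct_devices}"
        if client in leases or len(leases) < pool_size:
            leases[client] = now + lease_seconds        # new lease, or renewal of an existing one
        else:
            failed += 1                                 # no free address: the join gets no offer
        peak = max(peak, len(leases))
    return {"peak_leases": peak, "failed_joins": failed, "joins": joins}


if __name__ == "__main__":
    # Constructed scenario: a guest pool of 50 addresses, ten joins an hour, one day.
    stable = simulate_dhcp(50, 86400, 10, 24, distinct_devices=20)
    churn_day = simulate_dhcp(50, 86400, 10, 24)
    churn_hour = simulate_dhcp(50, 3600, 10, 24)
    print("20 devices, fixed MACs, 24 h leases:", stable)
    print("fresh MAC per join, 24 h leases:    ", churn_day)
    print("fresh MAC per join, 1 h leases:     ", churn_hour)
```

With stable addresses, 240 joins from 20 devices never hold more than 20 leases. With a fresh address on every join and a 24-hour lease, the 50-address pool fills after the first 50 joins and the remaining 190 are refused; shortening the lease to one hour brings the peak down to 10 and the refusals to zero, which is the "decrease lease times" fix the text recommends.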

Second, while IEEE-assigned MAC addresses are guaranteed to be unique, randomized MAC addresses are not. A randomized address is marked as locally administered by setting the second-lowest bit of its first byte, so it can never collide with an IEEE-assigned hardware address, but two devices can independently choose the same random value. With 46 random bits the odds on any single network are minute; should it happen, though, the two devices will interfere with each other and be unable to connect, or be disconnected if already connected.
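The following added example (not from the article) generates a random address the way the locally administered convention requires (U/L bit set, multicast bit clear, the remaining 46 bits random) and works the birthday bound for the collision risk just described. It assumes implementations draw the 46 free bits uniformly, which is the natural reading of "randomized" but is stated here as an assumption.

```python
import math
import os

RANDOM_BITS = 46   # 48 bits minus the two flag bits fixed below


def random_private_mac():
    """Generate a locally administered unicast address: U/L bit set, I/G (multicast)
    bit clear, everything else random. Assumption: the 46 free bits come from a CSPRNG."""
    b = bytearray(os.urandom(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)


def is_locally_administered(mac):
    """True for a unicast address whose first byte has the U/L bit set."""
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not bool(first & 0x01)


def collision_probability(devices, bits=RANDOM_BITS):
    """Birthday bound: probability that at least two of `devices` independently chosen
    addresses coincide, 1 - exp(-n(n-1)/2N). expm1 keeps precision for tiny results."""
    space = 2 ** bits
    return -math.expm1(-devices * (devices - 1) / (2 * space))


def devices_for_probability(p, bits=RANDOM_BITS):
    """How many devices must share one segment before the collision chance reaches p."""
    space = 2 ** bits
    return math.sqrt(2 * space * math.log(1 / (1 - p)))


if __name__ == "__main__":
    mac = random_private_mac()
    print(mac, "locally administered:", is_locally_administered(mac))
    for n in (2, 1_000, 10_000, 100_000):
        print(f"{n:>7} devices: P(collision) = {collision_probability(n):.3e}")
    print(f"50% chance needs about {devices_for_probability(0.5):,.0f} devices on one segment")
```

For a network of 10,000 randomized clients the collision probability is on the order of 7 in 10 million, and roughly ten million devices would have to share one segment before a collision became more likely than not. The risk is real but far smaller than the DHCP issue above.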

Third, your company may need to identify your device. With the growing importance of BYOD (Bring Your Own Device), or where devices are given fixed IP addresses through DHCP reservations, or where the network admits only a list of known MAC addresses, your phone’s hardware MAC address is what the company relies on to handle your device correctly when it joins their network. Upgrade to iOS 14, and the phone arrives with an address the network has never seen: things may break.

The solution to these issues is for IT personnel to be aware of the technology and its possible impact on the networks they manage. DHCP settings can be adjusted, and for those cases where the hardware MAC address is genuinely required, the user can be instructed to turn off the “Private Address” option (Apple’s name for MAC address randomization) for that particular network, leaving it enabled everywhere else.

MAC address randomization is a powerful feature offering improvement to both privacy and security. However, it is not without its drawbacks, particularly in corporate network environments.

Mark Webb-Johnson

Mark Webb-Johnson is the co-founder and chief technology officer of Network Box, a cybersecurity company in Hong Kong.