Using RF Power Levels to Defeat MAC Address Randomization Enabling Passive Device Tracking
I came up with a theory (based on science) that it may be possible to passively track wireless devices even though they are making use of the defense that is MAC Address Randomization.
The MAC Address Randomization defense exists to address privacy concerns and stop a wireless device from having a static, hardcoded value, which would otherwise allow the device to be tracked. Instead, this address value is randomized at random intervals, stopping the ability to track it across address cycles… or does it?
I theorized that it should be possible to utilize the properties of radio frequency (RF) power levels and time to track devices across these address cycles, correlating the two. I put my theory into practice and carried out a real-world proof of concept and confirmed that what I had thought was indeed correct. This research therefore has implications for privacy.
This bit of research applies to 802.11 Wireless, Bluetooth, and Bluetooth Low Energy (BLE), each with some slight differences around defenses, protocols, etc.; however, the science is still the same. I have focused on BLE as a proof of concept.
Let’s begin
To be inclusive of all audiences, what is a MAC address?
Straight out of Google (Search) AI overview: “A MAC (Media Access Control) address is a unique 48-bit identifier assigned to a network interface controller (NIC) by the manufacturer, acting as a permanent physical address for devices on a network. Unlike changeable IP addresses, MAC addresses (e.g., 00:1A:2B:3C:4D:5E) are used for local communication in Wi-Fi and Ethernet, essential for network security, device identification, and managing connections.”
Each device which is ‘born’ is assigned a hardcoded static MAC address value by a manufacturer, which is the root cause of the problem here. Being hardcoded and also being detectable over the airwaves means it could be used to track devices and in turn people – a privacy nightmare.
A lot of the focus on fixing this privacy problem was initially in the 802.11 Wireless arena. Many years ago (around 2014), MAC address randomization (or ‘randomisation’ if you’re British!) was introduced to address such privacy concerns. These wireless devices would now present a random MAC address, which would be recycled at a random interval (typically between 15-40 minutes) to stop this identifier from being used to track it wirelessly. Lots of progress and improvements have been made since; refining the concept, applying it to other components of the protocol, fixing security problems (such as sequential identifiers being present across wireless frames which allowed tracking), etc.
Moving on to Bluetooth Low Energy (BLE), much the same privacy defenses exist around MAC address randomization. The Bluetooth specification recommends MAC addresses are recycled every 15 minutes. Manufacturers implement this differently and, importantly, randomly. Randomly because if you could tell when a device was going to cycle (e.g. a set offset from when it was first powered on), then you’d be able to use this value as a unique identifier of a device, so a set time wouldn’t be good.
The first thing I did with this research was check for myself how the devices I owned were behaving in terms of recycling their MAC addresses. I have said this before, and I’ll say it again: a lot of security vulnerabilities (in protocols at least) exist from not following exactly the implementation of how the RFC (or other documentation) states they should. If these devices cycle their MAC address at 15 minutes exactly then I’ve saved myself a lot of further research…
However, I did a test of various devices over a specific time period and confirmed it was indeed ‘random’ enough. There were no set interval patterns (within my sample period anyway) which would allow me to predict when the next address cycle would occur. So that closed that route off… but I had to confirm this was the case.
So back to my theory: to track things (passively – not making any connection to the devices) you need to work off all the information which is already sent out there into the airwaves; the information being broadcast by the device – advertising packets, etc. Manufacturers have done a great job of limiting the information sent out in these types of frames and packets to stop you from being able to fingerprint a specific device using a constant value or some incremental sequence number, etc. MAC randomization did not get off to a great start and researchers were able to utilize exactly these things to track devices; however, that’s been fixed.
So, I had to think outside of the box a little to find something constant that is unique to a device (for a moment in time – importantly, at the point of ‘rotation/cycle’) which I can use to link an old MAC address to a new MAC address.
This came to me during a mid-morning coffee break moment gazing out at some trees… what if we could use Radio Frequency (RF) Power Levels as our constant? Would that work?
Let me explain. Each wireless device sends and receives wireless signals (the data) and these signals have a signal strength (power) relative to the measuring source. This value fluctuates depending on walls, people, environmental conditions, etc. However, these fluctuations are usually very small – the signal may degrade, it may improve, but typically you can look at an average value.
When I talk about signal strength (power) relative to the measuring source, I am referring to something called ‘Received Signal Strength Indicator’ (or RSSI). RSSI is a negative value which represents the power received. It can seem a little confusing initially, as closer to 0 means a stronger signal and further negative means weaker. For example:
Close range: -10 dBm to -30 dBm
Good range: -30 dBm to -55 dBm
Weak/Limit: Less than -90 dBm
It is measured in dBm, which stands for decibel-milliwatts: a logarithmic unit of power referenced to 1 milliwatt. Because the scale is logarithmic, -60 dBm is 10 times more powerful than -70 dBm.
BLE class 1 has a range of 100 metres, class 2 – 10 metres, class 3 – 1 metre.
Anyway, back to my theory… if you were looking at the airwaves of a load of BLE devices (continuously scanning) then with MAC address randomization going on you would see new devices (but these are not really ‘new’ ones) popping up every 15-40 minutes and old ones no longer featuring as their addresses got recycled.
The major flaw I saw in this is that devices normally don’t just suddenly disappear – the science doesn’t allow them to, as their signal degrades gradually as they get further away from the sampling source. The obvious exception to this is if they suddenly switched off their wireless capability or turned off their device. The inverse is also true for appearing devices; as they get nearer to the sampling source, their signal strength increases gradually – they don’t typically appear out of thin air. The exception to this rule, again, is if they just turned on their device or wireless capability from previously being off.
I got the pens out to demonstrate.
The graph below is how you’d expect a wireless device to behave at an RF signal strength level as it leaves range; the power (or strength) slowly decreasing over time.

Figure 1. How you would expect a wireless device to behave at an RF signal strength level as it leaves range.
The graph below this shows how you’d expect a wireless device to behave (RF signal strength wise) coming into range; the power slowly increasing over time.

Figure 2. How you would expect a wireless device to behave (RF signal strength wise) coming into range.
So, with this knowledge about how devices should appear/disappear with regards to power, we can apply that to what we’re trying to do.
If we don’t see a device ‘exit’ the airwaves gradually and it just vanishes, we can assume that this was likely related to that device ‘retiring’ (or cycling) that randomized MAC address. Similarly, and importantly, if we see this happen in combination (within seconds) with a new device being seen (a new MAC address) which appears out of thin air, then we can assume that this is likely related to the same cycle/rotation. We can then compare the signal strength of both (‘old’ and ‘new’) to see if it fits within a range to confirm that assumption.
What we see in the airwaves with MAC address randomization going on looks like the below graph. Note that for illustrative purposes I’ve removed lots of other points that you’d see from other devices spamming the airwaves.

Figure 3. What we see in the airwaves with MAC address randomization.
We see a device (we’ll call it ‘red’, noted by the red ink) appear (out of nowhere), be about for a period of time (15-40 minutes) at roughly the same signal level (although this doesn’t matter too much), and then disappear into thin air, never to be seen again.
We then see a ‘new’ MAC address, essentially a new device (we’ll call it ‘blue’), show up out of the blue (pun intended!) very close in time to the last time that ‘red’ was seen, and importantly, the power (the signal strength) is very close (or it could be the same if the time period is very close) to the power the ‘red’ device last reported. This then continues, with ‘blue’ disappearing after some time (banished, never to be seen again!) and a new device (a new MAC address) ‘green’ magically showing up out of nowhere – same thing; close in time, close in power level.
It is from the constant that is the power (the same, or within a range) and the fact that the old device is never seen again (both of these at the point of MAC address rotation/cycle) that we can conclude that the two (the two crosses really close to each other in the graph) are in fact the same device.
The beauty of this approach is that we’re completely passive. Sure, we could start querying GATT services, but that would require us to connect to the device and then it becomes active. If you have hundreds of wireless devices, then this wouldn’t scale, plus you’d need to do this in real-time. Whereas this is all passive: you can do the analysis afterwards if you have captured the raw data previously – it scales.
So that’s the theory from my head. Let’s see how it all stacks up in the real world.
I wrote some code to continuously scan for BLE traffic (any type of frame) and report the time it saw it, note down the MAC address and the power (the signal strength, aka RSSI). This information is saved to a database to allow for querying.
I start the scanner and see lots of traffic populating the database. I turn on my phone (and Bluetooth) and leave the scanner running for a little while.
I came back to the raw data and started applying the rules from above: if a device (we’ll call it ‘old’) suddenly disappears AND a new device (suddenly) appears within roughly the same time window AND in the same or a near power range… then this is the same device and we just caught a MAC cycle/jump/rotation, whatever you want to call it.

Using this technique, I was able to identify my phone among all the other BLE traffic and follow the MAC address jumps.
So yeah, we have a little bit of an issue.
What could be done to fix this? I think this could be solved by software. The signal at the point of rotation could be deliberately manipulated (to a random value) by software to stop this detection technique, perhaps in combination with ‘ghost’ replays of previous (old) devices so that this route is blocked off too.
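As an added example (not the author's scanner or any vendor code), the following Python applies the linkage rule stated above to a constructed scan log, as a privacy audit of a device's own advertising trace, and then models the proposed fix by offsetting the power reported under each new address. The addresses, RSSI values, 10-second gap, 3 dB tolerance and -85 dBm fade floor are all assumptions for illustration; real RSSI varies by several dB, so the tolerance would need tuning.

```python
# Constructed scan log, not a real capture: (seconds, address, rssi_dbm).
# AA/BB/CC are three rotating addresses of one device; DD is an unrelated
# device that walks out of range, so its signal fades gradually.
SCAN = [
    (0, "AA:00", -55), (60, "AA:00", -56), (120, "AA:00", -54), (900, "AA:00", -55),
    (903, "BB:00", -56), (960, "BB:00", -55), (1800, "BB:00", -57),
    (1804, "CC:00", -56), (1860, "CC:00", -55),
    (0, "DD:00", -60), (300, "DD:00", -70), (600, "DD:00", -80), (880, "DD:00", -89),
]

def link_rotations(scan, max_gap_s=10, max_rssi_delta=3, fade_floor_dbm=-85):
    """Return (old, new) address pairs the rule treats as one device.

    Rule from the post: the old address is never seen again (within the
    capture) while still strong, a new address appears within seconds,
    and the last/first RSSI values are within a small range of each other.
    Assumed thresholds; not from the original post.
    """
    first, last = {}, {}
    for t, mac, rssi in sorted(scan):
        first.setdefault(mac, (t, rssi))   # first sighting of each address
        last[mac] = (t, rssi)              # most recent sighting of each address
    links = []
    for old, (t_last, r_last) in last.items():
        if r_last < fade_floor_dbm:        # faded out gradually: a genuine exit
            continue
        for new, (t_first, r_first) in first.items():
            if new == old or r_first < fade_floor_dbm:   # faded in: a genuine arrival
                continue
            sudden = 0 <= t_first - t_last <= max_gap_s
            same_power = abs(r_first - r_last) <= max_rssi_delta
            if sudden and same_power:
                links.append((old, new))
    return links

def with_power_jitter(scan, offsets):
    """Model of the mitigation: shift the RSSI reported under a new address by a
    per-address offset (a stand-in for randomising TX power at rotation)."""
    return [(t, mac, rssi + offsets.get(mac, 0)) for t, mac, rssi in scan]

if __name__ == "__main__":
    print("linkable:", link_rotations(SCAN))
    print("with jitter:", link_rotations(with_power_jitter(SCAN, {"BB:00": -12, "CC:00": 8})))
```

The mitigation only breaks the power constant; the ‘sudden disappearance’ timing cue the post describes would still need the ‘ghost’ replays to remove.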
Thanks for reading!
About the Author
Managing Security Consultant, LevelBlue SpiderLabs. Follow Tom on LinkedIn.