1022444 - Randomize MAC address when doing a Wi-Fi scan

Status: RESOLVED WONTFIX

(Firefox OS Graveyard :: Wifi, defect)

Description

[Doug Turner (:dougt)]

Can we randomize the MAC address of the wifi interface while doing a scan?  It sounds like io8 is going to do this and it sounds like a really great privacy enhancing feature.

Comment 1

[Doug Turner (:dougt)]

kanru, do you know who might be able to think about this kind of feature on the wifi/radio side of ffos?

Comment 2

[Kan-Ru Chen [:kanru] (UTC+9)]

It depends on the hardware capability. Also, how do we make sure the MAC address is valid across the LAN?

Vincent might know.

Comment 3

[Vincent Chang[:vchang][changyihsin]]

There is an Android application called Pry-fi here. 
http://forum.xda-developers.com/showthread.php?t=2631512
So it should be possible to support this function in FFOS. I am not jumping into the detail about implementation of the application. But I think there should be some modifications related to wpa_supplicant or wifi driver.

Comment 4

[Avi Halachmi (:avih)]

While very neat, if Apple could patent it, then I'd bet it's patented/pending by now. Do we want to care about this vector?

Comment 5

[Richard Newman [:rnewman]]

Tweet with an image that offers some evidence that iOS is doing this:

https://twitter.com/fredericjacobs/status/475601665836744704

and evidence that it's not a purely theoretical issue:

http://sfappeal.com/2014/05/san-francisco-coffee-shop-says-they-will-stop-scanning-and-tracking-wireless-devices-of-patrons-and-passers-by/

Comment 6

[Chris Peterson [:cpeterson]]

Note that the randomized MAC address is only used for Wi-Fi scanning, not when actually connecting. To avoid twitter link rot, here is a transcription of the iOS 8 screenshot:

  In iOS 8, Wi-Fi scanning behavior has changed to use random, locally administrated MAC addresses:
    * Probe requests (management frame sub-type 0x4)
    * Probe responses (management frame sub-type 0x5)
  The MAC address used for Wi-Fi scans may not alwasy be the device's real (universal) address.

In contrast, some Samsung Android devices actually randomize their "real" MAC address every time the device reboots or reenables Wi-Fi. That sounds like an interesting anti-tracking feature, but apparently it seriously frustrates many vocal Android users who rely peculiar network configurations using MAC address filtering or static MAC addresses:

https://code.google.com/p/android/issues/detail?id=23330

Comment 7

[:Atoll]

https://code.google.com/p/android/issues/detail?id=71084 appears to be the only Android bug regarding 0x4/0x5 MAC randomization, based on a rough triage of their queue. Linking here for cross-reference purposes.

Comment 8

[Björn Smedman]

Please don't use random MAC addresses without thinking it through carefully. Depending on how you do it a whole lot of good things can break: http://lists.shmoo.com/pipermail/hostap/2014-June/030439.html

Also note this discussion from a few months back: https://groups.google.com/forum/#!msg/mozilla.dev.webapi/ZeA43s6S0NA/h3o91Stp1EwJ

Comment 9

[Jan Keromnes [:janx]]

From comment 6 and other feedback I collected, randomizing just for scanning is not enough, the really useful anti-tracking feature would come from MAC randomization every time the interface comes up (WiFi is reenabled).

However, this would cause problems e.g. with MAC-filtering networks (commonplace among enterprise networks and some home routers), so I guess the feature will need to be optional (behind a pref) and configurable from the Firefox OS settings.

For ideal privacy, the device should randomize on every interface up, but you'd be able to fix your address for some saved networks when needed.

Comment 10

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

These could be two separate but related features. Trite as the phrase is, let's not let perfect be the enemy of good.

Comment 11

[:Atoll]

(In reply to Jan Keromnes [:janx] from comment #9)
> From comment 6 and other feedback I collected, randomizing just for scanning
> is not enough, the really useful anti-tracking feature would come from MAC
> randomization every time the interface comes up (WiFi is reenabled).
> 
> However, this would cause problems e.g. with MAC-filtering networks
> (commonplace among enterprise networks and some home routers), so I guess
> the feature will need to be optional (behind a pref) and configurable from
> the Firefox OS settings.

:janx, you are quite correct - randomizing MAC address on ifup is certainly more effective at disguising a device's identity when connecting to certain networks, while breaking on other networks.

(In reply to David Keeler (:keeler) [use needinfo?] from comment #10)
> These could be two separate but related features. Trite as the phrase is,
> let's not let perfect be the enemy of good.

However, we should not merge the "randomize MAC when scanning" feature this bug describes with the "randomize MAC always" feature you describe. Your feature is absolutely a legitimate request - but it carries a different set of requirements, benefits, and drawbacks than this bug's "when scanning" focus permits.

So, please file the "ideal privacy" solution (which would have to be pref'd both globally and per-SSID, I imagine) as a separate request, with a 'See Also' to this bug. I've reverted the title to focus this bug on the imperfect-but-good "scanning only" solution, so that we don't confuse the two bugs when the "ideal" bug is linked to this one.

Comment 12

[Jan Keromnes [:janx]]

(In reply to Richard Soderberg [:atoll] from comment #11)
> :janx, you are quite correct - randomizing MAC address on ifup is certainly
> more effective at disguising a device's identity when connecting to certain
> networks, while breaking on other networks.

Thank you for confirming my suspicions.

> However, we should not merge the "randomize MAC when scanning" feature this
> bug describes with the "randomize MAC always" feature you describe. Your
> feature is absolutely a legitimate request - but it carries a different set
> of requirements, benefits, and drawbacks than this bug's "when scanning"
> focus permits.
> 
> So, please file the "ideal privacy" solution (which would have to be pref'd
> both globally and per-SSID, I imagine) as a separate request, with a 'See
> Also' to this bug. I've reverted the title to focus this bug on the
> imperfect-but-good "scanning only" solution, so that we don't confuse the
> two bugs when the "ideal" bug is linked to this one.

You're absolutely right, the randomize-on-scan approach shouldn't be dismissed. Thank you for pointing that out! I've filed bug 1033826 for the randomize-on-ifup solution.

Comment 13

[Chris Peterson [:cpeterson]]

Here is a detailed analysis of iOS8's MAC address randomization:

http://blog.airtightnetworks.com/ios8-mac-randomization-analyzed/

Comment 14

[Chris Peterson [:cpeterson]]

Android 6.0 (Marshmallow) also randomizes MAC addresses for Wi-Fi scans:

http://arstechnica.com/gadgets/2015/10/android-6-0-marshmallow-thoroughly-reviewed/5/

MAC addresses get hidden from external devices, too. When Android does a background Wi-Fi and Bluetooth scan, (for finding open networks or Bluetooth beacons) the scan spoofs the MAC address and identifies as a randomized value.

Comment 15

[Naoki Hirata :nhirata (please use needinfo instead of cc)]

Wilfred, this is a privacy concern; I don't think we have time to ship with this in 2.5; having said that, I think we really should place this in the following release as a feature.

Comment 16

[Wilfred Mathanaraj [:WDM]]

we shouldplan it for a followup release - moving to fxos team review so the wifi poroduct owner can drive this

Comment 17

[BMO Automation]

Firefox OS is not being worked on