
[STDS-802-11] On the need for standard language on MAC randomization (and more)



--- This message came from the IEEE 802.11 Working Group Reflector ---

 

Greetings,

Exactly 3 years ago I presented 11-14/0367r2 in 11mc. That submission proposed some language in the 802.11 standard to define certain behavior when MAC address randomization is used. There were a number of comments but the big one was that it was not necessary. Over time, implementations have come on the market that randomize MAC addresses and the results are in: we really do need some language in the standard that says exactly what to do when privacy is desired, both how and when to randomize a MAC address and how to remove information from 802.11 frames that can be used to perform tracking even when a randomized MAC address is used.

 

Researchers from the U.S. Naval Academy have performed a study [1] and conclude with:

“We propose the following best practices for MAC address randomization. Firstly, mandate a universal randomization policy to be used across the spectra of 802.11 client devices. We have illustrated that when vendors implement unique MAC address randomization schemes it becomes easier to identify and track those devices.” concluded the experts. “A universal policy must include at minimum, rules for randomized MAC address byte structure, 802.11 IE usage, and sequence number behavior,”

 

Based on this sage advice, I plan on introducing a submission to 11md (when formed) to define a privatization policy to be used by STAs that wish to make it harder to track them. If you wish to contribute to this effort or if you have legitimate concerns on 802.11 privacy, please unicast me back.

 

regards,

Dan.

 

[1] http://securityaffairs.co/wordpress/57076/uncategorized/mac-address-randomization-flaws.html

 

 
