A small change in iOS 8 will make privacy advocates happy, although it’s going to be a tough pill to swallow for mobile marketers.
Apple iOS 8 devices keep more of users’ mobile data private, such as location, past Wi-Fi connections, and the all-important MAC address, which is unique to each device.
Whenever your mobile device searches for nearby Wi-Fi networks (which it always does when you have Wi-Fi turned on), the device’s Media Access Control (MAC) addresses are visible to nearby routers, even if you don’t actually join a network.
The difference on iOS 8, out in September 2014 along with the iPhone 6, means the marketing firms that gather those MAC addresses won’t be able to track your movements (such as where you shop) and serve you ads based on your profile, location and preferences.
At the Apple Worldwide Developer Conference, a developer named Frederic Jacobs discovered that iOS 8 will use randomly generated MAC addresses – and sent out a tweet saying he is “Hoping that this becomes an industry standard.”
@FredericJacobs: iOS 8 randomises the MAC address while scanning for WiFi networks. Hoping that this becomes an industry standard.
The tweet got lots of attention, including from @Mario_Greenly, who tweeted that this is going to make a few marketing firms, well, mad.
@Mario_Greenly: @FredericJacobs Holy hell that is going to p*ss some wifi/mobile marketing firms off.
This Wi-Fi sniffing tracking technology has been used by so-called marketing location analytics (MLA) firms to create profiles of shoppers and serve ads from formerly innocuous objects such as trash receptacles and vending machines.
Although iOS 8 will obscure your identity when your Wi-Fi-enabled device scans for wireless networks, it’s not perfect privacy protection.
Once you decide to connect to a hotspot, iOS 8 will use your real MAC address.
And if you have your device set to remember and automatically connect to Wi-Fi spots you’ve logged into in the past, Wi-Fi sniffers, including MLA firms but also spies or criminals, can see who you are and track you.
Of course, you should be mindful that other parties can and do track your location – even if your Wi-Fi is turned off.
For example, mobile devices with phone or 3G capability turned on can be tracked independently of your Wi-Fi settings as they move around in the cellular network.
MLA industry standards only exist in the form of a “code of conduct” agreed to by the mobile marketing firms themselves. That is better than no standards at all, but it still relies on device users understanding the implications for their privacy.
As for Android users, there’s no similar protection for MAC addresses. Should Google follow Apple’s lead? It’s a good idea, and one that Apple should not try to keep for itself.
Wi-Fi privacy tips
Broadcasting your movements and past connections can reveal a lot about you, and when you use location services and GPS on your device, you are broadcasting your location and movements to the world.
To protect yourself from unwanted snooping, here are a few recommendations for better security and privacy.
- Turn off Wi-Fi and Bluetooth when you’re not using them. You can also use “flight mode” (although you won’t be able to receive calls in flight mode).
- Your apps such as Facebook, Twitter and Instagram use geo-tagging. Turn geo-tagging off if you don’t want to give away your location.
- Don’t accept prompts to remember Wi-Fi networks – if you automatically connect to networks you could leave yourself vulnerable to Wi-Fi sniffers, including MLA firms but also spies or criminals, who can see who you are and track you. An attacker could also create a network with the same name and use it to launch a Man-in-the-Middle attack.
- Encrypt your devices and data. You should always use a VPN (virtual private network) for a secure connection when you sign on to an open Wi-Fi network.
- Make sure you’re using WPA2 encryption on your wireless networks. Don’t use the outdated WEP or WPA encryption protocols.
- Download the free Sophos UTM Home Edition. It comes with a VPN for both iOS and Android.
For further information
Sophos’s James Lyne recently went on a “warbiking” tour to see how careful the general public is when connecting to Wi-Fi networks. First stops – San Francisco and London.
And to learn more about MAC addresses, and how they can be used to track you, check out the short video below, “Busting Wireless Security Myths.”
Image of iPhone using Wi-Fi courtesy of Shutterstock. Image of iOS 8 logo courtesy of Apple.
Download the free Sophos UTM Home Edition. It comes with a VPN for both iOS and Android. – I still don’t get how this is going to help?
Our VPN (included free with Sophos UTM Home) doesn’t deal directly with Wi-Fi location monitoring by MAC address — but it does protect you from rogue access points.
Naked Security writer Paul Ducklin tells me it means you can’t get duped by a fake Wi-Fi name set up by an attacker.
Here’s what Duck said:
“Even if you do end up connecting to the wrong network — say, an attacker uses the name “Acme coffee shop,” or the like — your traffic is encrypted from your computer or tablet until it’s inside your home network, then it emerges onto the internet openly, as if from there.
Two benefits:
1. You aren’t connecting to third party sites with your own IP number.
2. The networks you connect to can’t track you to multiple locations.”
There are also benefits to using a VPN that aren’t directly related to Wi-Fi tracking, of course, notably that you can’t have your data “sniffed” or recorded by anyone else at the Acme Coffee Shop.
Even at hotspots where there is WPA2 with a shared password that one of the waiters will tell you if you ask nicely, other patrons can sniff your traffic if they know the password, too. (There is a tiny caveat: to decrypt your packets, they have to be present and listening in at the moment you connect, but after that, they can see your traffic as easily as if it were unencrypted.)
And (as Chester reminded me), another handy benefit of a home VPN is that all your DNS requests, which give an imprecise but nevertheless very revealing overview of what you are up to, are handled by your UTM at home, not by the Acme Coffee Shop’s router.
DNS requests don’t tell a crook what you actually downloaded, nor exactly which web pages you viewed, but they do record the names of every server you showed an interest in…where you go for email, which search engine you prefer, what shops you browsed to, the news services you like best, possibly where you work, and much, much more.
Sounds like going a bit overboard over a little thing. A spare machine, running it round the clock, not sure if it’s worth the effort and cost.
“Sounds like going a bit overboard over a little thing. A spare machine, running it round the clock, not sure if it’s worth the effort and cost.”
Most decent home routers support VPNs (emphasis on _decent_)
“As for Android users, there’s no similar protection for MAC addresses.”
Pry-Fi is free and on the app store.
One thing that may be useful to clarify, although it’s implied in the article: this is solely about using your network chip’s MAC ID to track what wireless hotspots your device views (you don’t necessarily have to connect to them). Not only does this do nothing regarding cellular connections, it also has nothing to do with your device’s UUID which is used to track you via the apps you use and the places you eventually connect to on the internet.
To reiterate, all we’re talking about here is a scheme to prevent people putting up Wifi beacons whose purpose is to check when your device is physically nearby and your Wifi is enabled.
Currently, physical stores, especially in shopping malls, sometimes use this data to track when your device enters/leaves their store; with the proper layout of beacons, they can even track where you go in the store over time.
This can be useful, as they can build up an anonymous collection of traffic patterns, paired products etc, but it’s also not beyond the realm of possibility to note when your device steps up to the cash register and pair it with any card you use to pay for your purchases. In this case, they know when you, the individual, shop in their store, and every move you make while there — and they also know when you’re in the area but don’t go into their store.
Of course, this same technique can be used by anyone with a Wifi-enabled device and a bit of know-how — there is software for jailbroken iOS devices and Android devices that will track what MAC IDs it sees in the area, including geolocation and timestamp.
MAC randomization prevents all this, as under the new scheme, the real ID isn’t presented until a connection is actually being made — so now only the network (and the other people connected to that network) can see the real MAC.
The problem with not using the real MAC for actual network connections is that while the numberspace for a MAC is large (there are 281,474,976,710,656 numbers), the numbers are broken up into namespaces and tied to the hardware manufacturer of the chip itself.
So for a MAC address of 01:23:45:67:89:ab, the 01:23:45 part belongs to the manufacturer and is used to identify the chipset, and only the 67:89:ab part is used to identify the device.
This is important, as if the MAC is being randomized responsibly, Apple has to either use their own namespace, or risk a collision with another device from the same manufacturer — and since iOS devices’ chips tend to come from the same manufacturer, this means the namespace is limited to 16,777,216 values — which while large, leaves lots of room for two devices accidentally having the same ID and causing a network snarl.
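To make the address layout the comment above describes concrete, here is an added Python example; it is not part of the comment, the article, or any Apple code. It splits a MAC into the manufacturer (OUI) and per-device halves the comment names, reads the two flag bits in the first octet, builds a randomized address in the locally-administered range, and estimates the birthday-bound collision probability the comment worries about for a 2^24 space versus the locally-administered space. The sample addresses are constructed (the first reuses the comment’s illustrative 01:23:45:67:89:ab); the U/L and I/G bit positions are standard IEEE 802 facts rather than something the page states.

```python
import math
import secrets

# Constructed sample addresses (not from the article). 01:23:45 is the
# comment's illustrative OUI, not a real vendor assignment.
SAMPLE_MACS = [
    "01:23:45:67:89:ab",  # first octet 0x01: I/G bit set, so a group address
    "02:23:45:67:89:ab",  # first octet 0x02: U/L bit set, locally administered
]

def parse_mac(mac: str) -> bytes:
    """Parse a colon- or hyphen-separated MAC string into 6 raw bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC: {mac!r}")
    return bytes(int(p, 16) for p in parts)

def format_mac(raw: bytes) -> str:
    """Render raw bytes as lowercase colon-separated hex."""
    return ":".join(f"{b:02x}" for b in raw)

def describe_mac(mac: str) -> dict:
    """Split a MAC into OUI and NIC halves and decode the first-octet flags.

    IEEE 802: bit 0 of the first octet is the I/G (individual/group) bit,
    bit 1 is the U/L (universal/local) bit. Vendor-assigned unicast
    addresses have both clear; randomized addresses set U/L.
    """
    raw = parse_mac(mac)
    first = raw[0]
    return {
        "oui": format_mac(raw[:3]),                  # manufacturer part
        "nic": format_mac(raw[3:]),                  # per-device part
        "multicast": bool(first & 0x01),             # I/G bit
        "locally_administered": bool(first & 0x02),  # U/L bit
    }

def looks_randomized(mac: str) -> bool:
    """A unicast address with the U/L bit set is outside every vendor OUI,
    which is how randomized addresses avoid colliding with real hardware."""
    info = describe_mac(mac)
    return info["locally_administered"] and not info["multicast"]

def random_local_mac() -> str:
    """Generate a random unicast, locally-administered MAC (46 random bits)."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | 0x02) & 0xFE  # set U/L, clear I/G
    return format_mac(bytes(raw))

def collision_probability(n_devices: int, space_bits: int) -> float:
    """Birthday approximation: probability that at least two of n_devices
    addresses drawn uniformly from 2**space_bits values coincide."""
    space = 2 ** space_bits
    return 1.0 - math.exp(-n_devices * (n_devices - 1) / (2.0 * space))

if __name__ == "__main__":
    for mac in SAMPLE_MACS:
        print(mac, describe_mac(mac), "randomized-looking:", looks_randomized(mac))
    print("fresh random local MAC:", random_local_mac())
    # The comment's concern: 2**24 per-device values under one fixed OUI.
    print("p(collision), 5000 devices, 24-bit space:",
          round(collision_probability(5000, 24), 3))
    # Using the locally-administered range instead: 46 usable random bits.
    print("p(collision), 5000 devices, 46-bit space:",
          collision_probability(5000, 46))
```

The two probability lines are the point: confining random addresses to the 2^24 values under a single OUI makes a duplicate likely once a few thousand devices share a venue, whereas setting the U/L bit and randomizing the remaining 46 bits keeps the same population’s collision chance negligible, and no vendor’s hardware ever occupies that range.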
The changed MAC is only used for wireless detection not for wireless connection.
I don’t think this is enough to protect your privacy, it is only an attempt at solving half the problem of external WiFi hotspots gathering information on you. The bigger problem is the apps installed on your phone that detect the external Wifi spots and record your location. Every time you install an app you are potentially being tracked.
True, indeed. But the issue here is that tracking you by MAC address as you walk around can happen whatever apps you have installed, and whether or not you have authorised them to use your geolocation data.
It’s like the difference between choosing to share your photo on Facebook and being monitored on CCTV.
Don’t forget this tip for improving wifi security: don’t use hidden-ssid networks (or if you do, don’t remember/auto-connect them) or else you’ll advertise that access point wherever you go.
Also, WPA2 is pretty secure, minus the enterprise part’s pitiful implementation on Android. It’s so secure, that I believe the NSA/lower LI – whoever doesn’t matter – prodded for the implementation of or gleefully took advantage of the Great Weakening of Wireless: WPS. Disable it, and do an intrusion test. Replace your router if it fails to faithfully disable WPS. Or replace/upgrade the firmware to the OEM firmware, or an open source replacement.
Sorry this article is old and maybe it’s already covered in something newer. But I got here by googling, and clicking on a related article, so if you don’t like it, well, actually, don’t take any actions against me.
We deal with the issues you mention here elsewhere on the site, for example…
WPS:
https://nakedsecurity.sophos.com/?s=wps
Alternative firmware:
https://nakedsecurity.sophos.com/2015/04/21/d-link-router-user-keep-your-ears-and-eyes-open-for-the-next-firmware-fixes/
Wi-Fi (in)security advice (video):
https://nakedsecurity.sophos.com/2013/05/22/busting-wireless-security-myths-video/