Every network device typically has at least one MAC (Media Access Control) address. These addresses are unique and assigned by the vendor when the device is created. When you connect to a wireless or wired network, the MAC address is used to route information locally (or what the network folks would call Layer 2). Most people are familiar with an IP address, which is a address that allows you to communicate on the Internet. Your IP address can change and often does. Let's take your mobile phone for example. When you connect to a network it will using it's MAC address as an identifier, request an IP address. When you take your mobile phone and head to your local coffee shop, it will do the same connect to the network and identifying itself using a MAC address and request a IP address which most likely will be different than the IP address you had previously. (for the technical folks, yes I have simplified the description for the purposes of this post).
One can see that using an IP address to track a particular device is challenging because it changes. Your MAC address however stays the same. Many companies have business models based on determining your MAC address and using it to keep track of you and your behaviour. In my example above, if you are using your mobile device to access a particular shopping site while at home and a marketing company records your MAC address and where you were. When you move to your local coffee shop, I know what you did before and with a large degree of certainty who you are. What was not common place historically was to change your MAC address. Many security practitioners will change their MAC address for certain security tests to fool systems upset the tracking ability of a particular target. It is very easy to change:
Here is the built in MAC address of my wireless:
With a simple command we change it:
What I am happy to see is that it appears to becoming a standard. I was installing an upgraded version of a server I have this past weekend. During the installation, it asked me if I wanted to enable randomization of the MAC addresses. I said no for the purposes of this server, but what I liked is that they have built in the ability automatically with minimal technical knowledge required. Apple has also released MAC randomization on their iPhones as of iOS 8 (it has a few bugs), but they will work it out.
With a simple command we change it:What I am happy to see is that it appears to becoming a standard. I was installing an upgraded version of a server I have this past weekend. During the installation, it asked me if I wanted to enable randomization of the MAC addresses. I said no for the purposes of this server, but what I liked is that they have built in the ability automatically with minimal technical knowledge required. Apple has also released MAC randomization on their iPhones as of iOS 8 (it has a few bugs), but they will work it out.
There are of course many other ways to identify a device uniquely. DHCP requests, HTTPS and other types of behaviour can be used (commonly called fingerprinting today). But these are more sophisticated methods, requiring not only effort, but advanced analytic and behavioural analysis. By removing the easy way, we force the industry to invest in research, product development and ultimately advance. We raise the bar for privacy and we force businesses, law enforcement, market research, and other monitoring type companies to do the same.
From Apple:
No comments:
Post a Comment