MAC randomization question

Hello.

Note: for your convenience, links are placed at the bottom, marked like [1] or [a].

For those of you that don’t know, your Wi-Fi MAC address can be “de-randomized” even if it’s set to change per SSID or new connection request. This works much like how browser fingerprinting works, by creating a hash of all the Information Elements (IEs) your WiFi card provides to a router for connection purposes (which comes at a privacy cost). Some of these IEs may include:

Previously Connected SSIDs
Supported Data Rates
Device Vendor Specific Information
RSN (Robust Security Network) Information
QoS (Quality of Service) Capability
Incrementing Sequence Numbers from the last WiFi Access Point you connected to
and many more

The feasibility and accuracy of this type of attack has been quite well documented in academic papers [1, 2, 3].

Randomization of these elements occurs at the hardware level, and currently the only devices I can see which support this are Google Pixel [a] devices (includes GrapheneOS [b]) and Apple [c] devices (includes macOS and iOS).

I have some questions for people who are more well-read in this topic than I:

What is the actual feasibility of surveillance occurring in this way? As far as I am aware, this information is likely stored on the router and not sent to ISPs or governments, who can actually make use of this mass data as people change location, e.g. going from their home to a friend's house to a shopping mall and then to a coffee shop.
Has there been any evidence of ISPs or governments performing this type of analysis?
Other than the Google Pixel and Apple products, are there any other devices or workarounds to being able to implement randomization of these IEs?

[a] Android Developers Blog: Changes to Device Identifiers in Android O
[b] Usage guide | GrapheneOS
[c] Privacy features when connecting to wireless networks - Apple Support

[1] https://dl.acm.org/doi/abs/10.1145/2897845.2897883
[2] WiFi Probes sniffing: an Artificial Intelligence based approach for MAC addresses de-randomization | IEEE Conference Publication | IEEE Xplore
[3] MAC address de-randomization for WiFi device counting: Combining temporal- and content-based fingerprints - ScienceDirect

So the main question: are there any actions taken by GL to mitigate this? @bruce


Off the top of my head, details similar to these are applicable to every network interface. 'Device vendor' would be tied to the OUI if not other data points (e.g. default TTL). RSN would probably be related to the WPA level or alike.

To answer your question: if it hits the hardware & isn't wrapped in an encrypted tunnel, you should probably assume it's logged. There seems to be nothing the harvesting parasites that are 'data brokers' won't try to collect... & turn around & sell to anyone inc. the gov. (who, conveniently, don't need a warrant to do so when buying).

This is going to be interesting reading. Thanks.

Hi,

The OP mentioned in the topic that these supported devices (Pixel/Apple) do this in hardware, so I think a software-based approach cannot prevent it.

We don’t know what information will be collected by the "hackers", such as channel, bandwidth, HT capability set, and HE capability set. These are inherent and cannot be random, so you cannot prevent others from identifying it.
As long as the AP device is enabled, all of this may be scanned.

The best way is to not enable WiFi and not repeat to connect to any WiFi in public places. But in this case, any WiFi scenario will be meaningless, so we can only use the existing technology to enable VPN connections to protect the user's network data packets after repeating to public WiFi on the router.
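To make the mechanism in the first post (a hash over the Information Elements survives MAC rotation) and the point in the reply above (HT/HE capability sets are inherent to the radio and cannot be randomized) concrete, here is a small added example, written for this thread and not code from the OP, the cited papers, or GL.iNet. It builds three constructed probe-request bodies with made-up element contents (the element IDs are the standard 802.11 ones; the vendor-element OUI is fictitious), rotates the source MAC between two of them, and shows that a MAC count sees two devices while a fingerprint over the capability elements groups all three frames as one. A practical defender's use is to run the same comparison over a capture of your own device's probe requests and see which elements stay constant across its MAC changes.

```python
import hashlib

# IEEE 802.11 element IDs used below. The IDs are the standard's; the element
# contents in the constructed frames further down are made up for illustration.
EID_SSID = 0
EID_SUPPORTED_RATES = 1
EID_HT_CAPABILITIES = 45
EID_EXT_SUPPORTED_RATES = 50
EID_EXTENDED_CAPABILITIES = 127
EID_VENDOR_SPECIFIC = 221

# Elements tied to the radio/driver rather than to a particular connection; they
# typically stay constant while the MAC rotates, which is what a fingerprint keys on.
FINGERPRINT_EIDS = frozenset({EID_SUPPORTED_RATES, EID_EXT_SUPPORTED_RATES,
                              EID_HT_CAPABILITIES, EID_EXTENDED_CAPABILITIES,
                              EID_VENDOR_SPECIFIC})


def ie(eid: int, value: bytes) -> bytes:
    """Encode one element as ID | length | value."""
    return bytes([eid, len(value)]) + value


def parse_ies(body: bytes):
    """Split the tagged-parameter part of a probe request into (element_id, value) pairs."""
    ies = []
    pos = 0
    while pos + 2 <= len(body):
        eid, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element at offset %d" % pos)
        ies.append((eid, value))
        pos += 2 + length
    if pos != len(body):
        raise ValueError("dangling byte at end of element list")
    return ies


def is_locally_administered(mac: bytes) -> bool:
    """Bit 1 of the first octet is set on locally administered (i.e. randomized) MACs."""
    return bool(mac[0] & 0x02)


def fingerprint(ies, include_ssid: bool = False) -> str:
    """Hash the stable elements in wire order; the source MAC is deliberately left out."""
    h = hashlib.sha256()
    for eid, value in ies:
        if eid in FINGERPRINT_EIDS or (include_ssid and eid == EID_SSID):
            h.update(ie(eid, value))
    return h.hexdigest()[:16]


def correlate(frames, include_ssid: bool = False):
    """Group (source_mac, body) frames by fingerprint: one group = one likely device."""
    groups = {}
    for mac, body in frames:
        groups.setdefault(fingerprint(parse_ies(body), include_ssid), []).append(mac)
    return groups


# ---- constructed sample frames (not a real capture) ----
def build_probe_body(ssid: bytes = b"") -> bytes:
    """Tagged parameters of a probe request; an empty SSID means a wildcard probe."""
    return (ie(EID_SSID, ssid)
            + ie(EID_SUPPORTED_RATES, bytes([0x02, 0x04, 0x0b, 0x16, 0x0c, 0x12, 0x18, 0x24]))
            + ie(EID_EXT_SUPPORTED_RATES, bytes([0x30, 0x48, 0x60, 0x6c]))
            + ie(EID_HT_CAPABILITIES, bytes([0x2d, 0x01, 0x17, 0xff]) + bytes(22))
            + ie(EID_EXTENDED_CAPABILITIES, bytes([0x04, 0x00, 0x0a, 0x82, 0x21, 0x40, 0x00, 0x40]))
            + ie(EID_VENDOR_SPECIFIC, bytes([0x00, 0x11, 0x22, 0x01, 0x02])))  # made-up OUI


MAC_A = bytes.fromhex("da1b2c3d4e5f")  # randomized address (bit 1 of 0xda is set)
MAC_B = bytes.fromhex("6e0a1b2c3d4e")  # the same device after rotating its MAC
FRAMES = [
    (MAC_A, build_probe_body()),            # wildcard probe
    (MAC_B, build_probe_body()),            # wildcard probe, new MAC
    (MAC_B, build_probe_body(b"HomeNet")),  # directed probe leaking a saved SSID
]


def main():
    for mac, body in FRAMES:
        print("%s  randomized=%s  fp=%s" % (mac.hex(":"), is_locally_administered(mac),
                                           fingerprint(parse_ies(body))))
    print("devices seen (MAC only):      ", len({mac for mac, _ in FRAMES}))
    print("devices seen (IE fingerprint):", len(correlate(FRAMES)))
    print("with SSID element included:   ", len(correlate(FRAMES, include_ssid=True)))


if __name__ == "__main__":
    main()
```

The SSID element is kept out of the default fingerprint on purpose: a directed probe for a saved network is the "previously connected SSIDs" leak from the first post, and switching `include_ssid` on shows how such an element splits or links groups. The capability elements are the part the reply calls inherent; on a real device only the vendor-specific and SSID elements are usually under software control, which is why per-connection MAC randomization alone does not change the hash.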
