iOS 8 Will Randomize MAC Addresses to Help Stop Tracking

Apple enthusiasts have been poring over the feature list for iOS 8, due out this fall, geeking out over the tighter integration among all iOS devices, the improved mail app and myriad other bells and whistles. But perhaps the most important change is a subtle one hidden beneath the covers that will help prevent much of the tracking of mobile devices that’s done through WiFi hotspots.

One of the key methods used by retailers and other companies involved in the massive mobile tracking industry is the collection of MAC addresses of the devices that connect to various WiFi hotspots. Users rarely think twice about connecting to the wireless networks in coffee shops, airports, retail stores and other public spaces, even though there are a lot of security and privacy risks associated with that behavior. Attackers often will use public hotspots as targets for man-in-the-middle attacks that let them intercept users’ traffic. Those networks also can be used to collect detailed information about the devices that connect to them, including the unique device identifiers known as MAC addresses.

Those identifiers typically are static, but in Apple iOS 8 the company is introducing a function that will spoof MAC addresses when a device scans for available WiFi networks. Each device will generate random MAC addresses to be used during scanning and connection, a behavior that will go a long way toward hampering the pervasive device tracking that’s performed as a matter of course by so many retailers and other companies. Retailers typically perform mobile device tracking in order to get a picture of customers’ movements in a store and track their behavior.
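As an added illustration (not code from the article or from Apple), the sketch below generates a random unicast, locally administered MAC address, the kind of address the comments below refer to, and sorts observed addresses by that bit so an administrator can see which clients no longer present a fixed hardware address. How iOS 8 actually generates its addresses is not described here; the log entries and function names are constructed for the example.

```python
import re
import secrets
from collections import Counter

MAC_RE = re.compile(r"^[0-9a-f]{2}([:-]?[0-9a-f]{2}){5}$", re.I)

def parse_mac(text):
    """Return the 6 address bytes; accepts ':' or '-' separated or bare hex."""
    text = text.strip()
    if not MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", text))

def random_mac():
    """Random unicast, locally administered address (46 random bits)."""
    b = bytearray(secrets.token_bytes(6))
    b[0] = (b[0] | 0x02) & 0xFE  # set the U/L bit, clear the multicast bit
    return bytes(b).hex(":")

def classify(mac):
    """'global' = vendor-assigned, 'local' = locally administered."""
    first = parse_mac(mac)[0]
    if first & 0x01:
        return "multicast"
    return "local" if first & 0x02 else "global"

# Constructed sample of (time, source MAC) pairs as a hotspot might log them.
SAMPLE_LOG = [
    ("09:00:01", "00:11:22:33:44:55"),
    ("09:00:07", "DA-A1-19-0B-5E-7C"),
    ("09:14:30", "00:11:22:33:44:55"),
    ("09:14:31", "6e:3f:01:9c:44:d2"),
    ("17:45:12", "00-11-22-33-44-55"),
    ("17:45:20", "9a5b7c112233"),
]

def summarize(log):
    """Count sightings per normalized MAC, grouped by address class."""
    seen = {"global": Counter(), "local": Counter(), "multicast": Counter()}
    for _ts, mac in log:
        seen[classify(mac)][parse_mac(mac).hex(":")] += 1
    return seen

def repeat_visitors(log):
    """Vendor-assigned addresses seen more than once: stable identifiers."""
    return sorted(m for m, n in summarize(log)["global"].items() if n > 1)

if __name__ == "__main__":
    print("example randomized address:", random_mac())
    print("stable identifiers in log:", repeat_visitors(SAMPLE_LOG))
```

In the constructed log the device with a fixed address is recognizable across three sightings, while the three locally administered addresses cannot be linked to each other from the address alone.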

The randomization of iOS MAC addresses is a privacy win, especially for consumers who may not be aware that their devices broadcast a trackable unique identifier to WiFi hotspots or what that information could be used for by retailers and others involved in the tracking industry. But that’s not the only privacy enhancing change that’s included in iOS 8. Apple also is giving users the option of setting Duck Duck Go as the default search engine in Safari.

Duck Duck Go is considered to be the search engine that does the best job of protecting users’ privacy, as it doesn’t collect or store any personal information. It also doesn’t send search terms to the sites that you visit from results pages, and it automatically redirects users to the encrypted versions of sites when they’re available. That function is similar to the functionality of the HTTPS Everywhere extension for desktop browsers.

  • LukeInDC on

    So how exactly are you to use Mac address security on your wifi router now if your device randomly changes its mac address? And how long does it keep said address? And this will royally screw those of us smart enough to statically assign IP addresses using Static DHCP. Oh and if you're in a work environment, forget security based on mac addresses etc. This wasn't well thought out. Oh, and what happens when you have 2 identical mac addresses? With the proliferation of devices, even a random # generator is bound to come up with the same numbers more than once. While the chances of them being on the same wifi at the same time, I can see this happening within a corporation.
  • jsj on

    @LukeInDc If you are using mac based filters for security then you just have an illusion of security anyways. I'd rather have the privacy that MAC randomization brings than use MAC as some sort of authentication mechanism.
  • Jarrod Chesney on

    I agree, mac filtering is not a very useful thing, it causes more trouble than it's worth as a hacker can easily change their mac address.
  • Crackers on

    Duck Duck Go is based in the U.S. iXQuick (HTTPS) is based in the Netherlands. Need I say any more?
  • roballen on

    There is no such thing as "MAC address security". MAC's are sent unencrypted over the network and are spoofed easily, as iOS8 will be doing. However, your point is valid that random MAC's could pose a problem for corporations that filter MAC addresses (for whatever reason) or assign static IP's per MAC address. I would imagine that MAC randomization could be turned off for each network when establishing a password-protected connection. You will be prompted when connecting to secure networks and that prompt could offer a check box for MAC randomization. Obviously, I don't know if iOS8 will actually do that. MAC collisions on typical networks are unlikely. You would need about 24,000 random-generated 48-bit, locally-administered MAC's on a network in order to have a 1 in a million chance of a single collision (see ). Real-world odds of collision are actually lower since most devices are using static, unique MAC's (collisions only occur when /generating/ MACs). MAC randomization is a great feature, but it needs to have a per-network disable switch.
  • roballen on

    Also note that the locally administered, random MAC address could be static for each network so that DHCP can still assign IP's. Your MAC would change between networks, but remain static on each network. We just don't know the details about how Apple is implementing this, but you definitely want your MAC to be static on certain networks.
  • Jeff Harrell on

    I'd love to think Apple is doing this to protect our privacy, but isn't this sort of tracking basically what Apple's iBeacon can do, albeit via bluetooth? Could it be that Apple is simply using this privacy feature to lock out competitive tracking technologies?
    • Jarrod Chesney on

      I suspect they entered the tracking/ad industry so that they can control more of the user experience. I bet you that the iBeacon will be configurable in privacy settings, whereas you cannot turn off someone tracking you by your mac address (you can now though).
  • roballen on

    re: JeffHarrell. I think you make a good point and I've seen discussions along those lines elsewhere. iBeacon basically negates the entire MAC randomization feature while conveniently hampering non-Apple trackers. Apple already gets paid very well for its hardware, so it really seems ridiculous for them to join the tracking/ad industry.
  • jmore on

    MAC address randomization is a useful feature but the idea of "MAC address security" doesn't exist. WAP2 is the best answer for securing wi-fi. MAC randomization is best to minimize any tracking of your use of the Internet. True, all information is based upon the MAC address but it's hard for any telemarketers to track you if you visit the same web sites from the same coffee shop you frequent. This is one of those "no-brainer" technologies which should have been implemented years ago. As for "iBeacon" there's a simple answer...disable Bluetooth. Problem solved.
  • Mike on

    So the problem is that MAC filtering is how I limit my kids' time on the internet. So that all went out the window. So the next question is, can I lock in the mac so that it can still be used for more simple things?
