When is a MAC address not a MAC address? When it’s been randomised! But before we begin it’s important to have a good understanding of what a MAC address is and why it is used.
What is a MAC address?
A media access control address or “MAC” address is a unique identifier for the network/wifi chip inside your device (such as your phone or laptop). It is used when connecting to a wired or wireless network. An example of a MAC address is AA-BB-CC-DD-EE-FF.
Because a MAC address is linked to a wireless device, network owners and WiFi operators use it to identify when a device or user is connecting to the network and apply things like policies, limits and access control rights.
This has been the standard way of doing things since networks began.
What is MAC Randomization?
MAC randomization is where the operating system ‘fakes’ the real MAC address of your device by generating a random one to protect your identity.
However, up until recently, most operating systems only did this when scanning for available wireless networks, so it didn’t affect anything when you actually connect to the network.
The reason for this was to prevent WiFi providers from tracking your device in order to determine which venues you visit and how often, regardless of if you actually connect.
If you own an Apple device, that’s all about to change.
Apple has just announced that starting iOS14 and MacOS Big Sur, MAC randomization will be enabled and turned on by default for all wireless networks that you connect to, not just for background scanning.
How does this affect Guest WiFi users?
At face value, you might think this is a step forward for user privacy, but for network owners and users it will have a significant impact on the onboarding of guest users and will most definitely cause disruption to WiFi networks.
For example, when you connect to a free WiFi hotspot, the MAC address of your device is typically used to identify if you are a new or repeat user.
If it’s your first time visiting, nothing changes, you register or sign up as normal and get online.
When you come back the next day, because your MAC address has changed to another random one (it changes every 24 hours in fact) the WiFi provider cannot automatically recognise you.
The result? Every day you’ll be forced to sign in again. Might sound easy, but do you remember that password you created when you signed up, for every hotspot you signed in to? What about the username/email address you used? If you regularly visit a place every day this will quickly become tiresome.
This could be frustrating for those who work remotely but go into the office once a week, as many sales professionals do, each time you’ll have to connect each one of your Apple smart devices.
Another example is that there are so many variations of how MAC randomization is being implemented across operating systems.
Some are not randomising MAC addresses (as used to be the case for everything), some are making it optional, mandatory, 24 hour randomization and even some that are random on a per SSID basis.
Going forward it’s going to be increasingly difficult for network operators and WiFi users to seamlessly interact with Guest WiFi.
How will this affect network owners?
For network owners and WiFi providers this causes a number of headaches, as it is no longer possible to directly associate a MAC address to a device or user resulting in many other custom services not working correctly without additional user input.
It is not only going to affect onboarding solutions, but also requests for information by the authorities.
As a WiFi provider Purple regularly receives RIPA requests from the police (and similar in other countries) for a MAC address.
The majority of these requests are to help locate a missing person in need of urgent attention or even when a crime was committed to try and identify the culprit.
Before MAC randomization Purple would be able to search our systems for the MAC address and provide this information when legally required to do so in order to help the authorities.
Now, the provider can’t be sure anymore because a MAC address is not necessarily a real one and could even be shared/duplicated over time.
Behind the scenes the industry is proactively planning on how to overcome these challenges and ensure that the user journey is as easy as possible. One of the potential options is Hotspot 2.0 which enables a per user profile to be installed on a device after registration. This would then allow the user to reconnect automatically on future visits and also improve the security of their connection to the access point, however that also has challenges around the profile installation UI/UX and is not a like for like replacement for overcoming the randomized MAC problem. That said, it might spark the uptake that is required for Hotspot 2.0 to become a front-runner and the new industry standard way of connecting to WiFi.
At present, the option is enabled by default in the beta release of iOS14 and there is hope that the final version might have it disabled by default. Of course, if you regularly use WiFi hotspots or corporate networks, consider disabling this option for those networks so that you can continue as normal with the least amount of disruption.