Your smartphone — and other devices that use Wi-Fi — broadcast a unique number when they search for nearby Wi-Fi networks. A device’s unique MAC address is sent along with “probe requests” that search for nearby Wi-Fi networks.
This tracking problem isn’t just theoretical. Advertisers in London used Wi-Fi-enabled garbage cans to track people’s movements around the city. The Wi-Fi specification wasn’t designed for a world where people carried Wi-Fi-scanning devices in their pockets all day long.
Why Your Devices Have Unique MAC Addresses
Each physical network interface — whether it’s a wired Ethernet card in a desktop PC or a Wi-Fi chipset in a smartphone — ships with a unique MAC address. This number is designed to be unique to the hardware. This lets networks you connect to identify the device.
For example, at home, you could adjust your home router’s settings to assign static IP addresses to your devices based on their MAC addresses. A network can easily track whether you’ve connected before and assign settings unique to your device. You can change a device’s MAC address in software, but very few people do this.
So far, so good. The problem is how Wi-Fi works and especially how the smartphones we carry around in our pockets work. This applies to laptops and tablets just the same when they’re scanning for Wi-Fi networks, too.
Wi-Fi Scanning Broadcasts the MAC Address
Unless you turn Wi-Fi off on your phone before you leave your house, your phone is automatically scanning for available Wi-Fi networks nearby as you move around. Smartphones and other devices typically use both passive and active discovery — they passively listen for Wi-Fi access points broadcasting to let nearby devices know they’re available, and they actively broadcast requests searching for nearby access points.
Due to the way Wi-Fi was designed, a device searching for Wi-Fi access points includes its MAC address as part of the “probe requests” it broadcasts to nearby WI-Fi access points. This is part of the Wi-Fi specification.
As you walk around, the smartphone in your pocket is broadcasting its MAC address for anyone within Wi-Fi range to notice. Unless you disable Wi-Fi, this is happening to you.
How This Can Be Used to Track You
Take the case of the garbage cans in London. Garbage cans were placed all over the city, and WI-Fi monitoring hardware was installed in them. Then, the garbage cans were networked together. When you walked by one of these garbage cans, your device would send probe requests with its MAC address and the garbage can’s sniffer would make a note of the MAC address and its location. When you walked by another garbage can, it would note your device’s MAC address and location again. This information could be combined to form a picture of your movements throughout the day. Advertisers would know the areas you visited and could try to target ads specifically to you. With enough Wi-Fi sensors joined together, it would be possible to track your smartphone’s complete movements over an entire day.
A store could place Wi-Fi sniffers throughout their store and log MAC addresses. Perhaps you spent some time in the electronics section before leaving for another section of the store — the store could display ads for electronics to you.
Apple’s iOS 8 Just Fixed This Problem
Apple just fixed this problem on iPhones (as well as iPads and iPod Touches) running iOS 8. iOS 8 automatically randomizes your device’s MAC address each time it scans for Wi-Fi networks nearby. This makes the broadcasted MAC address useless for tracking.
Other operating systems should follow in Apple’s shoes. Each network interface comes with a MAC address specified in its hardware, but this MAC address can be overridden — that’s how you can change your own MAC address. The leakage of a MAC address with Wi-Fi scanning isn’t actually useful for anything — it just allows easy tracking of a smartphone’s movements.
No, this isn’t an advertisement for Apple — they brought additional attention to this problem by solving it in iOS 8. Devices running iOS 7 and earlier broadcast their unique MAC addresses and can be tracked like devices running competing operating systems. Apple’s solution doesn’t have to be Apple-only — we’d like to see Android and Windows Phone implement it, too.
Yes, what Apple did is technically against the WI-Fi specification, but it’s a good idea anyway. We’re not aware of anything this actually breaks — aside from tracking systems, of course.
There are other ways to track a device — due to the way networks work, your unique MAC address will still be visible to a Wi-Fi network you connect to, but only the one you connect to. Cellular signals could also be used to track your device’s movements. However, there’s no good reason to have a device automatically broadcast a unique identifier all day.
Maybe we’re just trying to hold back the floodgates of ubiquitous digital surveillance and location-tracking, but we might as well try and not just give up.