MAC Randomisation iOS Update

By Chris Spencer, Chief Security Officer, GlobalReach Technology

When Apple announced its new MAC randomisation feature in iOS14 and iPadOS14, it quickly sent ripples through the Wi-Fi industry. The change was controversial and presented a problem to Wi-Fi networks. In theory, changing the MAC address every 24 hours for extra user privacy is a good idea, but in practice, it will break many user experiences and existing solutions: 

  • To reserve device IP addresses
  • Age-related content filtering (DNS delivered over DHCP)
  • To remember a guest’s device while on vacation
  • To allow a Wi-Fi user to name a device network side (in their home router or account)
  • Network-based intrusion protection devices.
  • Lawful interception and logging

Along with these smaller solutions that can be resolved over time, network operators have had to make hasty changes. 

Arguably these can be resolved by implementing better, non-MAC address solutions to begin with. But the truth of the matter is that networks have been deploying these methods for some time, mainly as a way to improve user experience, with:

  • Paid weekly passes tied to a device
  • Concurrency limits on networks

Apple’s introduction of a MAC per SSID makes complete sense and is something that’s been done by other operating systems for a few years. However, a new private Wi-Fi address that changes every 24 hours was simply too much too soon. Announced in June 2020 and released via a public BETA in July 2020, Apple gave little time for network owners, documentation, service desk training, customer engagement, and Wi-Fi end-user education to happen. 

Privacy is, of course, a hugely important subject and something we all have a right to, but the balance between usability needs to be recognised. Imagine walking into a coffee shop, or on your daily commute and having to agree to the terms and conditions of service every day or trade your email address for internet access every 24 hours. 

Wi-Fi in a lot of cases is usually perceived as a free service. Still, in reality, someone is paying for it, perhaps the venue owner benefits from the footfall analytics it receives for offering free guest Wi-Fi to allow it to plan better spaces and paths. It’s feasible a brand will give you free Wi-Fi in return for you joining their mailing list or at least asking you. The Wi-Fi platform has to be paid for, access points, switches, routers, backhaul, service providers, support desks all play a valuable role in the delivery chain of offering free Wi-Fi.

In some countries it’s a requirement to know the end-user, you’ve probably been to a hotel that requires your passport before allowing you to stay, so they have a legal record of who stays with them, this also validates and records your approval for internet access. In Belgium internet service providers have to follow their government guidelines and record guest devices on their networks, they often do this by sending an SMS code to the device and cross-validate this to the MAC for a period of time. 

Most of these use cases can be overcome. Passpoint is one option, OpenRoaming another but it’s not for everyone. The industry is now looking at alternative solutions.

GlobalReach raised this with Apple directly. We worked with the Wireless Broadband Alliance, other bodies and agencies to raise this concern. Thank you, Apple, for seemingly listening to our feedback.

Apple’s iOS14 final release removed the 24-hour randomisation, they still create a randomised, but unique per SSID MAC address as Android’s operating system does today.

As Spock once said, “Logic clearly dictates that the needs of the many outweigh the needs of the few.” We agree privacy is important but so is user experience. 

GlobalReach will always take privacy seriously, and we strongly advise against the use of a MAC address as a long-term identifier, solutions should look at all other possibilities before using the MAC as a permanent identifier. A MAC address simply can not be trusted or indeed validated. 

Apple still allows full user control of their privacy by enabling them to create a new randomised MAC address per network SSID when they choose, but no longer automatically every 24 hours. 

As ever, we are here to help you navigate this challenge and to build better Wi-Fi experiences. Contact us today.