MAC Randomisation: BETA 4 Update

By Chris Spencer, Chief Security Officer, GlobalReach Technology

When Apple announced its new MAC randomisation feature in iOS14 and iPadOS14, it quickly sent ripples through the Wi-Fi industry.

Never before had a single client-side change caused such a controversial problem. In theory, rotating the MAC address every 24 hours for extra privacy seemed a good idea, but in practice it broke a long list of user experiences and existing solutions:

  • Reserved (DHCP-assigned) device IP addresses
  • Age-related content filtering (filtering DNS servers delivered over DHCP to a known device)
  • Remembering a guest's device for the length of a week's vacation
  • Allowing a Wi-Fi user to name a device on the network side (in their home router or account)
  • Network-based intrusion protection devices
  • Lawful interception and logging

Along with these smaller issues, which can be resolved over time, network operators also had to make hasty changes to revenue and capacity controls that were keyed on the MAC.

Arguably these should have been built on better foundations in the first place, but the truth of the matter is that networks have been deploying these methods for some time, mainly as a way to improve the user experience:

  • Paid weekly passes tied to a device
  • Concurrency limits on networks

Apple’s introduction of a MAC per SSID makes complete sense, and it is something other operating systems have done for a few years, but the new private Wi-Fi address that changed every 24 hours was simply too much too soon. Announced in June and released via a public BETA in July, Apple gave very little time for network owners to update documentation, train service desks, engage customers and educate Wi-Fi end users.

Privacy is, of course, a hugely important subject and something we all have a right to, but a balance with usability also needs to be recognised. Imagine walking into a coffee shop, or boarding your daily commute, and having to agree to the terms and conditions of service every day, or trade your email address for internet access every 24 hours.

Wi-Fi is, in a lot of cases, perceived as a free service. In reality someone is paying for it: perhaps the venue owner benefits from the footfall analytics it receives in return for offering free guest Wi-Fi, and uses them to plan better spaces and paths. It is feasible that a brand will give you free Wi-Fi in return for joining its mailing list, or at least for being asked. The Wi-Fi platform has to be paid for; access points, switches, routers, backhaul, service providers and support desks all play a valuable role in the delivery chain of free Wi-Fi.

In some countries it is a requirement to know the end user. You have probably stayed at a hotel that asks for your passport before you check in, so that it has a legal record of who is staying; the same record validates and documents your approval for internet access. In Belgium, internet service providers have to follow government guidelines and record the guest devices on their networks; they often do this by sending an SMS code to the device and cross-validating it against the MAC for a period of time.

Most of these use cases can be overcome. Passpoint is one option and OpenRoaming (which is built on Passpoint) another: both authenticate the user with a credential over 802.1X rather than recognising the device by its MAC, so a changing address no longer matters. Neither is for everyone, though, and Apple’s 24-hour MAC randomisation was too much too soon for the industry to roll out such alternatives.

GlobalReach raised this with Apple directly. We also worked with the Wireless Broadband Alliance, other bodies and agencies to raise this concern directly to Apple.

Apple’s latest iOS 14 BETA 4 seems to have removed the 24-hour randomisation; devices still create a randomised but stable per-SSID MAC address, just as Android does today.

As Spock once said, “Logic clearly dictates that the needs of the many outweigh the needs of the few.” We agree privacy is important but so is user experience.

Thank you, Apple, for seemingly listening to our feedback.

GlobalReach will always take privacy seriously, and we strongly advise against the use of a MAC address as a long-term identifier; solutions should exhaust every other option before using the MAC as a permanent identifier. A MAC address simply cannot be trusted or validated: it is chosen by the client, so it can be randomised, regenerated or spoofed at will, and nothing in the address proves which device or person is behind it.
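The two practical consequences of the points above, the Belgian pattern of cross-validating an SMS code against a MAC for a limited period and the advice never to use the MAC as a permanent identifier, are easier to see in code. The example below is an added illustration and not GlobalReach, Apple or any vendor's code. It classifies a client MAC as randomised or burned-in using the locally-administered (U/L) bit that iOS and Android set on their random addresses, counts the share of randomised clients in some constructed association log lines, and keeps a weekly pass against the verified subject (an SMS-verified number) with the MAC as a short-lived pointer that has to be re-verified when it changes. The log format, the `PassStore` API and the 24-hour binding TTL are all assumptions chosen for the example.

```python
"""Added example (not GlobalReach or Apple code): classify client MAC
addresses as burned-in or randomised, and keep pass/session state keyed on
a verified subject with the MAC as a short-lived pointer. All MACs and log
lines here are constructed, and the 24-hour binding TTL is an assumed
operator choice."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


def normalise_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff and
    return the lower-case colon-separated form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def is_locally_administered(mac: str) -> bool:
    """The U/L bit (bit 1 of the first octet, mask 0x02) is set on locally
    administered addresses. Randomised Wi-Fi addresses from iOS and Android
    set it; vendor-assigned (OUI) burned-in addresses leave it clear. This is
    a strong hint, not proof: virtual NICs and some hotspots set it too."""
    return bool(int(normalise_mac(mac)[:2], 16) & 0x02)


def randomised_share(log_lines: List[str]) -> Dict[str, int]:
    """Count distinct client MACs in (constructed) association log lines and
    how many of them are locally administered, i.e. probably randomised."""
    seen: Dict[str, bool] = {}
    for line in log_lines:
        m = re.search(r"\bmac=([0-9A-Fa-f:.-]{12,17})", line)
        if m:
            mac = normalise_mac(m.group(1))
            seen[mac] = is_locally_administered(mac)
    return {"total": len(seen), "randomised": sum(seen.values())}


@dataclass
class Pass:
    subject: str        # durable, verified identity: SMS-verified number or account id
    expires: datetime


class PassStore:
    """Paid/weekly passes live against the verified subject. A MAC is only
    bound to the subject for a short time; when the device comes back with a
    new MAC the user re-verifies (e.g. a fresh SMS code) and is re-bound,
    rather than being charged again or losing the pass."""

    def __init__(self, mac_binding_ttl: timedelta = timedelta(hours=24)):
        self.passes: Dict[str, Pass] = {}                    # subject -> Pass
        self.bindings: Dict[str, Tuple[str, datetime]] = {}  # mac -> (subject, binding expiry)
        self.mac_binding_ttl = mac_binding_ttl

    def grant(self, subject: str, mac: str, duration: timedelta, now: datetime) -> Pass:
        """Issue a pass to a verified subject and bind the current MAC to it."""
        self.passes[subject] = Pass(subject=subject, expires=now + duration)
        self.bind(mac, subject, now)
        return self.passes[subject]

    def bind(self, mac: str, subject: str, now: datetime) -> datetime:
        """Point a MAC at a subject after the user has (re-)verified. The
        binding never outlives the pass or the operator's MAC TTL, because a
        MAC is client-chosen and can be randomised or spoofed at will."""
        p = self.passes.get(subject)
        if p is None or now >= p.expires:
            raise LookupError(f"no valid pass for subject {subject!r}")
        expiry = min(now + self.mac_binding_ttl, p.expires)
        self.bindings[normalise_mac(mac)] = (subject, expiry)
        return expiry

    def authorise(self, mac: str, now: datetime) -> Optional[str]:
        """Return the subject whose valid pass this MAC is bound to, or None.
        None means 'send the user through verification again', not 'sell a
        new pass'."""
        entry = self.bindings.get(normalise_mac(mac))
        if entry is None:
            return None
        subject, binding_expiry = entry
        p = self.passes.get(subject)
        if now >= binding_expiry or p is None or now >= p.expires:
            return None
        return subject


# Constructed sample log: the first two MACs have the U/L bit set (randomised),
# the last two look burned-in; one randomised client appears twice.
SAMPLE_LOG = [
    "2020-08-05T09:00:01Z assoc ssid=Venue-Guest mac=02:1a:2b:3c:4d:5e ap=ap-lobby-1",
    "2020-08-05T09:00:07Z assoc ssid=Venue-Guest mac=DE-AD-BE-EF-00-01 ap=ap-lobby-1",
    "2020-08-05T09:01:12Z assoc ssid=Venue-Guest mac=0011.2233.4455 ap=ap-cafe-2",
    "2020-08-05T09:02:40Z assoc ssid=Venue-Guest mac=3c:22:fb:aa:bb:cc ap=ap-cafe-2",
    "2020-08-05T09:03:00Z assoc ssid=Venue-Guest mac=02:1a:2b:3c:4d:5e ap=ap-cafe-2",
]


def demo() -> Optional[str]:
    """Week-long pass bought on one randomised MAC; the device regenerates its
    address a day later, re-verifies, and keeps the same pass."""
    t0 = datetime(2020, 8, 5, 9, 0, tzinfo=timezone.utc)
    store = PassStore()
    store.grant("+32470000000", "02:1a:2b:3c:4d:5e", timedelta(days=7), t0)
    assert store.authorise("02:1a:2b:3c:4d:5e", t0 + timedelta(hours=1)) == "+32470000000"
    # After 24h the binding has lapsed and the new MAC is unknown until re-verified.
    assert store.authorise("02:1a:2b:3c:4d:5e", t0 + timedelta(hours=25)) is None
    assert store.authorise("de:ad:be:ef:00:01", t0 + timedelta(hours=25)) is None
    store.bind("de:ad:be:ef:00:01", "+32470000000", t0 + timedelta(hours=25))
    return store.authorise("de:ad:be:ef:00:01", t0 + timedelta(hours=26))


if __name__ == "__main__":
    print(randomised_share(SAMPLE_LOG))
    print(demo())
```

The point of the split between `passes` and `bindings` is that the thing a regulator or a customer cares about (who bought the pass, which verified number approved internet access) is recorded against the subject and the verification event, while the MAC is treated as a cache entry that is allowed to go stale. The U/L-bit check is useful for reporting on how much of a network's traffic now comes from randomised addresses, but it should not drive authorisation decisions on its own, since the bit is also set by virtual interfaces and can be forged like the rest of the address.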

Apple’s change in beta 4 still gives users full control of their privacy: they can generate a new randomised MAC address for a network SSID whenever they choose, but it no longer rotates automatically every 24 hours.

We have asked Apple for a statement and updated documentation on its MAC randomisation implementation and will be watching and reporting on this hot topic over the coming months.

As ever, we are here to help you navigate this challenge and to build better Wi-Fi experiences. Contact us today.