Full Report
I came up with a theory (based on science) that it may be possible to passively track wireless devices even though they are making use of the defense that is MAC Address Randomization.
Analysis Summary
# Research: Using RF Power Levels to Defeat MAC Address Randomization
## Metadata
- **Authors:** Tom (Managing Security Consultant)
- **Institution:** LevelBlue SpiderLabs
- **Publication:** SpiderLabs Blog
- **Date:** Original post date not specified (Relates to LevelBlue/Trustwave research updates)
## Abstract
This research explores a novel method for tracking wireless devices that utilize Media Access Control (MAC) address randomization—a privacy feature designed to prevent persistent tracking. The author theorizes and demonstrates that despite software-level identity changes (rotating MAC addresses), the physical layer characteristics of the radio signal, specifically Received Signal Strength Indication (RSSI), remain consistent enough to link a "new" randomized identity to a "previous" one. By analyzing signal power levels and patterns at the moment of address rotation, a passive observer can maintain a continuous track of a specific hardware device.
## Research Objective
The primary objective is to determine if wireless devices can be tracked passively across MAC address rotations by using Radio Frequency (RF) power levels as a persistent fingerprint.
## Methodology
### Approach
The research employs a passive monitoring approach. It focuses on the transition point where a device stops broadcasting with "MAC Address A" and begins broadcasting with "MAC Address B." By keeping the physical distance between the transmitter (mobile device) and the receiver (monitoring station) constant, the researcher observed whether the signal metrics remained stable across the identity change.
### Dataset/Environment
- **Controlled Environment:** A static setup where the device and the listener are stationary.
- **Variable focus:** The timing and signal strength of 802.11 (Wi-Fi) probe requests.
### Tools & Technologies
- **Wireless Network Adapter:** Capable of monitor mode.
- **Packet Capture Software:** Tools such as Wireshark or `tcpdump` for capturing wireless frames.
- **Analysis Logic:** Correlating timestamps and RSSI values between different MAC addresses.
## Key Findings
### Primary Results
1. **RSSI Persistence:** RSSI is a function of physical hardware and distance; it does not change simply because the software changes the MAC address in the frame header.
2. **Temporal Correlation:** MAC address rotation often occurs while the device is actively searching for networks, leading to a "new" address appearing almost immediately after the "old" one disappears within the same power bracket.
3. **Pattern Matching:** In addition to raw power, the frequency or "cadence" of probe requests can serve as a secondary identifier to link randomized addresses.
### Supporting Evidence
- **Empirical Observation:** During the transition (rotation), the signal level for the new MAC address was identical (e.g., -40 dBm) to the signal level of the preceding address, allowing for near-certainty in device linkage.
### Novel Contributions
- Identifies a **Layer 1 (Physical) vulnerability** that undermines a **Layer 2 (Data Link) privacy defense**.
- Proposes that probe-request volume (cadence) and signal strength act as a "side channel" for identity.
## Technical Details
In 802.11 networks, MAC randomization is used in "probe requests" to prevent retailers or attackers from tracking a user's movements via static identifiers. However, the researcher noted that the **Radiotap header** (added by the receiving card, but reflecting the physical energy of the incoming signal) provides the RSSI. Because the physical radio hardware and its distance from the sensor do not change during the millisecond transition of a MAC rotation, the RSSI remains effectively constant. If a monitor sees MAC-A vanish at -45 dBm and MAC-B appear at -45 dBm within a narrow time window, the probability that they are the same physical device is extremely high.
## Practical Implications
### For Security Practitioners
- Passive tracking is still viable for behavioral analytics or localized surveillance even if targets use modern privacy-hardened OSs (iOS, Android).
### For Defenders
- Current randomization implementations are insufficient against sophisticated RF analysis.
- **Actionable Insight:** Turn off Wi-Fi when not in use to mitigate passive RF fingerprinting.
### For Researchers
- This highlights the need for "Physical Layer Randomization" or "Signal Camouflage" to accompany software-based privacy features.
## Limitations
- **Distance Dependence:** If the device is moving rapidly, the RSSI will change, making correlation more difficult (though still possible through velocity/path modeling).
- **Environment Noise:** In high-density areas with many devices rotating addresses simultaneously, the signal-to-noise ratio might decrease the accuracy of the correlation.
- **Hardware Variation:** Different monitoring cards may report RSSI differently.
## Comparison to Prior Work
Traditional MAC randomization research focuses on "information leaks" within the packet (such as sequence numbers or IE tags). This research differs by ignoring the *content* of the packet and focusing instead on the *physical energy* (RSSI) and *timing* of the transmission.
## Real-world Applications
- **Surveillance:** Intelligence or law enforcement tracking a specific individual through a crowded area despite device privacy settings.
- **Retail Analytics:** Stores tracking customer dwell time more accurately than standard MAC-sniffing allows.
## Future Work
- **Software Fixes:** Investigating if software can "jitter" the transmission power during a MAC rotation to break the RSSI link.
- **Ghost Replays:** Developing software to broadcast "decoy" probe requests with old MAC addresses to create noise and confuse trackers.
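The linkage rule from Technical Details (an old MAC goes quiet and a new one appears within a narrow window at the same RSSI) and the transmit-power jitter proposed under Software Fixes, worked through on a constructed capture so the mitigation's effect on linkability can be checked. This is an added example, not code from the post or from SpiderLabs; the MAC addresses, timestamps, RSSI values, the window and tolerance defaults, and the fixed 12 dB power step are all constructed.

```python
from collections import defaultdict

# Constructed sample capture (not from the original post): one row per probe
# request as (timestamp_s, source MAC from the frame, RSSI in dBm from Radiotap).
OBSERVATIONS = [
    (0.0, "da:a1:19:00:00:01", -45),
    (1.2, "da:a1:19:00:00:01", -46),
    (2.4, "da:a1:19:00:00:01", -45),  # last frame before this device rotates
    (2.9, "a2:55:7c:00:00:02", -71),  # a different, more distant device
    (3.1, "da:a1:19:00:00:03", -45),  # new MAC, same power, 0.7 s later
    (4.3, "da:a1:19:00:00:03", -45),
    (9.0, "da:a1:19:00:00:04", -62),  # too late and too different to link
]

def sessions(obs):
    """Per MAC: (first_seen, last_seen, rssi_at_first, rssi_at_last)."""
    by_mac = defaultdict(list)
    for t, mac, rssi in sorted(obs):
        by_mac[mac].append((t, rssi))
    return {m: (p[0][0], p[-1][0], p[0][1], p[-1][1]) for m, p in by_mac.items()}

def link_rotations(obs, window_s=2.0, rssi_tol_db=3):
    """Apply the post's rule: a new MAC is linked to an old one when it first
    appears within window_s after the old MAC went quiet and the RSSI across the
    gap differs by at most rssi_tol_db. Returns (links, ambiguous); a new MAC
    matching several old ones is left unlinked (the dense-environment limitation)."""
    s = sessions(obs)
    links, ambiguous = [], []
    for new, (first, _, rssi_first, _) in s.items():
        cands = [old for old, (_, last, _, rssi_last) in s.items()
                 if old != new and 0 <= first - last <= window_s
                 and abs(rssi_first - rssi_last) <= rssi_tol_db]
        if len(cands) == 1:
            links.append((cands[0], new))
        elif len(cands) > 1:
            ambiguous.append((new, sorted(cands)))
    return links, ambiguous

def with_tx_power_step(obs, mac, offset_db):
    """Hypothetical mitigation from Future Work: the device changes its transmit
    power when it adopts a new MAC. Modelled here as a fixed offset (a
    simplification of jitter) applied to every frame sent under that MAC."""
    return [(t, m, rssi + offset_db if m == mac else rssi) for t, m, rssi in obs]

if __name__ == "__main__":
    print(link_rotations(OBSERVATIONS))
    # Same capture, but the rotated identity transmits 12 dB lower.
    print(link_rotations(with_tx_power_step(OBSERVATIONS, "da:a1:19:00:00:03", -12)))
```

Tightening `window_s` or `rssi_tol_db` trades missed links for fewer false ones, which is the same trade-off the Limitations section describes for moving devices and dense environments.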
## References
- LevelBlue SpiderLabs Research: hxxps://www[.]levelblue[.]com/blogs/spiderlabs-blog/using-rf-power-levels-to-defeat-mac-address-randomization-enabling-passive-device-tracking