If one thing’s for sure, it’s that the wild, wild world of Wi-Fi stops for no one. As a matter of fact, it doesn’t stop for anything at all, and it has become even more popular during the coronavirus pandemic following the uptick in remote workers.
Back in June, Apple announced a slew of updates at WWDC, including its implementation of MAC address randomization. As you’ve likely heard, this wasn’t well received by the Wi-Fi community. While it promises improvements to user privacy, it also brings unwelcome disruptions to enterprises that rely on the MAC address to recognize a device. To better understand these implications, we’ve unpacked the situation below.
What’s with the new updates?
Long story short, iOS 14 includes a new feature called “Use Private Address” that, in the current beta builds, rotates a device’s Wi-Fi MAC address every 24 hours, even while it stays on the same network. This means a device presents a temporary, software-generated identifier rather than the address burned into its radio. From a privacy standpoint, this makes it much harder to track a device across networks and over time. The 24-hour rotation is only the current implementation of MAC randomization; the behavior has already changed several times during the betas, starting with “after a period of time” and at one point randomizing on each connection.
Spoiler alert: after receiving backlash from the Wi-Fi community, Apple is expected to let users turn the feature off, and the toggle is per network, so a user can keep a private address on public Wi-Fi and use the hardware address on trusted networks. For corporate-managed devices using MDM, the feature is also controllable by policy: the Wi-Fi configuration profile for a managed SSID can disable private addresses for that network (the DisableAssociationMACRandomization key in the Wi-Fi payload), which is how organizations should handle their corporate networks.
What devices are doing MAC randomization?
Apple wasn’t the first to implement MAC randomization, and they’re certainly not the only one. Windows 10 has offered “random hardware addresses” as a per-network option since 2015 (something we caught early at one of our NAC deployments), and more recently Android joined the rando-bandwagon, with Android 10 turning per-network randomization on by default.
As with Apple’s implementation, all the various OS vendors keep adjusting this behavior. A new MAC address may be used each time a device connects and reconnects to a network. It may use one random MAC per known network for as long as the network is saved, or it may rotate the address after a specified period of time. We expect (and hope) each OS vendor will settle on a behavior, but for now it’s a bit of a free-for-all and highly unpredictable.
The one thing that *is* predictable is what a randomized MAC address looks like. At least there’s a standard for it: a randomized address is a locally administered address, meaning the U/L bit (bit 1 of the first octet) is set, so the second hex digit of the address is always 2, 6, A or E. A burned-in hardware address has that bit clear and starts with a vendor OUI. That is how our systems can tell a real MAC from a random one.
So what’s all the fuss about?
Today, everyone wants speed and instant connectivity, but this new update kicks those dreams to the back burner. With these new features, enterprises will see impacts on Wi-Fi authentication, data collection and customer experience.
MAC addresses are 48-bit identifiers assigned to anything that has a network interface, whether a physical adapter or a virtual interface. In today’s world, we rely on MAC addresses to identify devices, and from an enterprise perspective it’s less about tracking users and more about the network simply recognizing a device as one that is already known and approved.
Pretty much every Wi-Fi guest portal uses a MAC caching process that lets a user join the network once and then reconnect without going through the portal or registration again. The system does this by remembering the MAC address. So you can imagine that if devices constantly change their MAC addresses, the portal sees a brand-new device each time. Aside from annoying the end user, who has to redo the portal far more often, it also inflates the organization’s licensing for Wi-Fi and NAC products, which are almost always based on the number of unique MAC addresses seen.
In other implementations supporting BYOD and NAC functions, the MAC address may be used as part of the authentication process itself, such as MAC Authentication Bypass (MAB) as the fallback in 802.1X deployments, which affects both wired and wireless devices. In these cases the MAC address is registered in a semi-permanent way (versus a guest visiting for a short time), and the system checks that database to decide whether the device authenticates and which access rights to apply. If the device has changed its MAC address, the system will not recognize it, the device will fail any MAC-based authentication, and users and possibly critical business applications are impacted.
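To make the “real vs. random” check and the portal/NAC impact concrete, here is an added example (not code from this post or from any NAC or Wi-Fi product) that classifies a MAC address by its U/L and multicast bits, counts how much a guest portal’s “unique devices” figure is inflated by randomized addresses, and shows a MAB-style lookup that sends a randomized address to onboarding instead of silently registering it. The device table, log lines and MAC addresses are constructed for illustration.

```python
"""Telling a randomized (locally administered) MAC from a burned-in one, and
using that in a NAC/portal lookup.

Added example for this post, not code from the original article or any
vendor product.  The device table, log lines and MAC addresses are
constructed for illustration.
"""
import re

# Pulls a MAC in colon, hyphen or Cisco dotted form out of a log line.
_MAC_RE = re.compile(r"mac=([0-9A-Fa-f:.\-]{12,17})")


def normalize_mac(mac: str) -> str:
    """Accept 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' or 'aabb.ccdd.eeff'
    and return lower-case colon form.  Raises ValueError on anything else."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_mac(mac: str) -> str:
    """Classify by the two flag bits of the first octet (IEEE 802):
    bit 0 (0x01) = multicast, bit 1 (0x02) = locally administered (U/L).
    iOS, Android and Windows randomized addresses are unicast with the U/L
    bit set, so their second hex digit is always 2, 6, a or e."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    if first_octet & 0x01:
        return "multicast"
    if first_octet & 0x02:
        return "random"      # locally administered: not tied to a vendor OUI
    return "hardware"        # universally administered: OUI + vendor serial


def mab_decision(known_devices: dict, mac: str) -> str:
    """NAC-style MAC lookup (e.g. MAB fallback) that treats randomized
    addresses differently from unknown hardware addresses."""
    m = normalize_mac(mac)
    if m in known_devices:
        return f"permit:{known_devices[m]}"
    if classify_mac(m) == "random":
        # This address will change and can never be pinned to a registered
        # device; push it to certificate-based onboarding instead of
        # registering yet another one-off entry (and burning a licence).
        return "redirect:onboarding"
    return "deny:unknown-hardware"


def portal_cache_stats(log_text: str) -> dict:
    """Count distinct MACs a guest portal accepted and how many of them are
    randomized, i.e. how inflated the 'unique devices' figure is."""
    seen = {}
    for line in log_text.splitlines():
        m = _MAC_RE.search(line)
        if not m:
            continue
        try:
            mac = normalize_mac(m.group(1))
        except ValueError:
            continue             # truncated or malformed entry, skip it
        seen[mac] = classify_mac(mac)
    counts = {"unique": len(seen), "random": 0, "hardware": 0}
    for kind in seen.values():
        if kind in counts:
            counts[kind] += 1
    return counts


# Constructed portal log: one laptop seen twice (different MAC formats), one
# phone seen twice on the same private address, one phone whose private
# address rotated before it came back, and one truncated entry.
SAMPLE_PORTAL_LOG = """\
2020-09-01T08:02:11 portal accept mac=3c:22:fb:12:34:56 user=guest
2020-09-01T08:05:40 portal accept mac=6a:1f:93:ab:cd:01 user=guest
2020-09-02T08:07:02 portal accept mac=6a:1f:93:ab:cd:01 user=guest
2020-09-02T09:11:55 portal accept mac=de:8e:20:77:18:9c user=guest
2020-09-03T09:14:30 portal accept mac=3C-22-FB-12-34-56 user=guest
2020-09-03T09:15:00 portal accept mac=3c:22:fb:12:34 user=guest
"""

# Constructed NAC device table: canonical MAC -> role
KNOWN_DEVICES = {"3c:22:fb:12:34:56": "corp-laptops"}

if __name__ == "__main__":
    print(portal_cache_stats(SAMPLE_PORTAL_LOG))
    for mac in ("3C-22-FB-12-34-56", "6a:1f:93:ab:cd:01", "00:11:22:33:44:55"):
        print(mac, "->", mab_decision(KNOWN_DEVICES, mac))
```

Running it reports three distinct addresses in the sample log, two of which are randomized, which is the licensing inflation described above in miniature. The lookup in `mab_decision` is the interim mitigation we deploy most often: a locally administered address that is not already registered is steered to certificate-based onboarding rather than added to the MAC database, because any entry for it is guaranteed to go stale.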
With MAC addresses becoming this dynamic, organizations are scrambling to implement interim solutions and have started to evaluate alternative methods of authentication that don’t depend on the MAC address at all.
Carolina Advanced Digital offers consulting for mitigating MAC randomization with current NAC and Wi-Fi deployments and offers a suite of solutions for other authentication options such as device certificates and automated on-boarding. Contact us today to schedule a call and discuss your needs!