The trace we leave when we use Wi-Fi even if we don't connect

Do you feel like the apps you use know where you've been? How can ads for a certain brand of coffee reach you if you weren't even connected to Wi-Fi when you visited the store a couple of hours ago?

We live in a highly connected society. Every day we have more connected devices, and we connect for longer and from more locations. This poses a constant, silent threat. Without being aware of it, we leave a trail of what we do, when we do it and where we do it.


The problem of privacy and security on the Internet is more relevant today than ever. It has multiple dimensions: the confidentiality of information, its authenticity, and the authenticity of the parties communicating. This article focuses on one aspect: how to make tracking more difficult.

MAC addresses and Wi-Fi networks

Devices use MAC (Medium Access Control) addresses to connect to a Wi-Fi network. These serve to identify the device on the network when it sends or receives data. For that reason, MAC addresses must be unique on the network.

Each device comes with a factory-set MAC address. These addresses are globally unique, so no two devices in the world share the same address. This is a problem, as we will see below.

In a Wi-Fi network, devices use MAC addresses every time they send or receive information. Because a device uses the same address every time, network operators or other observers on the network can monitor when that particular device is connected to the network.

Furthermore, in many cases it is very easy to associate the MAC address used by a device with the real identity of the user. For example, when we first connect to a network we provide information in order to gain access.

A device is vulnerable to being tracked even without being connected to the network. In many cases, Wi-Fi requires devices to send certain messages, for example to find out what networks are available. These messages include MAC addresses, so they can be used to reveal the identity of devices, even when they are not connected to the network.

In some cases, a device may actively ask for networks it has been connected to recently, including the names of those networks in the messages it sends.

This allows a potential attacker to find out which networks the device recently visited, obtaining very sensitive information.

Random and private addresses

To avoid these serious privacy problems, the main operating systems began to use random MAC addresses (called private addresses in the case of Apple devices). 

To make tracking more difficult, devices generate a random MAC address instead of using the factory-set one. This address only needs to be unique on the network the device is on.

If the device uses different random addresses for each network it connects to, an observer will not be able to conclude that it is the same device. 

Also, devices use a different random MAC address every time they send information without being connected to any network. This makes it difficult to track users who haven't even connected to the network.
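As an added illustration (not code from the original article or from any operating system), the Python sketch below shows the two behaviours described above: a per-network address that stays the same on one network but differs between networks, and a fresh address for each message sent while unconnected. The HMAC derivation, the function names and the sample values are assumptions of this example; the bit settings in the first octet follow the IEEE 802 convention for locally administered unicast addresses.

```python
import hashlib
import hmac
import secrets


def _as_random_unicast(six_bytes: bytes) -> str:
    """Format 6 bytes as a MAC with the 'locally administered' bit set
    and the 'group/multicast' bit cleared in the first octet."""
    first = (six_bytes[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in bytes([first]) + six_bytes[1:6])


def scan_mac() -> str:
    """Fresh random address for messages sent while not connected."""
    return _as_random_unicast(secrets.token_bytes(6))


def network_mac(device_secret: bytes, ssid: str) -> str:
    """Per-network address: stable on one network, different across networks.
    The HMAC derivation is an assumption of this example, not a vendor algorithm."""
    digest = hmac.new(device_secret, ssid.encode("utf-8"), hashlib.sha256).digest()
    return _as_random_unicast(digest[:6])


def is_locally_administered(mac: str) -> bool:
    """True if the address is marked as locally assigned (e.g. randomized)
    rather than a factory-set, globally unique address."""
    first_octet = int(mac.replace("-", ":").split(":")[0], 16)
    return bool(first_octet & 0x02)


if __name__ == "__main__":
    secret = secrets.token_bytes(32)   # constructed per-device secret
    factory = "00:11:22:33:44:55"      # constructed factory-style sample address
    for ssid in ("CoffeeShop-Guest", "HomeNet"):  # constructed network names
        print(ssid, network_mac(secret, ssid))
    print("scan", scan_mac(), scan_mac())
    print(factory, "locally administered:", is_locally_administered(factory))
```

An observer comparing the two per-network addresses sees unrelated values, while a network that keeps a list of authorized addresses sees the same address on every visit.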

Recently, Android and iOS mobile devices started using random MAC addresses by default. In some specific scenarios or networks it may be necessary to disable this behavior. One example is networks that use lists of authorized MAC addresses.

The future

The impact that the use of random MAC addresses can have on the applications we use and the networks we connect to is currently being investigated. 

There are scenarios where the network needs to anonymously identify a device even though it uses random addresses. This is the objective of the MADINAS working group of the IETF (Internet Engineering Task Force), the main organization for the standardization of internet protocols.

It is important to study how to combine the use of random addresses with other mechanisms designed to improve privacy. 

In the future, devices will be able to adapt to the context and specific needs of each user. Just as we do not walk barefoot on the street but can do so at home, our devices must learn how and when to apply certain solutions to protect our privacy.
