Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
avidiax 5 hours ago

> Bluetooth desperately needs mac randomization.

Bluetooth already has a well developed MAC randomization scheme.

Lookup "resolvable private address". The short of it is, your phone can find your headphones or vice-versa, despite one or both having random addresses. The addresses can be regenerated or rotate at an interval (say 15 minutes). The first part of the address is a nonce (pRand), and the rest of the address is a 24-bit hash of pRand with an identity resolving key (IRK). So the other party just listens passively for addresses, and sees if any of them happen to have the right hash.

I don't think this is as airtight as people think it is. Certainly, if you are following somebody and one address disappears right as another appears (rotation), it's quite easy to infer the new/old addresses belong to one device. I tried briefly to convince the Android developers to synchronize that rotation globally.

You can also probably infer that if you see a pair of random MACs arrive, and they have a certain pattern of timing and payload size, you can say with some certainty that they are particular devices, say an iPhone and an Apple Watch. But that requires sophisticated equipment since most Bluetooth LE communication is over a non-cryptographic frequency hopping arrangement.

Lastly, radio fingerprinting is widely known in academia, but requires special equipment.

bigiain an hour ago | parent [-]

> Lookup "resolvable private address". The short of it is, your phone can find your headphones or vice-versa, despite one or both having random addresses.

Is that just for the connection phase? Or does it then start publicly broadcasting a persistent MAC onced it's connected, so if you earbuds or watch are connected and communicating with your phoine, would a sniffer see a persisten MAC address or the session randomised one?

That's a problam (one of many problems) with WiFi MAC address randomisation - you can sniff the network names a phone is trying to connect to, then stand up a wifi access point with one of those names and the phone will reveal its real MAC address when it connects. I experimented a long time back with having a raspi that broadcast itself as a McDonalds free wifi access point, a huge number of phones would try to connect while I was out in public with it.

gruez 44 minutes ago | parent [-]

>That's a problam (one of many problems) with WiFi MAC address randomisation - you can sniff the network names a phone is trying to connect to, then stand up a wifi access point with one of those names and the phone will reveal its real MAC address when it connects.

That's not how mac address randomization works now for both android and ios. Both connects with a randomized mac as well, which might be persistent per-network, but it still heavily hampers data collection. For ios specifically, it also seems to have some sort of heuristic to detect which network names are common/guessable, and use a rotating mac for those. Moreover "you can sniff the network names a phone is trying to connect to" isn't really a thing unless the network is using hidden ssid, which isn't the default for almost all routers.

bigiain 27 minutes ago | parent [-]

Oh cool, thanks. My last time playing with this was pre covid, possibly 5 or more years pre covid.

I do know for sure that my iOS devices connect with persistent MAC addresses on both my home and work wifi networks - I'd _assumed_ it was the same MAC address on both networks, but I'll be curious to see if that's correct next time I'm in the office.

gruez 7 minutes ago | parent [-]

You don't even need to be in the office to see it. Just go to wifi -> edit, and it'll bring up a list of saved networks. Tap on one of them and it'll show the mac address used.