Will MAC Address leaking pose a privacy risk for IoT?

The expansion of the Internet of Things will compound privacy risks to individuals.
The expansion of the Internet of Things will compound privacy risks to individuals.

In-brief: privacy researchers warn that the media access control (MAC) addresses that identify connected devices pose a serious privacy risk to individuals: allowing would-be attackers or businesses to collect a wealth of data about an individual’s movements, activities and preferences.

The growing adoption of smart devices and related services promises to deliver consumers a Brave New World of super convenience and connectivity. In the not distant future, we’re promised, our smart watch’s biometric features will note when we waken and queue our coffee maker to start brewing.  Gelocation data from our connected car might communicate back to our connected oven, telling it to start pre-heating in anticipation of our arrival home.

That’s wonderful. But privacy advocates have long warned that the aggregation of all that data may pose real risks to our (cherished) notions of anonymity and privacy. Now two researchers are warning that the risk is real – and already upon us in the form of a little noted data point: the media access control (or MAC) address.

In a speech this week, Adam Harvey, a privacy advocate and designer at NYU’s Tisch school, warned that the media access control (MAC) address that identifies connected devices on a network, represents a serious privacy vulnerability: allowing would-be attackers or businesses to collect a wealth of data about an individual’s movements, activities and preferences.

“We are about to manufacture and deploy billions of devices and we don’t even know what the problems are yet,” he told a technical audience at a talk hosted by Digital Catapult, the London-based innovation centre. according to a report.

“The MAC address is such a big thing because so many devices use it. Anything with a networking card has a MAC address,” Harvey said.

His concern: unique MAC addresses for devices act as a kind of fingerprint that can trace that device’s movements across networks. In the case of mobile devices like smart phones or wearable (or embedded) health devices, that identifier and the identity of the owner are intertwined, creating a de facto personal identifier.

Working with the security researcher Surya Mattu, Harvey said he has cross referenced MAC addresses harvested from smart phones with Wi-Fi networks that each phone had connected to. The result is a rudimentary map that traced the phones’ owners’ movements around the world, Harvey said.

Smart phones collect and transmit a wide range of data  both directly and via third party applications. Many phones are configured to automatically look for and connect to known wi-fi hotspots: a potential problem when hotspots use common names like “Linksys” or “attwifi.” And wi-fi networks are often used as a supplement to determine the location of the phone in environments where access to GPS satellites is unreliable.

Google famously encountered a backlash after it was revealed that the cars used for its street mapping program were cataloging the SSIDs and MAC addresses of residential and commercial hotspots the vehicles encountered on their travels.

And, in this 2014 article, Ars Technica used the application Wireshark to analyze wireless LAN traffic and found it could compile a list of MAC addresses of  phones requesting access to the hotspot and the SSIDs of the networks they were looking for. That data can be captured and linked to the MAC address of the device. That information can then be combined with tools like the wardriving site WiGLE.net, which compiles data on wireless networks and allow users to search by SSID or MAC address. By noting what networks a particular device is looking for, would be attackers or businesses can create a kind of geospatial map of the phone’s various use contexts including work environments, hotels and stores frequented.

[Read more Security Ledger coverage of the Internet of Things.]

Sophisticated attackers might use such data to craft sophisticated spear phishing attacks that, for example, built on information about a hotel wifi network you connected your device to, Harvey warned.

Speaking to the Security Ledger, Mattu, said that their research leverages existing research and platforms like WiGLE.net. But the proliferation of smart devices is new: providing even more granular context about device owners than has been possible.

He said the problem is a common one: insecure protocols and standards that didn’t anticipate spread of connectivity. “This is a problem that’s driven by the ubiquity of connectivity. It became an issue once there started to be hotspots everywhere,” he said. He has created a demonstration of the data leak problem that he calls “From the Dark” and a tool called “airoViz” that visualizes Wi-Fi network activity in the space around a user.

Looking ahead, Mattu sees other potential problems, as companies or cybercriminals look to monitor traffic to and from connected homes and businesses to develop a detailed profile of the kind of smart objects that are being used within the walls.  “Many of us have smart objects in our homes that are constantly talking to the cloud in ways that we’re not aware of.”

The difference between the future and now is simply the number and variety of devices that will sport MAC addresses and the complex web of interactions that will be created between them. Mattu said that will almost certainly put more pressure on regulators like the FTC to devise ways to set ground rules that device makers can use to protect user privacy.