Apple made waves in the world of network security when it announced iOS 14 in June 2020. While consumers delighted in the new features of iOS 14, Apple's expansion of user privacy caught network security professionals off guard. Two changes in this release have forced IT professionals to rethink their network security strategies:
- The move from opt-out to opt-in for app access to the Identifier for Advertisers (IDFA).
- Randomization of the device's Wi-Fi MAC address every 24 hours.
While the opt-in approach to IDFA access mainly affects targeted marketing, this article explores the impact of 24-hour MAC address randomization on network services and security. From the hospitality industry to ISPs, identifying, classifying and verifying devices on the network has just gotten much harder.
Note: This post was written during the iOS 14 beta period. Under industry pressure, Apple removed 24-hour MAC address randomization from the iOS 14 release and said the feature was being delayed. We expect it to return in a future iOS release and to cause the problems discussed below. (11/22/2020)
Network Security Has Depended on MAC Address Identifiers
Until iOS 14, the MAC address was the fundamental means of identifying, classifying and verifying devices on computer networks. Every network interface controller (NIC) has a MAC address, and that address stayed the same for the life of the interface, so a device could be recognized every time it connected. The address is a 48-bit value, usually written as six hexadecimal octets, whose first 24 bits identify the manufacturer of the interface. Most early computers had one NIC, which is how the MAC address became the de facto device identifier from the start. Using MAC addresses for device identification worked well until Apple started rotating them daily through randomization. An address that changes every day is no longer useful for recognizing a device from one session to the next.
MAC Address Use Cases in Network Security
MAC addresses have served a variety of functions in securing networks: setting per-device permissions for activities within the network, and network management tasks such as DHCP reservations and the port-forwarding rules built on top of them. Persistent MAC addresses have also been useful for troubleshooting network performance, especially when a particular device's behavior must be inspected over several days. Additionally, persistent MAC addresses have been essential for pay-per-use day passes (e.g., public Wi-Fi), guest network login (hotels) and parental control services (e.g., in-home Wi-Fi).
Why Has the MAC Address Been Critical to Device Identification?
The MAC address has been the only consistent anchor in the seven-layer Open Systems Interconnection (OSI) networking stack. The identifiers at the other layers change over time and therefore cannot be relied upon.
Think about it. At layers one through four, a device's observable attributes change over time. The IP address at layer three can change from connection to connection, and the transport-layer ports at layer four are ephemeral. At the physical layer, channel characteristics change rapidly, so they cannot be used on their own to identify devices.
The MAC address, at the data link layer (layer two), has always been the consistent and reliable identifier for maintaining your network and managing device identities. That is, until iOS 14 came along.
iOS 14 randomizes the MAC address every 24 hours, so the address is no longer consistent and cannot be used for device identification, classification and verification. Randomized addresses are at least recognizable as such: like every locally administered address, they have bit 1 of the first octet set, so the second hex digit of the address is 2, 6, A or E.
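To make the identifier concrete, here is an added Python example (not code from the original post or from LEVL) that parses a MAC address in the common notations, splits out its 48 bits and reports whether the address is vendor-assigned or locally administered, which is how a randomized address can be recognized. The sample addresses are constructed for illustration.

```python
"""Anatomy of a 48-bit MAC address and a check for randomized (locally
administered) addresses. Added example; the sample addresses are constructed
for illustration and are not taken from any real device."""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def parse_mac(text: str) -> int:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and
    return the address as a 48-bit integer."""
    digits = re.sub(r"[:\-.]", "", text.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value: int) -> str:
    """Render a 48-bit integer as six colon-separated hex octets."""
    if not 0 <= value < (1 << 48):
        raise ValueError("MAC address must fit in 48 bits")
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))


def is_multicast(mac: int) -> bool:
    """I/G bit (bit 0 of the first octet): 1 = group/multicast address."""
    return bool((mac >> 40) & 0x01)


def is_locally_administered(mac: int) -> bool:
    """U/L bit (bit 1 of the first octet). Vendor-assigned addresses have it
    clear; randomized addresses set it, so the first octet ends in 2, 6, a or e."""
    return bool((mac >> 40) & 0x02)


def oui(mac: int) -> str:
    """First 24 bits; for vendor-assigned addresses this is the IEEE-registered
    Organizationally Unique Identifier of the interface manufacturer."""
    return format_mac(mac)[:8]


def classify(text: str) -> dict:
    """Everything a network operator can tell from the address alone."""
    mac = parse_mac(text)
    local = is_locally_administered(mac)
    return {
        "mac": format_mac(mac),
        "oui": oui(mac),
        "multicast": is_multicast(mac),
        "locally_administered": local,
        # Only a vendor-assigned address can be expected to stay the same
        # from one connection to the next.
        "vendor_assigned": not local,
    }


if __name__ == "__main__":
    for sample in ("3C:22:FB:01:02:03", "da:a1:19:7e:44:f0", "0011.2233.4455"):
        print(classify(sample))
```

The check is purely local: it needs no vendor database, only the two flag bits of the first octet, which is why a captive portal or DHCP server can tell at lease time that the address in front of it will not be stable.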
What Is the Impact of Randomizing MAC Addresses?
When Apple announced MAC address randomization, network operators such as ISPs, public Wi-Fi vendors and hospitality network managers panicked. The level of panic almost had a Y2K feel to it; yes, the change was that significant. They had good reason to panic, because with MAC address randomization significant network services and security controls break.
What Breaks with MAC Address Randomization?
What breaks if the MAC address is randomized every 24 hours? Here are some examples:
- Parental control: Rules keyed to a child's device stop matching it after the next rotation, so no rules can be set for individual devices on in-home networks.
- Hotel guest services: Guests must log in to the hotel network again every day of their stay, and pay-per-use passes demand a new payment at each login, diminishing the guest experience.
- Network performance: Troubleshooting the performance of an individual device becomes nearly impossible, because logs from one day cannot be correlated with logs from another.
- Blacklisting or whitelisting: MAC-based allow and deny lists are no longer effective.
- Port forwarding/firewalls: Rules for individual devices, including the DHCP reservations that give a device a fixed IP address, become ineffective.
Note that the network protocols themselves, Ethernet and Wi-Fi, do not require the MAC address to be persistent. They work with a random address as long as it does not change during a live connection; a device that reconnects with a new address is, as far as the network can tell, simply a new device with a new DHCP lease. Over the years, however, many services layered above those protocols have treated the MAC address as a persistent device identity, and those are the services that randomization affects.
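The following added example (not code from the original post or from LEVL) shows the first three failure modes on a constructed, dnsmasq-style lease log (expiry epoch, MAC, IP, hostname, client-id): one laptop with a fixed address and one iPhone whose randomized address differs each day. Grouping by MAC turns two devices into four, and a parental-control rule keyed to the phone's day-one address stops matching on day two. The hostnames, addresses and timestamps are made up for the example.

```python
"""Why MAC-keyed rules and log correlation break under daily randomization,
shown on a constructed dnsmasq-style lease log. Added example; every address,
name and timestamp below is made up for illustration."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed leases: three consecutive days, one laptop with a vendor-assigned
# address and one phone whose (locally administered) address rotates daily.
SAMPLE_LEASES = """\
1597190400 3c:22:fb:10:20:30 192.168.1.10 family-laptop *
1597190400 da:a1:19:7e:44:f0 192.168.1.23 Teen-iPhone *
1597276800 3c:22:fb:10:20:30 192.168.1.10 family-laptop *
1597276800 a6:3e:0c:91:b2:57 192.168.1.31 Teen-iPhone *
1597363200 3c:22:fb:10:20:30 192.168.1.10 family-laptop *
1597363200 4e:d0:7b:22:c8:19 192.168.1.44 Teen-iPhone *
"""


def is_locally_administered(mac: str) -> bool:
    # U/L bit: bit 1 of the first octet, set on randomized addresses.
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_leases(text: str) -> list[dict]:
    """One record per lease line, with the expiry reduced to a UTC calendar day."""
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        expiry, mac, ip, hostname, _client_id = line.split()
        day = datetime.fromtimestamp(int(expiry), tz=timezone.utc).date().isoformat()
        leases.append({"day": day, "mac": mac.lower(), "ip": ip, "hostname": hostname})
    return leases


def devices_seen_by_mac(leases: list[dict]) -> dict[str, set[str]]:
    """Group leases the way a MAC-keyed tool does: one 'device' per address.
    A phone that rotates its address shows up as a brand-new device each day,
    so its history cannot be followed across days."""
    seen: dict[str, set[str]] = defaultdict(set)
    for lease in leases:
        seen[lease["mac"]].add(lease["day"])
    return dict(seen)


def randomized_macs(leases: list[dict]) -> set[str]:
    """Addresses that cannot be expected to persist (U/L bit set)."""
    return {lease["mac"] for lease in leases if is_locally_administered(lease["mac"])}


def apply_block_rule(blocked_macs: set[str], leases: list[dict]) -> list[tuple[str, str, bool]]:
    """Evaluate a parental-control rule keyed on MAC addresses against every
    lease. Returns (day, hostname, blocked) so the gaps are visible."""
    return [(lease["day"], lease["hostname"], lease["mac"] in blocked_macs) for lease in leases]


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    print("distinct MACs seen:", len(devices_seen_by_mac(leases)), "for 2 physical devices")
    print("randomized:", sorted(randomized_macs(leases)))
    # The rule was written on day one against the phone's address that day.
    for day, host, blocked in apply_block_rule({"da:a1:19:7e:44:f0"}, leases):
        if host == "Teen-iPhone":
            print(day, host, "blocked" if blocked else "NOT blocked")
```

Run stand-alone it reports four distinct addresses for two devices and shows the homework-time rule holding on the first day only. Flagging locally administered addresses at lease time, as `randomized_macs` does, is the one piece of information the operator still gets for free: it tells you which rules are about to go stale.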
If MAC Address Randomization Breaks Services and Security, Why Did Apple Do It?
It's all about user privacy. That is the main reason Apple, and other tech giants such as Google and Microsoft, support randomizing the MAC address. A device's Wi-Fi MAC address is easy for a third party to read, even one outside the device's network: the transmitter address is carried unencrypted in the header of every 802.11 frame, including the probe requests a phone broadcasts while looking for networks, so any radio within range can record it. WPA2 and WPA3 encrypt only the payload of data frames, never the addresses in the header.
Before iOS 14 an external observer could track devices through their MAC addresses to learn about people, obtaining information such as location and habits without the user's permission or knowledge. (Apple had already randomized the address used in probe requests since iOS 8, but once a phone joined a network it used its real address, so an observer only had to wait for it to connect.)
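To show why the address is readable from outside the network, the following added Python example (not from the original post or from LEVL) builds a minimal 802.11 probe request and parses it the way a passive sniffer would, pulling the transmitter address out of the unencrypted MAC header and checking its U/L bit. The MAC addresses and SSID are constructed, and the frames omit the trailing 4-byte FCS for simplicity.

```python
"""Minimal 802.11 probe-request builder and parser. Added example with
constructed addresses and SSID; frames omit the 4-byte FCS for simplicity."""
import struct

BROADCAST = b"\xff" * 6
MGMT_TYPE = 0          # frame-control type 0 = management
PROBE_REQUEST = 4      # management subtype 4 = probe request
SUBTYPE_NAMES = {4: "probe-request", 5: "probe-response", 8: "beacon"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_locally_administered(raw: bytes) -> bool:
    # U/L bit of the first octet; set on randomized (locally administered) MACs.
    return bool(raw[0] & 0x02)


def build_probe_request(transmitter: bytes, ssid: bytes = b"", seq: int = 0) -> bytes:
    """Management frame layout: frame control (2), duration (2), addr1/DA (6),
    addr2/SA (6), addr3/BSSID (6), sequence control (2), then the tagged
    information elements. A probe request is sent before any association,
    so there is no encryption key in play at all."""
    frame_control = (PROBE_REQUEST << 4) | (MGMT_TYPE << 2)
    header = struct.pack("<HH", frame_control, 0)
    header += BROADCAST + transmitter + BROADCAST + struct.pack("<H", seq << 4)
    ssid_ie = bytes([0, len(ssid)]) + ssid                    # element ID 0: SSID (empty = wildcard)
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])         # element ID 1: 1/2/5.5/11 Mbps, basic
    return header + ssid_ie + rates_ie


def parse_ies(body: bytes) -> dict[int, bytes]:
    """Tagged parameters: one-byte element ID, one-byte length, value."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        ies[eid] = body[i + 2 : i + 2 + length]
        i += 2 + length
    return ies


def parse_probe_request(frame: bytes) -> dict:
    """What a passive listener learns from one probe request. The MAC header,
    including the transmitter address, is never encrypted, so no key is needed."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    frame_control, _duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (frame_control >> 2) & 0x3, (frame_control >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype != PROBE_REQUEST:
        raise ValueError(f"not a probe request (type={ftype}, subtype={subtype})")
    transmitter = frame[10:16]                      # addr2 = source/transmitter
    (seq_ctrl,) = struct.unpack_from("<H", frame, 22)
    ies = parse_ies(frame[24:])
    ssid = ies.get(0, b"").decode("utf-8", errors="replace")
    return {
        "subtype": SUBTYPE_NAMES[subtype],
        "transmitter": mac_str(transmitter),
        "locally_administered": is_locally_administered(transmitter),
        "sequence": seq_ctrl >> 4,                  # upper 12 bits; low 4 = fragment
        "ssid": ssid,
        "wildcard": ssid == "",
    }


if __name__ == "__main__":
    for mac in ("3c22fb102030", "daa1197e44f0"):
        frame = build_probe_request(bytes.fromhex(mac), b"HomeWiFi", seq=7)
        print(parse_probe_request(frame))
```

Everything the parser returns comes from bytes that are sent in the clear by design; the second constructed address is flagged as locally administered, which is the only hint a listener gets that it may not see the same address tomorrow.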
In other scenarios, many applications have collected MAC addresses and cross-correlated them with users' personally identifiable information (PII). For instance, TikTok reportedly collected the MAC addresses of hundreds of millions of devices that installed its app. While users can opt out of advertiser identifiers such as Apple's IDFA or Google's GAID, there is no opt-out for an app reading the MAC address. For TikTok, the MAC address was a reliable means of identifying a device and its user.
What Are Some Alternatives for Device Identification Now that the MAC Address Is Becoming Irrelevant?
You might be wondering how services such as parental controls or whitelist/blacklist-based security can identify devices in a home network.
Consider a US household of four, two parents and two teenagers, everyone with an iPhone. The parents block their children's phones during homework time. With MAC address randomization, how is this possible? How will the rule tell the parents' phones from the teenagers' phones when all the MAC addresses change daily?
Now say you work for an ISP and want to give your subscribers this capability: blocking the children's devices during homework time, or enforcing other parental controls. Let's walk through this home network challenge through the lens of enterprise security and of the CIO.
An Enterprise Security Perspective
Install a certificate on every device and use those certificates for device identification. Problem solved. Except for your boss...
An Enterprise CIO Perspective
You would object to a certificate for every device given the cost and complexity of deploying and managing certificates at scale. Recent studies cite that 7 out of 10 CIOs consider certificate management the worst part of their job. If it is a nightmare for a large organization with dedicated IT staff, it is hardly a good idea to put one on every consumer device (in the US alone, more than 1,000,000,000 devices).
A CIO might consider device fingerprinting as an alternative, but existing device fingerprinting techniques typically identify a device type or model, not the individual device.
So, in our family of four: if a parent sets a parental control rule to block the children's devices during homework time, the rule cannot tell the phones apart and blocks the parents too. Nor can the parent change the rule once it is in place, because, guess what? They are blocked!
While these approaches might work in some cases, they are not always viable because they carry tradeoffs in money, time, complexity and user experience.
There is a better solution that is available now. It’s the LEVL-ID.
The Best Solution for Device Identification in an iOS 14 World
At LEVL we take a novel approach to device identification that gives you a unique identifier, a LEVL-ID, for every individual device on the network. Our platform is the only solution that leverages data from every layer of the OSI stack, from the physical layer up.
The LEVL-ID requires nothing from the user and is completely zero-touch. Whether you are serving a customer, an employee or anyone else, the user experience is seamless. It does not rely on user data or PII for identification, so it does not compromise user privacy. And the best part: it is a derived identifier that is never stored on the device, so it cannot be read directly by apps on the phone or captured by third-party observers, because it relies on device characteristics observable only from inside the network.
LEVL-ID is the privacy-preserving, user-friendly alternative to the MAC address.