In June 2020 Apple announced their upcoming mobile OS, iOS14. While most people focused on the set of cool consumer features that iOS14 offered, Apple’s increased focus on privacy took many industries off guard.  Namely, the 24 hour randomization of the MAC addresses and changes to IDFA access from an “Opt out” approach to an “Opt in” approach. While the latter made waves in the marketing industry, where it will severely affect the targeted marketing business, in this discussion we focus on the former, which made waves in the networking and hospitality industries. 

The MAC address is one of the most recognized and fundamental concepts of computer networks. It is a unique stream of characters which is 48-bit long and can uniquely identify every network interface card (NIC) or network adapter in a device. Since most computers initially had only one NIC then MAC address very soon became the de facto device identifier rather than just the NIC identifier. The MAC address has been used for multiple purposes such as setting certain security rules on what certain devices can and cannot do in a network, or for network management use cases such as port forwarding. They are also very useful when troubleshooting the network performance, especially if to do so the network admin needs to inspect a certain device’s network behaviour over several days. Additional use-cases include pay-per-use day passes (e.g., in public Wi-Fi), guest network login (in Hotels) and policy enforcing in parental control services (e.g., in Home WiFi use-cases). 

From more of an engineering perspective, the MAC address constitutes the only consistent “anchor” in the networking stack. Looking at the 3 or 4 lower layers of the OSI model, anything from the Physical layer and up can change dramatically and is very dynamic. Think about it, at the physical layer the channel characteristics change rapidly and cannot really be relied on, on higher layers the device behaves differently over time. Even the IP address is dynamic and can change from connection to connection. Hence, the MAC address has been the one consistent and reliable identifier that different industries used to maintain their network and manage device identities. So when Apple announced that the MAC address was soon becoming effectively irrelevant then it is no wonder that several network equipment providers, ISPs, public WiFi vendors and hospitality networks managers panicked. It almost had a Y2K bug feel to it.

So what “breaks” if the MAC address is randomized every 24 hours?

  • Parental control in home networks becomes effectively irrelevant because no rules can be set for individual devices anymore.
  • Guests at a hotel now need to re-login every day during their stay. And even worse, in pay-per-use cases they will be asked to repay for the service they have already paid for. 
  • Network managers will not be able to troubleshoot the network performance for individual devices because network logs from one day will not be correlated to logs from another day.
  • Blacklisting or whitelisting based security won’t be effective anymore
  • Port forwarding/Firewalls rules for individual devices will become ineffective.

The most interesting part about it is that the network protocols such as Ethernet or Wi-Fi don’t require the MAC address to be persistent. They can work with a random MAC address as long as the MAC address doesn’t change during a live connection. However, over the years many different services (such as those mentioned above) have been built on top of the MAC address which will be now affected by such randomization. 

The main reason Apple and other tech giants such as Google and Microsoft support randomizing the MAC address is to protect the privacy of users. MAC address of a certain device can be read easily by a 3rd party even if that party is not part of the network to which the said device is connected. This means an external observer can track devices, and thus people and learn about their habits without them even knowing. In other scenarios, many applications have been collecting MAC addresses and cross correlating them against users Personally Identifiable Information (PII). A recent example is TikTok, who has reportedly connected 100’s of millions of MAC addresses from those that have installed their app. The main reason for this being that while users can Opt-out from advertiser identifiers such as Apple’s IDFA or Google’s GAID, there is no option to Opt-out of a MAC address reading. Hence, for TikTok MAC address constituted a more reliable way of identifying a device, and hence a user. 

So what are the alternatives now that the MAC address is on a clear path to becoming irrelevant? How can services such as parental control or whitelist/blacklist based security identify devices in a home scenario for example? If you put on your “Enterprise security” glasses then you probably will offer to install certificates on every device and use that for device identification. However, if you put on your Enterprise CIO glasses you would probably object to this offer, given the large scale cost and complexity of deploying and managing those certificates. There is a good reason why recent studies cite that 7 out of 10 CIOs believe certificate management was the worst part of their job. If it is a nightmare for a large organization with a dedicated IT staff,  it seems reasonable that it wouldn’t be the best idea to put it on every consumer device (which in the US alone would be more than 1,000,000,000 devices). How about using device fingerprinting then? The problem with existing device fingerprinting techniques is that the best they can do is to identify a device type and not really an individual device. So for example, assume a common US household of 2 parents and 2 teenagers then there is a high probability that you are looking at 4 Apple iPhones in that house. If the best existing technologies can do is to identify device types then there is a good chance that the parent will set a parental control rule for their children mobile devices to be blocked during the homework time and end up blocking themselves. The parent device wouldn’t even be able to fix that issue, because guess what? it is blocked!

At LEVL we take a fundamentally different approach for device identification. Our platform leverages data available from different layers of the OSI stack (from Physical layer and up) to create a unique identifier, a LEVL-ID, for every individual device. It does not require anything from the user and is completely zero-touch so it does not impact the user experience. It does not rely on the user-data or PII and thus, it doesn’t compromise the user privacy.  And the best part is that It is a derived identifier, not stored on the device, and thus, it cannot be read by Apps on the phone directly nor it can be compromised by external inspection because it relies on device characteristics only known to the internal network. Hence, LEVL-ID constitutes a privacy and user friendly alternative to the MAC address.

About Author

Daniel Zahavi

Daniel has made a career of innovating wireless cyber security technologies in very high-threat environments. He is now applying that experience to the commercial market.