What are random MAC addresses

Modern devices are now using MAC address randomization when they are not connected to a WiFi network and are searching for available networks in the vicinity. This technique is employed to enhance the privacy of the device owner.

To illustrate how this method significantly improves privacy, consider the following scenario: You once connected your personal phone to your office Wi-Fi. Your employer now has a record of your MAC address. Subsequently, your employer could potentially track your presence in the office by monitoring for your MAC address, even if you are not connected to the office Wi-Fi, because your phone periodically sends out probe requests to locate known networks.

With MAC address randomization, a phone will use a random MAC address for these probe requests, making it impossible to identify the device based on previously recorded MAC addresses. The device will only revert to its actual MAC address once it connects to a Wi-Fi network.

Today, almost all iPhones and Android devices incorporate MAC address randomization to protect user privacy.

Identifying randomized MAC addresses

You can identify a randomized MAC address by looking at the Locally Administered Address (LAA) bit. This is the second least significant bit of the first byte, which determines whether the address is universally or locally administered. If this bit is set to 1, the address is locally administered, which is often indicative of randomization. In hexadecimal notation, this means the second digit of the MAC address will be one of 2, 6, A, or E for unicast MAC addresses or 3, 7, B, or F for multicast MAC addresses. For instance, a MAC address beginning with 02:xx:xx:xx:xx:xx suggests it is randomized.

In the nzyme web interface, you will see an icon and property indicating that a MAC address is randomized.

Of course, you cannot entirely rely on this method of identification. MAC addresses are easy to spoof and nothing forces a device to follow this specification properly.
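The bit check described in this section, written out as an added Python example (this is not nzyme's own code, and the function names are hypothetical). It treats only locally administered unicast addresses as likely randomized, on the assumption that a client's own address is unicast, and the sample addresses are constructed.

```python
import re
from collections import Counter

def parse_mac(text):
    """Return the 6 address bytes for aa:bb:.., aa-bb-.. or aabb.ccdd.eeff notation."""
    digits = re.sub(r"[:.\-]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def classify(text):
    """Label an address from the two low bits of its first byte."""
    first = parse_mac(text)[0]
    scope = "local" if first & 0x02 else "universal"   # LAA bit (second least significant)
    kind = "multicast" if first & 0x01 else "unicast"  # group bit (least significant)
    return f"{scope}-{kind}"

def likely_randomized(text):
    """LAA bit set on a unicast address. A hint only: MAC addresses can be spoofed."""
    return classify(text) == "local-unicast"

def summarize(addresses):
    """Count address classes, tallying unparseable strings as 'invalid'."""
    counts = Counter()
    for addr in addresses:
        try:
            counts[classify(addr)] += 1
        except ValueError:
            counts["invalid"] += 1
    return counts

# Constructed sample addresses, not taken from a real capture.
SAMPLE = [
    "02:1a:2b:3c:4d:5e",   # second hex digit 2: locally administered unicast
    "DA-A1-19-00-00-01",   # second hex digit A: locally administered unicast
    "a6f1.e8aa.bb01",      # second hex digit 6, dotted notation
    "00:11:22:33:44:55",   # LAA bit clear: universally administered
    "01:00:5e:00:00:fb",   # group bit set, LAA bit clear
    "ff:ff:ff:ff:ff:ff",   # broadcast: LAA bit is set, but this is not a client
    "not-a-mac",           # malformed input
]

if __name__ == "__main__":
    for addr in SAMPLE[:-1]:
        print(f"{addr:20} {classify(addr):20} randomized? {likely_randomized(addr)}")
    print(dict(summarize(SAMPLE)))
```

The broadcast address shows why the LAA bit should not be read on its own: the bit is set there as well, so the group bit has to be checked alongside it.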

Working with randomized MAC addresses in nzyme

The clients page in your nzyme web interface features a toggle to include or exclude randomized MAC addresses. By default, these addresses are excluded from the tables and charts related to disconnected devices due to their low value and high noise factor. However, it’s important to remember that these addresses exist and to include them in your analysis when necessary.
