Re: [homenet] [Captive-portals] [Int-area] [EXTERNAL] Re: Evaluate impact of MAC address randomization to IP applications

[Carsten Bormann]

On 2020-09-30, at 19:16, Michael Richardson  wrote:
> 
> the
> adversary

There may be more than one.
Of course, if you want to attack privacy, being Google or Facebook gives you 
unique opportunities.
That doesn’t mean you don’t want to have a seat belt any more if you have 
lane-keeping assistance.

Grüße, Carsten

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [Captive-portals] [Int-area] [EXTERNAL] Re: Evaluate impact of MAC address randomization to IP applications

[Stephen Farrell]

Hiya,

I don't agree with that conclusion...

On 30/09/2020 18:16, Michael Richardson wrote:
> My take home from your work is that MAC address randomization is a useless
> waste of time.  It causes significant costs to the network operator(s) without
> actually providing any benefit to the mobile phone owner, because the
> adversary is inside the device, invited in by the owner.
> In such a situation, MAC randomization feels like security theatre to me.

I think MAC address randomisation *alone* isn't very useful
but even so still has some utility as it makes some forms
of tracking (based purely on a static MAC) harder. IIRC
exactly that form of tracking was reported as being done by
the security services in Canada linking MACs seen in
Pearson with those later seen downtown or something. (I
didn't go find the reference so that may be inaccurate.)

MAC address randomisation, when well-coupled to changes
at other layers can be more beneficial. That is how the GAEN system is
designed - the beacon payload (the RPI) is
intended to change with the BLE MAC address about every
10 minutes.

Getting similar benefits for randomised WiFi MAC addresses
with IP and more layers above is hard, but it's still worth
having the basic mechanism so that people can try address those harder
problems over time.

So, no, not "theatre" but far from complete.

I'd probably also disagree with you on the practicality of
depending on 802.1X outside enterprise environments, but
that's a different topic too.

Cheers,
S.



0x5AB2FAF17B172BEA.asc
Description: application/pgp-keys
___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [Captive-portals] [Int-area] [EXTERNAL] Re: Evaluate impact of MAC address randomization to IP applications

[Michael Richardson]

Stephen Farrell  wrote:
>> Stephen Farrell  wrote:
>>
>> > On 29/09/2020 19:41, Michael Richardson wrote: >> It will be good if
>> we can get a document from the MAC randomization >> proponents (if
>> there is such a group), to explain the thread profile.  >> I don't
>> think it includes active compromised hosts.
>>
>> > That is a problem yes. I no longer think "compromised host" is the >
>> correct term there though. In the case of android, we found google
>> play > services regularly calls home linking all these identifiers and
>> more > (phone#, sim serial, imei...) [1] for Google's own uses. I'd be
>> very
>>
>> I feel that you have confounded two things, and I don't think it's
>> helpful.  I won't dispute your observatrions about surveillance
>> capitalism, but I feel that you've sensationalized what I thought was
>> a pretty specific technical point. Namely: You can't see into the L3
>> layer of WIFI, even when there are ARP broadcasts, unless your are
>> also part of that L2 network.

> I disagree about sensationalising, obviously;-)

> The point is that we tended to think of a compromised host as one that
> had been subject to a successful attack often run by an unknown
> party. For mobile phones, the privacy adversary seems more often to be
> an entity that the phone user has accepted one way or another, whether
> that be the OS or handset vendor or whoever wrote that cute spirit-
> level app.

My take home from your work is that MAC address randomization is a useless
waste of time.  It causes significant costs to the network operator(s) without
actually providing any benefit to the mobile phone owner, because the
adversary is inside the device, invited in by the owner.
In such a situation, MAC randomization feels like security theatre to me.

[I'm reminded of various systems of magic in fiction, where you are safe as long
as you don't unwittingly invite the bad guys in]

You have defined the security perimeter as being from "top" of the phone.
(Between the screen and the human)

I have defined the security perimeter as being the "bottom" of the phone
(between the phone and the Internet).

I think that we can do more here, and I think that the cost to the operator
(moving from unencrypted, MAC-address excepted networks, to encrypted 802.1X
authenticated networks with provisioned identities) with some correspondant
benefits to the operator as well as the end user.

> PS: to be clear - the above's not really anti-google - we've seen
> similar looking traffic from handset vendors' pre-installed s/w too.

Agreed.

--
]   Never tell me the odds! | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works|IoT architect   [
] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails[


--
Michael Richardson. o O ( IPv6 IøT consulting )
   Sandelman Software Works Inc, Ottawa and Worldwide






signature.asc
Description: PGP signature
___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [Captive-portals] [Int-area] [EXTERNAL] Re: Evaluate impact of MAC address randomization to IP applications

[Stephen Farrell]

Hiya,

On 29/09/2020 20:56, Michael Richardson wrote:
> 
> Stephen Farrell  wrote:
> 
> > On 29/09/2020 19:41, Michael Richardson wrote:
> >> It will be good if we can get a document from the MAC randomization
> >> proponents (if there is such a group), to explain the thread profile.
> >> I don't think it includes active compromised hosts.
> 
> > That is a problem yes. I no longer think "compromised host" is the
> > correct term there though. In the case of android, we found google play
> > services regularly calls home linking all these identifiers and more
> > (phone#, sim serial, imei...) [1] for Google's own uses. I'd be very
> 
> I feel that you have confounded two things, and I don't think it's helpful.
> I won't dispute your observatrions about surveillance capitalism, but I feel
> that you've sensationalized what I thought was a pretty specific technical
> point. Namely:
> You can't see into the L3 layer of WIFI, even when there are
> ARP broadcasts, unless your are also part of that L2 network.

I disagree about sensationalising, obviously;-)

The point is that we tended to think of a compromised host
as one that had been subject to a successful attack often
run by an unknown party. For mobile phones, the privacy
adversary seems more often to be an entity that the phone
user has accepted one way or another, whether that be the
OS or handset vendor or whoever wrote that cute spirit-
level app.

> 
> I'm sure that Google Play calls home and tells Google all the your
> L2/L3/IMEI/etc.  I don't doubt it.
> 
> I don't see how this relates to a local passive eavesdropping observing the
> L2 frames with the encrypted L3.  One not involved with the operation
> of the wifi, nor connected to that link.

The MAC address and other identifiers are payload with the
source IP address and thus correlated at the destination
without having to locally eavesdrop. But they can be used
to later correlate with the local eavesdropper's data,
probably after that's also been centralised (perhaps via
another app using the same SDK).

> 
> Unless you are saying that Google Play operates as active eavesdropper on all
> the networks on which it is connected?  I.e. it sends the L2/L3 mappings for
> all devices on that network?

I don't believe google do that for that attack, but they
can correlate the MAC and IP addresses, yes, for all the
devices on a n/w running their OS.

> 
> > More on-topic, 

But yeah the above is a bit off-topic, except that it
shows there's a *lot* more to do in the mobile context
to get benefit from address randomisation.

S.

PS: to be clear - the above's not really anti-google -
we've seen similar looking traffic from handset vendors'
pre-installed s/w too.


> I do think MAC address randomisation has a role to play
> > for WiFi as it does for BLE, but yes there is a lack of guidance as to
> > how to implement and deploy such techniques well. It's a bit tricky
> > though as it's fairly OS dependent so maybe not really in scope for the
> > IETF?
> 
> The IEEE has a spec on how to do MAC address ramdomization.
> It says nothing about how to automatically update the accept-list rules
> created by RFC8520, or RFC8908/RFC8910 (CAPPORT).  Or EAP-FOO.
> 
> > (For the last 3 years I've set a possible student project in
> > this space, but each time a student has considered it, it turned out
> > "too hard";-)
> 
> :-(
> 
> --
> ]   Never tell me the odds! | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works|IoT architect   [
> ] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails
> [
> 
> 
> 
> ___
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet
> 


0x5AB2FAF17B172BEA.asc
Description: application/pgp-keys
___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [Captive-portals] [Int-area] [EXTERNAL] Re: Evaluate impact of MAC address randomization to IP applications

[Michael Richardson]

Stephen Farrell  wrote:

> On 29/09/2020 19:41, Michael Richardson wrote:
>> It will be good if we can get a document from the MAC randomization
>> proponents (if there is such a group), to explain the thread profile.
>> I don't think it includes active compromised hosts.

> That is a problem yes. I no longer think "compromised host" is the
> correct term there though. In the case of android, we found google play
> services regularly calls home linking all these identifiers and more
> (phone#, sim serial, imei...) [1] for Google's own uses. I'd be very

I feel that you have confounded two things, and I don't think it's helpful.
I won't dispute your observatrions about surveillance capitalism, but I feel
that you've sensationalized what I thought was a pretty specific technical
point. Namely:
You can't see into the L3 layer of WIFI, even when there are
ARP broadcasts, unless your are also part of that L2 network.

I'm sure that Google Play calls home and tells Google all the your
L2/L3/IMEI/etc.  I don't doubt it.

I don't see how this relates to a local passive eavesdropping observing the
L2 frames with the encrypted L3.  One not involved with the operation
of the wifi, nor connected to that link.

Unless you are saying that Google Play operates as active eavesdropper on all
the networks on which it is connected?  I.e. it sends the L2/L3 mappings for
all devices on that network?

> More on-topic, I do think MAC address randomisation has a role to play
> for WiFi as it does for BLE, but yes there is a lack of guidance as to
> how to implement and deploy such techniques well. It's a bit tricky
> though as it's fairly OS dependent so maybe not really in scope for the
> IETF?

The IEEE has a spec on how to do MAC address ramdomization.
It says nothing about how to automatically update the accept-list rules
created by RFC8520, or RFC8908/RFC8910 (CAPPORT).  Or EAP-FOO.

> (For the last 3 years I've set a possible student project in
> this space, but each time a student has considered it, it turned out
> "too hard";-)

:-(

--
]   Never tell me the odds! | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works|IoT architect   [
] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails[




signature.asc
Description: PGP signature
___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [Captive-portals] [Int-area] [EXTERNAL] Re: Evaluate impact of MAC address randomization to IP applications

[Peter Yee]

On 29/09/2020 12:03, Stephen Farrell wrote:

> More on-topic, I do think MAC address randomisation has a role to play for 
> WiFi as it does for BLE, but yes there is a lack of guidance as to how to 
> implement and deploy such techniques well. It's a bit tricky though as it's 
> fairly OS dependent so maybe not really in scope for the IETF?
> (For the last 3 years I've set a possible student project in this space, but 
> each time a student has considered it, it turned out "too hard";-)

As I mentioned previously, IEEE 802.11 is looking into this area, both from an 
operational perspective and from a privacy perspective. New IEEE 802.11 
amendments (IEEE 802.11bh and IEEE 802.11bi, if approved) are being discussed. 
The (very) high-level documents describing each can be found at [1] and [2]. I 
would be happy to convey input to IEEE 802.11 regarding either document, 
particularly in regards to layers 3 and above. Without wishing to open up a can 
of worms about meeting fees, I will note that IEEE 802.11 is currently not 
charging for its online meetings, so if anyone wishes to take part in the 
random MAC address discussions directly, the next meeting will be held in early 
November. The RCM Study Group met yesterday morning (Americas) and will meet 
again in two weeks. See [3].

-Peter

[1] 
https://mentor.ieee.org/802.11/dcn/20/11-20-0742-04-0rcm-proposed-par-draft.docx
[2] 
https://mentor.ieee.org/802.11/dcn/20/11-20-0854-06-0rcm-par-proposal-for-privacy.pdf
[3] https://mentor.ieee.org/802.11/dcn/20/11-20-0995-10-0rcm-rcm-sg-agenda.pptx



___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [Captive-portals] [Int-area] [EXTERNAL] Re: Evaluate impact of MAC address randomization to IP applications

[Stephen Farrell]

Hiya,

On 29/09/2020 19:41, Michael Richardson wrote:
> It will be good if we can get a document from the MAC randomization
> proponents (if there is such a group), to explain the thread profile.
> I don't think it includes active compromised hosts.

That is a problem yes. I no longer think "compromised host"
is the correct term there though. In the case of android,
we found google play services regularly calls home linking
all these identifiers and more (phone#, sim serial,
imei...) [1] for Google's own uses. I'd be very surprised
if other entities (e.g. other OS and handset makers)
weren't doing the same kind of thing (in fact I've seen
some of that but we've not yet written it up). And
supposedly innocuous "apps" can and do embed SDKs that also
do that kind of thing. [2]

I don't think "compromised" is an apt term for such a host.
Perhaps it is apt for almost the entire mobile ecosystem?

More on-topic, I do think MAC address randomisation has a
role to play for WiFi as it does for BLE, but yes there is
a lack of guidance as to how to implement and deploy such
techniques well. It's a bit tricky though as it's fairly
OS dependent so maybe not really in scope for the IETF?
(For the last 3 years I've set a possible student project
in this space, but each time a student has considered it,
it turned out "too hard";-)

Cheers,
S.

[1] https://www.scss.tcd.ie/Doug.Leith/pubs/contact_tracing_app_traffic.pdf
[2] https://arxiv.org/abs/2009.06077



0x5AB2FAF17B172BEA.asc
Description: application/pgp-keys
___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [Captive-portals] [Int-area] [EXTERNAL] Re: Evaluate impact of MAC address randomization to IP applications

[Michael Richardson]

<#secure method=pgpmime mode=sign>

Brian Dickson  wrote:
> Any host/interface that uses ARP (not sure whether any flavor of WiFi
> does, or if so which flavors), exposes the L3/L2 mapping.

Yes, WIFI does use ARP. On all flavours.

Encrypted WIFI, which is mostly the default now, encrypts everything above
the L2, so the L3 part of the mapping is not seen by passive EM observers.

ARP broadcasts as you mention, so other stations on the network could see the
mapping, and the AP by default helpfully re-encrypts broadcasts to every
station.  But, that's not a passive observer: the observer is on the network.
Many APs filter ARP broadcasts as being useless chatter.

> So, wired
> IPv4 for certain (except in very locked-down enterprise settings with
> static MAC addresses, perhaps) leaks this information to every host on
> the same broadcast domain (same subnet and possibly additional subnets
> on the same LAN/VLAN).

Yes, but that's not wifi.  Phones do not have wired connections.

> ARP L2 broadcasts solicit information about IP addresses, and at a
> minimum each such query exposes its own MAC and IP address. Responses
> may be unicast or broadcast, not sure which.  An active compromised
> host can easily solicit that information by iterating over all the IP
> addresses on the subnet and performing an ARP for each one.

It will be good if we can get a document from the MAC randomization
proponents (if there is such a group), to explain the thread profile.
I don't think it includes active compromised hosts.

Such hosts can also ARP/ND spoof, and can even do that for the router (".1"),
capturing all the traffic on the network.

--
Michael Richardson. o O ( IPv6 IøT consulting )
   Sandelman Software Works Inc, Ottawa and Worldwide




___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet