Guest wifi analytics and mac randomization

ByHans Van Ballaer

When a company want to use guest wifi and to perform analytics on it, they have to take into account client devices like iOS are using mac randomization. iOS devices are doing this for a long time but Android devices started doing this now also.

Mac randomization is only visible when a client is not connected to a wireless network, the client device will present itself to the wireless network with a random mac address. Once the client connects to the SSID and authenticates it will show up with it’s real mac address.

Disconnected my iOS phone and captured the probe requests

When you look at the capture you notice the mac address mentioned as the source address doesn’t match with the mac of your device. You can recognize the random mac address by looking at the 2 least significant bit of the octet, the are called local administered mac-addresses because the don’t match with any vendor OUI

Problem of mac randomization for company’s willing to perform guest counting have to take into account some platforms don’t count these local administered mac-addresses, so they don’t see the actual footfall or dwell time. On the other hand, some platforms do count the locally administered mac-address, if an iOS device is within range of the wireless network and sending probe request you will notice them. Because of the clients sending different mac addresses from the same device, you will see the same device multiple times on the same day. This will result in a footfall graph showing a lot more clients inside the building than in reality. You will still see a trend in the graphs from one week to another, if for instance a retailer is doing a marketing campaign and is seeing that the trend is going up compared to last week than he has a good idea that marketing did a good job

From a client perspective it is better to not remember all wireless networks on your phone if you don’t want to be tracked every time. Multi-site organisations, typically retailers or ISP hot-spots, use the same SSID for every location. Once you come close to the location with your phone and your phone has the profile of the SSID stored, it will try to connect. As soon as the phone is connected to the SSID, even when it is not authenticated on the captive portal it is showing it’s real mac address and it will be counted by the guest wifi analytics platform.

Similar Posts

  • My first 802.11ah frames

    ByHans Van Ballaer

    While we are all looking up into the 6GHz frequency range i was wondering what was happening on the other side of the frequency range, more specific in the Sub-1GHz space. On November 2, 2021 Wi-Fi Alliance started to certify products for Sub-1 Ghz operation. https://www.wi-fi.org/news-events/newsroom/wi-fi-certified-halow-delivers-long-range-low-power-wi-fi However the amendment was already published by IEEE on…

  • 4 bars

    ByHans Van Ballaer

    From the start of my career as a network engineer until now i made some mistakes and learned a lot from these projects. With this blog i would like to help other people and maybe prevent them from making the same mistakes i did when i designed my first wireless networks

  • EasyMesh

    ByHans Van Ballaer

    Recently during a training I got a request from a participant what EasyMesh is and if it is interesting in some cases. I did some research on it and with this I wanted to share my results. What is EasyMesh ? We know meshing as a system that can cooperate and form a unified network. Meshing…

  • WPA3 security

    ByHans Van Ballaer

    With the new august 2019 release of the Analysis document by Mathy Vanhoef and Eyal Ronen, it shows companies should be careful with the creation of SSID’s. Underneath the hood of WPA3 DragonFly handshake is assuring the security of the standard, it is supposed to be impossible to crack and find the password of the…

Leave a Reply

Your email address will not be published. Required fields are marked *