Everything you wanted to know about MAC address

Everyone knows that these six bytes, usually displayed in hexadecimal format, are assigned to the network card at the factory and at first glance look random. Some people know that the first three bytes of the address are the manufacturer's identifier, and the remaining three bytes are assigned by the manufacturer. It is also known that one can set an arbitrary address. Many have heard about "random addresses" in Wi-Fi.

Let's figure out what it is.

A MAC address (media access control address) is a unique identifier assigned to a network adapter, used in IEEE 802 networks, mainly Ethernet, Wi-Fi and Bluetooth. It is officially called an "EUI-48 Type Identifier". From the name it is obvious that the address has a length of 48 bits, i.e. 6 bytes. There is no generally accepted standard for writing an address (as opposed to an IPv4 address, where octets are always separated by dots). It is usually written as six hexadecimal numbers separated by colons: 00:AB:CD:EF:11:22, although some hardware manufacturers prefer to write 00-AB-CD-EF-11-22 and even 00ab.cdef.1122.

Historically, addresses were flashed into the ROM of the network card chipset and could not be modified without a flash programmer, but at present the address can be changed programmatically from the operating system. You can manually set the MAC address of a network card in Linux and macOS (always), Windows (almost always, if the driver allows) and Android (rooted only); on iOS (without root) this trick is not possible.

Address Structure

The address consists of the manufacturer's identifier, the OUI (Organizationally Unique Identifier), and an identifier assigned by the manufacturer. OUIs are assigned by the IEEE. In fact, the prefix can be not only 3 bytes (24 bits) long but also 28 or 36 bits, which forms address blocks (MAC Address Block, MA) of the Large (MA-L), Medium (MA-M) and Small (MA-S) types respectively. The size of the issued block is then 24, 20 or 12 bits, or 16 million, 1 million or 4 thousand addresses. At the moment, about 38 thousand blocks have been distributed; they can be looked up with numerous online tools, for example at IEEE or Wireshark.

Who owns the addresses

Some simple processing of the publicly downloadable IEEE databases yields quite a lot of information. For example, some organizations took a lot of OUI blocks for themselves. Here are our heroes:

| Vendor | Number of blocks/records | Number of addresses, mln. |
|---|---|---|
| Cisco Systems Inc | 888 | 14208 |
| Apple | 772 | 12352 |
| Samsung | 636 | 10144 |
| Huawei Technologies Co.Ltd | 606 | 9696 |
| Intel Corporation | 375 | 5776 |
| ARRIS Group Inc. | 319 | 5104 |
| Nokia Corporation | 241 | 3856 |
| Private | 232 | 2704 |
| Texas Instruments | 212 | 3392 |
| zte corporation | 198 | 3168 |
| IEEE Registration Authority | 194 | 3072 |
| Hewlett Packard | 149 | 2384 |
| Hon Hai Precision | 136 | 2176 |
| TP-LINK | 134 | 2144 |
| Dell Inc. | 123 | 1968 |
| Juniper Networks | 110 | 1760 |
| Sagemcom Broadband SAS | 97 | 1552 |
| Fiberhome Telecommunication Technologies Co. LTD | 97 | 1552 |
| Xiaomi Communications Co Ltd | 88 | 1408 |
| Guangdong Oppo Mobile Telecommunications Corp.Ltd | 82 | 1312 |

Google has only 40 of them, which is not surprising: they do not make many network devices themselves.

MA blocks are not provided free of charge; they can be purchased for a reasonable price (no subscription fee): $3000, $1800 or $755 respectively. Interestingly, for additional money (per year) you can purchase the "hiding" of public information about the allocated block. There are now 232 of them, as seen above.

When MAC addresses run out

We are all pretty tired of the stories, which have been going around for 10 years, that "IPv4 addresses are about to run out." Yes, new IPv4 blocks are no longer easy to obtain. It is known that IP addresses are distributed extremely unevenly; there are gigantic and underused blocks owned by large corporations and US government agencies, with little hope of their redistribution in favor of the needy. The proliferation of NAT, CG-NAT, and IPv6 has made the problem of the lack of public addresses less acute.

There are 48 bits in a MAC address, of which 46 can be considered "useful" (why? read on), which gives $2^{46}$ or $10^{14}$ addresses, which is $2^{14}$ times the IPv4 address space.
At the moment, approximately half a trillion addresses are distributed, or only 0.73% of the total. The exhaustion of MAC addresses is still very, very far away.

Bit Randomness

It can be assumed that the OUIs are randomly assigned, and that the vendor then also randomly assigns addresses to individual network devices. Is that so? Let's look at the distribution of bits in the databases of MAC addresses of 802.11 devices at my disposal, collected by WNAM authorization systems operating in wireless networks. The addresses belong to real devices connected to Wi-Fi over several years in three countries. In addition, there is a small base of 802.3 wired LAN devices.

Let's break each MAC address (six bytes) of each of the samples into bits byte by byte, and look at the frequency of occurrence of the "1" bit in each of the 48 positions. If the bit is set in a completely arbitrary way, then the probability of getting a "1" should be 50%.

| | Wi-Fi Sample #1 (RF) | Wi-Fi Sample #2 (Belarus) | Wi-Fi Sample #3 (Uzbekistan) | LAN sampling (RF) |
|---|---|---|---|---|
| Number of records in the database | 5929000 | 1274000 | 366000 | 1000 |
| Bit number: | % bit "1" | % bit "1" | % bit "1" | % bit "1" |
| 1 | 48.6% | 49.2% | 50.7% | 28.7% |
| 2 | 44.8% | 49.1% | 47.7% | 30.7% |
| 3 | 46.7% | 48.3% | 46.8% | 35.8% |
| 4 | 48.0% | 48.6% | 49.8% | 37.1% |
| 5 | 45.7% | 46.9% | 47.0% | 32.3% |
| 6 | 46.6% | 46.7% | 47.8% | 27.1% |
| 7 | 0.3% | 0.3% | 0.2% | 0.7% |
| 8 | 0.0% | 0.0% | 0.0% | 0.0% |
| 9 | 48.1% | 50.6% | 49.4% | 38.1% |
| 10 | 49.1% | 50.2% | 47.4% | 42.7% |
| 11 | 50.8% | 50.0% | 50.6% | 42.9% |
| 12 | 49.0% | 48.4% | 48.2% | 53.7% |
| 13 | 47.6% | 47.0% | 46.3% | 48.5% |
| 14 | 47.5% | 47.4% | 51.7% | 46.8% |
| 15 | 48.3% | 47.5% | 48.7% | 46.1% |
| 16 | 50.6% | 50.4% | 51.2% | 45.3% |
| 17 | 49.4% | 50.4% | 54.3% | 38.2% |
| 18 | 49.8% | 50.5% | 51.5% | 51.9% |
| 19 | 51.6% | 53.3% | 53.9% | 42.6% |
| 20 | 46.6% | 46.1% | 45.5% | 48.4% |
| 21 | 51.7% | 52.9% | 47.7% | 48.9% |
| 22 | 49.2% | 49.6% | 41.6% | 49.8% |
| 23 | 51.2% | 50.9% | 47.0% | 41.9% |
| 24 | 49.5% | 50.2% | 50.1% | 47.5% |
| 25 | 47.1% | 47.3% | 47.7% | 44.2% |
| 26 | 48.6% | 48.6% | 49.2% | 43.9% |
| 27 | 49.8% | 49.0% | 49.7% | 48.9% |
| 28 | 49.3% | 49.3% | 49.7% | 55.1% |
| 29 | 49.5% | 49.4% | 49.8% | 49.8% |
| 30 | 49.8% | 49.8% | 49.7% | 52.1% |
| 31 | 49.5% | 49.7% | 49.6% | 46.6% |
| 32 | 49.4% | 49.7% | 49.5% | 47.5% |
| 33 | 49.4% | 49.8% | 49.7% | 48.3% |
| 34 | 49.7% | 50.0% | 49.6% | 44.9% |
| 35 | 49.9% | 50.0% | 50.0% | 50.6% |
| 36 | 49.9% | 49.9% | 49.8% | 49.1% |
| 37 | 49.8% | 50.0% | 49.9% | 51.4% |
| 38 | 50.0% | 50.0% | 49.8% | 51.8% |
| 39 | 49.9% | 50.0% | 49.9% | 55.7% |
| 40 | 50.0% | 50.0% | 50.0% | 49.5% |
| 41 | 49.9% | 50.0% | 49.9% | 52.2% |
| 42 | 50.0% | 50.0% | 50.0% | 53.9% |
| 43 | 50.1% | 50.0% | 50.3% | 56.1% |
| 44 | 50.1% | 50.0% | 50.1% | 45.8% |
| 45 | 50.0% | 50.0% | 50.1% | 50.1% |
| 46 | 50.0% | 50.0% | 50.1% | 49.5% |
| 47 | 49.2% | 49.4% | 49.7% | 45.2% |
| 48 | 49.9% | 50.1% | 50.7% | 54.6% |

Why such unfairness in bits 7 and 8? They are almost always zero.

Indeed, the standard defines these bits as special (Wikipedia):

The eighth (from the beginning) bit of the first byte of the MAC address is called the Unicast/Multicast bit and determines what type of frame is transmitted with this address: normal, i.e. unicast (0), or group (1), i.e. multicast or broadcast. For normal, unicast network adapter communication, this bit is set to "0" in all packets it sends.

The seventh (from the beginning) bit of the first byte of the MAC address is called the U/L (Universal/Local) bit and determines whether the address is globally unique (0) or locally unique (1). By default, all "manufactured" addresses are globally unique, so the vast majority of collected MAC addresses have the seventh bit set to "0". In the table of assigned OUI identifiers, only about 130 entries have the U/L bit set to "1", and apparently these are MAC address blocks for special purposes.

The first six bits of the first byte and the bits of the second and third bytes of the OUI, and even more so the bits in bytes 4-6 of the address assigned by the manufacturer, are more or less evenly distributed.

Thus, in the real MAC address of a network adapter, the bits are effectively equivalent and carry no technological meaning, with the exception of the two service bits of the first (high) byte.
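The per-bit count described in this section, as an added Python example that is not the author's own tooling: it accepts the three notations mentioned earlier and numbers bits as the tables do (bit 1 is the most significant bit of the first byte). The addresses in SAMPLE are constructed for illustration.

```python
import re


def parse_mac(text):
    """Accept 00:AB:CD:EF:11:22, 00-AB-CD-EF-11-22 or 00ab.cdef.1122; return 6 bytes."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not an EUI-48 address: {text!r}")
    return bytes.fromhex(digits)


def bit_frequencies(macs):
    """Percentage of addresses with a "1" in each of the 48 bit positions.

    Index 0 of the result is the article's bit 1, so index 6 is the U/L bit
    (bit 7) and index 7 is the unicast/multicast bit (bit 8).
    """
    counts = [0] * 48
    total = 0
    for mac in macs:
        raw = parse_mac(mac)
        total += 1
        for pos in range(48):
            byte, offset = divmod(pos, 8)
            if raw[byte] & (0x80 >> offset):
                counts[pos] += 1
    if total == 0:
        raise ValueError("empty sample")
    return [100.0 * c / total for c in counts]


# Constructed sample, not real captures: two factory-style addresses and
# two locally administered ones, written in different notations.
SAMPLE = [
    "00:0A:F5:12:34:56",
    "00-08-22-ab-cd-ef",
    "da:a1:19:01:02:03",
    "0200.5e00.5301",
]

if __name__ == "__main__":
    for number, pct in enumerate(bit_frequencies(SAMPLE), start=1):
        print(f"{number:2d}  {pct:5.1f}%")
```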

Prevalence

I wonder which wireless equipment manufacturers are the most popular? Let's combine the search in the OUI database with the data of sample No. 1.

| Vendor | Share of devices, % |
|---|---|
| Apple | 26.09 |
| Samsung | 19.79 |
| Huawei Technologies Co. Ltd | 7.80 |
| Xiaomi Communications Co Ltd | 6.83 |
| sony mobile communications inc | 3.29 |
| LG Electronics (Mobile Communications) | 2.76 |
| ASUSTek COMPUTER INC. | 2.58 |
| TCT mobile ltd | 2.13 |
| zte corporation | 2.00 |
| not found in the IEEE database | 1.92 |
| Lenovo Mobile Communication Technology Ltd. | 1.71 |
| HTC Corporation | 1.68 |
| Murata Manufacturing | 1.31 |
| InProComm | 1.26 |
| Microsoft Corporation | 1.11 |
| Shenzhen TINNO Mobile Technology Corp. | 1.02 |
| Motorola (Wuhan) Mobility Technologies Communication Co. Ltd. | 0.93 |
| Nokia Corporation | 0.88 |
| Shanghai Wind Technologies Co. Ltd | 0.74 |
| Lenovo Mobile Communication (Wuhan) Company Limited | 0.71 |

Practice shows that the more prosperous the contingent of wireless network subscribers in a given location, the greater the share of Apple devices.

Uniqueness

Are MAC addresses unique? In theory, yes, since each of the device manufacturers (owners of the MA block) is obliged to provide a unique address for each of the network adapters they produce. However, some chip manufacturers, namely:

  • 00:0A:F5 Airgo Networks, Inc. (now Qualcomm)
  • 00:08:22 InPro Comm (now MediaTek)

set the last three bytes of the MAC address to a random number, apparently after each reboot of the device. There were 82 thousand such addresses in my sample No. 1.

A non-unique address can, of course, be set deliberately: by copying a neighbor's address identified with a sniffer, or by choosing one at random. It is also possible to end up with a non-unique address by accident, for example by restoring a configuration backup of a router such as Mikrotik or OpenWrt.

What happens if there are two devices with the same MAC address on the network? It all depends on the logic of the network equipment (wired router, wireless network controller). Most likely, both devices will either not work or will work intermittently. From the point of view of the IEEE standards, protection against MAC address forgery is meant to be provided by, for example, MACsec or 802.1X.

What if you set yourself a MAC with the seventh or eighth bit set to "1", i.e. a local or multicast address? Most likely, your network will not pay attention to this, but formally such an address will not comply with the standard, and it is better not to do this.

How randomization works

We know that, in order to prevent people from being tracked by scanning the air and collecting MAC addresses, smartphone operating systems have been using randomization technology for several years. Theoretically, when scanning the air in search of known networks, the smartphone sends a packet (group of packets) of the 802.11 probe request type with the MAC address as the source.

With randomization enabled, the device uses not the "burned-in" address but some other packet source address that changes with each scan cycle, over time, or in some other way. Does it work? Let's look at the statistics of MAC addresses collected from the air by the so-called "Wi-Fi Radar":

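| | Whole sample | Sample with zero 7th bit only |
|---|---|---|
| Number of records in the database | 3920000 | 305000 |
| Bit number: | % bit "1" | % bit "1" |
| 1 | 66.1% | 43.3% |
| 2 | 66.5% | 43.4% |
| 3 | 31.7% | 43.8% |
| 4 | 66.6% | 46.4% |
| 5 | 66.7% | 45.7% |
| 6 | 31.9% | 46.4% |
| 7 | 92.2% | 0.0% |
| 8 | 0.0% | 0.0% |
| 9 | 67.2% | 47.5% |
| 10 | 32.3% | 45.6% |
| 11 | 66.9% | 45.3% |
| 12 | 32.3% | 46.8% |
| 13 | 32.6% | 50.1% |
| 14 | 33.0% | 56.1% |
| 15 | 32.5% | 45.0% |
| 16 | 67.2% | 48.3% |
| 17 | 33.2% | 56.9% |
| 18 | 33.3% | 56.8% |
| 19 | 33.3% | 56.3% |
| 20 | 66.8% | 43.2% |
| 21 | 67.0% | 46.4% |
| 22 | 32.6% | 50.1% |
| 23 | 32.9% | 51.2% |
| 24 | 67.6% | 52.2% |
| 25 | 49.8% | 47.8% |
| 26 | 50.0% | 50.0% |
| 27 | 50.0% | 50.2% |
| 28 | 50.0% | 49.8% |
| 29 | 50.0% | 49.4% |
| 30 | 50.0% | 50.0% |
| 31 | 50.0% | 49.7% |
| 32 | 50.0% | 49.9% |
| 33 | 50.0% | 49.7% |
| 34 | 50.0% | 49.6% |
| 35 | 50.0% | 50.1% |
| 36 | 50.0% | 49.5% |
| 37 | 50.0% | 49.9% |
| 38 | 50.0% | 49.8% |
| 39 | 50.0% | 49.9% |
| 40 | 50.0% | 50.1% |
| 41 | 50.0% | 50.2% |
| 42 | 50.0% | 50.2% |
| 43 | 50.0% | 50.1% |
| 44 | 50.0% | 50.1% |
| 45 | 50.0% | 50.0% |
| 46 | 50.0% | 49.8% |
| 47 | 50.0% | 49.8% |
| 48 | 50.1% | 50.9% |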

The picture is completely different.

The 8th bit of the first byte of the MAC address still corresponds to the Unicast nature of the SRC address in the probe request packet.

The 7th bit is set to Local in 92.2% of cases, i.e. with a fair degree of confidence we can assume that just as many of the collected addresses are randomized, and less than 8% are real. At the same time, the distribution of bits in the OUI for such real addresses approximately coincides with the data in the previous table.

Which manufacturer, according to the OUI, owns the randomized addresses (i.e. those with the 7th bit set to "1")?

| Manufacturer by OUI | Share among all addresses |
|---|---|
| not found in the IEEE database | 62.45% |
| Google Inc. | 37.54% |
| rest | 0.01% |

At the same time, all randomized addresses assigned to Google belong to the same OUI with the prefix DA:A1:19. What is this prefix? Let's look into Android sources.

private static final MacAddress BASE_GOOGLE_MAC = MacAddress.fromString("da:a1:19:0:0:0");

When searching for wireless networks, stock Android uses a special, registered OUI, one of the few with the seventh bit set.
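An added example (not from the original article or from Android) that sorts collected source addresses the way the tables above do, by the two flag bits of the first byte and by the da:a1:19 prefix. The labels and the CAPTURED addresses are constructed for illustration; a locally administered address has no meaningful OUI, so only the "universal" group is worth looking up in the IEEE database.

```python
from collections import Counter

# Prefix of BASE_GOOGLE_MAC as quoted from the Android sources in the article.
GOOGLE_BASE_OUI = bytes.fromhex("daa119")


def to_bytes(mac):
    """Parse a colon-separated address; short octets such as da:a1:19:0:0:1 are accepted."""
    parts = mac.strip().split(":")
    if len(parts) != 6:
        raise ValueError(f"expected six octets: {mac!r}")
    return bytes(int(p, 16) for p in parts)  # ValueError on non-hex or > ff


def classify(raw):
    """Label a 6-byte address by the flag bits of its first byte."""
    if raw[0] & 0x01:  # 8th bit: multicast or broadcast, never a valid source
        return "multicast"
    if raw[0] & 0x02:  # 7th bit: locally administered, likely randomized
        if raw[:3] == GOOGLE_BASE_OUI:
            return "local, Google base"
        return "local, other"
    return "universal"  # factory-style address with a registered OUI


def shares(macs):
    """Percentage of each label among the distinct addresses seen."""
    distinct = {to_bytes(m) for m in macs}
    counts = Counter(classify(raw) for raw in distinct)
    return {label: round(100.0 * n / len(distinct), 2) for label, n in counts.items()}


# Constructed probe-request source addresses, not real captures.
CAPTURED = [
    "da:a1:19:4f:00:9c",
    "da:a1:19:0:0:1",
    "DA:A1:19:00:00:01",  # same address as the previous line, written in full
    "7a:3b:11:22:33:44",
    "00:08:22:10:20:30",
]

if __name__ == "__main__":
    for label, pct in sorted(shares(CAPTURED).items()):
        print(f"{label:20s} {pct:6.2f}%")
```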

Calculate real MAC from random

Let's take a look there:

private static final long VALID_LONG_MASK = (1L << 48) - 1;
private static final long LOCALLY_ASSIGNED_MASK = MacAddress.fromString("2:0:0:0:0:0").mAddr;
private static final long MULTICAST_MASK = MacAddress.fromString("1:0:0:0:0:0").mAddr;

public static @NonNull MacAddress createRandomUnicastAddress(MacAddress base, Random r) {
    long addr;
    if (base == null) {
        addr = r.nextLong() & VALID_LONG_MASK;
    } else {
        addr = (base.mAddr & OUI_MASK) | (NIC_MASK & r.nextLong());
    }
    addr |= LOCALLY_ASSIGNED_MASK;
    addr &= ~MULTICAST_MASK;
    MacAddress mac = new MacAddress(addr);
    if (mac.equals(DEFAULT_MAC_ADDRESS)) {
        return createRandomUnicastAddress(base, r);
    }
    return mac;
}

The whole address, or its lower three bytes, is pure Random.nextLong(). "Proprietary Recovery of the Real MAC" is a scam. With a high degree of certainty, we can expect Android phone manufacturers to use other non-registered OUIs. We do not have iOS sources, but most likely a similar algorithm is used there.

The above does not rule out other mechanisms for deanonymizing Wi-Fi subscribers, based on the analysis of other fields of the probe request frame or on the correlation of the relative frequency of requests sent by the device. However, it is extremely problematic to reliably track a subscriber by external means. The data collected is more suitable for analysis of average/peak load by location and time, based on large numbers, without being tied to specific devices and people. Accurate data is available only to those who are "inside": the manufacturers of mobile operating systems themselves, and installed applications.

What could be dangerous about someone else knowing the MAC address of your device? On wired and wireless networks, it can be used to organize a denial of service attack. For a wireless device, moreover, it becomes possible, with some probability, to record the moment it appears in the place where a sensor is installed. By spoofing the address, someone can try to "introduce themselves" as your device, which can only work if additional security measures (authorization and/or encryption) are not applied. 99.9% of the people here have nothing to worry about.

A MAC address is more complicated than it looks, but easier than it could be.

Source: habr.com
