MAC Address Randomization Impacts Businesses: Here’s Some Good News


Personal privacy is important to all of us, and with businesses collecting data at unprecedented rates for innumerable use cases, our privacy is in question. Despite new regulations such as GDPR, CCPA and others being rolled out in recent years, we’re still being tracked – but not all of that tracking is a bad thing.

Lansweeper is in the business of IT discovery, and has been the market leader in device recognition since acquiring Fing in October 2020. Our goal is to give businesses all the information they need to ensure the health and security of every device on their network, and optimize costs across the technology infrastructure.

Over the past decade – and in the past two years in particular, as remote working became a predominant trend due to the pandemic – tracking a growing number of employees’ mobile and personal devices became an imperative. Since around 2010, the Bring Your Own Device (BYOD) trend has exploded, and today 83% of companies have a BYOD policy of some kind. What’s more, roughly 75% of employees use their personal smartphones for work, and 80% of companies believe mobile phones are necessary for their employees to do their jobs.

To maintain security – both physical and cyber – businesses must be able to track the people and devices accessing the corporate network at all times. A critical aspect of creating an IT asset inventory that’s always accurate and up to date is identifying and recognizing the devices – the type, brand and model, and the specific device, as well. Until 2017, this was possible. Then Apple’s iOS launched support for MAC Address Randomization, which prevents many IT scanning solutions from identifying or recognizing a device.


What is MAC Address Randomization?

If you live in a home or an apartment, you have an address – a unique identifier that says “this is where I live.” Similarly, every device – a computer, server, laptop, smartphone or other – has a unique address called a Media Access Control (MAC) address, which is assigned to the device by the device manufacturer. The MAC address identifies the device to other devices on a local network and is used to send data between devices. 

In recent years, however, MAC addresses have been used for tracking consumers, leading to privacy concerns. Merchants and advertisers use MAC address lookups to deliver targeted and personalized advertising to consumers, based on their location or behavior. For example, if a consumer visits a shopping center, merchants and advertisers may leverage a consumer’s MAC address to send promotional offers for nearby stores. Additionally, shopping center management may want to track consumers to learn how often they visit the shopping center and which stores they frequent. This information can be used not only for advertising, but to optimize traffic patterns, prioritize investments in particular merchants, and a number of other use cases. Some merchants have even used location tracking to identify shoppers that used a fitting room but never made it to the cash register.

The majority of customers do not want to be tracked – so mobile operating system manufacturers such as Apple and Google began to introduce restrictions on the availability of network information on devices to third-party apps back in 2017. With iOS 11, the ability for third-party apps to read a network-connected phone’s MAC addresses was removed.

Later, more restrictions were introduced for both iOS and Android phones. With the release of Apple iOS 14 (as well as iPadOS 14 and watchOS 7), all devices equipped with this version of the OS mask their MAC address when they connect to a WiFi network using MAC randomization. MAC randomization works by concealing the MAC address and creating a fake one in its place – and this makes it impossible for a business to identify a) the type of device that’s connecting to the network and b) whether the device is the same as a device that connected previously. With MAC randomization in place, that shopping center in our example wouldn’t be able to tell if a consumer was a return customer, and it would be more difficult to target them with specific advertisements based on their behavior over time.


Randomized by Default

In recent OS versions from Apple, Google and others, MAC randomization is enabled by default, and users must manually disable it. The devices automatically hide their MAC address when they connect to any WiFi network, and therefore appear as a new device, even if the device has connected to that network many times before. This is good news for consumers who wish to avoid being tracked and targeted by advertisers and merchants, but bad news for companies who need to keep their IT infrastructure secure despite employees using personal devices such as laptops and smartphones to access the corporate network and resources. While corporate policies can be applied to company-issued devices to disable MAC address randomization, these cannot be enforced on employee-owned devices with any certainty. 

Unable to identify and recognize these devices, businesses cannot effectively monitor, maintain or secure them, and vulnerabilities in the software on those devices can put them at risk. If a different identifier is generated every time an employee connects to the corporate network, it’s impossible to determine if the user is actually an employee and not an intruder or hacker. MAC address randomization will trigger security firewalls, as well, putting devices in device quarantine and impacting productivity. Additionally, if IT staff is unable to recognize the type of device or OS it’s running, it’s impossible to determine what, if any, software updates and upgrades to roll out to that device, increasing risk further.


How Lansweeper Addresses MAC Address Randomization

Here are the two main challenges of MAC address randomization and how Lansweeper is helping businesses tackle them:

Identifying and recognizing networked devices: Maintaining a complete and accurate inventory of all technology assets connected to your network is a critical first step to optimizing and protecting your business’s technology infrastructure. While MAC address randomization hides essential device data for personal mobile devices, Lansweeper can identify and recognize them anyway. Our platform leverages a unique combination of rule-based recognition techniques along with advanced AI and machine learning algorithms that process a wide array of data points generated by a device.

Although Lansweeper’s device identification works best when MAC addresses are not hidden, our algorithms can recognize connected devices by brand, make, model and OS based on analyzing network protocols (i.e. DHCP, HTTP, user agent and hostname). The solution then cross-checks and validates the performance of our network fingerprinting engine – which can recognize a device based on its network protocol fingerprint – and our machine learning engine – which creates a prediction model by performing correlation and supervised segmentation of basic device information. Lansweeper’s device recognition technology is the best on the market, and its effectiveness and reliability are not impacted by MAC Address Randomization.

Distinguishing between new and returning devices: MAC address randomization makes it impossible to tell whether a device that is connecting to the network is a new device or belongs to an employee who is authorized to access corporate resources. As stated earlier, this can lead to many problems for businesses, including security risk and lost productivity, among others. To solve this challenge, businesses must be able to monitor the behavior and traffic that each device generates, in order to understand if it’s the same device or another device.

At Lansweeper, we’ve been researching ways to deduplicate randomized MAC addresses to understand the unique identifier of each device on a network – and we’re making headway. We are currently evaluating partnership opportunities to move our research efforts to the next phase.
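As an added illustration (not Lansweeper's code or method), the example below shows two checks an asset inventory can run on DHCP observations: flagging unicast MAC addresses with the locally administered bit set, which is the form randomized addresses take, and grouping those by hostname plus DHCP fingerprint as candidate same-device entries. The sample observations, function names and the choice of fingerprint fields are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample observations (not real data):
# (MAC, DHCP hostname, DHCP parameter request list, DHCP vendor class)
OBSERVATIONS = [
    ("3C-22-FB-10-20-30", "build-srv-01", (1, 3, 6, 15, 31, 33), "MSFT 5.0"),
    ("a6:5e:60:11:22:33", "Alices-Phone", (1, 121, 3, 6, 15, 119, 252), ""),
    ("ce:91:0a:44:55:66", "alices-phone", (1, 121, 3, 6, 15, 119, 252), ""),
    ("7a:0c:de:77:88:99", "", (1, 3, 6, 15, 26, 28, 51, 58, 59, 43), "android-dhcp-13"),
    ("f2:41:b7:aa:bb:cc", "", (1, 3, 6, 15, 26, 28, 51, 58, 59, 43), "android-dhcp-13"),
]

def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[:\-.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def is_randomized_candidate(mac):
    """True for unicast addresses with the locally administered (U/L) bit set.

    Randomized MACs have this form, but so do addresses assigned by
    hypervisors and container runtimes, so the result is a candidate only.
    """
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02) and not first_octet & 0x01

def correlate(observations):
    """Return (stable, groups, class_only).

    stable     - manufacturer-assigned MACs, usable as inventory keys
    groups     - fingerprint -> sorted randomized MACs; more than one MAC in a
                 group marks a candidate returning device
    class_only - randomized MACs with no hostname; the remaining fields
                 describe a model/OS shared by many devices, so no merge
    """
    stable, groups, class_only = [], defaultdict(set), []
    for mac, hostname, request_list, vendor in observations:
        mac = normalize_mac(mac)
        if not is_randomized_candidate(mac):
            stable.append(mac)
        elif hostname:
            groups[(hostname.lower(), request_list, vendor)].add(mac)
        else:
            class_only.append(mac)
    return stable, {fp: sorted(m) for fp, m in groups.items()}, class_only

if __name__ == "__main__":
    print(correlate(OBSERVATIONS))
```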

Keep in mind, Lansweeper isn’t interested in personal data – only device information. We never associate the device data we collect with personally identifiable information. Our ultimate goal is to enhance security for the organizations we serve, since it’s impossible to protect devices you don’t know you have or can’t identify. 

Lansweeper’s Device Recognition technology is easy to embed into your existing tech stack and offers numerous integrations with mission-critical tools, enabling you to leverage a single source of truth for technology asset intelligence across your organization. We continue to research ways to deliver increasingly granular device data, while continuing to protect the privacy and anonymity of users.

Learn more about how Lansweeper Embedded Technologies can help you navigate the challenges of device identification.