Android 10 randomizes MAC addresses by default

Hi all -

I wanted to give you a heads-up as I noticed that Android 10 now uses a new feature called “MAC address randomizing”. What was intended to be a security enhancement in public wifi networks can cause some pain if you rely on fixed MAC addresses for DHCP and access to the BLUE segment of your network.

Luckily you can disable this feature manually on a per-ESSID basis, as described here:

Set to “Use device MAC”. After all, if one of your network clients has recently got an OTA update to Android 10, it will have changed its MAC address for good, and you need to add the new address to your IPFire configuration, after which it will stay constant (if you followed the steps in the link provided and disabled randomizing).

Cheers,
datamorgana


I don’t think this feature is as good as described in the article cited.
The MAC address is the unique identification for a device. Therefore, to allow a device to log in to the (W)LAN, one must use this ID!

BTW: I didn’t find a description of the randomisation. Does it break the uniqueness of MAC addresses?

I think the problem is that MAC randomization is switched on by default on Android 10.
https://source.android.com/devices/tech/connect/wifi-mac-randomization
This could be a problem with WiFi devices on the BLUE side filtered by MAC address. Also with the captive portal: it burns the access codes per device.

When is it planned to randomize the IMEI of smartphones? This is necessary to forbid providers from keeping a usage log!

SCNR.

I think that provider logging has nothing to do with the IPFire project. It is one of many problems with tracking user data :wink:
Remember Google, Facebook, Microsoft, Twitter, Samsung, Amazon, all other stores and all other portals, clouds and databases on web. Don’t forget the intelligent services world wide ;-p

Sorry, my answer about IMEIs wasn’t meant seriously.
See SCNR :wink:

Anyway, MAC address randomization in untrusted networks enhances the security of the connection a bit and may reduce the opportunity for packet capture. Of course it won’t ease the problem if the data-stalker is using behavioral analysis of traffic, but it can help a bit.

If I’ve read the Android article right, the MAC is persistent for a network connected to before.
That leaves the problem of the MAC pool. Is the same MAC used twice?

Even more interesting facts about this feature:

What strikes me in the article above is this (quote):

  • If you “forget the network”, such as when changing your password, a new MAC address will be generated.
  • Users can only see what that MAC address is when “connected” to that network.

That makes it more complicated for use cases (with IPFire) in which a MAC filter is utilized.

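To illustrate the point above about MAC filters, here is an added example (not from the thread or from IPFire) that flags leases whose MAC looks randomized and is not in the BLUE allow list. Randomized addresses set the locally administered bit (0x02 in the first octet); the lease lines and allow list are constructed samples in a simplified `expiry MAC IP hostname` layout, not IPFire’s real leases format.

```python
import re

# Constructed sample lease lines (simplified layout, not a real IPFire leases file).
SAMPLE_LEASES = """\
1570000000 a4:50:46:12:34:56 192.168.2.20 tablet-fixed
1570000100 02:1a:7b:9c:de:f0 192.168.2.21 android-phone
1570000200 d6:3f:00:11:22:33 192.168.2.22 *
1570000300 00:1b:63:aa:bb:cc 192.168.2.23 laptop
"""

# Hypothetical allow list, standing in for the MACs entered in the BLUE access table.
ALLOW_LIST = {"a4:50:46:12:34:56", "00:1b:63:aa:bb:cc"}

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def is_locally_administered(mac):
    """True if bit 0x02 of the first octet is set: a software-assigned
    (locally administered) address, which is what randomized MACs use."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def classify_leases(text, allow):
    """Parse lease lines and annotate each MAC with allow-list and
    randomization status. Malformed lines are skipped."""
    results = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        mac = parts[1].lower()
        if not MAC_RE.match(mac):
            continue
        results.append({
            "mac": mac,
            "ip": parts[2],
            "host": parts[3] if len(parts) > 3 else "",
            "allowed": mac in allow,
            "randomized": is_locally_administered(mac),
        })
    return results


def unknown_randomized(text, allow):
    """Leases worth a look: likely randomized MACs that the filter does not know."""
    return [r for r in classify_leases(text, allow)
            if r["randomized"] and not r["allowed"]]


if __name__ == "__main__":
    for lease in unknown_randomized(SAMPLE_LEASES, ALLOW_LIST):
        print(f"{lease['mac']} {lease['ip']} {lease['host']}: randomized, not in allow list")
```

Running this over a fresh lease file after an Android 10 OTA update shows which devices now need their new, per-ESSID MAC added to the filter.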

Perhaps at some point in the future the guys at IPFire will develop a feature to cache the initial connection and manually add the device’s IMEI to track the changing MAC address.

It’s called “login”…

For me it sounds like Darwinism on IT base…
Who isn’t smart enough or willing to search for the problem won’t be able to connect… maybe this “feature” will let people think a bit more about the way the technology they use works…

So in other words, I don’t think that the way one grants access to the WLAN has to be changed (I also don’t know what to change it to, IMEI, DNA, colour of their poop? :smiley: )


IMVHO it’s a way to push MDM packages. Control on the device side, not on the network side.

Hey,

this is a horrible article. It does not really convey a lot of information and shows a “new feature” which really isn’t one.

First of all, if you think your wifi is spying on you: don’t connect to it.

Secondly, changing your MAC address is 100% security by obscurity. The people tracking you on the internet simply use cookies and do not care about layer 2. Nobody would seriously consider this a “security feature”.

What would prevent people from tracking you is what Apple does: When an iOS device is not connected to an access point, it will scan for known networks in the area. If you are walking through a shopping mall, then the shop owners could record your MAC address and pool their data. They would then know that you have been shopping for soap, fashion and electrical or something depending on where your phone showed up. By randomising the MAC address, this is no longer possible.

As soon as the iOS device connects to an access point, it will use the same MAC address so that the networks can recognise the device again. DHCP, captive portals and so on will still work.

This is what you want to do. But you don’t want to break things like Android does.

The more they work on it, the less I like it. It is becoming a horrible OS.
