Use random MAC address

BR/EDR

BLE

A MAC address (Media Access Control) is a unique identifier assigned to a device’s network interface for identification on a device network. These addresses are used in communication networks that utilize protocols from the IEEE 802 family, including Bluetooth (IEEE 802.15.1).

In Bluetooth, there are two types of MAC addresses:

  • Public MAC Address: This address is the actual and fixed device identification, which cannot be changed.
  • Random MAC Address: This address is randomly generated to represent the device and can be altered.

Within the group of Random MAC Addresses, there are two subgroups: those that allow connection to the device and those that do not.

The Random MAC Addresses that permit connection and access to a set of Bluetooth services do not necessarily need to be resolved against the Public MAC Address. However, it is possible to calculate the Public MAC Address from a Random MAC Address.

The generation of Random MAC Addresses during device discovery is essential to prevent attacks such as BlueTrust.

Note: There is a similarity between the real MAC address in Wi-Fi and the Public MAC Address in Bluetooth, just as there is a similarity between the random MAC address in Wi-Fi and random MAC Address in Bluetooth.

Description

During the advertising process, it’s necessary to verify if the device is generating a random address by inspecting the corresponding field in the HCI_LE_Extended_Advertising_Report message. The Address_Type[i] field can take on the following values:

ValueParameter Description
0x00Public Device Address
0x01Random Device Address
0x02Public Identity Address (corresponds to Resolved Private Address)
0x03Random (static) Identity Address (corresponds to Resolved Private Address)
0xFFNo Address provided (anonymous advertisement)
All other valuesReserved for future use

This check is considered satisfactory when the value in the field Address_Type is 1, 2, or 3.

Example case

Opening Wireshark with BTVS (btvs.exe -Mode Wireshark) allows reading the discovery messages of nearby devices. One of the tags shown in the advertisement packets is the type of MAC address, indicated by the Address Type field, in this case with a value of 0x00 (Public Device Address).

Wireshark LE Meta Address Type

The MAC address type is specified according to the Bluetooth standard. In general terms, the obtained value will be in the range of 0x00 to 0x03.

The check control FAIL when the value is 0x00.

External references

  • Bluetooth Core V5.3, Vol. 3, Part C, Section 10.8 Random Device Address
  • Bluetooth Core V5.3, Vol. 1, Part A, Section 2.1.1.3 Security Manager Protocol
  • Bluetooth Core V5.3, Vol. 4, Part H, Section 7.7.65.13 LE Extended Advertising Report event