It has been a hot potato in the last couple of years, engaging both wifi manufactures at one end, providing the retail vertical with new ways to use the increasingly number of wifi-enabled gadgets that we carry around to analyze customer behavior and movements, and privacy concerned citizens at the other end, not at all willing to freely give retail companies any kind of insight into their shopping habits, especially not if it was done without their consent and explicit permission.

As good as every enterprise wireless manufacturer has a solution for this, and regardless of what the product is called at a specific manufacturer, the basic functionality is the same. By listening to the probe requests that our wifi-enabled gadgets and phones sends out straight into the air when searching for wireless networks, they collect the mac address of that device. Pair that information with the signal strength for that particular device and you can start putting together some interesting metrics.

Most commonly these metrics consists of things like the number of recurring customers, how long customers normally stay in the store and what percentage of customers that actually comes into the store versus the one that just passes by.

The value of customer metrics

These metrics are considered almost too good to be true for some marketing departments, while IT guys rarely raises more than an eyebrow over the same metrics, in most cases they’re still lightyears away from what Google Analytics can provide for a simple webshop. The key difference though is that Google Analytics is not for the physical world, at least not yet: the gmail application found in Android and iPhone is reporting some of these metrics to Google, which means that for example you can see how long customers normally stay if you google your favorite store.

But the fact is that just the possibility to be able to get their hands on even some of these metrics has been the deciding factor in quite a few wireless deals in the past years.

For those working with these kind of presence solutions however, Apple released an eye-opener in 2015 with the rumor that iOS 8 would randomize the MAC-address in every probe request to make it impossible for big brother to see you. Not only that, but by using a random mac address for each probe, you would effectively make all the collected statistics more or less useless. The amount of new customers in a store would increase significantly from one day to another, while the average time spent in the store would be more or less a “probe interval”.
Today I stumbled over the news that Apple iOS 10 actually randomizes the MAC-address in probe request. To see if this was only rumors once again, or if this will be the final needle in the coffin for presence analytics I had to analyze the behavior myself.

This was my procedure to see how iOS 10 behaves.

Hands-on in the lab

The first piece of the puzzle is a device to capture wifi packets.
I used my Aerohive AP230 as a remote probe.
In the console enter the command “exec capture remote-sniffer promiscous”


This could be done via Utilities in HiveManager classic, but I couldn’t find how to in HiveManager NG.

Next step is to connect I remote interface in Wireshark on a PC to see the packtes.wireshark_remote_capture

The third and hardest part is to try to isolate the probe requests from only the iPhone with iOS10.
Since I don’t know which SSID the phones gonna probe after, or what MAC-address it will use I had to try to filter out other probe requests.

In the lack of a Faraday cage, I had to improvise a bit:

Analyzing the traffic

The access point and the iPhone where placed in the soda fridge and a wireshark filter was applied to show only probe requests with a RSSI better than -60 proved what I was afraid of.

The iPhone changes MAC address when it probes after the screen has been turned of and on again,
or when it has entered powersave and gets woken up by a message or call.
Since it changes it’s MAC address it has to use a “private” address to avoid conflict with other devices.
The private addresses are in the following ranges:


This means that every presence solution counting customers via probes will see every iPhone as a few customers.
It will never be able to see if there is any returning customers and it can’t analyze “store conversion”/walk by.

It still uses its correct address when it connects so this will not affect system that analyzes connected guest users.

No matter how good the presence system looks, it’s never better than the data it gets. And since at least a big part of the data is collected from iOS 10 devices, you might as well sell your customer an not-so-educated guess.

Android devices will also randomize their MAC address from 6.0 (Marshmallow)

Lämna en kommentar

E-postadressen publiceras inte. Obligatoriska fält är märkta *