
iOS changes will address HIPAA risk

In the meantime, MAC address broadcasts are still a threat to privacy
By Evan Schuman, Contributing Writer

Imagine if almost everyone walking into your hospital – patients, doctors, visitors, salespeople – was carrying an active homing beacon, which broadcast, unencrypted, their presence and repeatedly updated exact location to anyone who chose to listen.


That's where things stand today, courtesy of the mobile MAC address signal (it stands for media access control), a unique ID coming from every smartphone, tablet and wearable device.

But not for long, given upcoming changes to how Apple products will handle MAC address broadcasts – a move almost certain to be copied by Google's Android.


Apple's iOS 8 change, focusing initially on how MAC addressing interacts with Wi-Fi scans, will shift to using "randomly, locally administered" MAC addresses. The result, according to Apple: "The MAC address used for Wi-Fi scans may not always be the device's real – universal – address." (That description is on page 18 of an Apple PDF, available here.)

As a practical matter, using this kind of randomized bogus address will make tracking people via mobile devices impossible or, at best, impractical, depending on the level of randomization used and how often – if ever – the true MAC address is broadcast.

It will still be months before Apple releases this new version of its mobile OS publicly (it's now solely with developers), weeks and maybe months before most consumers will upgrade and longer still before others – especially Google's Android – mimic the move.

That means that, for now, this security and privacy risk is still a very real threat.

The risk is twofold. First, there is the potential for a renegade member of the hospital's staff to track people. Second, there exists the possibility that hospital visitors could wirelessly track other hospital visitors.

The first scenario is less of a concern when it comes to tracking doctors and other hospital staff: they could just as easily be tracked the instant they log into the hospital's local area network, so the MAC address broadcast is not necessary. With visiting cyberthieves or stalkers, anyone with a mobile device is a potential tracking victim.

The security risk is that a specific MAC address would be tracked over time, showing all travel activity within the hospital. Retail offers a great example of the risk: Retailers work with vendors who have contracts with lots of other retailers. This allows those companies to create – and to then sell – detailed reports of every store and mall and parking lot that a MAC address visits. By overlaying it with purchase records, that address can be associated with specific purchases. If those purchases used a payment card or loyalty card, that MAC address can then be associated with a specific person.

There are many other database interactions, such as security cameras in the mall, hospital and parking lots. This allows a face and clothing to be associated with that MAC address. In a parking lot, it allows for license plates to be so associated. Some retail vendors have started aggressively using facial recognition software, both to identify shoplifters who have been banned from a store and to attach names and purchase histories to a shopper who just pays with cash.

Hospitals officially do not have the same business incentives for such an identification program, but a rogue employee or a cyberthief could use the MAC address in a similarly intrusive manner.

With the new randomization that Apple is launching, such potential risks evaporate.

"This is one of the better things Apple is doing with the upcoming version iOS 8," said Daniel Wood, a security penetration tester who specializes in Apple mobile devices. "It will prevent, to an extent, the tracking of users when they are walking in range of wireless access points.

"When you have Wi-Fi turned on with your iPhone/iPad, it is constantly polling the network airwaves for access and broadcasting the device identifier," he added. "As of now, when your phone broadcasts looking for an access point, anyone sniffing would see Daniel's iPhone as a device looking for access."

Another security penetration tester, Godfrey Nolan, said this move will likely impact the people who are most trying to track consumers.

"Moving MAC addresses would stop the marketing people tracking you like they do on the web," said Nolan. "It's also going to make the NSA's job a bit harder."

This kind of randomization will also make healthcare IT's job a bit harder, but only in the beginning. The problem will impact healthcare networks that use MAC addresses for authentication, to allow an initial connection before requiring password or PIN authentication.

"The doctor won't automatically connect if the MAC address is randomized. He will have to sign himself in," said Jeff Mongelli, CEO of Acentec, which sells medical security systems. "The staff that rely on the wireless network aren't going to be happy about it. They are going to have to go through that network logon each time. In a world where doctors complain about how many times they have to click on software, the doctors are going to gripe."

In reality, though, hospital IT staffs will more likely simply switch to a different authentication system for staff, perhaps using tokens or a cookie on the mobile device, said Mongelli.

"Those networks that are relying on MAC will be forced to rely on something else, like an encrypted key, which will be a little more difficult to pick off," he said. "That would be a good thing, from an improving security perspective. From an IT guy's perspective, that's a lot of work. They'll have to reconfigure their firewalls. I think you could make the argument that this will add security, making mobile devices more secure. It will make trying to track people that much more difficult."
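An added example, not part of the original article: the "locally administered" property Apple describes is a single flag bit in the first octet of the address, so a network team can check which observed addresses a MAC allowlist of the kind discussed above will never recognise. The allowlist, the observed addresses and all function names are constructed for illustration.

```python
import re

# Constructed sample data (not from the article): a staff-device allowlist of
# the kind used for MAC-based admission, and source addresses seen in scans.
ALLOWLIST = {"3c:15:c2:aa:10:01", "a4:5e:60:bb:20:02"}
OBSERVED = ["3C-15-C2-AA-10-01", "da:a1:19:4f:7e:33",
            "a45e.60bb.2002", "02:00:5e:10:00:01", "not-a-mac"]

def normalize(mac):
    """Return lowercase aa:bb:cc:dd:ee:ff, or None if not a 48-bit MAC."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(mac):
    """Classify a normalized MAC by the two flag bits of its first octet."""
    first = int(mac[:2], 16)
    if first & 0x01:          # I/G bit: group address, never a valid source
        return "group"
    # U/L bit set means locally administered: the address was assigned in
    # software and is not the universal one. It does not prove randomization.
    return "local" if first & 0x02 else "universal"

def audit(observed, allowlist):
    """Return (address, kind, admitted) for each observed source address."""
    allowed = {normalize(m) for m in allowlist}
    rows = []
    for raw in observed:
        mac = normalize(raw)
        if mac is None:
            rows.append((raw, "invalid", False))
            continue
        # A randomized address is not on the list, so MAC-based admission
        # fails and the user falls through to a manual logon.
        rows.append((mac, classify(mac), mac in allowed))
    return rows

def needs_other_auth(rows):
    """Addresses that a MAC allowlist can never recognise."""
    return [mac for mac, kind, _ in rows if kind == "local"]

if __name__ == "__main__":
    for row in audit(OBSERVED, ALLOWLIST):
        print(row)
```

Run against real association or scan logs, the share of "local" rows gives a rough measure of how many devices would need the token or key-based logon Mongelli describes.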