For many years, MAC Address Randomization was slated as the next big thing for protecting user privacy on the modern Internet.
The standard, which works by assigning a device a new MAC address in order to frustrate user tracking attempts, is still under development at the IEEE (Institute of Electrical and Electronics Engineers) and has already passed a few security tests.
Now, four scholars from the US Naval Academy say they've managed to track 100% of all test smartphones, despite the devices using randomized MAC addresses.
The technique worked across all tested manufacturers, and the researchers say this was possible because of a previously unknown flaw in the way wireless chipsets handle low-level control frames.
Their work was based on previous research released in 2016 by researchers from Belgium and France, who used a similar technique to track 50% of tested smartphones, despite those devices using MAC address randomization.
The Naval Academy researchers say "adoption of this technology, however, has been sporadic and varied across device manufacturer."
For example, Apple introduced support for MAC address randomization in 2014, with the release of iOS 8, but later broke it last year, with the release of iOS 10.
Because the researchers couldn't peek into iOS' source code, they can't tell exactly what Apple changed, but they say that before iOS 10, Apple had implemented MAC address randomization much better than Android developers had.
For its part, Google similarly introduced support for the standard in 2014, with the release of Android 6 (Marshmallow), and later backported the feature to Android 5 (Lollipop).
Despite the different ways each OS handles MAC address randomization, the researchers said all devices answered with specific packets (control frames) when the researchers sent them a specific request.
To protect against attacks on MAC address randomization, the researchers recommend stricter policies when handling MAC address randomization operations. Some recommendations are included at the end of their research paper, titled "A Study of MAC Address Randomization in Mobile Devices and When it Fails."