We will appreciate Peplink’s consideration of a modification of AP firmware to randomize AP MAC addresses upon reboot of the device, at a fixed interval or via GUI command. (A logical place to insert the GUI command may be in AP → Profiles.) Fixed MAC addresses present a security concern most recently summarized in a comprehensive paper here. The extensive references cited therein provide further explanation and justification.
The recommended action to be taken by device manufacturers is set forth in Section 9, Remediation.
Thanks for posting the link to the paper on this Rick-DC. It was a very interesting read.
I’d love to see someone from Peplink respond to this and see if they take this seriously or not and if they plan to implement some sort of AP MAC randomizer in their products to improve the overall privacy/security.
However should this be implemented by Peplink then I would like to see it in a means that it is off by default - there are many good reasons why we would not want the BSSID MAC addresses to change or become randomised once equipment is installed.
If Peplink does implement this could they consider the following points:
1 - Provide a means so that this feature can be controlled from Ic2 from day zero, at every level from organisation, group and specific AP.
2 - Implement another way that we could identify our APs in a consistent fashion when we are using certain tools (Ekahau, Hamina, NetAlly etc.) - this means you need to implement something like including the AP hostname in the beacon frames using a vendor specific information element, this again should be something that can be toggled on and off.