How Much Privacy Does $3,165 Buy You?

Security and privacy are frequently linked for good reason; the more specific information an attacker can gather regarding a person or organization, the more devastating or surgical a targeted attack can be. Armed with this knowledge, many individuals and organizations focus too heavily on protecting privacy while under-emphasizing or entirely neglecting actions which will actually make their systems more secure, a practice known as Security through Obscurity. Such is the case with the Institute of Electrical and Electronics Engineers (IEEE) practice of selling private Organizationally Unique Identifier (OUI) registrations to companies. This feature hides the name and personal information of the company that owns an address block in the IEEE public registry. In this paper, we track the adoption of private address allocation over time and attempt to unmask some of the companies behind this veil. We perform a cursory assessment of collected unencrypted frames transmitted by the devices implementing this practice. We identify that ∼86% of observed devices reveal their associated provenance through the content of their unencrypted transmissions, thereby rendering the privacy protection moot. Furthermore, we posit that the practice itself is flawed, inherently drawing unnecessary attention by the public nature of IEEE allocations. Our research reveals the ownership details of private addresses used by critical law enforcement, emergency services, and a variety of physical security systems. The results of our findings have been disclosed with the goal of raising awareness of companies and consumers using products with unsubstantiated security guarantees.