107 comments

[ 4.7 ms ] story [ 181 ms ] thread
This seems like it should be a default indeed. It does make it harder to assign fixed addresses to your devices in your home network. At least openwrt only seems to have static DHCP leases based on MAC and not on the advertised DHCP name. For most devices this doesn't matter as it does add a DNS entry with whatever IP it assigned. But when you then want to add a firewall rule to port forward something to a device a fixed IP is much nicer.
True - I could update the script to allow for whitelisting certain networks so they receive a stable-forever MAC address..?
That would probably make a lot of sense. Can the network manager setting also be changed per network? It would be nice to do this with the normal config in the future.
What makes it easier is having fixed goals in mind, because I am seeing a lot of people in this thread arguing because they're all solving different problems which is obviously going to mean different solutions.

If your only concern is passive tracking, then a randomized MAC being used for SSID probes (because whitelist-only hidden SSIDs are rare enough that those people can manually connect) will be sufficient.

If you're looking to keep an open Wifi provider from tracking you over the course of days, then using a different MAC for each connect is going to be sufficient.

If you're looking to avoid tracking by people doing traffic analysis to correlate by behaviour no amount of MAC trickery will help you.

If one is looking to avoid having to pay for overstaying their visit at a coffee house or similar capture portal, maybe what needs to be changed is one's sense of ethics, and changing a MAC won't help with that.

So, you can say "it should be a default" all you like, but everyone's going to have a different idea of what the default is for and they're going to throw a fit about it not being "the right default". Better to be conservative like Android and avoid inciting the newbs.

Your different problems with different solutions have at least a part that everyone agrees on like iOS doing it for probes. We can definitely argue what the right default is but will probably agree that no randomization at all is not a good one and move to at least some. Ubuntu currently does none.
This would be a bad default because it breaks things like staying signed into a network with a login gateway.
In OpenBSD, it's just:

  # ifconfig iwn0 lladdr random
Of course, iwn0 is your interface.
There's probably a one-liner in Linux too, but not one which satisfies the three caveats in the post.
The necessary infrastructure exists in wpa_supplicant, but only in a newer version than is distributed with Ubuntu 16.04. OpenBSD is more integrated, so advanced functionality like this tends to be easily accessed through ifconfig.
I've used https://github.com/feross/SpoofMAC in the past, which is a simple python tool for doing just this, cross-platform. Used it a lot in airports and can warmly recommend using it if you're usually dealing with multiple different OSes and don't want to remember how to do it for each.
Looks cool. I wish there was something like this for iPhone/iPad - which is much more likely to be with me everywhere and leak my MAC...

side note/question: do I need to actively connect to a WIFI network for them to know my MAC or does it leak even when my phone scans for neighbouring SSIDs? EDIT: looks like MAC would leak even if I don't connect to any access point, but my Wifi is on... At least according to [0]

EDIT 2: looks like iPhone and Android use MAC randomization when scanning WIFI. (not sure after they connect though). But even this randomization can be defeated[1]?

[0] https://www.crc.id.au/tracking-people-via-wifi-even-when-not... [1] https://www.theregister.co.uk/2017/03/10/mac_address_randomi...

I am pretty sure that when iPhone connects to an access point it uses the real mac, I don't know about android but it is probably the same.

Some access points need your real mac to connect because they use that to authorize you, I think schools/universities use this method a lot.

I do not understand though. Whitelisting MAC addresses is something you can do, but 99.99% of the wifi spots out there don't have it enabled. Why should my phone leak my MAC address needlessly instead of just generating a new one every 5 minutes or so?
If you connect to any hotspot with a captive portal, you would need to deal with the portal again every 5 minutes.
The MAC could remain unchanged for established connections while changing for new connection offers.
What does that accomplish?
It accomplishes what changing it in the first place is intended to accomplish - anonymity. Changing for established connections offers no benefits.
Hopefully just the process of watching all connections break and seeing the internet go away as the client reassociates with the AP each time they foolishly tumble their MAC on an _active_ connection will be enough to keep this scenario from ever playing out.
Or to be more precise, those access points probably need a consistent mac, not your real one. So it would be nice if you could configure those networks to receive their own mac, but that stays the same over time. This is what the NetworkManager 1.4.1+ "stable" setting does.
Good tip, thanks for linking to this.
Are there any lawyers here that can speak about the legal side of this? I could imagine a wifi provider that offers 30 minutes free wifi e.g. airports, has this covered in their terms and conditions or a country that could consider this as fraudulent?
iPhones and Android phones do this for awhile already. If you read the article you'll notice that the MAC stays the same for a SSID for a working day. This makes sure it doesn't break networking and as a side effect captcha portal limits still work.
I believe iPhones and Android phones only do it while in scanning mode. Once connected, they use the real MAC address.
I've found GNU macchanger to be the easiest way to do that kind of stuff. It's as simple as:

macchanger -r <interface>

Interesting article about macchanger on the Arch Wiki: https://wiki.archlinux.org/index.php/MAC_address_spoofing

I also used macchanger in the past but it seems that recent versions of NetworkManager overwrite the changes that macchanger makes.
Another case where NetworkManager pissed me off. A couple of years ago they broke all third party MAC changers in favor of their built-in solution, but the built-in solution required the bleeding edge head version of wpa_supplicant that no vendor shipped leaving the entire system nonfunctional. IIRC it still doesn't work on Ubuntu 16.
This seems like a good idea until you realize that you are the only one using a random mac address. (There is a vendor prefix at the beginning of every mac) Better would be to take a bit more care in choosing a more realistic address.
I think it's not a good idea to change your mac address as your only precaution against tracking. The DNS requests you'll make will reveal which sites you frequent.

I would advise to use a VPN connection. In this case it doesn't matter that you've randomized your mac address in a way which can be clearly identified as random. And even then you can see the VPN server IP in the logs so you should also make precautions and buy your VPN connection anonymously (and even then - you'll never know if you're really anonymous).

Changing your mac address seems to be sufficient (in addition to the VPN usage) to prevent easy tracking through something unique like your real mac address. But I agree that this is just 1-3 lines of code for realistic mac address generation so it should be unproblematic to add.

Edit: If you have fears of being uncovered by random-looking mac addresses without vendor prefixes, changing your mac address will probably not help you. Your threat model is different - maybe APT-level - and you have to do way more than changing your mac address.

If you're paranoid enough to be spoofing your MAC address, surely you're paranoid enough not to rely on shady DNS servers?
You can spoof DNS requests of a victim when you are in the same network as them (the router knows which sites you visit through those DNS requests anyway). It doesn't matter which DNS server the victim uses. As long as they don't use encrypted DNS they expose the websites they visit.

Takes 5 minutes to configure your OpenWRT router to log all DNS requests: https://superuser.com/questions/632898/how-to-log-all-dns-re... Or if you are an attacker without control over that router: search for dns spoofing. I did this several times to demonstrate companies that their public networks can be hijacked.

Your adversary probably isn’t the NSA, it’s commercial tracking services. Their business is tracking the general public, they don’t care about one weird person.

Unless avoiding this becomes common practice and then the whole story changes.

Yes, this is also my reasoning.

> Unless avoiding this becomes common practice and then the whole story changes

If that means that everyone starts to use random mac addresses, you still can't identify specific persons based on their randomized mac addresses when they change them every time they reconnect.

No but it would make more sense to start tracking then based on their other behavior.
(comment deleted)
Here is the code I use for my mac to randomize my mac address:

    interface="en0"
    new_mac=$(openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/:$//; s/./0/2') # from stackoverflow
    sudo ifconfig $interface ether $new_mac
Edit: What's the advantage of the solution in the post? If I just change my mac address every time I join a network (even the same one), they can't track me with my randomized mac addresses. So why would I prefer to keep a stable but randomized mac address for each network I connect to for a day?
Because maybe you had to pay to access the network and part of that involved binding your mac address.

For example, calling the hotel desk to get your device to work.

Would be interested where that happens because I've never encountered something like this (binding the mac to the access) in public networks e.g. McDonald's, hotels and other shops. I did only get access codes which could be used for a specific time where I just changed my mac address.

I only know about mac whitelisting in protected networks managed by wary administrators.

Airports do this all the time: Wifi is free for 1 hour, after that it's $X/hour. It's simply putting a "timer" on the MAC address.
Then randomizing that address gives you a new hour every time.
Yes, tested and working for 10+ years now. Also works well if usage is capped/throttled after a certain amount and you wish to 'reset' the connection. Try not to abuse this on a shared network obviously, but if you have a legitimate need it's very simple.
All of the universities I attended used MAC address whitelisting.
> I only know about mac whitelisting in protected networks managed by wary administrators.

Wouldn't make any sense for properly securing a network. As an attacker you could just create an evil twin (same ESSID), let some students connect to it and just use their mac addresses (and even drop their connections when they try to use the university wifi).

Edit: You don't even necessarily need an evil twin to get their mac addresses. You only have to listen to the wifi traffic and get some - even encrypted data packets still contain the raw mac address as far as I know. airodump-ng is the perfect tool to do that.

I didn't say it made any sense :) This is how I was able to get my Playstation connected up in my dorm. I set my laptop's MAC to my Playstation's, then got my laptop authenticated using their tool, switched the MAC back, and the Playstation would connect up without issue.
In Canada, the ISP shaw offers ShawOpen for subscribers. There are hotspots all over the place, access control by MAC address. So I would need to provide a consistent MAC address to that SSID.
Some bits of the MAC address are significant. You're generating all 48 bits randomly which could have some side effects.
Would love to know which side effects there are. I've never encountered any problems in all those years I use those randomly generated mac addresses.

    new_mac=$(openssl rand -hex 4 | sed 's/\(..\)/\1:/g; s/:$//; s/./0/2'; s/^/02:/)
is better. by using the 02: prefix for locally administered macs you avoid clashes with certain cards. I also used to randomize my local hostname.
Most of the time there are <100 devices connected to the wifis I'm connected to. I don't want to do the math now, but I expect that a collision is pretty unlikely. If you mean that some cards have problems with handling those mac addresses, I would love to hear about that.

> I also used to randomize my local hostname

Great idea, missed that. I'll integrate that in the future.

Intel cards and Realtek cards are known to be problematic with random vendor prefixes.
On systemd-networkd, you can add

    [Link]
    MACAddressPolicy=random
and (for RFC 7844[13] DHCP Anonymity Profiles)

    [DHCP]
    Anonymize=true
to your network unit or link.
MAC address randomization is in fact built in to NetworkManager (edit: 1.4), so none of this work is really necessary (edit: if you are on 1.4 or later).

NetworkManager also includes more advanced modes which make the MAC address stable for a given hotspot, but random between them.

https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoof...

Unless you're using Ubuntu 16.04 LTS, in which case you're stuck with NetworkManager 1.2.

From the post: "I learned that NetworkManager 1.4.1+ can do MAC address randomization right out the box. If you’re using Ubuntu 17.04 upwards, you can get most of the way with this config file."

Will these new randomized MACs also be lookupable [1] to find the model? If I'm the feds running honeypot wifi and I see a different Dell Chromebook doing things interesting to me every day, this isn't a good cover.

[1] https://www.macvendorlookup.com/

Not necessarily. However, if you're the only random MAC user on a network, it can be trackable.

Depending on implementation the MAC will have a specific bit set to indicate it is user supplied and not necessarily universally unique but I'm not sure if NM does that.

No, because they use the 'locally administered' prefix [1]. This is deliberate in order not to collide with real existing MAC addresses. (The original version of the post used real, Intel MAC prefixes [2] and you can look in the gist revision for that code if you prefer.)

BTW if it's really the feds you're worried about, this article probably isn't for you.

[1] https://en.wikipedia.org/wiki/MAC_address#Universal_vs._loca...

[2] https://github.com/paulfurley/www.paulfurley.com/commit/bebc...

NSA MAC address prefix is 00:20:91, you can combine this knowledge with the one from the article to scare your sysadmins.
There's probably a lot more fun ones. Complete list at http://standards-oui.ieee.org/oui.txt. 3.6Mb.

    $ grep 00-20-91 oui.txt 
    00-20-91   (hex)		J125, NATIONAL SECURITY AGENCY
    $ egrep -ic 'army|force|navy|secur|secret|private' oui.txt 
    461
Unfortunately, this isn't compatible with a bunch of popular wireless cards, mostly from Realtek.
Be aware that this technique could be illegal or appear suspicious in some jurisdictions. MAC address randomization was mentioned in Aaron Swartz's indictment for wire fraud.

See page 7: https://www.wired.com/images_blogs/threatlevel/2012/09/swart...

Can you show me where changing your MAC address is illegal?
It's not illegal, it can be detected and then used against you in an indictment. It's like saying you dislike someone, they go missing, and the prosecutor mentions what you said.
"can be detected" beyond regular ol' OS/Browser/Traffic/Activity fingerprinting?
> and the prosecutor mentions what you said.

And then what? You're under further suspicion? If you're innocent, that shouldn't be your concern. But all you gotta do is STFU. Don't talk to the police either way.

What you said shouldn't be enough proof except in a banana republic.

If you were always spoofing your MAC address however, then you can use that as your defense.

Your argument is akin to it being suspicious that you use Tor. As if that means your computer should be seized because you might have WMDs. Tor usage might make you suspicious only if other credible factors exist.

> What you said shouldn't be enough proof except in a banana republic.

What effect does being a banana republic have on this?

A politically unstable country has ample amount of corruption and therefore likely has a weak, unfair legal system.
The law cares about intent.

Changing your Mac address, or wearing a fake beard, are both fine.

Changing your Mac address to trick a Wi-Fi hotspot which gives out one hour free per device per day, or using a fake beard to trick a shop keeper into letting you get "one free bagel per person" twice, is a crime.

This is what I was getting at.
Where would MAC address capture occur on the network? MACs are local to L2 traffic, so once a frame turns into a packet and is routed, the sMAC of your PC is no longer present in the data. If you're on your home network, this has no impact what so ever.
The capture would occur inside the router. You can just dump its ARP table which translates between MAC and IP address.

"If you're on your home network, this has no impact what so ever." Yes, I'm fairly happy with my own tracking policies :D

Actually, this is no longer true. An autoconfigured IPv6 address can leak your MAC address, depending on your settings, as one mechanism for autoconfiguration embeds your MAC address right into your IPv6 address.
I have Fibre to the Home at 1Gb/sec, but so far, they do not support IPv6. That's something interesting for me to look into though, so thank you. I was providing ADS-B flight data to a website, and then I realized that they were posting my MAC, my NAT'd IP, and my GPS location to the world. That L7 will get ya every time.
Your router MAC address is tracked by Google Location services. They do this with their wardriving vehicles and from Android phones.
Yes and even if you changed your Mac every day, your neighbors probably wouldn’t. So google can still see the three routers around you, look up the gps those routers have been seen concurrently with, and know where you are.
Not sure if I'm missing the point here... if I were using Google Location services, wouldn't that mean I was giving Google my location directly? Why would they need to use my MAC address?
Theoretically you don't need to be using Google location services. You just need a phone with a google app that has permissions to discover nearby wifi hotspots.
All good but your MAC address never leaves the LAN.
It’s worth noting that iOS has randomized MAC addresses in WiFi probes since iOS 8.[1] As far as I know your real MAC address is exposed upon connection. I’m curious to what extent other vendors have implemented this strategy.

[1] https://arstechnica.com/gadgets/2014/06/ios8-to-stymie-track...

That doesn't address the issue of you being tracked by mac when logginh into a hotel, as you said the real mac is used when connecting.

This only addresses tracking when your phone is in the pocket and sending probe requests to scan for AP's.

Unfortunately the iOS support is a sham. I tested myself, and the rumors that iOS does not randomize MACs turns out to be true. Not only does it not simply change over time, it doesn't even change when you restart the device. I walked around for a week, and my MAC never changed.

Apparently, if it ever works at all, you have to run settings that nobody uses - including, iirc, not being connected to a cell tower. I used to spread the same FUD of "iOS does this!", but the truth is it's a lie.

It only uses the random MAC for Wifi probes, no router I know of records these but they can be sniffed. Any real connection uses proper MAC.

If you want random MACs everytime I recommend Linux + a fairly recent NetworkManager.

Unfortunately randomizing MACs for active connections has some usability concerns, especially with paid WiFi APs (Airports, Hotels, etc...).

The best solution would be to make up a random but persistent MAC per connection, but that seems to be too difficult for some reason.

Note that your MAC address is only one part of the identifying information your computer gives to the DHCP server. For another approach check out DHCPcAnon:

https://github.com/juga0/dhcpcanon

You can contribute to the development of this project by helping to integrate it with your favorite WiFi manager.

Identifiers in DHCP requests is a really good point, thanks for raising this. I'll do some captures and see what my client is revealing.
I wish their readme would show some examples of leaked information from reference dhcp clients, so we could tangibly see why that's an improvement.
I recently noticed that Windows 10 has that feature too, which came as a surprise to me
Confused, I thought many chips (like some/many Intel ones) don't let you spoof the MAC address?
There's a prefix or suffix for Mac addresses that means self administered. A lot of them will let you change it if you use that
What about bluetooth? And does NFC have an hardware address?
Btw. if you want to use a random mac address just for one specific network you can simply add the following to the [wifi] section of the config file for that network (/etc/NetworkManager/system-connections/):

  cloned-mac-address=random
That way every time you connect to that network you will have a new, valid mac address.
I look forward to it when Ubuntu LTS includes a more recent NetworkManager :)

“I learned that NetworkManager 1.4.1+ can do MAC address randomization right out the box. If you’re using Ubuntu 17.04 upwards, you can get most of the way with this config file.”