MAC Address Spoofing and Tracking Threats

For Whonix on macOS, see macOS.

Introduction[edit]

All network cards, both wired and wireless, have a unique identifier called a MAC address. ^[1] MAC addresses are stored in hardware and are used to assign an address to computers on the local network.

The MAC address is normally not traceable because it is not passively sent to computers beyond the local router. ^[2] However, other computers on the local network can potentially log it, which would then provide proof the user's computer connected to that specific network. If users intend to use an untrusted, public network then MAC spoofing should be considered. ^[3]

MAC Spoofing Warning[edit]

Warning: According to recent research, MAC address spoofing is not effective against advanced tracking techniques that can still enumerate the address by inspecting the physical characteristics of the Wi-Fi card. ^[4] Unfortunately, a viable solution requires manufacturers to modify drivers or firmware of their hardware products to add privacy preserving mitigations.

Auto-connect Risk[edit]

Apart from the difficulty in creating an appropriate MAC address for spoofing purposes, there are also technical hurdles to overcome in the form of preventing automatic network connections.

It is futile to prepare a spoofed MAC address if the computer instantly connects to the public network after booting, disclosing the user's real MAC address in the process:

Physical Isolation: Whonix-Gateway^™ automatically connects to Tor after start.
USB Wi-FI Device: Automatic connections might also occur, depending on the configuration.
VM users: The host operating system most likely automatically connects via updates, perhaps time sync, and other avenues.

Burner Wi-Fi USB Sticks[edit]

One immediate workaround for the Wi-Fi card profiling threat is to buy new "burner" Wi-Fi USB sticks from different manufacturers. Take care to disable the computer's native Wi-Fi functionality in the BIOS settings if pursuing this option -- the computer's characteristics will have likely been logged if it was ever used from an untrusted hotspot. Burner devices should only be enabled for connectivity at the intended public destination. If this advice is ignored and burner devices are used for network connections at locations tied to or regularly visited by the user, this can lead to deanonymization. A different burner stick should be used for each new location to avoid geographical profiling / tracking.

Random MAC Addresses[edit]

Warning: Using a completely random MAC address is not recommended. While this technique might be sufficient to confuse lesser adversaries, it will not defeat skilled adversaries.

The problem with using a random MAC address is that the chosen vendor ID may be non-existent. Even if it exists, it is possible to end up with a vendor ID which has either never been used or not for decades. When spoofing MAC addresses, it is critical to use a popular vendor ID. The initial, second part of the MAC address can safely be random or unique. ^[5]

Research on this issue is still ongoing. At present, Whonix cannot provide detailed instructions on how to create appropriate MAC addresses fulfilling the criteria above.

Other Location Tracking Risks[edit]

Authentication Fingerprinting Techniques[edit]

An authentication technique can fingerprint devices by observing inter-packet timings on a LAN's wire-segment; one side effect is that user devices can be tracked. The timing effects are the result of how various components in a machine create packets. ^[6] Fortunately, this technique cannot be used to identify devices across the Internet. ^[7]

This technique can be defeated by inducing random delays in a machine's packet stream. Since there is no problem with impersonating other devices on the LAN, it does not matter that such an authentication system will view these machines as "unknown". ^[8] Note also that spectrum analyzers have been used to fingerprint the unique electromagnetic (EM) characteristics of a Wi-Fi card. The disposable USB Wi-Fi workaround described further above would mitigate this attack. ^[9]

Tor Entry Guard Fingerprinting[edit]

Dealing with the MAC address problem is only one piece of the larger location tracking puzzle. Users must also contend with changing the usual Tor entry guards used for connections across different locations, in order to prevent guard fingerprinting. To mitigate this threat, follow one of the recommended configurations:

Clone Whonix-Gateway (sys-whonix) with New Entry Guards.
Regenerate the Tor State File after Saving the Current Tor State.
Configure Tor to use Alternating Bridges.
If moving to a new location permanently, create Fresh Tor Entry Guards by Regenerating the Tor State File.

To fully thwart this threat, entry guard changes are necessary for every Tor instance on the user's machine host (apt-transport-tor) and guest.

MAC Spoofing on Different Networks[edit]

Home Connections[edit]

Tip: MAC address changes for home connections are not required.

Warning: This recommendation comes with an important caveat. If a browser exploit is successfully used to reveal activities outside a VM, then the physical MAC address might be discovered by the attacker. If a user is already under suspicion, this would eventually provide proof of identity. In this scenario, if the MAC address was changed beforehand, then root access is required to discover the real physical address (this has not yet been tested).

Connectivity Risk[edit]

If the user's home network has a cable modem internet connection, the ISP either provides the cable modem device as part of the service or requires pre-registration of the MAC address of the self-provided cable modem in order to setup the service.

If a user manages to hack or change the MAC address of the modem, the service would immediately cease functioning because the IP address assignment is apportioned for, and bound to, that specific MAC address. As a result, when connecting from behind a cable modem/NAT router, MAC address spoofing of the computer's ethernet adapter may be pointless. If a user is traced, the trackable endpoint will be the MAC address of the cable modem device.

Public Computers[edit]

This refers to use of computers in public places like libraries and Internet cafes.

The MAC address should not be changed in this scenario, otherwise it may bring undesired administrator attention to the service/user and/or simply prevent access to the Internet.

Using Personal Computers in a Public Network[edit]

This refers to using a personal laptop, desktop or any other Internet-facing device in a public network.

In this scenario, the MAC address must be changed and a new set of Tor entry guards should also be configured. ^[10] Attempts should be made to disguise the use of Tor from the administrator of the public network. Depending on the user's configuration, this may involve using an obfsproxy bridge or the tunneling of traffic through SSH or a VPN prior to connecting to the Tor network.

Depending on the user's threat model, changing the MAC address and using Tor might rule out revisiting that public network again in the future. If the same public network will be reused, then it is necessary to decide whether to use the same MAC address (and set of Tor entry guards) or to generate a new one.

If MAC address logging by the administrator is suspected, it is unwise to change the MAC address and arouse suspicion. If it is assessed the network is sufficiently public and observation is unlikely, then it might be safe to use a new MAC address -- with a popular vendor ID and random/unique second part (identifier) -- each time the network is used.

For further discussion on this rather complex topic, see Dev/MAC.

Changing MAC Addresses[edit]

Linux Hosts[edit]

If you are interested in MAC address spoofing in Non-Qubes-Whonix, please press on Expand on the right.

Non-Qubes-Whonix^™ means all Whonix platforms except Qubes-Whonix^™. This includes Whonix KVM, Whonix VirtualBox and Whonix Physical Isolation.

TODO: please help to test and improve these instructions.

1. Edit the network interfaces file.

Standard-Whonix-Version (VM) users: Edit /etc/network/interfaces on the host.
Physical Isolation users: Edit /etc/network/interfaces on Whonix-Gateway.

2. Install macchanger.

In a terminal, run.

su

apt update && apt install macchanger

3. Change the MAC address.

The following steps will manually change the MAC address for the device. An example is provided for a wireless device (wlan0). Replace wlan0 to match the device being spoofed, such as an ethernet device (eth0) and so on.

su

ifconfig wlan0 down

macchanger -a wlan0

ifconfig wlan0 up

If instructions from Step 1+ did not work, the following steps might also work without macchanger. Replace wlan0 to match the specific device. su

ifconfig wlan0 down

ifconfig wlan0 hw ether 00:AA:BB:CC:DD:EE

ifconfig wlan0 up

Or use iproute2 commands to change the MAC address. ip link set down wlan0

ip link set wlan0 address 00:AA:BB:CC:DD:EE

ip link set up wlan0

4. Complete the MAC address change.

Below iface eth0 inet dhcp, add.

hwaddress ether 00:00....

5. Optional: Automatically randomize the MAC address on boot.

If this is desired, add.

pre-up macchanger -e eth0

6. Change new network interfaces settings.

To prevent new network interfaces being brought up automatically, comment the following.

auto eth0

Then configure manual bring ups with the following setting.

sudo ifup eth0

macOS Hosts[edit]

These steps are untested.

1. Find the current MAC address of the interface. ^[11]

Open System Preferences.
Click on Network.
Select the interface from the listbox on the left.
Select the Advanced button.
Click the Hardware tab.

The first line is the MAC address of the interface.

2. Change the MAC address.

Note: There is no eth0 on default macOS configurations. By default, en0 and en1 are the physical network connections (wired and wireless LAN). ^[12] Disconnect from any networks before running these commands.

In a terminal, run as an administrator.

ifconfig en0 | grep ether

The output will show the MAC address for the en0 interface. Depending on how many interfaces there are on the computer, the command might need to be run several times by adding 1 to the number each time.

Once a MAC address is listed that matches the one seen via System Preferences, the user knows which interface (en0, en1 ...) to change.

In a terminal, run the following as an administrator. Below, change en0 to match the relevant interface, and replace "XX:XX:XX:XX:XX:XX" with the desired new MAC address, for example: f8:1e:df:d8:9d:8a

sudo ifconfig en0 ether XX:XX:XX:XX:XX:XX

3. Check the MAC address has changed.

In a terminal, re-run.

ifconfig en0 | grep ether

The output should show a value matching the user's change.

Qubes Hosts[edit]

Qubes OS does not currently “anonymize” or spoof the MAC address automatically.

Qubes users can manually change MAC addresses in the NetVM by following either the Network Manager or macchanger guides. MAC Address Randomization capability for Wi-Fi has been implemented, but it is not applied by default.

Refer to the following Qubes documentation and related support items for further information and advice:

Windows Hosts[edit]

In Windows, the MAC address can be changed with specific tools, by editing the registry or via Device Manager.

The following steps spoof the MAC address in Windows 10 via Device Manager: ^[13]

Press Windows Key + X.
Select Device Manager.
Expand the list of network adapters.
Right-click the appropriate adapter.
Select Properties.
Navigate to Advanced tab.
Select Network Address.
Enter any 12 digit hexadecimal value.
Click OK.

Reboot the computer for the changes to take effect. To check the changes are functional, in a terminal run.

ipconfig /all

The physical address of the adapter should show a new MAC address.

Sources[edit]

See footnote. ^[14]

References[edit]

↑ https://en.wikipedia.org/wiki/MAC_address
↑ Unless the computer is infected with malware designed to disclose this identifier.
↑ https://en.wikipedia.org/wiki/MAC_spoofing
↑ Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms
↑ Also note that if MAC address changing is always enabled, it might cause connectivity problems on some networks.
↑ A Passive Technique for Fingerprinting Wireless Devices with Wired-side Observations
↑ The primary weakness of this technique is that it relies on fine-grained packet timing; timing that is lost as a result of buffering in switches and routers. Therefore, this technique and similar methods are not suited for identification across the Internet. Rather, it is perfectly suited for the significant challenge of local network access control and other local network activities like counterfeit detection.
↑ Figure 7(a) shows attackers that can vary their packet sizes, change their data rate, and tunnel their packets through another protocol. Figure 7(b) presents attackers that can introduce constant or random delays to the packet stream and load the CPU with intensive applications to overshadow normal behavior. Figure 7(c) shows an attacker that can modify or change its operating system. GTID (the passive fingerprinting method) detects these attacks and classifies all of these devices that generated attack traffic from previously seen devices as unknown.
↑ There have also been physical layer approaches to fingerprinting wireless devices. Radio frequency (RF) emitter fingerprinting uses the distinct EM characteristics that arise from differences in circuit topology and manufacturing tolerances. This approach has a history of use in cellular systems and has more recently been applied to Wi-Fi and Bluetooth emitters. The EM properties fingerprint the unique transmitter of a signal and these differ from emitter to emitter. This technique requires expensive signal analyzer hardware to be within RF range of the target.
↑ This process involves removal of the /var/lib/tor/state file.
↑ https://www.online-tech-tips.com/computer-tips/how-to-change-mac-address/
↑ https://superuser.com/questions/1190550/physical-and-wireless-interfaces-in-macos
↑ https://windowsreport.com/mac-address-changer-windows-10/
↑
- https://tails.boum.org/contribute/design/MAC_address/
- https://gitlab.tails.boum.org/tails/tails/-/issues/5421
- https://gitlab.tails.boum.org/tails/blueprints/-/wikis/macchanger/
- Worth reading! Thanks to Tails!
- Dev/MAC

License[edit]

Whonix MAC Address wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix MAC Address wiki page Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP <adrelanos(at)whonix.org (Replace (at) with @.)Please DO NOT use e-mail for one of the following reasons: Private Contact: Please avoid e-mail whenever possible. (Private Communications Policy) Leaks Submissions: No. (No Leaks Policy) Sponsored posts: No. Paid links: No. SEO reviews: No. >
This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.

Whonix

The most watertight privacy operating system in the world.

Dark mode

FREE · PLUS · PREMIUM Support

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint

2012-2023 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 10 year success story and maybe DONATE!

[1] ttps://en.wikipedia.org/wiki/MAC_address

[2] Unless the computer is infected with malware designed to disclose this identifier.

[3] ttps://en.wikipedia.org/wiki/MAC_spoofing

[4] Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms

[5] Also note that if MAC address changing is always enabled, it might cause connectivity problems on some networks.

[6] A Passive Technique for Fingerprinting Wireless Devices with Wired-side Observations

[7] The primary weakness of this technique is that it relies on fine-grained packet timing; timing that is lost as a result of buffering in switches and routers. Therefore, this technique and similar methods are not suited for identification across the Internet. Rather, it is perfectly suited for the significant challenge of local network access control and other local network activities like counterfeit detection.

[8] Figure 7(a) shows attackers that can vary their packet sizes, change their data rate, and tunnel their packets through another protocol. Figure 7(b) presents attackers that can introduce constant or random delays to the packet stream and load the CPU with intensive applications to overshadow normal behavior. Figure 7(c) shows an attacker that can modify or change its operating system. GTID (the passive fingerprinting method) detects these attacks and classifies all of these devices that generated attack traffic from previously seen devices as unknown.

[9] There have also been physical layer approaches to fingerprinting wireless devices. Radio frequency (RF) emitter fingerprinting uses the distinct EM characteristics that arise from differences in circuit topology and manufacturing tolerances. This approach has a history of use in cellular systems and has more recently been applied to Wi-Fi and Bluetooth emitters. The EM properties fingerprint the unique transmitter of a signal and these differ from emitter to emitter. This technique requires expensive signal analyzer hardware to be within RF range of the target.

[10] This process involves removal of the /var/lib/tor/state file.

[11] ttps://www.online-tech-tips.com/computer-tips/how-to-change-mac-address/

[12] ttps://superuser.com/questions/1190550/physical-and-wireless-interfaces-in-macos

[13] ttps://windowsreport.com/mac-address-changer-windows-10/

[14] 
https://tails.boum.org/contribute/design/MAC_address/

https://gitlab.tails.boum.org/tails/tails/-/issues/5421

https://gitlab.tails.boum.org/tails/blueprints/-/wikis/macchanger/

Worth reading! Thanks to Tails!

Dev/MAC

[15] ttps://tails.boum.org/contribute/design/MAC_address/

[16] ttps://gitlab.tails.boum.org/tails/tails/-/issues/5421

[17] ttps://gitlab.tails.boum.org/tails/blueprints/-/wikis/macchanger/

[18] Worth reading! Thanks to Tails!

[19] Dev/MAC

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

MAC Address

Contents