Phriction PureOS Wiki PureOS Tips & Tricks Prevent Device Tracking By Untrusted Access Points History Version 1 vs 3
Version 1 vs 3
Version 1 vs 3
Edits
Edits
- Edit by d3vid, Version 3
- May 23 2019 12:34
- ·add alternate configuration
- Edit by d3vid, Version 1
- May 21 2019 03:21
- ·created
Edit Older Version 1... | Edit Current Version 3... |
Content Changes
Content Changes
WARNING: This doesn't currently work due to https://tracker.pureos.net/T775
# Introduction
Untrusted endpoints (e.g. your free coffee shop wifi) can recognise and track your device using your device-specific MAC address. The following procedure will cycle your MAC address by default, preventing device tracking by arbitrary access points.
It will also demonstrate how to declare a stable MAC address for trusted access points (e.g. your office ethernet). This is used, for example, by a trustworthy syadmin to assign you a permanent IP address.
(This technique is sometimes called "MAC address spoofing".)
# Steps
1. Install macchanger. When prompted, answer "Yes" to cycle your MAC address.
```
sudo apt install macchanger
```
2. List all known connections
```
nmcli connection show
```
3. Enable a stable address for trusted connection (replace "Office Wi-Fi" with the name of the trusted connection).
```
nmcli connection modify "Office Wi-Fi" \
wifi.cloned-mac-address stable
```
4. Repeat step 3 for all trusted connections.
5. Make a connection
6. List all known connections and note the Device of the active connection
```
nmcli connection show
```
7. Confirm that your "current" and "permanent" MAC addresses are different (replace DEVICE with the value from step 6)
```
macchanger --show DEVICE
# for example, macchanger --show wlp1s0
```
**Notes:**
* macchanger runs with the `--ending` setting, so vendor bytes remain the same
* For trusted connections a third, stable address will be used. This can be confirmed in Network Settings under the "Identity" tab. The "Cloned address" field will show "stable". Use the following command to find out the MAC address (replace "CONNECTION NAME" with the connection name):
```
nmcli connection show
nmcli connection show "CONNECTION NAME" | grep mac-address
```
* Tested with the following versions:
* `macchanger-1.7.0-5.4`
* `network-manager-1.14.6-2`
**References:**
* https://perot.me/mac-spoofing-what-why-how-and-something-about-coffee
* https://packages.debian.org/stable/macchanger
* https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/
WARNING: This doesn't currently work due to https://tracker.pureos.net/T775
# Introduction
Untrusted access points (e.g. your free coffee shop wifi) can recognise and track your device using your device-specific MAC address. The following procedure will cycle your MAC address by default, preventing device tracking by arbitrary access points.
It will also demonstrate how to declare a stable MAC address for trusted access points (e.g. your office ethernet). This is used, for example, by a trustworthy syadmin to assign you a permanent IP address.
(This technique is sometimes called "MAC address spoofing".)
# Steps
1. Install macchanger. When prompted, answer "Yes" to cycle your MAC address.
```
sudo apt install macchanger
```
2. List all known connections
```
nmcli connection show
```
3. Enable a stable address for trusted connection (replace "Office Wi-Fi" with the name of the trusted connection).
```
nmcli connection modify "Office Wi-Fi" \
wifi.cloned-mac-address stable
```
4. Repeat step 3 for all trusted connections.
5. Make a connection
6. List all known connections and note the Device of the active connection
```
nmcli connection show
```
7. Confirm that your "current" and "permanent" MAC addresses are different (replace DEVICE with the value from step 6)
```
macchanger --show DEVICE
# for example, macchanger --show wlp1s0
```
## Notes
* macchanger runs with the `--ending` setting, so vendor bytes remain the same
* For trusted connections a third, stable address will be used. This can be confirmed in Network Settings under the "Identity" tab. The "Cloned address" field will show "stable". Use the following command to find out the MAC address (replace "CONNECTION NAME" with the connection name):
```
nmcli connection show
nmcli connection show "CONNECTION NAME" | grep mac-address
```
* Tested with the following versions:
* `macchanger-1.7.0-5.4`
* `network-manager-1.14.6-2`
## Alternate configuration
Alternatively you can trust all access points, and cycle your MAC address only for untrusted access points. In this case you don't need to install `macchanger`, just use the following command (replace "CONNECTION NAME" with the connection name):
```
nmcli connection modify "CONNECTION NAME" wifi.cloned-mac-address random
```
## References
* https://perot.me/mac-spoofing-what-why-how-and-something-about-coffee
* https://packages.debian.org/stable/macchanger
* https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/
WARNING: This doesn't currently work due to https://tracker.pureos.net/T775
# Introduction
Untrusted endaccess points (e.g. your free coffee shop wifi) can recognise and track your device using your device-specific MAC address. The following procedure will cycle your MAC address by default, preventing device tracking by arbitrary access points.
It will also demonstrate how to declare a stable MAC address for trusted access points (e.g. your office ethernet). This is used, for example, by a trustworthy syadmin to assign you a permanent IP address.
(This technique is sometimes called "MAC address spoofing".)
# Steps
1. Install macchanger. When prompted, answer "Yes" to cycle your MAC address.
```
sudo apt install macchanger
```
2. List all known connections
```
nmcli connection show
```
3. Enable a stable address for trusted connection (replace "Office Wi-Fi" with the name of the trusted connection).
```
nmcli connection modify "Office Wi-Fi" \
wifi.cloned-mac-address stable
```
4. Repeat step 3 for all trusted connections.
5. Make a connection
6. List all known connections and note the Device of the active connection
```
nmcli connection show
```
7. Confirm that your "current" and "permanent" MAC addresses are different (replace DEVICE with the value from step 6)
```
macchanger --show DEVICE
# for example, macchanger --show wlp1s0
```
**## Notes:**
* macchanger runs with the `--ending` setting, so vendor bytes remain the same
* For trusted connections a third, stable address will be used. This can be confirmed in Network Settings under the "Identity" tab. The "Cloned address" field will show "stable". Use the following command to find out the MAC address (replace "CONNECTION NAME" with the connection name):
```
nmcli connection show
nmcli connection show "CONNECTION NAME" | grep mac-address
```
* Tested with the following versions:
* `macchanger-1.7.0-5.4`
* `network-manager-1.14.6-2`
**References:**## Alternate configuration
Alternatively you can trust all access points, and cycle your MAC address only for untrusted access points. In this case you don't need to install `macchanger`, just use the following command (replace "CONNECTION NAME" with the connection name):
```
nmcli connection modify "CONNECTION NAME" wifi.cloned-mac-address random
```
## References
* https://perot.me/mac-spoofing-what-why-how-and-something-about-coffee
* https://packages.debian.org/stable/macchanger
* https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/