Prevent Device Tracking By Untrusted Access Points
Updated 60 Days Ago

WARNING: This doesn't currently work due to https://tracker.pureos.net/T775

Introduction

Untrusted access points (e.g. your free coffee shop wifi) can recognise and track your device using your device-specific MAC address. The following procedure will cycle your MAC address by default, preventing device tracking by arbitrary access points.

It will also demonstrate how to declare a stable MAC address for trusted access points (e.g. your office ethernet). This is used, for example, by a trustworthy sysadmin to assign you a permanent IP address.

(This technique is sometimes called "MAC address spoofing".)

Steps

  1. Install macchanger. When prompted, answer "Yes" to cycle your MAC address.
       sudo apt install macchanger
  2. List all known connections.
       nmcli connection show
  3. Enable a stable address for a trusted connection (replace "Office Wi-Fi" with the name of the trusted connection).
       nmcli connection modify "Office Wi-Fi" \
         wifi.cloned-mac-address stable
  4. Repeat step 3 for all trusted connections.
  5. Make a connection.
  6. List all known connections and note the Device of the active connection.
       nmcli connection show
  7. Confirm that your "current" and "permanent" MAC addresses are different (replace DEVICE with the value from step 6).
       macchanger --show DEVICE
       # for example, macchanger --show wlp1s0

Notes

  • macchanger runs with the --ending setting, so vendor bytes remain the same
  • For trusted connections a third, stable address will be used. This can be confirmed in Network Settings under the "Identity" tab. The "Cloned address" field will show "stable". Use the following command to find out the MAC address (replace "CONNECTION NAME" with the connection name):
      nmcli connection show
      nmcli connection show "CONNECTION NAME" | grep mac-address
  • Tested with the following versions:
    • macchanger-1.7.0-5.4
    • network-manager-1.14.6-2
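
The check from step 7, combined with the vendor-byte note above, can be scripted. This is an added example, not part of the original page or of macchanger; it assumes the "Current MAC:" / "Permanent MAC:" line format printed by macchanger 1.7.0, and the function names and the file name check.sh are hypothetical.

```shell
#!/bin/sh
# Added example: classify `macchanger --show DEVICE` output.
# Assumption: output has "Current MAC:" and "Permanent MAC:" lines,
# each followed by the address (format as printed by macchanger 1.7.0).

# Print the lowercased address from the line starting with label $1.
mac_field() {
    awk -v label="$1" 'index($0, label) == 1 { print tolower($3); exit }'
}

# Succeed only for a well-formed, lowercased MAC address.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Read macchanger output on stdin and print one verdict:
#   rotated                 current != permanent, vendor bytes kept (--ending)
#   rotated-vendor-changed  current != permanent, vendor bytes differ
#   permanent               current == permanent: device is trackable
#   unparsed                expected lines missing or malformed
classify_macchanger() {
    out=$(cat)
    cur=$(printf '%s\n' "$out" | mac_field "Current MAC:")
    perm=$(printf '%s\n' "$out" | mac_field "Permanent MAC:")
    if ! is_mac "$cur" || ! is_mac "$perm"; then
        echo unparsed
    elif [ "$cur" = "$perm" ]; then
        echo permanent
    elif [ "$(echo "$cur" | cut -d: -f1-3)" = "$(echo "$perm" | cut -d: -f1-3)" ]; then
        echo rotated
    else
        echo rotated-vendor-changed
    fi
}

# Live use: sh check.sh wlp1s0 (does nothing when no device is given).
if [ -n "${1:-}" ] && command -v macchanger >/dev/null 2>&1; then
    macchanger --show "$1" | classify_macchanger
fi
```

A verdict of "permanent" on an untrusted connection means the address is not being cycled and the device remains trackable by that access point.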

Alternate configuration

Alternatively you can trust all access points, and cycle your MAC address only for untrusted access points. In this case you don't need to install macchanger, just use the following command (replace "CONNECTION NAME" with the connection name):

nmcli connection modify "CONNECTION NAME" wifi.cloned-mac-address random

Last Author
d3vid