<!--
Copyright:

   {{project_name_long}} MAC Address wiki page Copyright (C) Amnesia <amnesia at boum dot org>
   {{project_name_short}} MAC Address wiki page Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to:

    Free Software Foundation, Inc.
    51 Franklin St, Fifth Floor
    Boston, MA 02110-1301, USA.

On Debian GNU/Linux systems, the complete text of the GNU General Public
License can be found in the /usr/share/common-licenses' directory.

The complete text of the GNU General Public License can also be found online on gnu.org <https://www.gnu.org/licenses/gpl.html>, in {{project_name_short}} virtual machine images in /usr/share/common-licenses/GPL-3 file or on Github <https://github.com/{{project_name_short}}/derivative-maker/blob/master/GPLv3>.
-->
<!--
The {{project_name_short}} MAC Address wiki page is forked from the Tails Enable MAC Changer page, from this exact source <https://git.immerda.ch/?p=amnesia.git;a=blob;f=wiki/src/doc/advanced_topics/mac_changer.mdwn;hb=770c6f26f8dcd06452fef1c57dafb2878e0dee11> and on the Tails macchanger page from this exact source <https://git.immerda.ch/?p=amnesia.git;a=blob;f=wiki/src/todo/macchanger.mdwn;hb=f27853e23d7985594d54f00f30153b6acd97312e>.
-->
{{Header}}
{{#seo:
|description=MAC Address Spoofing and Tracking Threats
|image=MACaddress2131.jpg
}}
[[File:MACaddress2131.jpg|thumb]]
{{intro|
MAC Address Spoofing and Tracking Threats
}}
= MAC Address Documentation =

{{upstream_wiki}}

== Auto-connect Risk ==

Apart from the difficulty in creating an appropriate MAC address for spoofing purposes, there are also technical hurdles to overcome in the form of preventing automatic network connections.

It is futile to prepare a spoofed MAC address if the computer instantly connects to the public network after booting, disclosing the user's real MAC address in the process:

* <u>Physical Isolation:</u> {{project_name_gateway_long}} automatically connects to Tor after start.
* <u>USB Wi-FI Device:</u> Automatic connections might also occur, depending on the configuration.
* <u>VM users:</u> The host operating system most likely automatically connects via updates, perhaps time sync, and other avenues.

= Other Location Tracking Risks =

== Tor Entry Guard Fingerprinting ==

Dealing with the MAC address problem is only one piece of the larger location tracking puzzle. Users must also contend with changing the usual Tor entry guards used for connections across different locations, in order to prevent guard fingerprinting. To mitigate this threat, follow <u>one</u> of the  [[Tor_Entry_Guards#Mitigate_the_Threat_of_Guard_Fingerprinting|recommended configurations]]:

# [[Tor_Entry_Guards#Clone_Whonix-Gateway_(sys-whonix)_with_New_Entry_Guards|Clone {{project_name_gateway_short}} ({{project_name_gateway_vm}}) with New Entry Guards]].
# [[Tor_Entry_Guards#Regenerate_the_Tor_State_After_Saving_the_Tor_State_Folder|Regenerate the Tor State File after Saving the Current Tor State]].
# Configure Tor to use [[Tor_Entry_Guards#Alternating_Bridges|Alternating Bridges]].
# If moving to a new location permanently, create [[Tor_Entry_Guards#Fresh_Tor_Entry_Guards_by_Regenerating_the_Tor_State_File|Fresh Tor Entry Guards by Regenerating the Tor State File]].

To fully thwart this threat, entry guard changes are necessary for every Tor instance on the user's machine host (apt-transport-tor) and guest.

= Using Personal Computers in a Public Network =

{{mbox
| type      = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = This refers to using a personal laptop, desktop or any other Internet-facing device in a public network.
}}

In this scenario, the MAC address <u>must</u> be changed and a [[Tor_Entry_Guards#Mitigate_the_Threat_of_Guard_Fingerprinting|new set of Tor entry guards]] should also be configured. <ref>This process involves removal of the ''/var/lib/tor/state'' file.</ref> Attempts should be made to disguise the use of Tor from the administrator of the public network. Depending on the user's configuration, this may involve using an obfsproxy bridge or the tunneling of traffic through [[Tunnels/Connecting_to_SSH_before_Tor|SSH]] or a [[Tunnels/Connecting_to_a_VPN_before_Tor|VPN]] prior to connecting to the Tor network.

Depending on the user's threat model, changing the MAC address and using Tor might rule out revisiting that public network again in the future. If the same public network will be reused, then it is necessary to decide whether to use the same MAC address (and set of Tor entry guards) or to generate a new one.

If MAC address logging by the administrator is suspected, it is unwise to change the MAC address and arouse suspicion. If it is assessed the network is sufficiently public and observation is unlikely, then it might be safe to use a new MAC address -- with a popular vendor ID and random/unique second part (identifier) -- each time the network is used.

For further discussion on this rather complex topic, see [[Dev/MAC]].

= Changing MAC Addresses =

== Whonix ==

TODO: please help to test and improve these instructions.

{{Box|text=
'''1.''' Edit the network interfaces file.

* Standard-[[Download|{{project_name_short}}]]-Version (VM) users: Edit ''/etc/network/interfaces'' on the host.
* [[Dev/Build_Documentation/Physical_Isolation|Physical Isolation]] users: Edit ''/etc/network/interfaces'' on {{project_name_gateway_short}}.

'''2.''' Install macchanger.

In a terminal, run.

{{CodeSelect|code=
su
}}

{{CodeSelect|code=
apt update && apt install macchanger
}}

'''3.''' Change the MAC address.

{{mbox
| type      = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = The following steps will manually change the MAC address for the device. An example is provided for a wireless device (<code>wlan0</code>). Replace <code>wlan0</code> to match the device being spoofed, such as an ethernet device (<code>eth0</code>) and so on.
}}

{{CodeSelect|code=
su
}}

{{CodeSelect|code=
ifconfig wlan0 down
}}

{{CodeSelect|code=
macchanger -a wlan0
}}

{{CodeSelect|code=
ifconfig wlan0 up
}}

If instructions from Step 1+ did not work, the following steps might also work without macchanger. Replace <code>wlan0</code> to match the specific device.
{{CodeSelect|code=
su
}}

{{CodeSelect|code=
ifconfig wlan0 down
}}

{{CodeSelect|code=
ifconfig wlan0 hw ether 00:AA:BB:CC:DD:EE
}}

{{CodeSelect|code=
ifconfig wlan0 up
}}

Or use iproute2 commands to change the MAC address.
{{CodeSelect|code=
ip link set down wlan0
}}

{{CodeSelect|code=
ip link set wlan0 address 00:AA:BB:CC:DD:EE
}}

{{CodeSelect|code=
ip link set up wlan0
}}

'''4.''' Complete the MAC address change.

Below <code>iface eth0 inet dhcp</code>, add.

{{CodeSelect|code=
hwaddress ether 00:00....
}}

'''5.''' ''Optional:'' Automatically randomize the MAC address on boot.

If this is desired, add.

{{CodeSelect|code=
pre-up macchanger -e eth0
}}

'''6.''' Change new network interfaces settings.

To prevent new network interfaces being brought up automatically, comment the following.

{{CodeSelect|code=
auto eth0
}}

Then configure manual bring ups with the following setting.

{{CodeSelect|code=
sudo ifup eth0
}}
}}

= References =
{{reflist|close=1}}

= License =
{{License_Amnesia|{{FULLPAGENAME}}}}

{{Footer}}

[[Category:Documentation]]