Prevent device tracking by untrusted access points

Warning

This guide is deprecated. It does not currently work due to https://tracker.pureos.net/T775

Overview

Untrusted access points (e.g. your free coffee shop wifi) can recognise and track your device using your device-specific MAC address. The following procedure will cycle your MAC address by default, preventing device tracking by arbitrary access points.

It will also demonstrate how to declare a stable MAC address for trusted access points (e.g. your office ethernet). This is used, for example, by a trustworthy syadmin to assign you a permanent IP address.

This technique is sometimes called “MAC address spoofing”.

Procedure

1. Install macchanger. When prompted, answer “Yes” to cycle your MAC address.

sudo apt install macchanger

2. List all known connections

nmcli connection show

3. Enable a stable address for trusted connection (replace “Office Wi-Fi” with the name of the trusted connection).

nmcli connection modify "Office Wi-Fi" \
wifi.cloned-mac-address stable

4. Repeat step 3 for all trusted connections.

5. Make a connection

6. List all known connections and note the Device of the active connection

nmcli connection show

7. Confirm that your “current” and “permanent” MAC addresses are different (replace DEVICE with the value from step 6)

macchanger --show DEVICE
# for example, macchanger --show wlp1s0

Notes

1. macchanger runs with the --ending setting, so vendor bytes remain the same

2. For trusted connections a third, stable address will be used. This can be confirmed in Network Settings under the “Identity” tab. The “Cloned address” field will show “stable”. Use the following command to find out the MAC address (replace “CONNECTION NAME” with the connection name):

nmcli connection show
nmcli connection show "CONNECTION NAME" | grep mac-address

3. Tested with the following versions:

   • macchanger-1.7.0-5.4

   • network-manager-1.14.6-2

Alternate configuration

Alternatively you can trust all access points, and cycle your MAC address only for untrusted access points. In this case you don’t need to install macchanger, just use the following command (replace “CONNECTION NAME” with the connection name):

nmcli connection modify "CONNECTION NAME" wifi.cloned-mac-address random

See also

• https://perot.me/mac-spoofing-what-why-how-and-something-about-coffee

• https://packages.debian.org/stable/macchanger

• https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/