security-misc
Implement MAC randomization to copy Android's behavior
https://source.android.com/docs/core/connect/wifi-mac-randomization-behavior
The MAC randomization feature randomizes the address by setting the locally administered bit to 1, and the unicast bit to 0. The other 46 bits are randomized.
To make randomization look like the way Android phones implement their randomization feature, the X bit in 0X:00:00:00:00:00 could only be 2, 6, a, or e [26ae], if my understanding is correct?
Documentation: https://man.archlinux.org/man/nm-settings.5 https://www.systutorials.com/docs/linux/man/5-nm-system-settings.conf/
802-3-ethernet.generate-mac-address-mask (wired) 802-11-wireless.generate-mac-address-mask (wireless)
With "cloned-mac-address" setting "random" or "stable", by default all bits of the MAC address are scrambled and a locally-administered, unicast MAC address is created. This property allows to specify that certain bits are fixed. Note that the least significant bit of the first MAC address will always be unset to create a unicast MAC address.
If the property is NULL, it is eligible to be overwritten by a default connection setting. If the value is still NULL or an empty string, the default is to create a locally-administered, unicast MAC address.
If the value contains one MAC address, this address is used as mask. The set bits of the mask are to be filled with the current MAC address of the device, while the unset bits are subject to randomization. Setting "FE:FF:FF:00:00:00" means to preserve the OUI of the current MAC address and only randomize the lower 3 bytes using the "random" or "stable" algorithm.
If the value contains one additional MAC address after the mask, this address is used instead of the current MAC address to fill the bits that shall not be randomized. For example, a value of "FE:FF:FF:00:00:00 68:F7:28:00:00:00" will set the OUI of the MAC address to 68:F7:28, while the lower bits are randomized. A value of "02:00:00:00:00:00 00:00:00:00:00:00" will create a fully scrambled globally-administered, burned-in MAC address.
If the value contains more than one additional MAC addresses, one of them is chosen randomly. For example, "02:00:00:00:00:00 00:00:00:00:00:00 02:00:00:00:00:00" will create a fully scrambled MAC address, randomly locally or globally administered.
This is what the string would be:
00:00:00:00:00:00 02:00:00:00:00:00 06:00:00:00:00:00 0a:00:00:00:00:00 0e:00:00:00:00:00
...but I'm not sure how it would be added to /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf?
[connection-mac-randomization]
ethernet.generate-mac-address-mask
wifi.generate-mac-address-mask
The reasoning is that MAC address randomization would look like that of GrapheneOS and Android users.
related or even duplicate:
- https://github.com/Kicksecure/security-misc/issues/184
@adrelanos So I tested this and it does indeed work (followed this Qubes guide). It copied the behavior of Android's MAC spoofing by using NetworkManager's mac-address-mask settings, which I'm sure many are unaware even exist. It also did not revert back to the permanent MAC address, from what I can tell from checking after disconnecting and reconnecting.
[device]
wifi.scan-rand-mac-address=yes
wifi.scan-generate-mac-address-mask=02:00:00:00:00:00 06:00:00:00:00:00 0A:00:00:00:00:00 0E:00:00:00:00:00
[connection]
wifi.cloned-mac-address=stable
wifi.generate-mac-address-mask=02:00:00:00:00:00 06:00:00:00:00:00 0A:00:00:00:00:00 0E:00:00:00:00:00
ethernet.cloned-mac-address=stable
ethernet.generate-mac-address-mask=02:00:00:00:00:00 06:00:00:00:00:00 0A:00:00:00:00:00 0E:00:00:00:00:00
connection.stable-id=${CONNECTION}/${BOOT}
I think this would be better than the 80_randomize-mac.conf and should replace it. However, I did not check with Wireshark for leaks.
As stated above, it would provide a better anonymity set than the default full random because at least it would look like an Android phone's randomization behavior. That said, I could not find any way to blacklist the MAC address NIC bit with NetworkManager. For future-proof implementations something like using a systemd service might be better, since NetworkManager has had some issues in the past with leakage and reverting back to the real MAC address; idk if that is no longer the case though.
So to not cause any confusion to anyone reading this I want to clarify some things.
- What this network manager configuration will do:
  - Spoof the full MAC address, the OUI (beginning) and the NIC (ending) bits.
  - Spoofing the MAC address the same way that Android phones do, by setting the locally administered bit to 1 and the unicast bit to 0.
    To achieve this the second digit of the MAC address can only be set to a 2, 6, A, or E.
    (Instead of 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, or F as the second bit.)
    The settings wifi.scan-generate-mac-address-mask, wifi.generate-mac-address-mask, and ethernet.generate-mac-address-mask are used to set this.
  - Generates a random MAC address each boot and doesn't revert back to the permanent MAC address when disconnecting/reconnecting.
    This is set by connection.stable-id=${CONNECTION}/${BOOT}
- "That said I could not find any way to blacklist the MAC Address NIC bit with network manager"
This might have come out confusing.
This configuration randomizes the NIC as well as the OUI, but there is always a chance with randomization that the random string generated for the NIC bit could be the same as the permanent address. What I mean is to blacklist the NIC, so that if randomization ever generated the same NIC as the permanent one it would restart generation.
Tails OS implements a way to restart the randomization if the randomized MAC's NIC is the same as the permanent address. Also noted: they are not relying on network manager to spoof the MAC and instead use macchanger.
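
A small model of the mask rule quoted from the NetworkManager man page, added here as an example (not code from NetworkManager, security-misc or Tails): it applies the mask value posted in the thread, checks the resulting first octet, and re-rolls when the lower three bytes match the permanent address, as described for Tails. The helper names and the permanent address are constructed for illustration, and the model does not cover NetworkManager's behaviour for bits the mask leaves unset.

```python
import secrets

def parse(mac):
    """'0A:00:00:00:00:00' -> 6 raw bytes."""
    raw = bytes(int(part, 16) for part in mac.split(":"))
    if len(raw) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return raw

def fmt(raw):
    return ":".join(f"{b:02X}" for b in raw)

def generate(value, current_mac, rand=secrets.token_bytes):
    """Apply a generate-mac-address-mask value as the man page text describes."""
    mask, *fills = [parse(tok) for tok in value.split()]
    # With no extra address, masked bits are taken from the current MAC.
    fill = secrets.choice(fills) if fills else parse(current_mac)
    out = bytearray((r & ~m) | (f & m) for r, m, f in zip(rand(6), mask, fill))
    out[0] &= 0xFE  # lowest bit of the first octet is always unset (unicast)
    return fmt(out)

def is_android_style(mac):
    """Locally administered bit (0x02) set and multicast bit (0x01) clear."""
    return (parse(mac)[0] & 0x03) == 0x02

def generate_avoiding_permanent_nic(value, permanent_mac,
                                    rand=secrets.token_bytes, max_tries=16):
    """Re-roll while the lower three bytes equal those of the permanent MAC."""
    for _ in range(max_tries):
        mac = generate(value, permanent_mac, rand)
        if parse(mac)[3:] != parse(permanent_mac)[3:]:
            return mac
    raise RuntimeError("kept generating the permanent NIC bytes")

# Mask value as posted in the thread; the permanent MAC is a constructed sample.
PAGE_MASK = ("02:00:00:00:00:00 06:00:00:00:00:00 "
             "0A:00:00:00:00:00 0E:00:00:00:00:00")
SAMPLE_PERMANENT = "68:F7:28:12:34:56"

if __name__ == "__main__":
    for _ in range(5):
        mac = generate_avoiding_permanent_nic(PAGE_MASK, SAMPLE_PERMANENT)
        print(mac, "android-style" if is_android_style(mac) else "other")
```

In the posted value the first address is the mask (only the 0x02 bit is fixed) and the remaining three are the fill candidates, all of which have that bit set, so every generated address has 2, 6, A or E as its second hex digit.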