Randomize your MAC address using NetworkManager

Today, users run their notebooks everywhere. To stay connected you use the local wifi to access the internet, on the couch at home or in a little cafe with your favorite coffee. But modern hotspots track you based on your MAC address, an address that is unique per network card, and in this way identifies your device. Read more below about how to avoid this kind of tracking.

Why is this a problem? Many people use the word “privacy” to talk about this issue. But the concern is not about someone accessing the private contents of your laptop (that’s a separate issue). Instead, it’s about legibility — in simple terms, the ability to be easily counted and tracked. You can and should read more  about legibility. But the bottom line is legibility gives the tracker power over the tracked. For instance, timed WiFi leases at the airport can only be enforced when you’re legible.

Since a fixed MAC address for your laptop is so legible (easily tracked), you should change it often. A random address is a good choice. Since MAC-addresses are only used within a local network, a random MAC-address is unlikely to cause a collision.

Configuring NetworkManager

To apply randomized MAC-addresses by default to all WiFi connections, create the following file /etc/NetworkManager/conf.d/00-macrandomize.conf :

[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=stable
ethernet.cloned-mac-address=stable
connection.stable-id=${CONNECTION}/${BOOT}

Afterward, restart NetworkManager:

systemctl restart NetworkManager

Set cloned-mac-address to stable to generate the same hashed MAC every time a NetworkManager connection activates, but use a different MAC with each connection. To get a truly random MAC with every activation, use random instead.

The stable setting is useful to get the same IP address from DHCP, or a captive portal might remember your login status based on the MAC address. With random you may be required to re-authenticate (or click “I agree”) on every connect. You probably want “random” for that airport WiFi. See the NetworkManager blog post for a more detailed discussion and instructions for using nmcli to configure specific connections from the terminal.

To see your current MAC addresses, use ip link. The MAC follows the word ether.

$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp2s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000
    link/ether 52:54:00:5f:d5:4e brd ff:ff:ff:ff:ff:ff
3: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000
    link/ether 52:54:00:03:23:59 brd ff:ff:ff:ff:ff:ff

When not to randomize your MAC address

Naturally, there are times when you do need to be legible. For instance, on your home network, you may have configured your router to assign your notebook a consistent private IP for port forwarding. Or you might allow only certain MAC addresses to use the WiFi. Your employer probably requires legibility as well.
To change a specific WiFi connection, use nmcli to see your NetworkManager connections and show the current settings:

$ nmcli c | grep wifi
Amtrak_WiFi    5f4b9f75-9e41-47f8-8bac-25dae779cd87 wifi -- 
StaplesHotspot de57940c-32c2-468b-8f96-0a3b9a9b0a5e wifi -- 
MyHome         e8c79829-1848-4563-8e44-466e14a3223d wifi wlp1s0 
...
$ nmcli c show 5f4b9f75-9e41-47f8-8bac-25dae779cd87 | grep cloned
802-11-wireless.cloned-mac-address:     --
$ nmcli c show e8c79829-1848-4563-8e44-466e14a3223d | grep cloned
802-11-wireless.cloned-mac-address:     stable

This example uses a fully random MAC for Amtrak (which is currently using the default), and the permanent MAC for MyHome (currently set to stable). The permanent MAC was assigned to your network interface when it was manufactured. Network admins like to use the permanent MAC to see manufacturer IDs on the wire.

Now, make the changes and reconnect the active interface:

$ nmcli c modify 5f4b9f75-9e41-47f8-8bac-25dae779cd87 802-11-wireless.cloned-mac-address random
$ nmcli c modify e8c79829-1848-4563-8e44-466e14a3223d 802-11-wireless.cloned-mac-address permanent
$ nmcli c down e8c79829-1848-4563-8e44-466e14a3223d
$ nmcli c up e8c79829-1848-4563-8e44-466e14a3223d
$ ip link
...

You can also install NetworkManager-tui to get the nmtui command for nice menus when editing connections.

Conclusion

When you walk down the street, you should stay aware of your surroundings, and on the alert for danger. In the same way, learn to be aware of your legibility when using public internet resources.

Using Software

22 Comments

  1. Akarshan Biswas

    Excellent article. It would much easier if gnome network applet offers that.(Just for non tech savvy users). 🙂

    • The NetworkManager applet in Cinnamon can set the cloned-mac policy. It is under Network Connections. I don’t use Gnome3, but I strongly suspect there is a way to do it hidden somewhere in the GUI – and hopefully a Gnome expert can let us know where it is.

      • Flo

        How it works in Gnome 3:

        Under Settings go to ‘Wi-Fi’, then click on the cogwheel (connection-specific settings). Under Identity, the second tab, you can set both MAC address and Cloned Address. Cloned address can be ‘stable’, ‘random’, ‘permanent’ (and maybe something else?).

        You can do the same for wired connections.

    • Peter

      I haven’t found it either. Maybe somebody could give us an hint.

        • I installed Gnome3 in a VM, and I can set cloned MAC policy via nmcli for virtual “wired” device ens3. However, the GUI will only accept a MAC. When I set “random” via nmcli and then display in GUI, it shows “random” in red – flagging it as a user entry error.

          While there is no virtual wireless for the VM, I suspect the behavior is the same for WiFi.

          nmtui, on the other hand, works perfectly well – and is the way to go for those who need menus and data entry fields.

          • Flo

            Sorry for the misinformation. I had thought that’s where you set in Gnome 3.

            I changed the wifi.cloned-mac-address=random using CLI and the string would show up in NetworkManager in a red frame. I think that’s a bug in NetworkManager. It should either show the cloned MAC address or not show anything at all, but not the value of wifi.cloned-mac-address.

            Worth reporting?

            @Paul: Of course, CLI commands as described in the article or nmtui will do the job. The question here was if the same can be achieved using gnome’s NetworkManager. The answer seems to be No.

            It’s time for yet another Gnome extension…

        • Peter

          At least I don’t see it…. I get the following dialog: http://de.tinypic.com/r/f9f37q/9
          I dont’s see any option random or permanent…

          • The NetworkManager command line or nmtui will work to do what you want; see the article for info.

            • Peter

              I belief you. Never the less, with the goal to be as user-friendly as possible I’d find it better if the solution as described by Flo would work also for me and any other Gnome user 🙂

              • It’s a common misconception that an undocumented option is somehow better than no option. There are better ways to be user-friendly, though. To do this properly would need a more rigorous user-centric design.

  2. svsv sarma

    … so much for a novice like me! I better leave it at that and continue. I feel sometimes ignorance is bliss.

  3. Hans Meiser

    Great article! Many thanks!

  4. Frederik

    If you’re having problems on a Microsoft Surface 3 (and possible other models) where the wifi is horribly unstable, disabling randomized MAC will help a lot. Particularly with 4.17+ kernels, where the wifi simply doesn’t work with randomized MACs.

    • The “stable” option (keep the same hashed MAC for a given connection) should work with those situations. That still reduces legibility compared to using the same MAC across all connections. (Where “connection” is a NetworkManager connection object, not a “connection activation”, which is confusingly called a “connection” in other contexts.)

  5. … is an interesting article as a solution, I do not consider it a practical solution. In relation to an internet provider I would prefer a selinux with software (browser, web server) or network traffic encryption.

    • Don’t confuse privacy with legibility. Protecting the content of your transmissions is very important also, but does not address legibility. You can see a similar distinction in news discussions where certain government agencies track phone calls – which numbers called which other numbers – without necessarily recording or decrypting the actual content of the call.

  6. dekks herton

    Maybe not worth the effort on 2 fronts, many wifi chips have buggy implementations & this https://www.theregister.co.uk/2017/03/10/mac_address_randomization/

    • The 2017 paper you mention notes bugs in Android implementations (not relevant for Fedora), and a hardware bug in RTS/CTS protocol for most (nearly all) WiFi chipsets. You can see whether Fedora was able to successfully set the MAC by using ip link or ifconfig.

      The hardware bug works like this:

      WiFi clients send RTS to a WAP when they want to transmit, and the WAP responds with CTS. The attack works on WiFi chipsets that support AP mode. If you send RTS to the permanent MAC of the WiFi chipset, even if it is currently a client, it will respond with CTS based on radio conditions as if it were an AP. The CTS response does not contain the MAC, but it only responds to its permanent MAC in the RTS (when radio conditions would be clear for a client to send).

      Thus the attack requires guessing the permanent MAC of the device in the RTS, and using a random MAC in the RTS. Since a lot of RTS/CTS packets are used for WiFi, you get a lot of guesses. When you get a CTS response to the random MAC used in the RTS, you know your guess of the permanent MAC was correct.

      This does not directly divulge the permanent MAC, but confirms a guess of the permanent MAC. The guess does not have to be random, however. For instance, if you have ever used your permanent MAC, it can be added to a database of MACs to guess at. A little creative thought can come up with more ways to utilize this correct guess confirmation flaw.

  7. Zac

    Thanks for writing something on privacy. I appreciate the time spent to do this and to share some wisdom. Like many things with privacy, its very individual to the person and situation. I never perceived this article to provide absolute protection, and I don’t think that was the intent of the author. This article however, is yet another tool to put in our toolbox to use. I hope others will see this as well.

    Thanks

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions

%d bloggers like this: