I wanted to chime in about this.
It's pretty easy, I'd say trivial to see if its the same device if you
where to look at an example of what network logs or dhcp logging may
look like:
```
| Time | Source MAC | Hostname | Destination MAC
| Protocol | Source Port | Destination Port | Length | Info
| Client IP |
|----------------|---------------------|------------|----------------------|----------|-------------|------------------|--------|--------------------------------|-------------------|
| 11:47:12.654 | 88:12:4e:5a:db:4c | | 00:25:86:df:9a:5e
| ARP | - | - | 42 | Who has
192.168.1.100? | 192.168.1.100 |
| 11:47:13.987 | 98:10:e8:64:55:da | Iphone16 | 00:25:86:df:9a:5e
| ARP | - | - | 42 | Who has
192.168.1.101? | 192.168.1.101 |
| 11:47:15.320 | 00:04:23:a2:8c:fb | Windows11 | 00:25:86:df:9a:5e
| ARP | - | - | 42 | Who has
192.168.1.102? | 192.168.1.102 |
| 11:47:16.653 | 88:12:4e:b4:36:4c | | 00:25:86:df:9a:5e
| ARP | - | - | 42 | Who has
192.168.1.103? | 192.168.1.103 |
| 11:47:18.986 | 88:12:4e:0a:16:a5 | | 00:25:86:df:9a:5e
| ARP | - | - | 42 | Who has
192.168.1.104? | 192.168.1.104 |
| 11:47:20.319 | 00:b3:62:96:a2:4d | JohnsPhone | 00:d0:e1:12:f6:ee
| TCP | 54321 | 80 | 1500 | HTTP GET
/index.html | 192.168.1.50 |
| 11:47:21.652 | 88:12:4e:fb:27:e9 | | 7c:1b:4d:22:8e:ef
| UDP | 12345 | 12345 | 100 | DNS Query
| 192.168.1.120 |
| 11:47:22.985 | 88:12:4e:d3:5f:e0 | | 40:61:86:2e:8f:9c
| ICMP | - | - | 56 | Echo Request
| 192.168.1.130 |
| 11:47:24.318 | 98:10:e8:64:55:da | Iphone16 | 34:21:9d:81:5f:4c
| TCP | 80 | 54321 | 1200 | HTTP Response
| 192.168.1.150 |
| 11:47:25.651 | 88:12:4e:1a:0e:0e | | 50:7b:9d:12:34:56
| ARP | - | - | 42 | Who has
192.168.1.105? | 192.168.1.105 |
| 11:47:27.984 | 00:04:23:a2:8c:fb | Windows11 | 60:1e:5c:3a:2b:4d
| ARP | - | - | 42 | Who has
192.168.1.106? | 192.168.1.106 |
```
All one has to do is look for devices with the same OUI in the MAC
address and no hostname...
(Bellow is the table in html if above doesn't format correctly in the email)
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Network Traffic</title>
<style type="text/css">
body {
margin: 0;
padding: 0;
font-family: Arial, sans-serif;
}
table {
width: 100%;
border-collapse: collapse;
margin: 20px 0;
}
th, td {
padding: 12px;
border: 1px solid #ddd;
text-align: left;
}
th {
background-color: #f0f0f0;
}
</style>
</head>
<body>
<table>
<tr>
<th>Time</th>
<th>Source MAC</th>
<th>Hostname</th>
<th>Destination MAC</th>
<th>Protocol</th>
<th>Source Port</th>
<th>Destination Port</th>
<th>Length</th>
<th>Info</th>
<th>Client IP</th>
</tr>
<tr>
<td>11:47:12.654</td>
<td>88:12:4e:5a:db:4c</td>
<td></td>
<td>00:25:86:df:9a:5e</td>
<td>ARP</td>
<td>-</td>
<td>-</td>
<td>42</td>
<td>Who has 192.168.1.100?</td>
<td>192.168.1.100</td>
</tr>
<tr>
<td>11:47:13.987</td>
<td>98:10:e8:64:55:da</td>
<td>Iphone16</td>
<td>00:25:86:df:9a:5e</td>
<td>ARP</td>
<td>-</td>
<td>-</td>
<td>42</td>
<td>Who has 192.168.1.101?</td>
<td>192.168.1.101</td>
</tr>
<tr>
<td>11:47:15.320</td>
<td>00:04:23:a2:8c:fb</td>
<td>Windows11</td>
<td>00:25:86:df:9a:5e</td>
<td>ARP</td>
<td>-</td>
<td>-</td>
<td>42</td>
<td>Who has 192.168.1.102?</td>
<td>192.168.1.102</td>
</tr>
<tr>
<td>11:47:16.653</td>
<td>88:12:4e:b4:36:4c</td>
<td></td>
<td>00:25:86:df:9a:5e</td>
<td>ARP</td>
<td>-</td>
<td>-</td>
<td>42</td>
<td>Who has 192.168.1.103?</td>
<td>192.168.1.103</td>
</tr>
<tr>
<td>11:47:18.986</td>
<td>88:12:4e:0a:16:a5</td>
<td></td>
<td>00:25:86:df:9a:5e</td>
<td>ARP</td>
<td>-</td>
<td>-</td>
<td>42</td>
<td>Who has 192.168.1.104?</td>
<td>192.168.1.104</td>
</tr>
<tr>
<td>11:47:20.319</td>
<td>00:b3:62:96:a2:4d</td>
<td>JohnsPhone</td>
<td>00:d0:e1:12:f6:ee</td>
<td>TCP</td>
<td>54321</td>
<td>80</td>
<td>1500</td>
<td>HTTP GET /index.html</td>
<td>192.168.1.50</td>
</tr>
<tr>
<td>11:47:21.652</td>
<td>88:12:4e:fb:27:e9</td>
<td></td>
<td>7c:1b:4d:22:8e:ef</td>
<td>UDP</td>
<td>12345</td>
<td>12345</td>
<td>100</td>
<td>DNS Query</td>
<td>192.168.1.120</td>
</tr>
<tr>
<td>11:47:22.985</td>
<td>88:12:4e:d3:5f:e0</td>
<td></td>
<td>40:61:86:2e:8f:9c</td>
<td>ICMP</td>
<td>-</td>
<td>-</td>
<td>56</td>
<td>Echo Request</td>
<td>192.168.1.130</td>
</tr>
<tr>
<td>11:47:24.318</td>
<td>98:10:e8:64:55:da</td>
<td>Iphone16</td>
<td>34:21:9d:81:5f:4c</td>
<td>TCP</td>
<td>80</td>
<td>54321</td>
<td>1200</td>
<td>HTTP Response</td>
<td>192.168.1.150</td>
</tr>
<tr>
<td>11:47:25.651</td>
<td>88:12:4e:1a:0e:0e</td>
<td></td>
<td>50:7b:9d:12:34:56</td>
<td>ARP</td>
<td>-</td>
<td>-</td>
<td>42</td>
<td>Who has 192.168.1.105?</td>
<td>192.168.1.105</td>
</tr>
<tr>
<td>11:47:27.984</td>
<td>00:04:23:a2:8c:fb</td>
<td>Windows11</td>
<td>60:1e:5c:3a:2b:4d</td>
<td>ARP</td>
<td>-</td>
<td>-</td>
<td>42</td>
<td>Who has 192.168.1.106?</td>
<td>192.168.1.106</td>
</tr>
</table>
</body>
</html>
On 6/15/25 00:54, Joe via Tails-dev wrote:
Dear Tails Development Team,
I hope this message finds you well. I am writing to bring to your
attention an important consideration regarding the MAC spoofing feature
in Tails. The existing MAC spoofing feature in Tails OS is a step in the
right direction, as it checks for NIC existence and retries if
necessary, treating the NIC as a unique identifier for WiFi cards. While
the current implementation effectively changes the NIC part of the MAC
address, it leaves the OUI (Organizationally Unique Identifier) exposed,
which can potentially compromise user anonymity.
The OUI part of the MAC address identifies the device manufacturer, and
if left unchanged, it can be used for device fingerprinting. This is
particularly concerning for users such as journalists and whistleblowers
who rely on Tails for privacy. The current setup inadvertently makes
these users unique, as the OUI remains constant, even when the NIC is
spoofed.
As noted in the Tails documentation on MAC address limitations, tools
like Macchiato may rely on outdated OUI lists, potentially increasing
uniqueness. Ironically, the current Tails implementation already risks
this by maintaining a consistent OUI, making it trivial for entities
like ISPs to track devices across sessions. If you are using tails at
home your ISP or anyone monitoring your network that its the same device
on the network since the OUI is always the same.
This especially true for users on dedicated devices such as journalists
or whistleblowers. I'm sure many journalists, whistleblowers, or privacy
folks may strictly have a separate computer or throwaway dedicated
device that they only use with Tails. Well, those devices most likely
have a common or unique OUI especially if they are older devices. Many
such users might also attempt mitigations, like purchasing external
ethernet or WiFi adapters, but this often deanons them through traceable
purchases since most are going to purchase these through sites like
Amazon which require credit cards.
Mind you the best case of action would to be spoofing both OUI and NIC
in the mac address design. Most notably android and Iphone already
support this and do this though their design is flawed since it is only
per network and not per connection to a network. Up until recently it
was discovered that iOS prior to version 17.1, leaked real MAC on port 5353.
* Proposed Solution *
To enhance anonymity, I propose spoofing both the OUI and NIC parts of
the MAC address. While systems like Android and iOS have similar
implementations, they are limited to per-network changes. However, the
approach can be adapted and improved for Tails.
* DHCP Considerations *
When implementing full MAC spoofing, it's crucial to handle DHCP leasing
correctly. If a spoofed MAC is already leased, the device may fail to
obtain an IP address or fail to connect to the internet. To mitigate
this, I suggest integrating an ARP check using `arping` to ensure the
new MAC is not already in use before connecting.
If the DHCP server detects that the MAC address is already associated
with an active lease, it may refuse to assign a new IP address to your
system. Send a DHCP NAK (negative acknowledgment) to your system,
indicating that it cannot assign an IP address. If does the allow you to
connect with an already leased MAC you most likely will not be able to
connect to the internet. In environments with MAC spoofing detection,
such as those using Dynamic ARP Inspection (DAI), the spoofed ARP
requests could be ignored or flagged, potentially leading to no
responses. However, these advanced security features are less common on
public WiFi networks with captive portals, where basic DHCP setups
predominate, reducing the likelihood of such detections.
To my knowledge NetworkManager or Linux in general will not explicitly
retry with a new spoofed mac if there is already is a device leased with
the same MAC address already on a network.
Currently it looks like `iputils-arping` is not installed on tails but
could possibly be incorporated into the existing design?
* Example Code Implementation *
The following is example code modifications that could can be
incorporated to include the ARP check:
**Modify `spoof_mac` Function:**
```bash
spoof_mac() {
local max_retries=3
local attempt=1
local msg
local new_mac
local gateway_ip
gateway_ip=$(ip route show | grep default | awk '{print $3}')
set +e
while [ "${attempt}" -le "${max_retries}" ]; do
msg="$(macchanger -e "${1}" 2>&1)"
ret="${?}"
set -e
if [ "${ret}" != 0 ]; then
log "macchanger failed for NIC ${1}, returned ${ret} and
said: ${msg}"
unset NEW_MAC
break
fi
NEW_MAC="$(get_current_mac_of_nic "${1}")"
if [ "${OLD_MAC}" != "${NEW_MAC}" ]; then
log "Spoofed MAC for NIC ${1} is: ${NEW_MAC}"
log "Checking if MAC ${NEW_MAC} is already leased..."
if arping -c 1 -I "${1}" -s "${NEW_MAC}" "${gateway_ip}"
&> /dev/null; then
log "MAC ${NEW_MAC} is already leased or in use on NIC
${1}."
attempt=$((attempt + 1))
continue
else
log "No conflict detected for MAC ${NEW_MAC}."
return 0
fi
fi
attempt=$((attempt + 1))
done
set +e
return 1
}
```
**Add Error Handling and Logging:**
```bash
for i in 1 2 3; do
if ! spoof_mac "${NIC}"; then
unset NEW_MAC
break
fi
NEW_MAC="$(get_current_mac_of_nic "${NIC}")"
if [ "${OLD_MAC}" != "${NEW_MAC}" ]; then
log "Checking if MAC ${NEW_MAC} is already leased..."
if arping -c 1 -I "${NIC}" -s "${NEW_MAC}" "${gateway_ip}" &> /
dev/null; then
log "MAC ${NEW_MAC} is already leased, retrying spoofing..."
continue
fi
break
fi
done
```
Enhancing MAC spoofing to include both OUI and NIC, along with ARP
checks, would significantly improve user anonymity in Tails and avoid
failure if a leased device on a network already has the same MAC as the
Spoofed one. If there is not way to anonymously check DHCP leases with
leaking the real MAC address through ARP ping/requests then forget this
but rather focus on new mac spoofing design that spoofs full mac address.
Thank you for your dedication to Tails and user privacy.
Namaste,
Joe
_______________________________________________
Tails-dev mailing list
Tails-dev@boum.org
https://www.autistici.org/mailman/listinfo/tails-dev
To unsubscribe from this list, send an empty email to
tails-dev-unsubscr...@boum.org.
_______________________________________________
Tails-dev mailing list
Tails-dev@boum.org
https://www.autistici.org/mailman/listinfo/tails-dev
To unsubscribe from this list, send an empty email to
tails-dev-unsubscr...@boum.org.
