Enabling MAC randomization
-
@gpatel-fr I agree your approach using overlayfs is better, puts the file in the same place we would regularly put our customizations.
-
@fredldotme said in Enabling MAC randomization:
using overlayfs is better
Well, using overlayfs was mostly an experiment on my part (finding on the Internet an example of a mount unit with overlayfs was surprising difficult - finally I had to test on my PC to find a form that actually works - and the official way does not seem to work on Ubuntu 24.04 - it's possible than systemd is bugged at this point)
The downside is, as each port has its own kernel, having overlayfs available is not a sure thing as having the possibility of bind-mounting. As I had no more experience with bind-mount than overlayfs, I used the most exciting possibility
-
@gpatel-fr I have not tried this idea. I realized this is such an "extreme" way of settings this (also looking at the other replies) that I asked here first.
My key question is : Is this the right direction or is there a simple, clean and reliable way of enabling MAC randomization.
-
@nielsbasjes said in Enabling MAC randomization:
Is this the right direction or is there a simple, clean and reliable way of enabling MAC randomization.
If you don't know about it, @fredldotme is a pillar of UT, certainly the second ranked; so if he don't advise for a 'simpler, cleaner' solution, you can assume that there is no obvious one. Having the rootfs read-only is certainly a solid part of the core tenets of UT.
-
@nielsbasjes mac random addresses are now pretty much a standart, it would be great if this implementation is shipped on our system by default , if you manage to get this working and send it upstream, thatโd be awesome
-
@uxes I'm going to try it this weekend. If it works, where can I find the issue tracker/git repo to submit a patch proposal?
-
@uxes said in Enabling MAC randomization:
shipped on our system by default
I am not sure that any phone is doing that by default.
It has also a downside for anyone using this phone with ssh, that is, the IP address affected by the Dhcp server (the wifi access point) will change often.
It's not a big deal but it can be annoying. -
While I don't have a formal, tangible report to cite, my practical experience dealing with a network of around a hundred devices daily at my company confirms this: Android, iOS, and macOS absolutely randomize their MAC addresses. This behavior makes reliable device tracking within the company difficult, though it admittedly ensures a better degree of anonymity for our users.
https://source.android.com/docs/core/connect/wifi-mac-randomization-behavior
https://support.apple.com/en-us/102509
By default, your device improves privacy by using a different MAC address for each Wi-Fi network. -
@gpatel-fr
You could fix IP (as I did) -
@Vlad-Nirky said in Enabling MAC randomization:
@gpatel-fr
You could fix IPThe option does not seem to be available in the phone UI - I guess that it can be done with some command line trickery. This is not something that is commonly done in Wifi networks where devices are rarely servers.
-
@uxes said in Enabling MAC randomization:
Android, iOS, and macOS absolutely randomize their MAC addresses
there seem to be yet some level of configuration:
what is done by the trick I posted is mostly the highest level, non persistent randomization (except the 'new Mac address every few days'). The article suggests that this can be too strong for some internal 'enterprise' networks that have special requirements. So some level of configuration could be necessary, no size fits all. When adding options in the UI, it gets so much more complicated to program that you begin to understand why it was not done before for UT.
-
@gpatel-fr
Not so hard and usefull
you must know which yaml file is used for the wifi in /etc/netplan
as root cd /etc/netplan and cat yaml files.
nano 90-NM-5f1fe55a-2996-4485-b6b3-a75fe76edc62.yaml (ie)
Then in the wifi one
replacedhcp4: true with dhcp4: false addresses: - [your wanted IP]/24 (or less) routes: - to: default via: [your router IP] nameservers: addresses: [your DNS1, your DNS2]save it
and validate it by
netplan apply -
@Vlad-Nirky said in Enabling MAC randomization:
Not so hard and usefull
yes that's a possibility. Another could be to stop and disable the mount unit + restarting the phone when staying at home.
-
What we did:
To test
The
/run/is reset on every reboot so we first created/run/NetworkManager/conf.d/20-randomwifimacaddress.confwith[device] wifi.scan-rand-mac-address=yes [connection] wifi.cloned-mac-address=random- Restart NetworkManager:
systemctl restart NetworkManager
The observed effects:
- The MAC address was random everytime (as configured).
- The
wifi network scanning no longer worksin the config app.
Scanning from the command line does still work.nmcli radio wifi on && nmcli device wifi rescan && nmcli device wifi list && nmcli radio wifi off
I could really use some help on that one.
To make permanent
- Created
/userdata/system-data/etc/NetworkManager/conf.d/ - Copied the existing
/etc/NetworkManager/conf.d/default-wifi-powersave-on.confto/userdata/system-data/etc/NetworkManager/conf.d/. - Created
/userdata/system-data/tmp/ - Created the described
/userdata/system-data/etc/systemd/system/etc-NetworkManager-conf.d.mount
[Unit] Description=Mount unit for /etc/NetworkManager/conf.d DefaultDependencies=no Requires=system.slice dev-sda17.device -.mount Conflicts=umount.target Before=umount.target local-fs.target Before=network-pre.service Wants=network-pre.service [Mount] Where=/etc/NetworkManager/conf.d What=/userdata/system-data/etc/NetworkManager/conf.d Options=rw,relatime,upperdir=/userdata/system-data/etc/NetworkManager/conf.d,lowerdir=/etc/NetworkManager/conf.d,workdir=/userdata/system-data/tmp Type=overlay [Install] WantedBy=network.target- Created
/userdata/system-data/etc/NetworkManager/conf.d/20-randomwifimacaddress.confwith
[device] wifi.scan-rand-mac-address=yes [connection] wifi.cloned-mac-address=random- Ran commands
systemctl daemon-reloadsystemctl start etc-NetworkManager-conf.d.mount
- Verify it was correctly mounted and had the right files
- Ran commands
systemctl enable etc-NetworkManager-conf.d.mount
Summary so far
- MAC Randomization works
- Wifi network scanning in the config app no longer works (and it does work using nmcli). If we disable the scan mac randomization then the config app works again.
- Restart NetworkManager:
-
@nielsbasjes said in Enabling MAC randomization:
Wifi network scanning in the config app no longer works
if you mean that the other networks don't appear when disabling and enabling wifi in settings/wifi, I don't repro. I can still see them. I think it has happened to me even without randomisation, the problem is a bit random itself
-
@gpatel-fr Correct, the list in the config UI does not show any of the available networks. On the FP5 we have it seems to be directly related to the scan randomisation setting.
-
Since the grand total of devices in the test is 2 it's difficult to conclude anything.
Does it happen in any neighboroud ? I mean has it been only tested in an enterprise context with special enterprise wifi access point? which version of UT do you use ?
If the problem really interests you, you could enter the lxc android container (sudo lxc-attach --name android -- sh) and use logcat or take a look at the android wifi logs (/data/vendor/wifi/wlan_logs) while disabling/enabling the wifi in the Ui to see if any interesting error message does appear at this time.
-
said in Enabling MAC randomization:
the problem is a bit random itself
actually, it's a bit clearer now; when I enable wifi, I see the whole bunch of other wifi access points around my place; if I close settings and come back after some time (don't remember, maybe half an hour) and I open wifi settings again, I don't see anymore any other access points that the one I am connected to.
-
@gpatel-fr The tests I did were in a residential setting with the Wifi SSIDs of serveral neighbors showing up.
-
that's a bit annoying that the same change on the same hardware leads to 2 different results. There must be a reason but it's difficult to imagine it. As for the moment there is no one to step up to share a result in a different context and I'm definitely not about to buy a new phone to do a different test. I will wait for an idea to come to me
