Enabling MAC randomization

nielsbasjes

@uxes I'm going to try it this weekend. If it works, where can I find the issue tracker/git repo to submit a patch proposal?

gpatel-fr

@uxes said in Enabling MAC randomization:

shipped on our system by default

I am not sure that any phone is doing that by default.
It has also a downside for anyone using this phone with ssh, that is, the IP address affected by the Dhcp server (the wifi access point) will change often.
It's not a big deal but it can be annoying.

uxes

@gpatel-fr

While I don't have a formal, tangible report to cite, my practical experience dealing with a network of around a hundred devices daily at my company confirms this: Android, iOS, and macOS absolutely randomize their MAC addresses. This behavior makes reliable device tracking within the company difficult, though it admittedly ensures a better degree of anonymity for our users.

https://source.android.com/docs/core/connect/wifi-mac-randomization-behavior

https://support.apple.com/en-us/102509
By default, your device improves privacy by using a different MAC address for each Wi-Fi network.

Vlad Nirky

@gpatel-fr
You could fix IP (as I did)

gpatel-fr

@Vlad-Nirky said in Enabling MAC randomization:

@gpatel-fr
You could fix IP

The option does not seem to be available in the phone UI - I guess that it can be done with some command line trickery. This is not something that is commonly done in Wifi networks where devices are rarely servers.

gpatel-fr

@uxes said in Enabling MAC randomization:

Android, iOS, and macOS absolutely randomize their MAC addresses

there seem to be yet some level of configuration:

https://android.stackexchange.com/questions/225839/get-new-random-mac-for-same-ssid-without-factory-reset-on-android-10

what is done by the trick I posted is mostly the highest level, non persistent randomization (except the 'new Mac address every few days'). The article suggests that this can be too strong for some internal 'enterprise' networks that have special requirements. So some level of configuration could be necessary, no size fits all. When adding options in the UI, it gets so much more complicated to program that you begin to understand why it was not done before for UT.

Vlad Nirky

@gpatel-fr
Not so hard and usefull
you must know which yaml file is used for the wifi in /etc/netplan
as root cd /etc/netplan and cat yaml files.
nano 90-NM-5f1fe55a-2996-4485-b6b3-a75fe76edc62.yaml (ie)
Then in the wifi one
replace

      dhcp4: true 
with
      dhcp4: false
      addresses:
        - [your wanted IP]/24 (or less)
      routes:
        - to: default
          via: [your router IP]
      nameservers:
        addresses: [your DNS1, your DNS2]

save it
and validate it by
netplan apply

gpatel-fr

@Vlad-Nirky said in Enabling MAC randomization:

Not so hard and usefull

yes that's a possibility. Another could be to stop and disable the mount unit + restarting the phone when staying at home.

nielsbasjes

What we did:

To test

The /run/ is reset on every reboot so we first created /run/NetworkManager/conf.d/20-randomwifimacaddress.conf with

[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=random

Restart NetworkManager: systemctl restart NetworkManager

The observed effects:

The MAC address was random everytime (as configured).
The wifi network scanning no longer works in the config app.
Scanning from the command line does still work. nmcli radio wifi on && nmcli device wifi rescan && nmcli device wifi list && nmcli radio wifi off

I could really use some help on that one.

To make permanent

Created /userdata/system-data/etc/NetworkManager/conf.d/
Copied the existing /etc/NetworkManager/conf.d/default-wifi-powersave-on.conf to /userdata/system-data/etc/NetworkManager/conf.d/.
Created /userdata/system-data/tmp/
Created the described /userdata/system-data/etc/systemd/system/etc-NetworkManager-conf.d.mount

[Unit]
Description=Mount unit for /etc/NetworkManager/conf.d
DefaultDependencies=no
Requires=system.slice dev-sda17.device -.mount
Conflicts=umount.target
Before=umount.target local-fs.target
Before=network-pre.service
Wants=network-pre.service

[Mount]
Where=/etc/NetworkManager/conf.d
What=/userdata/system-data/etc/NetworkManager/conf.d
Options=rw,relatime,upperdir=/userdata/system-data/etc/NetworkManager/conf.d,lowerdir=/etc/NetworkManager/conf.d,workdir=/userdata/system-data/tmp
Type=overlay

[Install]
WantedBy=network.target

Created /userdata/system-data/etc/NetworkManager/conf.d/20-randomwifimacaddress.conf with

[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=random

Ran commands
- systemctl daemon-reload
- systemctl start etc-NetworkManager-conf.d.mount
Verify it was correctly mounted and had the right files
Ran commands
- systemctl enable etc-NetworkManager-conf.d.mount

Summary so far

MAC Randomization works
Wifi network scanning in the config app no longer works (and it does work using nmcli). If we disable the scan mac randomization then the config app works again.

gpatel-fr

@nielsbasjes said in Enabling MAC randomization:

Wifi network scanning in the config app no longer works

if you mean that the other networks don't appear when disabling and enabling wifi in settings/wifi, I don't repro. I can still see them. I think it has happened to me even without randomisation, the problem is a bit random itself