Enabling MAC randomization

gpatel-fr

@Vlad-Nirky said in Enabling MAC randomization:

@gpatel-fr
You could fix IP

The option does not seem to be available in the phone UI - I guess that it can be done with some command line trickery. This is not something that is commonly done in Wifi networks where devices are rarely servers.

gpatel-fr

@uxes said in Enabling MAC randomization:

Android, iOS, and macOS absolutely randomize their MAC addresses

there seem to be yet some level of configuration:

https://android.stackexchange.com/questions/225839/get-new-random-mac-for-same-ssid-without-factory-reset-on-android-10

what is done by the trick I posted is mostly the highest level, non persistent randomization (except the 'new Mac address every few days'). The article suggests that this can be too strong for some internal 'enterprise' networks that have special requirements. So some level of configuration could be necessary, no size fits all. When adding options in the UI, it gets so much more complicated to program that you begin to understand why it was not done before for UT.

Vlad Nirky

@gpatel-fr
Not so hard and usefull
you must know which yaml file is used for the wifi in /etc/netplan
as root cd /etc/netplan and cat yaml files.
nano 90-NM-5f1fe55a-2996-4485-b6b3-a75fe76edc62.yaml (ie)
Then in the wifi one
replace

      dhcp4: true 
with
      dhcp4: false
      addresses:
        - [your wanted IP]/24 (or less)
      routes:
        - to: default
          via: [your router IP]
      nameservers:
        addresses: [your DNS1, your DNS2]

save it
and validate it by
netplan apply

gpatel-fr

@Vlad-Nirky said in Enabling MAC randomization:

Not so hard and usefull

yes that's a possibility. Another could be to stop and disable the mount unit + restarting the phone when staying at home.

nielsbasjes

What we did:

To test

The /run/ is reset on every reboot so we first created /run/NetworkManager/conf.d/20-randomwifimacaddress.conf with

[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=random

• Restart NetworkManager: systemctl restart NetworkManager

The observed effects:

• The MAC address was random everytime (as configured).
• The wifi network scanning no longer works in the config app.
  Scanning from the command line does still work. nmcli radio wifi on && nmcli device wifi rescan && nmcli device wifi list && nmcli radio wifi off

I could really use some help on that one.

To make permanent

• Created /userdata/system-data/etc/NetworkManager/conf.d/
• Copied the existing /etc/NetworkManager/conf.d/default-wifi-powersave-on.conf to /userdata/system-data/etc/NetworkManager/conf.d/.
• Created /userdata/system-data/tmp/
• Created the described /userdata/system-data/etc/systemd/system/etc-NetworkManager-conf.d.mount

[Unit]
Description=Mount unit for /etc/NetworkManager/conf.d
DefaultDependencies=no
Requires=system.slice dev-sda17.device -.mount
Conflicts=umount.target
Before=umount.target local-fs.target
Before=network-pre.service
Wants=network-pre.service

[Mount]
Where=/etc/NetworkManager/conf.d
What=/userdata/system-data/etc/NetworkManager/conf.d
Options=rw,relatime,upperdir=/userdata/system-data/etc/NetworkManager/conf.d,lowerdir=/etc/NetworkManager/conf.d,workdir=/userdata/system-data/tmp
Type=overlay

[Install]
WantedBy=network.target

• Created /userdata/system-data/etc/NetworkManager/conf.d/20-randomwifimacaddress.conf with

[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=random

• Ran commands
  • systemctl daemon-reload
  • systemctl start etc-NetworkManager-conf.d.mount
• Verify it was correctly mounted and had the right files
• Ran commands
  • systemctl enable etc-NetworkManager-conf.d.mount

Summary so far

• MAC Randomization works
• Wifi network scanning in the config app no longer works (and it does work using nmcli). If we disable the scan mac randomization then the config app works again.

gpatel-fr

@nielsbasjes said in Enabling MAC randomization:

Wifi network scanning in the config app no longer works

if you mean that the other networks don't appear when disabling and enabling wifi in settings/wifi, I don't repro. I can still see them. I think it has happened to me even without randomisation, the problem is a bit random itself

nielsbasjes

@gpatel-fr Correct, the list in the config UI does not show any of the available networks. On the FP5 we have it seems to be directly related to the scan randomisation setting.

gpatel-fr

@nielsbasjes

Since the grand total of devices in the test is 2 it's difficult to conclude anything.

Does it happen in any neighboroud ? I mean has it been only tested in an enterprise context with special enterprise wifi access point? which version of UT do you use ?

If the problem really interests you, you could enter the lxc android container (sudo lxc-attach --name android -- sh) and use logcat or take a look at the android wifi logs (/data/vendor/wifi/wlan_logs) while disabling/enabling the wifi in the Ui to see if any interesting error message does appear at this time.

gpatel-fr

said in Enabling MAC randomization:

the problem is a bit random itself

actually, it's a bit clearer now; when I enable wifi, I see the whole bunch of other wifi access points around my place; if I close settings and come back after some time (don't remember, maybe half an hour) and I open wifi settings again, I don't see anymore any other access points that the one I am connected to.

nielsbasjes

@gpatel-fr The tests I did were in a residential setting with the Wifi SSIDs of serveral neighbors showing up.

gpatel-fr

@nielsbasjes

that's a bit annoying that the same change on the same hardware leads to 2 different results. There must be a reason but it's difficult to imagine it. As for the moment there is no one to step up to share a result in a different context and I'm definitely not about to buy a new phone to do a different test. I will wait for an idea to come to me

nielsbasjes

@gpatel-fr I wasn't clear. The SSIDs showed when wifi.scan-rand-mac-address was disabled and none (not even the current one) were shown when it was enabled.

gpatel-fr

@nielsbasjes said in Enabling MAC randomization:

none (not even the current one)

Now, even when I don't see the other access points, which is quite often when I swipe out the settings and come back in it, I always see my own access point with "Connected" in green. Like I said, I only see the other access points when first enabling Wifi (and it don't crash the phone, but that's another story).
I'm curious how it appears, could you share a screenshot please ?

gpatel-fr

said in Enabling MAC randomization:

Another could be to stop and disable the mount unit + restarting the phone when staying at home.

I have finally decided to finish this matter and found a way to enable randomization (reenable the mount) while keeping the ability to connect automatically to the phone via my local wifi, so i'll be able to test it more seriously.
I'll see how it works.

With 24.04.1.1 I still don't see any problem with getting the list of networks, I even disabled wifi without intending it and after reenabling it immediately my phone did not crash.
Maybe I was lucky this time or the fix for this problem has been merged.

gpatel-fr

said in Enabling MAC randomization:

I'll see how it works.

10 days later, I have not seen any problem running with Mac randomization, and I use Wifi every day.

On the 'getting the list of stations' subject, I have noticed something new: when I go to Wifi settings and there is nothing displayed (except the access point the phone is connected to, that is), if in a (ssh) console I enter

sudo iw dev wlan0 scan

the phone screen displays magically the list that was scanned. I don't know what this could mean, maybe the list is cached somewhere and sometimes the cache is stale and not refreshed automatically or it's something else. The cache hypothesis is confirmed just now, I had left displayed a list of wifi stations, left the phone rest for some time, after unlocking it the list has disappeared.

There is a wrinckle though: sometimes entering the refresh command, the reply of the command is 'scan aborted!'. This could also be what happens when it does not work. Unfortunately in both cases, the command is displayed in the system journal, but when something goes wrong nothing more is displayed. Sometimes the list vary from one execution to the next a few seconds later, but maybe it's because it's radio after all. Or there is a too short timeout. More investigation is needed (but I'm not giving up, this is only a follow-up).

Last thing: the 'scan' command has a [randomise[=<addr>/<mask>] flag, so the randomization can be at 2 levels (scan and normal use) and can not to be done at the scan level, although I don't see why this could have 2 different results on 2 configuration that seem the same. I don't even know why there are 2 levels in the Mac randomization. The only thing I know for sure is that there are some wifi hardware/firmware/driver (?) that do not support Mac randomization (because I have read it in the configuration files for the FP5) so it could be remotely possible that some configuration don't support the randomization at the scan level while supporting it for normal use.