Picking a MAC address for a FreedomBox

By Jonathan Corbet
December 5, 2012

The FreedomBox project is working toward the creation of an inexpensive, in-home device that can be used for secure and private communications. The initial plan is to create a version of the Debian distribution that can be installed on a device like the DreamPlug; the resulting configuration should "just work" for nontechnical users in potentially hostile situations. The project has many challenges to overcome, one of which — the choice of MAC address for the network interface — shows how tricky this problem space can be.

An interface's MAC address is a unique number identifying the interface to any other devices it may communicate directly with. Ethernet-style MAC addresses are six-byte quantities; half of those bytes identify the manufacturer while the other half are meant to be a unique serial number. The MAC address for the Ethernet interface on the system where this article being typed is:

    18:03:73:be:76:4a

This MAC address identifies the relevant system as having been manufactured by Dell. If Dell has done its job properly (and there is no evidence to the contrary), no other Ethernet interface on the planet should have that same MAC address.

FreedomBox developer Nick Daly recently started pondering the question of how a FreedomBox should set its MAC address. The hardware will come with an address provided by the manufacturer, of course, but that address can be changed by the kernel and there may well be good reasons for doing so. Many of those were outlined in this lengthy message from John Gilmore, which is well worth reading in its entirety; it forms the basis of this summary.

One obvious problem is that a static MAC address is a unique number identifying a particular system. Most interfaces never operate with anything but the vendor-supplied address; if a hostile party learns that address, they can quickly identify the system it belongs to. So, while a FreedomBox device might move around, a suitably informed observer will always know which device it is. That allows the correlation of activities over time and the monitoring of specific devices.

Current technologies make things worse. Quoting John:

Apple iPhones record the MAC addresses that are nearby, report these to Apple, and Apple uses them to return a physical position fix. This is used to more rapidly cause the GPS algorithm to converge on a position, and also used when GPS isn't working. The phones often report their GPS position and any nearby MAC addresses back to Apple servers... It's easy for hackers to query that database of MAC addresses and locations, by pretending to be an iPhone seeking its location.

In other words, a hostile entity might not have to drive around a city in an attempt to detect a device with a specific MAC address; instead, it is just a matter of asking Apple, which has a widespread surveillance network in place and can simply say where that device is to be found. Similar information is maintained by other parties — Google, for example.

John also pointed out that it is often trivial to determine which IP address is assigned to a device; it is often just a matter of sending a DNS query to the MAC address of interest. That can enable the identification of the location from which specific network activity has been generated.

Finally, there is the matter of that manufacturer identification number found in every MAC address. If FreedomBox becomes a widely used and effective system, certain authorities might develop a strong interest in knowing where DreamPlug systems are to be found. The identifying information found in the MAC address makes that identification a relatively simple task. Turning on a DreamPlug could be a way of painting a target on a specific location — not the sort of dream the owner may have been looking for.

The obvious conclusion is that FreedomBox systems should not normally run with the default MAC address provided by the vendor. They should, instead, generate a new address, and that address should be changed frequently. Fortunately, much of this is easy to do; any even remotely contemporary hardware will allow the host system to provide a new MAC address, and the data link layer (and above) protocols are pretty good about responding to MAC address changes. So there is no obvious technical barrier preventing frequent changing of a system's MAC address.

But there is still the question of what that address should be. Nick had suggested defaulting to 00:00:00:00:00:00 by default, a choice that would clearly prevent the identification of specific FreedomBoxes. But there are problems with that choice, starting with the fact that confusion would result as soon as two FreedomBoxes appeared on the same network. So something a little smarter is needed.

One obvious possibility is to simply generate a six-byte random number and use that. Care would have to be taken to avoid MAC address collisions on any given net, but that is not a particularly hard problem to solve. There are also the usual issues with having enough entropy available to generate a proper random number at boot time; without an adequate level of care, that random address might be far less random than people expect. Once again, that is a problem that should be amenable to a proper solution.

But, as John pointed out, there is another problem: real-world MAC addresses follow a specific pattern; a random address, being unlikely to fit that pattern, would probably stand out like a neon sign to anybody who is looking for it. To be convincing, a system-chosen MAC address cannot be completely random. It should have a recognized manufacturer number, preferably a manufacturer that actually makes contemporary wireless network interfaces. The serial number also needs to fit into a range that was actually shipped by that manufacturer. In other words, a random MAC address will only blend in if it makes the device look like some other random piece of real-world hardware.

These problems are all tractable, but the solution requires a great deal of due care if it is not to expose its users to unwanted consequences. Indeed, the whole system must be designed and implemented with that level of care; that is part of why the FreedomBox has not come to fruition as quickly as many would have liked. Privacy is a surprisingly difficult problem, with many pitfalls for those who try for a quick solution.

Index entries for this article
Security	Home network
Security	Internet

Picking a MAC address for a FreedomBox

Posted Dec 6, 2012 6:16 UTC (Thu) by smoogen (subscriber, #97) [Link] (4 responses)

18:03:73:be:76:4a
This MAC address identifies the relevant system as having been manufactured by Dell. If Dell has done its job properly (and there is no evidence to the contrary), no other Ethernet interface on the planet should have that same MAC address.

====

Is that meant to be true anymore? I know it used to be, but I have seen a lot of collisions from various vendors. Usually we were told that they only tried to keep the probability down to no MAC collisions in say a Class A network, but that they couldn't guarantee more than that.

====
00:00:00:00:00:00

I remember trying that on a couple of networks and that caused all kinds of issues with routers that used 00:00:00.. as a sort of 0.0.0.0 in broadcasts and such.

Picking a MAC address for a FreedomBox

Posted Dec 6, 2012 6:35 UTC (Thu) by jreiser (subscriber, #11027) [Link] (2 responses)

I have seen a lot of collisions from various vendors. Data, please. I have seen duplicates, too, but they were twenty years ago in the early 1990s, and they were from deliberate reproduction by cloners who were producing counterfeit boxes.

Picking a MAC address for a FreedomBox

Posted Dec 7, 2012 15:58 UTC (Fri) by shane (subscriber, #3335) [Link] (1 responses)

I have an Android phone I ordered from China that arrived a couple weeks ago which has a MAC address not present in the IEEE database, so it is likely that it can collide with some properly-registered device at some point in the future.

I checked here:

http://standards.ieee.org/develop/regauth/oui/oui.txt

The MAC address starts with d2:a1:42, which is not present.

Picking a MAC address for a FreedomBox

Posted Dec 7, 2012 16:48 UTC (Fri) by TomH (subscriber, #56149) [Link]

That address has the "locally administered" bit set so at least they've done that right and aren't trampling on any address that will ever be assigned to somebody else.

Picking a MAC address for a FreedomBox

Posted Dec 6, 2012 12:36 UTC (Thu) by lkundrak (subscriber, #43452) [Link]

Well, there surely are vendors that use addresses that they should not. According to [1], following ones are using locally administered address (& 0x020000). Also, note the "not registered" ones.

020406	BBN				internal usage (not registered)
020701	Interlan [now Racal-InterLAN]	DEC (UNIBUS or QBUS), Apollo, Cisco
020701	Racal-Datacom
026060	3Com
026086	Satelcom MegaPac (UK)
02608C	3Com				IBM PC; Imagen; Valid; Cisco; Macintosh
02A0C9	Intel
02AA3C	Olivetti
02CF1F	CMC				Masscomp; Silicon Graphics; Prime EXL
02E03B	Prominet Corporation		Gigabit Ethernet Switch
02E6D3	BTI (Bus-Tech, Inc.)		IBM Mainframes
2E2E2E	LAA (Locally Administered Address) for Meditech Systems
475443	GTC (Not registered!)		(This number is a multicast!)
525400	Realtek (UpTech? also reported)
52544C	Novell 2000
5254AB	REALTEK (a Realtek 8029 based PCI Card)
565857	Aculab plc			audio bridges
AA0000	DEC				obsolete
AA0001	DEC				obsolete
AA0002	DEC				obsolete
AA0003	DEC				Global physical address for some DEC machines
AA0004	DEC				Local logical address for DECNET systems
E20C0F	Kingston Technologies

[1] http://www.cavebear.com/archive/cavebear/Ethernet/vendor.html

Picking a MAC address for a FreedomBox

Posted Dec 6, 2012 6:35 UTC (Thu) by dw (subscriber, #12017) [Link] (3 responses)

s/sending a DNS query to the MAC address/sending an ARP request to the MAC address/

Picking a MAC address for a FreedomBox

Posted Dec 6, 2012 21:18 UTC (Thu) by jimparis (guest, #38647) [Link] (2 responses)

s/sending a DNS query to the MAC address/sending an ARP request to the MAC address/

Actually, while this LWN sentence was confusingly brief, the original post *was* talking about DNS queries. ARP on the LAN will just get you the LAN IP address. John's original post was suggesting:

Get victim's wifi MAC address (which can be correlated with location by one of the companies that surveil this)
Connect to the open wifi (which will often let DNS through even if it's a captive portal)
Send a DNS request for attacker.com, which tells attacker.com's nameservers the victim's public IP address (if no intermediate DNS servers are used).

Now you've correlated victim's public IP address with location.

Picking a MAC address for a FreedomBox

Posted Dec 8, 2012 15:36 UTC (Sat) by felixfix (subscriber, #242) [Link] (1 responses)

s/John/Jon/g

Picking a MAC address for a FreedomBox

Posted Dec 8, 2012 15:41 UTC (Sat) by felixfix (subscriber, #242) [Link]

Oh geez, it's Jon quoting John. This is what happens when I post before waking up. If there had been only one, I would have not noticed, but when my brain saw a second one, it went off the rails.

Picking a MAC address for a FreedomBox

Posted Dec 6, 2012 8:27 UTC (Thu) by oever (guest, #987) [Link] (5 responses)

How can the Apple database be queried to get MAC addresses? From the description, it seems the Apple location system takes MAC addresses and returns an approximate location. What is the need for that system to return MAC addresses?

Picking a MAC address for a FreedomBox

Posted Dec 6, 2012 12:30 UTC (Thu) by njwhite (guest, #51848) [Link] (2 responses)

One answer is that if you're a government in a country in which Apple is keen to operate, you can simply ask them, perhaps providing various "incentives".

One could also imagine such a database being a worthwhile target for skilled attackers.

But yes, John was talking about sending MAC addresses and getting locations back. Which would certainly be useful for tracking the movement of devices.

Picking a MAC address for a FreedomBox

Posted Dec 8, 2012 15:35 UTC (Sat) by felixfix (subscriber, #242) [Link] (1 responses)

s/John/Jon/g

Picking a MAC address for a FreedomBox

Posted Dec 8, 2012 15:42 UTC (Sat) by felixfix (subscriber, #242) [Link]

s/amused poster/sleepy commentator/

Picking a MAC address for a FreedomBox

Posted Dec 6, 2012 19:45 UTC (Thu) by dlang (guest, #313) [Link]

MAC address only _have_ to show up on the local lan (wireless or wired). If you are talking to something through a router, you don't see the MAC address, just the IP address.

However, Apple devices tend to use the MAC address as a device identifier (it is after all a unique value for each device), and they make extensive use of that unique value in their apple proprietary infrastructure.

One of the 'hacks' that has happened 'recently' was someone noticed that accessing iDevice info on the ATT website used the MAC address in the URL, changing the MAC address provided gave you access to other people's information.

I don't know anyone other than Apple that does this same thing.

Picking a MAC address for a FreedomBox

Posted Dec 9, 2012 16:08 UTC (Sun) by bboissin (subscriber, #29506) [Link]

Just to be clear (I think the article is very confusing), I don't think Apple (or anyone else) uses a database of MAC address. Instead they have a database of BSSID (which is the MAC address for the wireless access point).

Looking at the freedombox website, it's not even clear they can be used as a wireless access point.

Picking a MAC address for a FreedomBox

Posted Dec 6, 2012 15:26 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link] (6 responses)

surprised noone mentioned macchanger

http://www.alobbs.com/macchanger

It can do the job of emulating an address that looks it is coming from a particular vendor. I have a NM script in my Fedora box that changes MAC address every time I connect to my wireless network. It is rather trivial to do.

Picking a MAC address for a FreedomBox

Posted Dec 8, 2012 6:31 UTC (Sat) by mathstuf (subscriber, #69389) [Link] (5 responses)

Is your NM script available somewhere? Maybe one of these days, I'll move to NM from WPA_supplicant, but the bugs (or missing features if you want) I care about probably still exist.

Picking a MAC address for a FreedomBox

Posted Dec 8, 2012 17:24 UTC (Sat) by rahulsundaram (subscriber, #21946) [Link] (4 responses)

I have a file named 00-a-machanger in /etc/NetworkManager/dispatcher.d

#! /bin/bash

/bin/macchanger -r wlan0 2>&1 > /dev/null

That's all it takes.

Picking a MAC address for a FreedomBox

Posted Jan 21, 2013 16:52 UTC (Mon) by mcortese (guest, #52099) [Link] (3 responses)

/bin/macchanger -r wlan0 2>&1 > /dev/null

The redirection looks weird: stdout goes to null, while stderr goes to stdout! ;-)

Picking a MAC address for a FreedomBox

Posted Jan 21, 2013 19:00 UTC (Mon) by rahulsundaram (subscriber, #21946) [Link]

Use whatever redirection works for you.

Picking a MAC address for a FreedomBox

Posted Jan 22, 2013 0:32 UTC (Tue) by dlang (guest, #313) [Link] (1 responses)

that is the routine redirect combination that admins use when they don't plan to look at whatever output is generated and want it to be quiet. The result is that all output is thrown away.

Picking a MAC address for a FreedomBox

Posted Jan 22, 2013 1:04 UTC (Tue) by ABCD (subscriber, #53650) [Link]

No it isn't. command 2>&1 >/dev/null first copies fd 1 to fd 2 (thus sending stderr to where stdout is currently going), then sets fd 1 (stdout) to /dev/null. The standard "show me nothing" line is command >/dev/null 2>&1, which sets fd 1 to /dev/null, then copies fd 1 to fd 2.

To see the difference, compare the following:

$ to_stderr() { echo "$@" >&2; }
$ to_stderr test 2>&1 >/dev/null
test
$ to_stderr test >/dev/null 2>&1

Picking a MAC address for a FreedomBox

Posted Dec 6, 2012 15:43 UTC (Thu) by raven667 (subscriber, #5198) [Link] (2 responses)

I think they should do the same thing that other systems do in this same position (like VMware) which is to register themselves as a vendor and have the device generate a random device address periodically. You'd be able to tell that the device _was_ a FreedomBox but you wouldn't be able to track _which_ one it was. If that is sufficient obfuscation; problem solved.

Picking a MAC address for a FreedomBox

Posted Dec 6, 2012 20:43 UTC (Thu) by Fats (guest, #14882) [Link] (1 responses)

You'd be able to tell that the device _was_ a FreedomBox but you wouldn't be able to track _which_ one it was.

I think the FreedomBox people want to avoid exactly that. Giving away the FreedomBox identity is in certain places enough to draw attention.

Picking a MAC address for a FreedomBox

Posted Dec 6, 2012 21:44 UTC (Thu) by raven667 (subscriber, #5198) [Link]

Fair enough.

Another poster pointed out that there is a large range set aside for locally generated addresses which is widely used that the FreedomBox could safely use without giving itself away.

Picking a MAC address for a FreedomBox

Posted Dec 6, 2012 16:15 UTC (Thu) by brouhaha (subscriber, #1698) [Link] (1 responses)

To do it right, you don't want a six byte random number, but only 46 random bits. Two of the MAC address bits are reserved to distinguish unicast vs. multicast, and globally unique (OUI) vs. locally administered. For a random MAC address for normal (unicast) use, these bits should be set to 0 and 1, respectively. They are the least significant bit and next to the least significant bits of the first octet, so the first octet in binary should be xxxxxx01.

By using a locally administered MAC address you avoid both having everyone that sees the MAC address able to determine what entity assigned the address, and the possibility of collision with any other device on your network that uses a "normal" MAC address (globally unique). You still have the possibility of collision with a locally administered MAC address on your local network.

There also seems to be a lot of confusion in general (but not in this article) about how MAC addresses are used. When you use your web browser to get a web page from a server off in the internet somewhere, that server generally does not get your MAC address, but only your IP address. The MAC address is only used on your Local Area Network (LAN), which is Ethernet or Wifi. However, as stated in the article, other devices on your same LAN, including iPhones and such using Wifi, do get to see your MAC address.

Picking a MAC address for a FreedomBox

Posted Dec 6, 2012 18:46 UTC (Thu) by BenHutchings (subscriber, #37955) [Link]

The interface's MAC address is used for the local part of its IPv6 addresses, by default. (The 'privacy extensions' for IPv6 allow you to randomise the local part, but this is not robust to local attack.) And the gateway router or DHCP server on the LAN might log or otherwise expose the MAC address to remote peers.

Picking a MAC address for a FreedomBox

Posted Dec 6, 2012 18:17 UTC (Thu) by marcH (subscriber, #57642) [Link] (2 responses)

> But, as John pointed out, there is another problem: real-world MAC addresses follow a specific pattern; a random address, being unlikely to fit that pattern, would probably stand out like a neon sign to anybody who is looking for it. To be convincing, a system-chosen MAC address cannot be completely random.

I don't understand why a random (and obviously changing) MAC address should look not random. Could someone summarize the problem here?

Picking a MAC address for a FreedomBox

Posted Dec 6, 2012 18:42 UTC (Thu) by BenHutchings (subscriber, #37955) [Link] (1 responses)

The MAC address isn't going to 'obviously change'; it's the only thing identifying your hardware so without some sophisticated fingerprinting at a higher level there is nothing to tie the old and new addresses together as being a single device.

However, randomised MAC addresses are normally flagged as 'locally-assigned', per the IEEE 802 standard, which could become an indicator of 'something to hide' if most devices use fixed globally-assigned addresses. (I don't know how true that is; quite a few Linux network device drivers support boards without NVRAM fitted, for which they generate a random address at boot.) Even if you decide to violate the standard and 'steal' a globally-assigned address, you'd then want to be sure to pick an OUI (22-bit manufacturer ID) that has actually been assigned.

Picking a MAC address for a FreedomBox

Posted Dec 6, 2012 23:53 UTC (Thu) by marcH (subscriber, #57642) [Link]

> The MAC address isn't going to 'obviously change';

In the context of these articles (randomizing a MAC address) the address should obviously not be randomized just once but be changed on a regular basis, otherwise it could be followed just like a factory address can.

This is just the main point of the article.

> it's the only thing identifying your hardware so without some sophisticated fingerprinting at a higher level there is nothing to tie the old and new addresses together as being a single device.

... so changing it on regular basis works. Violent agreement?!

> However, randomised MAC addresses are normally flagged as 'locally-assigned', per the IEEE 802 standard, which could become an indicator of 'something to hide'

This does not really seem to match what Jon wrote above, but it is clearer and does answer my question; thanks.

Picking a MAC address for a FreedomBox

Posted Dec 6, 2012 22:25 UTC (Thu) by hpa (guest, #48575) [Link]

There are a lot of users of random MAC addresses, so although they may stand out, they would stand out in a pretty big forest. Standard practice is to set the "locally assigned" bit; the bit pattern of the last octet is xxxxxx10 (not xxxxxx01 as was incorrectly stated earlier in this thread.) This gives 46 bits of entropy, and cannot by design collide with assigned values.

If you care about stealth you probably need to reassign the MAC with some regularity.

Picking a MAC address for a FreedomBox

Posted Dec 7, 2012 0:48 UTC (Fri) by docwhat (guest, #40373) [Link] (1 responses)

If the goal is to blend in, then why not:

Collect nearby MAC vendor codes.
Run it through a blacklist.
Then randomly choose a vendor code.
Randomize the remaining parts.

This should cause it to blend in better.

Alternatively, get a list of vendor codes to emulate (based on region or something similar), and randomize based on those vendor codes.

I suppose in some places, owning a DELL Laptop would spell as much trouble as owning a FreedomBox; so picking a good list of vendor codes would be needed.

Picking a MAC address for a FreedomBox

Posted Dec 16, 2012 15:24 UTC (Sun) by ekj (guest, #1524) [Link]

This was my idea too: Listen passively for a few seconds, or until you've gathered a handful of MACs being used near you. Then randomly choose one of those vendor-ids while randomising the remaining bits.

This should make you blend in nicely with whatever other devices are on the network-segment you connect to.

Picking a MAC address for a FreedomBox

Posted Dec 7, 2012 14:09 UTC (Fri) by NRArnot (subscriber, #3033) [Link] (1 responses)

One other problem.

I once saw the consequence of two PCs on the same LAN with the same MAC address. (How? Some foul-up by the NIC manufacturer. I suspect a whole batch of boards out there with that same MAC; we'd bought two of them).

It wasn't pretty. Looked somewhat like an intermittent NIC failure or cabling fault. One went down whenever the other came up ...

Anyway, it occurs to me that causing a MAC collision in some environments might be regarded as an actively hostile act ... espionage, or even sabotage. Even if not, it will most certainly attract attention if one's random address just happens to be the same address that some local system will try to use in a few minutes time.

Is there a way to detect this and back off as soon as it happens, before the other system's owner gets annoyed?

Picking a MAC address for a FreedomBox

Posted Dec 7, 2012 14:49 UTC (Fri) by etienne (guest, #25256) [Link]

> Is there a way to detect this and back off as soon as it happens, before the other system's owner gets annoyed?

You send a RARP, reverse ARP request, asking for who has this ARP to reply with its own IP, if no response nobody has such a MAC.
You can also change your MAC by sending an unsolicited gratuitous ARP with your IP address and your new MAC, without breaking TCP or UDP connections.
Unfortunately these systems fails if one of the PC on the subnet is not listening, in a deep sleep mode or temporarily disconnected from the wire (a HUB maintains LINK-UP to the PC but the upstream HUB link goes down).
Then, next time the PC wakes up and try to continue using the old MAC address to continue a TCP connection, it will talk to an unrelated PC and receive a RST packet, without checking that this MAC address is still valid for the TCP IP address.

Picking a MAC address for a FreedomBox

Posted Dec 14, 2012 14:24 UTC (Fri) by Felix_the_Mac (guest, #32242) [Link]

A random (or semi-random) MAC address would not be a give away if enough other devices used the same scheme.

Therefore:

1. submit patch to Linux kernel for random MAC address assignment.
2. Get feature turned on by default.
3. Get Google to use feature in Android - millions of phones with random MAC addresses

Problem solved!