mac_spoofing.mdwn 5.6 KB
Newer Older
1
[[!meta title="MAC address spoofing"]]
2

3 4 5 6 7 8 9 10 11 12 13 14
[[!toc]]

What are MAC addresses?
=======================

Every network card — wired or Wi-Fi — has a [[!wikipedia MAC address]] which is
a serial number defined for each card from factory by its vendor. MAC addresses
are used on the local network to identify the communications of each network
card.

While your IP address identifies where you are on the Internet, your MAC address
identifies which device you are using on the local network. MAC addresses are
15 16 17 18 19 20
only useful on the local network and are not sent over the Internet.[^portal]

[^portal]: Some [[!wikipedia captive portals]] might send your MAC address over
the Internet to their authentication servers. This should not affect your
decision regarding MAC address spoofing. If you decide to disable MAC address
spoofing your computer can already be identified by your ISP.
21

22 23
Having such a unique identifier used on the local network can harm your privacy.
Here are two examples:
24

25
1. If you use your laptop to connect to several Wi-Fi networks, the
26 27 28 29
same MAC address of your Wi-Fi card is used on all those local networks. Someone
observing those networks can recognize your MAC address and **track your
geographical location**.

30 31 32 33
2. As explained in our documentation on [[network
fingerprint|about/fingerprint]], someone observing the traffic coming out of
your computer on the local network can probably see that you are using Tails. In
that case, your MAC address can **identify you as a Tails user**.
34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73

What is MAC address spoofing?
=============================

Tails can temporarily change the MAC address of your network cards to random
values for the time of a working session. This is what we call "MAC address
spoofing". MAC address spoofing hides the serial number of your network card,
and so to some extend, who you are, to the local network.

MAC address spoofing is enabled by default in Tails because it is usually
beneficial. But in some situations it might also cause connectivity problems or
suspicious network activity. This documentation explains whether to use MAC
spoofing or not, according to your situation.

When to keep MAC address spoofing enabled
=========================================

**MAC address spoofing is enabled by default for all network cards.** This is
usually beneficial, even if you don't want to hide your geographical location.

Here are a few examples:

* **Using your own computer on an public network without registration**, for
  example a free Wi-Fi in an airport where you don't need to register with your
  identity. In this case, MAC address spoofing hides the fact that your computer
  is connected to this network.

* **Using your own computer on a network that you use frequently**, for example
  at a friend's place, at work, at university, etc. You already have a strong
  relationship with this place but MAC address spoofing hides the fact that your
  computer is connected to this network *at a particular time*. It also hides
  the fact that you are the one running Tails on this network.

When to disable MAC address spoofing
====================================

In some situations MAC address spoofing is not useful but can instead be
problematic. In such cases, you might want to disable MAC address spoofing from
<span class="application">[[Tails Greeter|startup_options#greeter]]</span>.

74 75 76 77 78 79 80
Note that even if MAC spoofing is disabled, your anonymity on the Internet is
preserved:

  - An adversary on the local network can only see encrypted connections to the
    Tor network.
  - Your MAC address is not sent over the Internet to the websites that you are
    visiting.
81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99

However, disabling MAC address spoofing makes it possible again for the local
network to track your geographical location. If this is problematic, consider
using a different network device or moving to another network.

Here are a few examples:

- **Using a public computer**, for example in an Internet café or a library.
  This computer is regularly used on this local network, and its MAC address is
  not associated with your identity. In this case, MAC address spoofing can make
  it impossible to connect. It can even **look suspicious** to the network
  administrators to have an unknown MAC address used on that network.

- **Using your own computer on a restricted network** where you had to register
  with your identity or credit card. In this case, you already revealed your
  geographical location to the local network by other means.

- **MAC address spoofing is impossible on your network card** due to a
  limitation in your hardware or its drivers. In this case, Tails temporarily
Tails developers's avatar
Tails developers committed
100
  disables your network card if you keep MAC address spoofing enabled.
101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121

- **MAC address spoofing makes it impossible to connect to a network**. Some
  local networks only accept connections from a list of authorized MAC
  addresses. If you were granted access to this network in the past, then MAC
  address spoofing might prevent you from connecting to this network.

- **Using your own computer at home**. Your identity and the MAC address of your
  computer are already associated to this local network, so MAC address spoofing
  is probably useless. But if your local network has a restricted access based
  on MAC addresses it might be impossible to connect with a spoofed MAC address.

Other considerations
====================

- **Other means of surveillance** can reveal your geographical location: video
  surveillance, mobile phone activity, credit card transactions, social
  interactions, etc.

- When using **mobile phone connectivity**, such as 3G or GSM, the number of
  your SIM card (IMSI) and the serial number of your phone (IMEI) are always
  revealed to the phone network.