Commit a9e0e7bb authored by Tails developers's avatar Tails developers
Browse files

Rework the MAC spoofing documentation

parent 27f1906f
......@@ -70,5 +70,6 @@ Then click on the <span class="button">Forward</span> button.
Here is a list of options that you can set using <span class="application">Tails
- [[Set an administration password|administration_password]]
- [[Activate Windows Camouflage|windows_camouflage]]
\ No newline at end of file
- [[Administration password|administration_password]]
- [[Windows camouflage|windows_camouflage]]
- [[MAC address spoofing|mac_spoofing]]
[[!meta title="MAC address spoofing"]]
# Background
Every network device (wired, Wi-Fi/wireless, 3G/mobile) has a so
called [[!wikipedia MAC address]], which is a unique identifier used
to address them on the local network. Broadcasting a unique identifier
in this manner introduces a couple of potential privacy issues for
Tails users. Geographical location tracking is the main one;
observing a MAC address at a particular location and time ties the
corresponding device to the same location and time. If the real
identity of the device's owner is known, his or her movements can be
determined. To prevent this one can temporarily change the MAC address
to something random at each boot, which is referred to as "MAC address
As mentioned above, MAC addresses are normally only used on the
*local* network, and are not supposed to ever reach the Internet.
However, [[!wikipedia captive portals]] may send MAC addresses of
users accessing its services to authentication servers. In any case it
should be noted that the location tracking issue we are talking about
here ha no effect on Internet anonymity, like Tails' web-browser.
# When to keep MAC address spoofing enabled
Tails spoofs the MAC addresses of all network devices **by default**.
It can be disabled by unchecking the corresponding option in Tails
Greeter but in general it is beneficial (or of little or no
consequence) to keep it enabled even if one doesn't care about hiding
one's geographical location.
Here are a few examples of when you may want to leave this option
enabled in order to hide you geographical movement while using Tails:
* **Running Tails on your computer on an *open* public network**. With
an "open" public network we mean a network that doesn't require any
kind of registration (with you real identity) in order to access.
* **Running Tails on your computer at a friend's place**. This rule
also applies to "workplace", "school/university" or other locations
you have a strong relationship with. The relationship ties you to
the location any way but sometimes one may want to not be associated
to the place at a *particular* *time*, which makes keeping this
option enabled worthwhile.
# When to disable MAC address spoofing
In some situations MAC address spoofing won't add any benefits but
instead only cause suspicious network activity or connection
issues. Therefore, in the following situations we recommend disabling
this option:
* **Running Tails at home**. The deep association to the location
makes this essentially meaningless, and may cause connection issues
(some ISP-provided modems or routers restrict access based on MAC
* **Running Tails on a public computer**, like a library
computer. Since it's not your device, it's not associated to you
directly, so spoofing its MAC address is pointless. Not only that,
it can cause connection issues, or worse, attract suspicion from the
network administrators, so it should really be avoided.
* **Running Tails on your computer using a *restricted* public
network**. As opposed to an "open" public network, with "restricted"
we mean that real identity registration is required.
* **When you experience network issues** due to MAC address
restrictions on the network, or problems with your network devices
(or its driver). In this case MAC address spoofing simply isn't
available, so disabling it is the only way to get a working network
connect. However, disabling it brings back location tracking, so if
that is of importance the only option may be to either use a
different network device, or move to a location without MAC address
restrictions, depending on which of them that caused the issue.
# Other considerations
* We urge users to disable [[!wikipedia Intel AMT]] since it may leak
the *real* MAC address before Tails starts and is able to do
anything about it.
* If you have MAC address spoofing enabled and then reboot your
computer to another operating system (like Windows or Mac OS X) you
will give away your geographical location any way.
* Otherwise "open" public networks should perhaps be considered as
"restricted" in case heavy video surveillance (or similar) is
employed. Note that you may want to consider the memory of employees
or other regulars at the place as surveillance.
What are MAC addresses?
Every network card — wired or Wi-Fi — has a [[!wikipedia MAC address]] which is
a serial number defined for each card from factory by its vendor. MAC addresses
are used on the local network to identify the communications of each network
While your IP address identifies where you are on the Internet, your MAC address
identifies which device you are using on the local network. MAC addresses are
only useful on the local network and are usually not sent over the Internet.
Having such a unique identifier used on the local network can harm your privacy:
1. For example, if you use your laptop to connect to several Wi-Fi networks, the
same MAC address of your Wi-Fi card is used on all those local networks. Someone
observing those networks can recognize your MAC address and **track your
geographical location**.
2. Someone observing the traffic coming out of your computer on the local
network can probably **suspect you of being a Tails users**, as explained in our
documentation on [[network fingerprint|about/fingerprint]].
What is MAC address spoofing?
Tails can temporarily change the MAC address of your network cards to random
values for the time of a working session. This is what we call "MAC address
spoofing". MAC address spoofing hides the serial number of your network card,
and so to some extend, who you are, to the local network.
MAC address spoofing is enabled by default in Tails because it is usually
beneficial. But in some situations it might also cause connectivity problems or
suspicious network activity. This documentation explains whether to use MAC
spoofing or not, according to your situation.
When to keep MAC address spoofing enabled
**MAC address spoofing is enabled by default for all network cards.** This is
usually beneficial, even if you don't want to hide your geographical location.
Here are a few examples:
* **Using your own computer on an public network without registration**, for
example a free Wi-Fi in an airport where you don't need to register with your
identity. In this case, MAC address spoofing hides the fact that your computer
is connected to this network.
* **Using your own computer on a network that you use frequently**, for example
at a friend's place, at work, at university, etc. You already have a strong
relationship with this place but MAC address spoofing hides the fact that your
computer is connected to this network *at a particular time*. It also hides
the fact that you are the one running Tails on this network.
When to disable MAC address spoofing
In some situations MAC address spoofing is not useful but can instead be
problematic. In such cases, you might want to disable MAC address spoofing from
<span class="application">[[Tails Greeter|startup_options#greeter]]</span>.
Note that even if MAC spoofing is disabled, your anonymity on Internet is
preserved: an adversary on the local network can only see encrypted connections
to the Tor network.
However, disabling MAC address spoofing makes it possible again for the local
network to track your geographical location. If this is problematic, consider
using a different network device or moving to another network.
Here are a few examples:
- **Using a public computer**, for example in an Internet café or a library.
This computer is regularly used on this local network, and its MAC address is
not associated with your identity. In this case, MAC address spoofing can make
it impossible to connect. It can even **look suspicious** to the network
administrators to have an unknown MAC address used on that network.
- **Using your own computer on a restricted network** where you had to register
with your identity or credit card. In this case, you already revealed your
geographical location to the local network by other means.
- **MAC address spoofing is impossible on your network card** due to a
limitation in your hardware or its drivers. In this case, Tails temporarily
disables your network card.
- **MAC address spoofing makes it impossible to connect to a network**. Some
local networks only accept connections from a list of authorized MAC
addresses. If you were granted access to this network in the past, then MAC
address spoofing might prevent you from connecting to this network.
- **Using your own computer at home**. Your identity and the MAC address of your
computer are already associated to this local network, so MAC address spoofing
is probably useless. But if your local network has a restricted access based
on MAC addresses it might be impossible to connect with a spoofed MAC address.
Other considerations
- We recommend you to **disable [[!wikipedia Intel AMT]]** because it might
reveal your MAC address before Tails starts and enables MAC address spoofing.
XXX How do I know I have Intel AMT? XXX How do I do that? XXX
- **Other means of surveillance** can reveal your geographical location: video
surveillance, mobile phone activity, credit card transactions, social
interactions, etc.
- As mentioned above, MAC addresses are normally only used on the local network,
and are not supposed to be sent over the Internet. However, some
**[[!wikipedia captive portals]]** might send your MAC address over the
Internet to authentication servers.
- When using **mobile phone connectivity**, such as 3G or GSM, the number of
your SIM card (IMSI) and the serial number of your phone (IMEI) are always
revealed to the phone network.
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment