TAILS MAC Address Spoofing [Security Fix]

Originally created by @humanrightsdefender on #15208 (Redmine)

Hello!

As a human rights defender, my security is extremely important to me!

Tails currently has a problem with MAC spoofing: when you connect to a network, Tails exposes half of your permanent MAC address. In my opinion this is very serious, because if this bug is not fixed correctly, as I describe below, the issue gives law enforcement a very good idea of the permanent MAC address of a targeted individual who uses Tails on the same network a few times. The seizure of the device where Tails was used will be inevitable, considering that law enforcement or spy agencies already have half of your permanent MAC. In my case that can be fatal, and I believe that activists who use Tails must have a default configuration that spoofs and preserves a fully random MAC address.

This is how your MAC is partly exposed on the current and previous versions of Tails:

After boot (looks good until this point):

<code class="text">
amnesia@amnesia:~$ macchanger wlan0 -s
Current MAC: 4a:9b:c2:12:69:0c (unknown)
Permanent MAC: ae:fe:70:72:2a:1d (Intel Corporate)
</code>

After connecting to a network (the permanent MAC partly exposed):

<code class="text">
amnesia@amnesia:~$ macchanger wlan0 -s
Current MAC: ae:fe:70:d5:8d:49 (Intel Corporate)
Permanent MAC: ae:fe:70:72:2a:1d (Intel Corporate)
</code>

FIXING MAC SPOOFING ON TAILS

Edit /live/persistence/TailsData_unlocked/macchanger/spoof-mac.conf as follows:

<code class="text">
[device]
wifi.scan-rand-mac-address=yes

[connection]
wifi.cloned-mac-address=stable
ethernet.cloned-mac-address=stable
</code>

Then cp -avf /live/persistence/TailsData_unlocked/macchanger/spoof-mac.conf to /etc/NetworkManager/conf.d/spoof-mac.conf

Now let’s add the following line to /live/persistence/TailsData_unlocked/persistence.conf

<code class="text">
/etc/NetworkManager/conf.d source=macchanger
</code>

If you followed and saved everything, then you can reboot now.
That’s all! Now you have a spoofed, fully random MAC address which does not expose half of your permanent MAC and manufacturer!

Edited by humanrightsdefender
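
A way to check for the symptom reported in this issue, added here as an example and not part of the original post or of Tails: the script reads `macchanger -s` output and reports whether the current MAC still shares its first three octets (the vendor prefix) with the permanent one. The function names are hypothetical; the sample text is the output quoted in the issue.

```shell
#!/bin/sh
# Added example: classify how much of the permanent MAC is visible in the
# current MAC, given the text printed by `macchanger -s <iface>`.

# Print the address from the "Current MAC:" or "Permanent MAC:" line.
# $1 = label (Current or Permanent), stdin = macchanger output
mac_field() {
    awk -v label="$1" '$1 == label && $2 == "MAC:" { print tolower($3); exit }'
}

# True if $1 looks like a lowercase colon-separated 48-bit MAC address.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# stdin = macchanger -s output
# prints one of: identical | oui-exposed | randomized | parse-error
mac_exposure() {
    out=$(cat)
    cur=$(printf '%s\n' "$out" | mac_field Current)
    perm=$(printf '%s\n' "$out" | mac_field Permanent)
    is_mac "$cur" && is_mac "$perm" || { echo parse-error; return 0; }
    if [ "$cur" = "$perm" ]; then
        echo identical          # no spoofing at all
    elif [ "$(printf '%s' "$cur" | cut -d: -f1-3)" = \
           "$(printf '%s' "$perm" | cut -d: -f1-3)" ]; then
        echo oui-exposed        # vendor prefix (first half) still visible
    else
        echo randomized         # first three octets differ
    fi
}

# Sample input: the two outputs quoted in the issue above.
AFTER_BOOT='Current MAC: 4a:9b:c2:12:69:0c (unknown)
Permanent MAC: ae:fe:70:72:2a:1d (Intel Corporate)'
AFTER_CONNECT='Current MAC: ae:fe:70:d5:8d:49 (Intel Corporate)
Permanent MAC: ae:fe:70:72:2a:1d (Intel Corporate)'

printf 'after boot:    %s\n' "$(printf '%s\n' "$AFTER_BOOT" | mac_exposure)"
printf 'after connect: %s\n' "$(printf '%s\n' "$AFTER_CONNECT" | mac_exposure)"
```

On a live system the same check is `macchanger -s wlan0 | mac_exposure`, run once after boot and again after connecting.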