WiFi Privacy network experiment at IETF91

What is the trial about?

As part of the Internet Privacy efforts in coordination between IAB/IESG and IEEE802, we are performing a trial to randomise the MAC address of some users' Wi-Fi devices. Instructions on how to participate in this trial are described below.

Trial participation instructions

We need your help to make this a successful experiment!

We need some information to gather statistics from the experiment and also to be able to contact you in case we see an unexpected behaviour. If you want to participate in the trial, please do the following:

Linux (tested on Debian testing/unstable, Ubuntu 13.10*, and Fedora 20)

The following instructions make the GNU/Linux Network Manager automatically use a random MAC address whenever a new WLAN connection is established.

In addition to the Network Manager, you need to install the macchanger tool, included in most package repositories.

Once installed, download the following script-1, copy it to /etc/NetworkManager/dispatcher.d/random_wlan_mac (note that you need root permissions to do that) and make it executable. There are three variables at the beginning of the script that you need to check against your system (although the default values should be fine in most cases): WLANIFACE (should match your system’s wireless interface), MACCHANGER (should match the path to the macchanger tool) and LOGFILE (path to the file where tool logs are saved).

Edit the file /etc/dhcp/dhclient.conf and add or modify the dhcp-client-identifier parameter. This specifies either an NVT ASCII string enclosed in double quotes, or a series of octets specified in hexadecimal, separated by colons. Please use a value that is likely to be unique among all the participants of the trial (e.g., avoid using “test”). Some examples are included below:

send dhcp-client-identifier = 1:0:a0:24:ab:fb:9c;
send dhcp-client-identifier = "Luke Skywalker";

Download this script-2 and save it to your filesystem. Check that the first two variables defined at the beginning of the file match your system’s configuration. Execute the script with superuser privileges and keep it running for as long as you want to participate in this trial.

*Note: The process was also tested on Ubuntu 12.04, 14.04 and 14.10. On these platforms, the MAC randomization works properly only if the WiFi networking is first completely disabled and then re-enabled from the Network Manager's applet. On the other platforms, the MAC randomization takes place by simply picking a new WLAN from the Network Manager applet, or by clicking on the “disconnect” button.
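A sketch of a NetworkManager dispatcher hook of the kind described above, added here as an illustration; it is not the trial's script-1. The variable names WLANIFACE, MACCHANGER and LOGFILE come from the page, while the wlan0 and /usr/bin/macchanger defaults and the function names log and handle_event are assumptions.

```shell
#!/bin/sh
# Added sketch of a NetworkManager dispatcher hook. NOT the trial's script-1.
# NetworkManager runs dispatcher scripts with $1 = interface, $2 = action.

# Variable names follow the page; the defaults here are assumptions,
# except LOGFILE, which is the path the page's FAQ mentions.
WLANIFACE="${WLANIFACE:-wlan0}"
MACCHANGER="${MACCHANGER:-/usr/bin/macchanger}"
LOGFILE="${LOGFILE:-/var/log/random_wlan_mac.log}"

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOGFILE"
}

# handle_event IFACE ACTION (hypothetical name): act only when the configured
# wireless interface goes "down", so the next connection uses a new address.
handle_event() {
    iface=$1
    action=$2
    [ "$iface" = "$WLANIFACE" ] || return 0
    [ "$action" = "down" ] || return 0
    if ! command -v "$MACCHANGER" >/dev/null 2>&1; then
        log "ERROR: $MACCHANGER not found or not executable"
        return 1
    fi
    # macchanger -r assigns a fully random MAC address to the interface.
    if out=$("$MACCHANGER" -r "$iface" 2>&1); then
        log "$iface: $(printf '%s' "$out" | tr '\n' ' ')"
    else
        log "ERROR: macchanger failed on $iface: $out"
        return 1
    fi
}

if [ $# -ge 2 ]; then
    handle_event "$1" "$2"
fi
```

Every outcome is written to LOGFILE, so a macchanger failure shows up there rather than silently leaving the old address in place.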

Mac OS X (tested on Version 10.10, alias Yosemite)

Open a terminal and execute the following sequence of commands every time you want to connect to a WiFi Network:

MAC_ADDR=`openssl rand -hex 6 | sed 's/\(..\)/:\1/g;s/^.\(.\)[0-3]/\12/;s/^.\(.\)[4-7]/\16/; s/^.\(.\)[89ab]/\1a/;s/^.\(.\)[cdef]/\1e/'`; sudo ifconfig <WLANIFACE> ether $MAC_ADDR; networksetup -setairportnetwork <WLANIFACE> <ESSID> <WiFi KEY>; echo $MAC_ADDR >> <PATH_TO_LOGFILE>

Note that you have to specify the name of your wireless interface (usually en0), the ESSID of the wireless network (ietf-PrivRandMAC) and the WiFi key (ietf-priv). You also have to specify the path to a log file in which the randomized MAC addresses are saved.
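What the sed expression in the command above does to the first octet, as an added example that is not part of the original instructions. The function names fix_mac, is_local_unicast and random_mac are hypothetical, and od on /dev/urandom stands in for openssl rand -hex 6 so the block runs without OpenSSL.

```shell
#!/bin/sh
# Added example, not from the trial page. Function names are hypothetical.

# The page's sed program, unchanged: insert colons, drop the leading colon and
# force the second hex digit of the first octet to 2, 6, a or e. The two high
# bits of that digit are kept, so 46 of the 48 bits stay random.
fix_mac() {
    printf '%s\n' "$1" | sed 's/\(..\)/:\1/g;s/^.\(.\)[0-3]/\12/;s/^.\(.\)[4-7]/\16/; s/^.\(.\)[89ab]/\1a/;s/^.\(.\)[cdef]/\1e/'
}

# True when bit 0 of the first octet is clear (unicast) and bit 1 is set
# (locally administered), i.e. (octet & 3) == 2.
is_local_unicast() {
    first=$(( 0x${1%%:*} ))
    [ $(( first & 3 )) -eq 2 ]
}

# Assumption: od on /dev/urandom replaces `openssl rand -hex 6` from the page.
random_mac() {
    fix_mac "$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')"
}

# Constructed inputs, one per branch of the sed program.
for hex in 000000000000 a5bbccddeeff 3b0102030405 ffffffffffff; do
    mac=$(fix_mac "$hex")
    if is_local_unicast "$mac"; then
        verdict="local unicast"
    else
        verdict="NOT local unicast"
    fi
    printf '%s -> %s (%s)\n' "$hex" "$mac" "$verdict"
done
printf 'random: %s\n' "$(random_mac)"
```

An address that fails is_local_unicast either collides with the vendor-assigned (globally unique) space or is a multicast address, which an interface cannot use as its own source address.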

You need to select and use a DHCP client identifier that is likely to be unique among all the participants of the trial (e.g., avoid using “test”). To do so, open System Preferences and open Network. Then click on the Wireless interface on the left to highlight it and click Advanced at the lower right. Click the TCP/IP tab. Locate the DHCP Client ID area and type in the name you want. Click OK, then click Apply.

Windows (tested on Windows 7)

For changing the MAC address in Windows you need to download a script and run it in PowerShell (Windows 7 and PowerShell 2.0 or later versions are required). The script can be found here. Download the scripts file and look in the Day4-IPSec/Wireless-RADIUS folder for the script named New-MACaddress.ps1.

Run PowerShell as administrator and execute the script:

PS C:\TEMP> .\New-MACaddress.ps1 -Wireless

If there are multiple network interfaces (NICs), you will get a prompt asking which card's MAC address to change. After you confirm the NIC (if there are many), the script will change the address and reload the driver. The process can take several seconds. To delete the registry value for the custom MAC address so that the built-in MAC of the NIC will be used instead (revert to factory default), replace the -Wireless switch with -resetdefault. More information about the scripts and the files can be found in Jason Fossen’s blog.

You need to select and use a DHCP client identifier that is likely to be unique among all the participants of the trial (e.g., avoid using “test”). To do so, type the following in the command window:

C:\>ipconfig /setclassid "Wireless Network Connection" MyNewDhcpID

If there are multiple wireless interfaces you might need to change the name of the Wireless Network Connection interface (NIC) you want to use. You can confirm the DHCP client ID (DHCPv4 Class ID) settings and NIC name by typing:

C:\>ipconfig /all

Troubleshooting/FAQ

macchanger is available in the package repositories of most GNU/Linux distributions. For .deb based systems you can install it by typing:

sudo apt-get install macchanger

while in .rpm based systems the command is:

sudo yum install macchanger

If your system does not support the sudo utility, log in as root and type the commands without the sudo keyword. If macchanger is not available in your repository, you can proceed to the manual installation after downloading the sources available here.

The script works in the background with no need to be manually executed by the user. The script detects that a WLAN connection went “down” and generates a random MAC address for the specified interface that will be used for next operations and connections. A connection goes “down” when, from the Network Manager applet, the user clicks on the “disconnect” button, or while connected to a WLAN the user switches to a new one, or when the WiFi networking is disabled.

The script-1 for GNU/Linux apparently does not work

Check the owner and permissions of script-1, which must belong to and be executed by root:

-rwxr-xr-x 1 root root /etc/NetworkManager/dispatcher.d/random_wlan_mac

First check if the variables defined in the script's header are ok, then check the log file /var/log/random_wlan_mac.log (or the file you specified for logging) for possible errors. It is likely that macchanger is not properly executed.

The script must be manually executed by root or a user with superuser permissions. The script runs in a terminal polling the system's connections. While the WLAN is disconnected the script periodically changes the WLAN interface's MAC address.

Make sure you run it as root or with sudo. The script prints its log in the terminal where it is executed so that the user can quickly see what is going on. If the problem is related to the nmcli utility, check if Network Manager is installed in your system and then the syntax of the nmcli command specific for your system to check the status of the system's interfaces.

Contact Info

More information about the IEEE 802 Privacy group and instructions about how to join the discussion list can be found at the IEEE 802 Privacy SG site:

http://www.ieee802.org/PrivRecsg/

If you need more information about the trial during IETF 91 you can send an email to ietf91-mac-privacy@ietf.org or contact Juan Carlos Zuniga at j.c.zuniga@ieee.org.