<!--
Copyright:

   {{project_name_long}} MAC Address wiki page Copyright (C) Amnesia <amnesia at boum dot org>
   {{project_name_short}} MAC Address wiki page Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to:

    Free Software Foundation, Inc.
    51 Franklin St, Fifth Floor
    Boston, MA 02110-1301, USA.

On Debian GNU/Linux systems, the complete text of the GNU General Public
License can be found in the /usr/share/common-licenses' directory.

The complete text of the GNU General Public License can also be found online on gnu.org <https://www.gnu.org/licenses/gpl.html>, in {{project_name_short}} virtual machine images in /usr/share/common-licenses/GPL-3 file or on Github <https://github.com/{{project_name_short}}/derivative-maker/blob/master/GPLv3>.
-->
<!--
The {{project_name_short}} MAC Address wiki page is forked from the Tails Enable MAC Changer page, from this exact source <https://git.immerda.ch/?p=amnesia.git;a=blob;f=wiki/src/doc/advanced_topics/mac_changer.mdwn;hb=770c6f26f8dcd06452fef1c57dafb2878e0dee11> and on the Tails macchanger page from this exact source <https://git.immerda.ch/?p=amnesia.git;a=blob;f=wiki/src/todo/macchanger.mdwn;hb=f27853e23d7985594d54f00f30153b6acd97312e>.
-->
{{Header}}
{{#seo:
|description=MAC Address Spoofing and Tracking Threats
|image=MACaddress2131.jpg
}}
[[File:MACaddress2131.jpg|thumb]]
{{intro|
MAC Address Spoofing and Tracking Threats
}}

= MAC Address Documentation =

{{upstream_wiki}}

== Auto-connect Risk ==

Beyond the challenge of generating an appropriate spoofed MAC address, there are technical hurdles related to preventing automatic network connections.

A spoofed MAC address is ineffective if the computer automatically connects to a public network after booting, thereby exposing the real MAC address:

* <u>Physical Isolation:</u> {{project_name_gateway_long}} automatically connects to Tor upon startup.
* <u>USB Wi-Fi Device:</u> Automatic connections may occur depending on the configuration.
* <u>VM Users:</u> The host operating system is likely to automatically connect to the internet for updates, time synchronization, or other background services.

= Other Location Tracking Risks =

== Tor Entry Guard Fingerprinting ==

Addressing MAC address concerns is only one part of a broader location tracking problem. Users must also consider how Tor entry guards are used across different locations to avoid guard fingerprinting. To mitigate this risk, follow <u>one</u> of the [[Tor_Entry_Guards#Mitigate_the_Threat_of_Guard_Fingerprinting|recommended configurations]]:

# [[Tor_Entry_Guards#Clone_Whonix-Gateway_(sys-whonix)_with_New_Entry_Guards|Clone {{project_name_gateway_short}} ({{project_name_gateway_vm}}) with New Entry Guards]].
# [[Tor_Entry_Guards#Regenerate_the_Tor_State_After_Saving_the_Tor_State_Folder|Regenerate the Tor State File after Saving the Current Tor State]].
# Configure Tor to use [[Tor_Entry_Guards#Alternating_Bridges|Alternating Bridges]].
# If relocating permanently, create [[Tor_Entry_Guards#Fresh_Tor_Entry_Guards_by_Regenerating_the_Tor_State_File|Fresh Tor Entry Guards by Regenerating the Tor State File]].

To fully mitigate this threat, entry guard changes must be applied to every Tor instance on both the host (e.g., apt-transport-tor) and guest systems.

= Using Personal Computers in a Public Network =

{{mbox
| type      = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = This applies to using a personal laptop, desktop, or any other internet-facing device in a public network.
}}

In this scenario, the MAC address <u>must</u> be changed, and a [[Tor_Entry_Guards#Mitigate_the_Threat_of_Guard_Fingerprinting|new set of Tor entry guards]] should be configured. <ref>This process involves removing the ''/var/lib/tor/state'' file.</ref> Additionally, efforts should be made to obscure Tor usage from the network administrator. Depending on the user's setup, this may involve using an obfsproxy bridge or tunneling traffic through [[Tunnels/Connecting_to_SSH_before_Tor|SSH]] or a [[Tunnels/Connecting_to_a_VPN_before_Tor|VPN]] before connecting to the Tor network.

Depending on the threat model, changing the MAC address and using Tor may prevent revisiting the public network. If reuse is needed, the user must choose between keeping the same MAC address and Tor entry guards or generating new ones.

If the network administrator is suspected of logging MAC addresses, changing the MAC may arouse suspicion. Conversely, if the network is sufficiently public and individual observation is unlikely, it may be safe to use a new MAC address each time -- one that features a popular vendor ID and a random second part.

For further discussion on this complex topic, see [[Dev/MAC]].

= Changing MAC Addresses =

== Whonix ==

'''TODO: Please help test and improve these instructions.'''

{{Box|text=
'''1.''' Edit the network interfaces file.

* Standard-[[Download|{{project_name_short}}]]-Version (VM) users: Edit ''/etc/network/interfaces'' on the host.
* [[Dev/Build_Documentation/Physical_Isolation|Physical Isolation]] users: Edit ''/etc/network/interfaces'' on {{project_name_gateway_short}}.

'''2.''' Install macchanger.

In a terminal, run:

{{CodeSelect|code=
su
}}

{{CodeSelect|code=
apt update && apt install macchanger
}}

'''3.''' Change the MAC address.

{{mbox
| type      = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = The following steps manually change the MAC address for a device. An example is provided for a wireless device (<code>wlan0</code>). Replace <code>wlan0</code> with the appropriate device, such as an ethernet device (<code>eth0</code>).
}}

{{CodeSelect|code=
su
}}

{{CodeSelect|code=
ifconfig wlan0 down
}}

{{CodeSelect|code=
macchanger -a wlan0
}}

{{CodeSelect|code=
ifconfig wlan0 up
}}

If the steps above do not work, the following method might work without macchanger. Replace <code>wlan0</code> with the correct device name.

{{CodeSelect|code=
su
}}

{{CodeSelect|code=
ifconfig wlan0 down
}}

{{CodeSelect|code=
ifconfig wlan0 hw ether 00:AA:BB:CC:DD:EE
}}

{{CodeSelect|code=
ifconfig wlan0 up
}}

Alternatively, use iproute2 commands to change the MAC address.

{{CodeSelect|code=
ip link set down wlan0
}}

{{CodeSelect|code=
ip link set wlan0 address 00:AA:BB:CC:DD:EE
}}

{{CodeSelect|code=
ip link set up wlan0
}}

'''4.''' Complete the MAC address change.

Below <code>iface eth0 inet dhcp</code>, add:

{{CodeSelect|code=
hwaddress ether 00:00....
}}

'''5.''' ''Optional:'' Automatically randomize the MAC address on boot.

To enable this, add:

{{CodeSelect|code=
pre-up macchanger -e eth0
}}

'''6.''' Modify network interface settings.

To prevent new network interfaces from being automatically activated, comment out the following line:

{{CodeSelect|code=
auto eth0
}}

Then, configure manual activation with:

{{CodeSelect|code=
sudo ifup eth0
}}
}}

= References =
{{reflist|close=1}}

= License =
{{License_Amnesia|{{FULLPAGENAME}}}}

{{Footer}}

[[Category:Documentation]]