Re: [Tails-dev] Improve MAC Spoofing in Tails for Better Ano…

Author: Shinz39
Date:  
To: tails-dev@boum.org
Subject: Re: [Tails-dev] Improve MAC Spoofing in Tails for Better Anonymity
In Tails, the effort to hide the device’s hostname (by omitting DHCP Option 12) is a key step in reducing the chance of fingerprinting. The hostname is typically a unique identifier that can be used to track a device across different networks. By omitting the hostname, Tails ensures that this piece of information is not easily tied back to a specific user. However, this action inadvertently makes the device more recognizable, because most devices do broadcast the hostname.

This makes you more unique in logs, since all one has to do is look at all devices connected or connecting that don't have a hostname. Then the fact that they all have the same OUI makes it trivial to identify. One could easily see it's the same device connecting on either a home network or public Wi-Fi, since looking at logs you could narrow it down to devices with no hostname and the same OUI.

This feels like an inconsistency in the current privacy measures, since the goal of Tails is to minimize the amount of unique identifying information that a device broadcasts. If you’re going through the effort of hiding the hostname (which is amnesia, which is also unique), it’s inconsistent to leave the OUI exposed. This creates an anomaly in the device’s behavior: you're concealing one identifier, yet still broadcasting another identifier (OUI) that is often tied to the physical hardware vendor. If your intent is to increase privacy, exposing the OUI contradicts this effort, as it makes the device identifiable in certain circumstances. In a worst-case scenario, this could lead to the de-anonymization of the user, as it becomes easier to link the same device across different locations.

Given this issue, it would make sense to fully randomize the MAC address. If the goal is to anonymize the device, why not take the extra step to ensure that the OUI is also randomized? This would eliminate the possibility of an observer correlating the MAC address with a specific manufacturer, thus protecting against the leakage of identifying information.

Moreover, if Tails were to fully randomize the full MAC address, it might want to add a check that the OUI is not the same as all looped-through interface names, to avoid leaking that also, possibly the same as the NIC check functionality that currently exists.

To my knowledge, to be fair, when I looked with Wireshark I didn't see certain DHCP options that could be fingerprinted other than DHCP option 55 (Parameter Request List) and 61 (OUI in Client Identifier). Since NetworkManager is set to use Internal, it could be seen as, or rather fingerprinted as, Linux, which is specific, as I recall the length is the same and the number order is also. I don't know if this is ideal, but maybe it could be looked into, or if someone knows exactly whether what I'm about to say is correct, which is maybe looking into low-level DHCP spoofing? Android/Windows sends a custom Vendor Class Identifier (option 60) and Parameter Request List (option 55). I know you can set the Vendor Class Identifier in NetworkManager, but I'm not quite sure you can set option 55? However, I do recall reading you could set the Parameter Request List with dhcpd, which I do believe Android uses.

In closing thoughts, or summary, I would say if Tails is already gonna go out of its way to hide the hostname (amnesia), then it would make sense to also hide the OUI part of the MAC address with full MAC spoofing. I think trying to blend in with other DHCP clients might be too hard to do or require constant updates. I just thought I would mention it, as many may not know about DHCP fingerprinting, which Tails does a good job of avoiding, but it should hide the OUI in option 61 (MAC address) being sent.

Thanks,
Shinz
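
Added example, not part of the original message and not Tails code: a Python sketch that parses the options field of a DHCP request and reports the fields the message discusses (options 12, 55, 60, 61 and the OUI carried in option 61), so you can audit what your own client sends. The sample bytes, the placeholder OUI 00:11:22 and all function names are constructed for illustration.

```python
# Constructed sample option fields (bytes after the DHCP magic cookie), not captured traffic.
# First keeps a vendor OUI (placeholder 00:11:22); second uses a locally administered MAC.
SAMPLE_VENDOR_OUI = bytes.fromhex("350101 3d0701001122aabbcc 370401 03060f ff")
SAMPLE_RANDOM_MAC = bytes.fromhex("350101 3d070102a1b2c3d4e5 370401 03060f ff")

def parse_dhcp_options(data: bytes) -> dict:
    """Walk the options field as code/length/value records (RFC 2132 layout)."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:              # End option
            break
        if code == 0:                # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value
        i += 2 + length
    return opts

def fingerprint(options: bytes) -> dict:
    """Report the identifying fields named in the message above."""
    opts = parse_dhcp_options(options)
    report = {
        "hostname": opts[12].decode("ascii", "replace") if 12 in opts else None,
        "param_request_list": list(opts.get(55, b"")),   # order is part of the fingerprint
        "vendor_class": opts[60].decode("ascii", "replace") if 60 in opts else None,
        "client_id_oui": None,
        "locally_administered": None,
    }
    cid = opts.get(61)
    # Client identifier: hardware type 0x01 (Ethernet) followed by the 6-byte MAC.
    if cid and len(cid) == 7 and cid[0] == 1:
        mac = cid[1:]
        report["client_id_oui"] = mac[:3].hex(":")
        # Bit 0x02 of the first octet marks a locally administered (non-vendor) address.
        report["locally_administered"] = bool(mac[0] & 0x02)
    return report

if __name__ == "__main__":
    for name, sample in (("vendor OUI", SAMPLE_VENDOR_OUI), ("random MAC", SAMPLE_RANDOM_MAC)):
        print(name, fingerprint(sample))
```
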