NOTE: You may want to turn off full MAC randomization

MAC addresses are used in dynamic local networks (LANs, WLAN/Wifi networks) to know who is who.

They are useful and essential to how all that currently works.

BUT by default they are unique and a fixed number inside the device. This is called a "device MAC".

Using this, just like any Windows PC or Android phone, has big privacy implications, as your movements can be tracked across Wifi networks if, for example, malicious actors install multiple networks or monitor multiple ones.

That is why GrapheneOS, and Fedora Linux now too, use randomized MAC addresses, which are not the device MAC. But they are different ones:

  • static randomized: Your device uses a single randomized MAC per Wifi network and keeps using that. Fedora does this by default, and GrapheneOS has an option for it.
  • fully randomized: Your device uses a new MAC for every connection, no matter the Wifi network. GrapheneOS uses this by default.

While the second option is very private (and can possibly protect against attacks where Wifi networks use a different Name/SSID to catch a MAC?) it has 2 implications:

  • some home routers may struggle if you connect with a new MAC every time. They try to store all those "devices", may get slow, and other devices like mesh repeaters may fail to connect. I had this one.
  • you may not be able to use public Wifis, because your device needs to log in at every new node. This is relevant for networks like public transport, where at every stop there is a new node. If you use the same MAC, login works automatically. This means you can avoid using cell data / turning off airplane mode, which is a huge privacy improvement.

In both cases, switching certain networks to "static randomized MACs" can have important benefits. I advise you to look if this applies to you.

In my case I can now rely more on public Wifis and keep airplane mode on. Cell connections allow providers to track your device, often linked to a name (required for SIM registration), and the phone network is pretty insecure too.

    missing-root A name is not always required for SIM registration. It is not uncommon, country dependent, to be able to walk into a supermarket and buy one with cash, and top it up with cash. That is certainly the case in the UK. You should state location when making such inclusive statements.

      I did this for a hotel stay which only allowed a limited number of devices to connect. With randomized MAC, each connection is a "device." Helpfully, you can adjust these settings on a per network basis without changing your default.

      a month later

      I set my home router to disallow new connections to the main WiFi network for security reasons. I need to disable this setting manually to allow new connections. This led to issues with GrapheneOS because it kept registering to the router as a new device because of the MAC randomization.

      I solved this issue by connecting the phone to the guest network and keeping a Wireguard connection to the home network open. I would love to have an option to set a static MAC for trusted networks.

        DeletedUser88 it doesn't really matter if you use it only in your home network. It's still a unique MAC used in no other network. This would only be a problem if physical security was involved.

        CuriousFox

        There are 3 options; either "per network randomized mac" or "per device mac" will use a single MAC on a single router.

        Xtreix I'm seeing a lot of stuff in there about privacy, but not much about security. The mobile network making location tracking easy is a problem for privacy, but bad privacy doesn't mean insecure.

        Insecure protocols don't mean you're putting yourself at risk whenever you use them. Insecure protocols in this case means nothing is stopping a third party from being able to view the data being transmitted, and potentially interfering with it. This is explained in the FAQ article you link, and the same risks apply when connecting to a wifi network not owned by you. As is explained in that same article, simply using HTTPS is enough to avoid that problem. For anything else (old apps or websites that never upgraded to using encrypted communications), use a VPN like you would on any untrusted network.

        It should be noted that using a VPN for unencrypted communications means you'll be trusting the VPN provider with your unencrypted data instead, so you might prefer to avoid apps or websites that don't do encryption instead.

        If you live in a country where you really can't afford to have your location tracked, then yeah, the cellular network would be a security risk. But otherwise it would be nice if people stopped equating privacy with security. We can't come up with the right solutions to problems unless we properly differentiate the two (or you end up with garbage like Librewolf and Ungoogled Chromium claiming to be more secure browsers...)

          2 months later

          Ammako I may be wrong, but I don't think Graphene would have an option to only allow LTE for reducing attack surface if it was secure. Historically it was used to attack a lot of devices with NSO software etc.

          missing-root back in the day, anti cheat companies used to serve bans to hackers and cheaters in certain video games based off MAC address. It was referred to as a Hardware ban.

          Sucked to see that as a pre-teenager, knowing you could never play that game ever again.

          CuriousFox In Settings > Network and Internet > Internet > Saved networks > click on the Wi-Fi network you want to change > Privacy > select "Use per-network randomized MAC".

            Ammako Cellular networks are neither secure nor private. There is abundant scientific literature on the topic.

            missing-root This might have solved the weirdest WiFi issue I was having. Even with Cisco hardware (admittedly old). Why would the WiFi controller store all the MAC addresses for old sessions? Never would have guessed.

              Carpool7341 Cisco hardware

              Can you feel the pain already?

              Jokes aside, hardware, especially when it's a little older, doesn't know the concept of MAC randomization. Some (most) DHCP implementations use MAC addresses to recognize devices, so that they can reserve an IP per device. This of course leads to DHCP pool flooding/DHCP starvation, where the whole address pool gets eaten up by "dead" leases. Especially with longer lease times, this can lead to constant issues.
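The router-side symptom described in the first post (routers storing a new "device" per connection) and in the last reply (dead leases eating the DHCP pool) can be checked from the lease table. Below is an added example, not code from the thread or from GrapheneOS: it parses a dnsmasq-style leases file and reports how much of the pool is held by locally administered (i.e. randomized) MACs and which hostnames keep reappearing under fresh MACs. The leases, the pool range and the per-host threshold are constructed assumptions.

```python
"""Spot DHCP lease churn caused by per-connection MAC randomization.

Parses a dnsmasq-style leases file (one lease per line:
<expiry-epoch> <mac> <ip> <hostname> <client-id>). A randomized MAC has
the locally administered bit (bit 1 of the first octet) set, so it can
be told apart from a burned-in device MAC without any vendor lookup.
"""
from collections import Counter
from ipaddress import ip_address

# Constructed sample lease table, not a real capture. "android-1" has
# connected four times with four different randomized MACs.
SAMPLE_LEASES = """\
1700000000 3c:22:fb:11:22:33 192.168.1.10 desk-pc 01:3c:22:fb:11:22:33
1700000100 da:4f:19:8e:00:01 192.168.1.11 android-1 01:da:4f:19:8e:00:01
1700000200 a6:77:00:13:9c:55 192.168.1.12 android-1 01:a6:77:00:13:9c:55
1700000300 6e:13:55:ab:cd:ef 192.168.1.13 android-1 01:6e:13:55:ab:cd:ef
1700000400 f2:00:aa:bb:cc:dd 192.168.1.14 android-1 01:f2:00:aa:bb:cc:dd
1700000500 b8:27:eb:01:02:03 192.168.1.15 mesh-node 01:b8:27:eb:01:02:03
"""

def is_locally_administered(mac: str) -> bool:
    """True when bit 1 of the first octet is set (randomized/local MAC)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def parse_leases(text: str) -> list[dict]:
    """Parse lease lines; malformed or blank lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        expiry, mac, ip, host = parts[0], parts[1].lower(), parts[2], parts[3]
        leases.append({"expiry": int(expiry), "mac": mac, "ip": ip,
                       "host": host, "randomized": is_locally_administered(mac)})
    return leases

def lease_report(text: str, pool_start: str, pool_end: str,
                 host_threshold: int = 3) -> dict:
    """Summarise pool usage and flag hosts holding many randomized leases."""
    leases = parse_leases(text)
    pool_size = int(ip_address(pool_end)) - int(ip_address(pool_start)) + 1
    randomized = [l for l in leases if l["randomized"]]
    per_host = Counter(l["host"] for l in randomized)
    churners = sorted(h for h, n in per_host.items() if n >= host_threshold)
    return {"pool_size": pool_size, "leases": len(leases),
            "randomized": len(randomized),
            "pool_used_pct": round(100 * len(leases) / pool_size, 1),
            "churning_hosts": churners}
```

A host listed under `churning_hosts` is a candidate for switching that network to per-network randomized MAC on the client, or for a shorter lease time on the router.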