Opened 5 years ago

Last modified 19 months ago

#11096 assigned enhancement

Randomize MAC address before start of Tor

Reported by: csoghoian
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-security
Cc: gk
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I realize this is a tricky ask, as changing the MAC address of a computer requires root privileges. However, I think it is worth finding a suitable way of doing this.

Based on analysis of court documents and conversations with people in the government malware industry, it is my understanding that US government malware that has targeted Tor users (via TBB exploits) has specifically sought out the MAC address of the infected target's machine. Knowing the MAC address allows the government, at a later date, to verify that the machine they probed with their malware is the same device as the one they have seized through a raid of the person's home or office.

As long as the government is going to use the MAC address as a unique identifier, we might as well try to make it difficult for them.

Child Tickets

Change History (6)

comment:1 Changed 5 years ago by cypherpunks

Protecting against malware after it is already running on your system is very difficult and way out of Tor's scope. Also, most network cards don't support permanently changing your MAC (you can see this when you run macchanger, it shows your permanent MAC), so the malware could just read the permanent MAC anyway.

However, changing your MAC *is* good for preventing LAN adversaries from linking your presence/activity in different locations, and Tails can do this (and hopefully will do it by default soon): https://tails.boum.org/doc/advanced_topics/mac_changer/index.en.html

Non-Tails users who are worried about network adversaries linking their presence in multiple locations should be aware of #10969 (set of guard nodes can act as a linkability fingerprint) which is much more significant than the MAC address since the guard connections are visible to the user's ISP as opposed to just their LAN. (Tails doesn't use persistent guards (yet), so this isn't a problem there.)

comment:2 Changed 5 years ago by gk

Cc: gk added

comment:3 Changed 5 years ago by erinn

Keywords: needs-triage added

comment:4 Changed 3 years ago by nobody

Severity: Blocker

I do agree.

I always run:

macchanger -r --another eth0

Unfortunately if I forget to do so, or if the connection fails, the system takes the permanent MAC back.

Furthermore, it would be nice if the MAC were chosen from a good set, where by "good" I mean "compatible" with the used HW.

Ticket #10969 (an old one) says:
«It's well understood that your set of guard nodes can act as a fingerprint.»
Well, currently I always connect to the very same guard node (which is a safe one, btw).
Can anyone please clarify this point?

Nonetheless, maybe somebody is behind a router or a WAN, so even changing his local MAC wouldn't be enough to mask him...

comment:5 Changed 3 years ago by bugzilla

Component: changed from Applications/Tor bundles/installation to Applications/Tor Browser
Keywords: tbb-security added; needs-triage removed
Owner: changed from erinn to tbb-team
Severity: changed from Blocker to Normal
Status: changed from new to assigned

The meaningful part of this ticket is

TBB exploits

So, propose renaming it to something like "Investigate methods of hardening of Firefox to prevent MAC stealing".

comment:6 in reply to: 5 Changed 19 months ago by cypherpunks

Replying to bugzilla:

The meaningful part of this ticket is

TBB exploits

So, propose renaming it to something like "Investigate methods of hardening of Firefox to prevent MAC stealing".

This is not too difficult. A MAC address is obtained by using either an IOCTL (SIOCGIFHWADDR) or the NETLINK protocol (AF_NETLINK). Just blocking those syscalls when that argument is used should be sufficient, assuming other more obvious issues like arbitrary filesystem access or the ability to bypass Tor to phone home are mitigated.
