13

Since it is possible to set custom MAC addresses, wouldn't it make sense to have a new one as often as possible/convenient (i.e. on bootup)?

It would seem that this is useful to both attacker and victim (harder to log, fewer problems with undirected attacks). Is that the case? If it is, why isn't everyone doing it?

Thomas Pornin
McEnroe

8 Answers

18

MAC addresses are link-local only. Most attacks don't (have to) come from the same subnet, so most rely on higher-layer addressing. Changing your MAC address does little to hide you.

There are a variety of problems with changing your MAC address often. One, off the top of my head, would be that DHCP reservations wouldn't work. It could be marginally less efficient for switches. Also, it makes troubleshooting marginally more difficult; the first 24 bits of your MAC address identify the hardware vendor, and programs like Wireshark helpfully decode this into a friendly name. That would be nonsense for a random address.

Attackers may want to change their MAC addresses, but that's a very different (and very specialized) circumstance.

But mostly, I just don't think it's that useful.

Steve Dispensa
  • I see. I'm in a university setting and every single student has a laptop, so there are quite a few clients on the same subnet. I was thinking that attackers could build up databases of students and uniquely identify them. Wouldn't random MACs make this harder? – McEnroe Sep 06 '11 at 03:36
  • The point is that nobody attacks you by MAC address; they're all attacking you by IP address or (likely) something else. As soon as your computer boots and gratuitous ARPs, they'll know you're there. – Steve Dispensa Sep 06 '11 at 03:38
  • Yes, I can see that in an attack setting. I don't quite understand it in a tracking/information-gathering setting yet: if the computer keeps on changing its MAC, DHCP (let's say it gives out quasi-static IPs) will likely keep giving new ones. That would make unique identification harder, wouldn't it? – McEnroe Sep 06 '11 at 03:43
  • Hypothetical local attackers are probably port-scanning indiscriminately and stumbling on you, or maybe watching for your traffic. Other attackers -- the common ones -- are using your e-mail and browsing (cookies, etc.) to target you. But you're right that there may be some benefit to randomizing your IP address, and if randomizing your MAC address causes DHCP servers to hand you random IPs, then I can sort of see it. I still don't think it's super important, though: if you're targeted, there are plenty of other ways to find you, and if you aren't, your address doesn't matter anyway. – Steve Dispensa Sep 06 '11 at 04:58
  • -1. What Rory McCune said below. Some operating systems that support IPv6 (say, OpenBSD) also have support for randomizing the hardware address of network cards. – Alex Holst Sep 06 '11 at 19:40
  • OK, fair point; my thoughts here were really limited to IPv4. I had the sense that that's what the questioner had in mind, but on re-reading it, it might not have been. – Steve Dispensa Sep 06 '11 at 19:54
15

MAC addresses are supposed to be unique worldwide, so that no two devices use the same MAC address. This matters when several devices are on the same link: if two devices have the same MAC address, things do not work well at all, in a hard-to-diagnose way. It is possible to force that by changing your MAC address, but then you did it on purpose; with a random MAC address, "normal users" may encounter trouble.

So randomizing the MAC looks like a bad idea, on the usability side of things. On the other hand, the security benefit of a random MAC address looks slight, at best. There might be a very small privacy benefit, but most security issues are not privacy issues, and your OS and Web browser broadcast a lot of data which uniquely identifies you besides the MAC address anyway.

Thomas Pornin
  • Yes, as someone who has TWICE now had to deal with duplicate MACs on the same network segment (once a duplicate from the manufacturer, the second time a user did it to himself), PLEASE don't change your MAC addresses! – Brian Knoblauch Sep 06 '11 at 14:01
7

Whilst at the moment (as mentioned in other answers) MAC addresses are generally link-local (although there are some protocols which leak that information to remote networks), it's interesting to note that when IPv6 becomes more prevalent, MAC addresses are likely to be more important.

A common way of constructing an IPv6 host address is to include the MAC address of the network card, so in that case changing your MAC address would effectively change your IP address.

Rory McCune
  • I didn't know that it was a recommended way to create the address; my assumption was that each organisation would just pick a framework. Very interesting. – Rory Alsop Sep 06 '11 at 09:17
  • Yeah, if it ends up being the de facto method it will have a lot of potential security implications. The one I thought of is tying that to geolocated databases of wireless access points; it could reveal someone's physical location from a traceroute. – Rory McCune Sep 06 '11 at 10:20
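As an added example (not code from any answer here), the following Python shows the two MAC-derived identifiers discussed above: the vendor OUI in the first 24 bits that Steve Dispensa mentions, and the modified EUI-64 interface identifier that SLAAC without privacy extensions embeds in the IPv6 address, which is why changing the MAC changes the IPv6 address as Rory McCune says. It also builds a random MAC with the locally-administered bit set, the convention that keeps a self-assigned address out of vendor OUI space. The sample MAC and the 2001:db8::/64 documentation prefix are constructed values.

```python
import ipaddress
import secrets

# Constructed sample MAC for the demo (not from the page); its 00:11:22 prefix is a placeholder OUI.
SAMPLE_MAC = "00:11:22:33:44:55"


def parse_mac(mac: str) -> bytes:
    """Parse a colon- or hyphen-separated MAC into its 6 raw bytes."""
    octets = mac.replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError(f"expected 6 octets, got {len(octets)}")
    return bytes(int(o, 16) for o in octets)


def oui(mac: str) -> str:
    """First 24 bits: the vendor OUI that tools like Wireshark resolve to a vendor name."""
    return ":".join(f"{b:02x}" for b in parse_mac(mac)[:3])


def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet set means 'assigned locally', not burned in by a vendor."""
    return bool(parse_mac(mac)[0] & 0x02)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291): split the MAC, insert ff:fe, flip the universal/local bit."""
    raw = parse_mac(mac)
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> str:
    """Join a /64 prefix with the EUI-64 interface ID, as SLAAC does without privacy extensions."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def random_local_mac() -> str:
    """Random unicast MAC with the locally-administered bit set and the multicast bit cleared."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in raw)
```

For the sample MAC, `slaac_address("2001:db8::/64", SAMPLE_MAC)` yields `2001:db8::211:22ff:fe33:4455`, with the original MAC readable straight out of the low 64 bits.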
6

It has a downside in enterprise environments: switches optimise traffic flow by various methods, including remembering which port traffic from a particular MAC address comes in on, so that traffic back to that MAC is only sent out that port.

MAC tables are updated in switches as new data comes in, but changing MAC addresses all the time would add overhead... for no real gain in security. Your MAC address really isn't that important to an attacker.

Rory Alsop
5

I suppose it depends on what problem you are trying to solve. If you are trying to maximize your anonymity then yes, I could see MAC address randomization as a part of a larger solution focused on remaining anonymous.

I could imagine a scenario where a vulnerability existed in a given vendor's NIC firmware, and by targeting a vendor's NICs by their MAC address you'd then make an attack. It might be better in this case not just to randomly select a MAC, but to ensure you never choose a MAC whose vendor ID matched yours.

Edit: I should have said NIC firmware or driver. If you wanted to attack a driver because you knew of a particular vendor's vulnerability, going after the MACs for that vendor would be your first filter.

scottsh
5

I see one good defensive value of routinely changing the MAC address for your wireless card when using a laptop.

Even when using encryption, your client MAC address is leaked out over the air whenever your laptop is turned on, when it probes for known access points or sends traffic to associated access points.

An attacker can track a victim by setting up wireless sniffers at key locations.

I know this sounds a bit paranoid, but I think it would be awesome to have a couple of wireless nodes spread around the city. Then I would be able to track everyone I know who travels with a laptop.

Dog eat cat world
4

I see your solution as security through obscurity; it is really not that important to change your MAC address after each bootup. But I can see it from your perspective: people mapping the networks and such will suddenly have a "huge list" of computers from all sorts of vendors (depending on how often you reboot your PC). And thus it will make it harder for him to see a legit target (or an existing one, because you've changed MAC address since the last boot).

On the other hand, I don't expect malicious users to identify PCs by MAC addresses. They will use port scans/cookies/session hijacking etc.

psalomonsen
1

If you are looking for a tool to do that on Windows, check this one: http://www.irongeek.com/i.php?page=security/madmacs-mac-spoofer

null