halo / LinkLiar

:link: Link-Layer MAC spoofing GUI for macOS
http://halo.github.io/LinkLiar
MIT License

Give every AP a unique address #42

Closed. M-Makise-Kurisu closed this 7 months ago

M-Makise-Kurisu commented 3 years ago

I'm getting trouble with an access point that has a MAC address filter. Every time I reboot the system, the software gives me a new address, so I can't connect to my AP. We should add a new pattern that gives every AP a unique address, just like what we got from iOS 14.

halo commented 3 years ago

Hi @M-Makise-Kurisu Thank you for your idea 👍🏻

I think I understand what you mean when you describe the problem, but could you please try to expand a little bit on what exactly the solution is you envision? And what feature of iOS14 do you mean?

M-Makise-Kurisu commented 3 years ago

Hi @halo

Sure thing. The feature of iOS 14 is called private Wi-Fi address; you can check it here: https://support.apple.com/en-us/HT211227

Simply put, this feature gives every access point a unique address. This means that when you connect to a new AP, you get a new address. When you reconnect to a known AP, the address is set to the same one you had when you first connected to it.

Maybe we can make a file that notes every Wi-Fi we connected to along with the address we assigned. When a Wi-Fi is connected, it will be compared to the known Wi-Fi list. If it is found, we give the same address as before. If not, we generate a random new address and add it to the list.

Let me know if you have further questions. I will be more than glad to help (>^ω^<)

halo commented 3 years ago

Ok, I see, thank you. Let me brainstorm the scenarios:

Scenario A) You're concerned about privacy and don't want to leak your real MAC address before you connect to any AP. In other words, only reveal one MAC address to the AP.

Scenario B) You use an AP with a MAC filter and need to make sure you're matching that MAC for that AP. Otherwise you want the MAC address to be random (that is, for all other APs).

The first thing I'd have to determine is: How do we know which AP is out there right now?

I see two options:

Determination Mode 1) Look at the list of APs that announce themselves right now in my surrounding and set a MAC address based on a pure guess as to which one we're planning on connecting to (if there are multiple known ones at the same time). This is the only way to somewhat hide your MAC address (unless your MacBook connects automatically and you have the original hardware MAC set)

Determination Mode 2) When you have connected to an AP, change the MAC address immediately. This is more reliable in terms of which MAC address to use, but you would of course lose connection there. Not to mention that you reveal that you connected with another MAC address a few moments earlier.

In a way, it's really like this issue: https://github.com/halo/LinkLiar/issues/37 which I hoped I'd never have to implement :) I know that WiFiSpoof is focused on such features. I do not know though whether they use Determination Mode 1 or 2. Not to mention that Apple might come around and implement this for macOS in the near future.

I guess my biggest problem is understanding the scenario. Is this a threat? Or is it just for convenience? Is MAC filtering not going to die out now that private Wi-Fi addresses are more widely used via iOS? When you're locked in by a MAC filter, you would have to hope it's already a random address? If it's your hardware MAC, then you're somewhat in trouble anyway, having to switch between original and random.

When you reconnect to a known AP, the address will set to the same one when you first time connect to it.

This is very useful and works because it's implemented by the OS, which changes the address before it connects (because the OS knows which AP it is going to connect to in a moment).

Maybe we can make a file that note every WiFi we connected

Technically this is not a problem. LinkLiar already has a config file. We could use that (maybe not), or use another file in the same directory (I recommend that).

if it found, we will give the same address as before. if not, we will random a new address and add it to the list.

The main problem I see is that you'll lose connection for a while. The OS is pretty fast in connecting to a known AP. And then the system administrator maybe gets concerned if you used your Wi-Fi credentials with multiple MAC addresses.

😄

M-Makise-Kurisu commented 3 years ago

@halo Thanks for responding.

Mode 2 is what I was thinking. In order to avoid leaking your trace, we can randomize the address when we disconnect.

I understand this will take two tries to connect to a Wi-Fi. But I think taking longer is better than it never happening ´д` ;

I would put the scenario as convenience. LinkLiar did a great job of protecting against address tracing. But sometimes we still need to deal with address filters. It's very upsetting that I can't use LinkLiar in those situations :(

When you're locked in by a MAC filter, you would have to hope it's already a random address?

I was hoping it would be a random address. But then I realized a problem. We don't know what our address will be before connecting to the AP. In that case, I have two options: 1) Let us manually set the AP to a random address. The program will ask us to type in the Wi-Fi SSID (or other things that can identify an AP). Then it will generate a random address and let us know what it is. 2) Note that AP even though it failed to connect. Let us know what address the program assigned. I think no matter which option we go with, it will be convenient if we can check the list of known APs.

And then the system administrator maybe gets concerned if you used your Wi-Fi credentials with multiple MAC addresses.

That's a good point. I have never thought about that. But I think it's more of a social problem rather than a technical problem.

halo commented 3 years ago

LinkLiar did a great job of protecting against address tracing. But sometimes we still need to deal with address filters. It's very upsetting that I can't use LinkLiar in those situations :(

I've been thinking about this issue and I believe we should do the smallest change possible to facilitate your use-case. It is not clear whether anybody needs one MAC address per AP, maybe that's a feature nobody needs. It's a little bit too much.

So let's just add an option to one interface in the menu that says "Access Points >" and there you can enter an SSID name and a MAC address. LinkLiar will then make sure when that AP is connected, it will quickly assign the specified address to that interface.

Let's keep it simple and focus on the specific problem you're facing 👍🏻

halo commented 3 years ago

or other things that can identify an AP

I'm not sure whether we should allow to enter a BSSID. In a university there will be many APs with different BSSIDs throughout the campus even though it is the same SSID for all of them.

But for a private home with one router it would be much better to specify the BSSID rather than the SSID.

M-Makise-Kurisu commented 3 years ago

So let's just add an option to one interface in the menu that says "Access Points >" and there you can enter an SSID name and a MAC address. LinkLiar will then make sure when that AP is connected, it will quickly assign the specified address to that interface.

👍

I'm not sure whether we should allow to enter a BSSID. In a university there will be many APs with different BSSIDs throughout the campus even though it is the same SSID for all of them. But for a private home with one router it would be much better to specify the BSSID rather than the SSID.

BSSID will be more secure but may not work in every situation. If we want this feature to work universally, we should use SSID. (Or use both of them 😂)

ntn-x2 commented 2 years ago

+1 here for a similar feature! I have a Unifi Dream Machine at home, and it is very annoying to see the same device (my Mac) as several different ones because the MAC has changed over time. My simpler feature request would be to perhaps whitelist some APs (not sure whether by SSID or BSSID), so that the same MAC address is used over time. I think the scope of this change would be less work, and I would also be happy to contribute 😁

halo commented 2 years ago

@Diiaablo95 Ah I see. I have the same "problem" with my router. But I don't think that problem can be solved. Because as the feature is planned right now, this would happen when you open the lid of your Macbook:

  1. Wi-Fi connects to the router using a random MAC address
  2. LinkLiar notices that the AP is known and changes to a specific MAC address
  3. It takes a few seconds, but then you've got an Internet connection
  4. Your router will have seen two MAC addresses

So this feature can only be implemented to overcome a MAC address filter on the AP (with some delay).

But I think it's not possible to avoid duplicate MAC address registrations in your AP. Because I don't see how to change the MAC address before connecting to a particular AP. When the lid of your Macbook opens, it immediately connects to any known AP. One millisecond later LinkLiar could change the MAC address, but it would already be too late - the AP saw the MAC address used at first.

ntn-x2 commented 2 years ago

I haven't delved into the codebase at all honestly, but why does the Mac try to connect as soon as the lid is open? Is this a macOS feature? If so, how does LinkLiar inject a random MAC before the first request makes it to the AP? Or is there a delay between the first connection and when LinkLiar intervenes that leads to a MAC leak?

halo commented 2 years ago

Excellent questions!

Yes, macOS inherently connects to known APs as early as one can imagine when opening the lid.

LinkLiar's primary purpose is to make sure you don't expose your hardware MAC. LinkLiar changes your MAC once, when you start the GUI, and then the MAC address stays spoofed until you reboot your computer.

Now, when you reboot your computer, LinkLiar has a daemon which is started pretty early in the boot process (you can turn that daemon on or off if you wish). That early in the process, the MAC is randomized, so exposure of your original MAC is minimal (in best case, the daemon even randomizes before connecting to any AP, I haven't actually tested this, but I never had connection problems, so I think it's instant).

When you close your lid, that is when LinkLiar re-randomizes your MAC (if you enabled that setting). You'll practically lose connection as you close the lid. When you open it (say, after you moved your computer to another location), that re-randomized MAC address is still there and is used to connect to the AP.

I experimented with trying to re-randomize when opening the lid. I found out that I cannot intercept the connection to the AP or change the MAC address prior to connecting.

That's what makes this whole "MAC address based on APs" issue really complicated. I don't know how this app does it, but they offer that kind of feature. I assume the connection is briefly lost when opening the lid. I can't really imagine how else they'd be doing it.

I recognize MAC filtering as a legitimate use-case for briefly losing connection. But not exposing any MAC address before connecting is going to be hard, I think.

halo commented 2 years ago

Note to self:

I came up with an idea for the config file syntax for this:

{
  "version" : "3.0.3",
  "ssids:00:2a:a5:75:da:32" : {
    "Some Wifi Name" : "aa:bb:cc:dd:ee:ff",
    "Another SSID" : "11:22:33:44:55:66"
  },
  "ssids:00:2a:a5:11:3f:8b" : {
    "University SSID" : "55:55:55:55:55:55"
  }
}

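As an added example (not LinkLiar's own code), here is the per-SSID lookup that the thread describes, using the config layout sketched above: known SSIDs get their pinned MAC, unknown SSIDs get a fresh locally administered address, which is either remembered (the "add it to the list" proposal earlier in the thread) or left unrecorded (the later "only pin the APs you specify" variant). The config text is constructed for the example, and the function names are my own.

```python
import json
import secrets

# Constructed sample in the proposed layout: one "ssids:<interface hardware MAC>"
# object per interface, mapping an SSID to the MAC that should be used there.
SAMPLE_CONFIG = """
{
  "version": "3.0.3",
  "ssids:00:2a:a5:75:da:32": {
    "Some Wifi Name": "aa:bb:cc:dd:ee:ff",
    "Another SSID": "11:22:33:44:55:66"
  },
  "ssids:00:2a:a5:11:3f:8b": {
    "University SSID": "55:55:55:55:55:55"
  }
}
"""


def load_config(text):
    """Parse the config JSON (helper so the caller never touches json directly)."""
    return json.loads(text)


def random_private_mac():
    """Random MAC with the locally-administered bit set and the multicast bit clear,
    so it can never collide with a vendor-assigned address and is valid as a source."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def is_private_unicast(mac):
    """True if the first octet has U/L=1 (bit 1) and I/G=0 (bit 0)."""
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not (first & 0x01)


def mac_for_ssid(config, hw_mac, ssid, remember=True):
    """Return (mac, pinned) for this interface and SSID.

    pinned is True when the SSID was already in the table. Unknown SSIDs get a new
    random address; with remember=True it is stored so the next connection reuses it.
    """
    table = config.setdefault(f"ssids:{hw_mac.lower()}", {})
    if ssid in table:
        return table[ssid], True
    mac = random_private_mac()
    if remember:
        table[ssid] = mac
    return mac, False
```

The interface key is lowercased on lookup because the hardware MAC may be reported in either case by different tools.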
halo commented 10 months ago

So, I'm trying to implement this by the end of the year. I'll first have to invent a GUI for it, though 😆

[Screenshot 2023-11-21 at 21 25 11]

ntn-x2 commented 10 months ago

Let me know if I can be of any support! I have a pretty decent router that monitors a lot of network and device info, so I could see almost everything that goes on in the network and out of my Mac. Great work!

halo commented 9 months ago

@ntn-x2 Would you need the LinkLiar alpha test as a download? Or would you be willing to try out installing Xcode and pressing "run" yourself? 😄

halo commented 9 months ago

Ok, this issue turned out to be really complicated.

I would have to use a timer, say X seconds, and hope that the user connects manually to the SSID (by clicking on it in the Wi-Fi menu bar). If the user doesn't do that within X seconds, LinkLiar would change the MAC to random again (as it doesn't know whether we're going for that SSID or not any longer).

Alternatively, I might show a "shortcut" window in LinkLiar, so that when you open LinkLiar it'll say "hey, looks like you're connected to an SSID where you want MAC aa:bb:cc:dd:ee:ff, would you like to change to that MAC now? You have 10 seconds to reconnect manually to the network after clicking the button".

None of this is user-friendly. Not to mention the complex programming code.

PS: I could query which access points are currently available using .../airport -s but that command takes about 3 seconds and is probably resource intensive. So I cannot run it all the time.

ntn-x2 commented 8 months ago

Hey @halo, sorry if I get back to this only now. I am not sure I am that deep into the workings to make sense of everything you mentioned 😁

If you would ask me, I guess option 2

I might show a "shortcut" window in LinkLiar, so that when you open LinkLiar it'll say "hey, looks like you're connected to an SSID where you want MAC aa:bb:cc:dd:ee:ff, would you like to change to that MAC now? You have 10 seconds to reconnect manually to the network after clicking the button".

would make sense, wouldn't it? But in this case, the MAC address would be randomized first, then if I click on "Yes", it would be changed and the Wi-Fi turned off? If that is the case, it would be a pity to "leak" the random MAC in the first place.

But yeah, I agree the proposed solution would be hard to implement and even harder to maintain, given the amount of breaking changes between OSes over time, so that it probably does not justify all the effort. Unfortunately I do not have a better solution, since I do not know how the OS works in depth to be of any help. I could dig into the matter, if only I had enough time to do so...

halo commented 8 months ago

if only I had enough time to do so...

I know what you mean 😂😂

it would be a pity to "leak" the random MAC in the first place.

Yes, that's annoying. But the operating system is SO fast in connecting to any known access point, that there is no way to be faster. One could only choose not to connect to that access point automatically at all.

I think I'll try to have LinkLiar scan for access points (when you open the lid of your laptop, connect or disconnect from a network). That takes (exactly) 3 seconds. And then LinkLiar can change the MAC address as desired. So, you'll lose connection after having been connected for 3 seconds and then have to connect manually again.

I think that's a workable compromise.

halo commented 7 months ago

It works! If anybody wants to, you can download and test it.

Since this code is functional, I'll close this issue as "solved". I'll still need more time to fine-tune the GUI and to implement re-randomization, though.