WAN MAC address is static

[6t8k]

I think there is a privacy risk in the GL-E750 implementation that blue-merle could, but currently does not take into account:

The WAN MAC address, which is used for WiFi station / "repeater" mode[^1], is static. This can potentially cause a tracking risk:

• As the device hops across WiFi access points, an attacker could profile the user's location/movement
• An attacker with access to the admin panel or physical access to the device could take note of the factory default WAN MAC address, potentially linking the abovementioned profile to the user's identity (even after the user has changed the WAN MAC address, see below)

The "MAC clone" feature already allows for changing the WAN MAC address (there's even a handy one-shot randomization feature), although the factory default WAN MAC address cannot be changed this way. If the user wishes to protect herself from the described tracking risk[^2], then, currently, the WAN MAC address must be changed manually, every time.

I'd therefore like to propose the following:

• By default, automatically randomize the WAN MAC address on every boot, very similar to how the BSSIDs (and accompanying MAC addresses) are already randomized
• It should be easy to switch the WAN MAC address randomization off if needed (e.g. to avoid having to repeatedly fend off a hotel's captive portal)

Provided you agree to the above assessment, I could pack up my changes into a pull request that implements this.

Unfortunately, it seems nontrivial to place an on/off switch for this in GL.iNet's admin panel properly: the new field would have to go through the API binary at /www/api, for which the source code does not seem to be available. You seem to have had a bit of luck with adding the SIM switch choice :)

Either way, I'd at least provide a simple CLI command (e.g. uci set network.@interface[4].randomize_macaddr=0)

Very neat project!

[^1]: It might be used for the LAN port in WAN mode too, but I havent tested this yet, to be exact [^2]: I'd imagine users of blue-merle use WiFi or LAN less often than the cellular network to connect the Mudi to the internet (as I perceive IMEI randomization being the highlight), but it has its uses

[muelli]

I like the idea!

I believe that I have implemented this in 5c6976aa11d0a081f2fae87c721b98ac154656e7.

Check it out and let me know what you think!

[6t8k]

@muelli 5c6976a doesn't work on 3.217 - I assume it works on the 4.x firmware (which I didn't yet have the opportunity to try)? Edit: reading the updated README.md, it states that blue-merle 2.0 is for GL-E750(V2) firmware 4.x only, so this is answered I guess :-)

One suggestion for improvement would be to also add a convenient option to switch the WAN MAC address randomization off (ideally via the web UI), e.g. to avoid having to repeatedly fend off a captive portal if you stay at the same place for a while.

Good to see blue-merle being developed further, thank you :D