Feature #7380

Randomise MAC address when scanning for Wi-Fi networks even when MAC spoofing is disabled

Added by intrigeri over 5 years ago. Updated over 3 years ago.

Spoof MAC
Target version:
Start date:
Due date:
% Done:


Feature Branch:
Type of work:
Affected tool:


Apparently, Apple is going to introduce that:
Of course, they're going to spoof MAC only for proble requests, not when actually connecting to an AP.

It might be good for Tails to do that when MAC spoofing opted-out from in the Greeter: then, you reveal your real MAC address to the AP you actually connect to, but not to others. This way, users get the benefit of not spoofing, when they need to disable it (e.g. to connect to a filtering AP), but without the drawback of broadcasting their real MAC address around.

Related issues

Related to Tails - Feature #6453: Protect against fingerprinting via active Wi-Fi networks probing Confirmed 11/29/2013


#1 Updated by intrigeri over 5 years ago

  • Assignee set to anonym

anonym, may you please have a quick look, and set status to Confirmed + empty assignee, if it seems to be a good idea to you?

Then, the bit of (low-priority) needed research will be: can we actually do that with Linux Wi-Fi drivers?

#2 Updated by anonym over 5 years ago

  • Status changed from New to Confirmed
  • Assignee deleted (anonym)
  • Type of work changed from Research to Discuss

Since Tails has MAC spoofing enabled by default we already achieve what I suppose is the main goal of this feature, i.e. protecting our users against dragnet WiFi tracking. When explicitly opting out from MAC spoofing the user may have a good reason for doing so (e.g. avoiding chipset/driver issues when MAC spoofing, avoiding suspicion, which OTOH probably becomes less if iOS starts doing it) and I fail to see why we should go only half-way there.

I say we reject this.

#3 Updated by BitingBird over 5 years ago

  • Related to Feature #6453: Protect against fingerprinting via active Wi-Fi networks probing added

#4 Updated by sajolida over 5 years ago

  • Status changed from Confirmed to Rejected
  • Priority changed from Low to Normal

#5 Updated by intrigeri almost 5 years ago

Just for completeness, Linux 3.19 supports this al least for some Wi-Fi drivers:

#6 Updated by sajolida over 3 years ago

Note that in the UX design that I proposed on, the decision of enabling or not MAC spoofing would be done for each network (and not for each working session anymore). So scanning for networks should be done before choosing MAC spoofing, and thus always spoofed if possible.

If the hardware doesn't allow spoofing at all the UX should be different of course.

If we go this way we should reconsider the decision made on this ticket.

Also available in: Atom PDF