WiFi MAC randomization - good for privacy on public networks, but bad for home security?

OpenSource Ghost (Limp Gawd, joined Feb 14, 2022, 222 messages)
I am trying to decide whether I should allow personal WiFi devices with MAC randomization capabilities to use MAC randomization in my network. MAC randomization improves privacy on public WiFi networks, but it makes it difficult to manage and administer a home network. Assume that MAC randomization is performed on a per-connection, not per-network basis. That means every time a device connects to the same network, it uses a different MAC address.

Doesn't WiFi MAC randomization also worsen security compared to static IP + static ARP/MAC? My reasoning is that in an environment where a network has a small number of clients, doesn't use DHCP for LAN/WLAN, assigns strict IP-to-MAC/ARP binding rules via Netfilter tools (IPTables + EBTables + ARPTables), on-device static IP settings + router WiFi MAC filtering, has L2 isolation for each device on router + VPN for each device (which also includes VPN-based L3 isolation), an attacker who already has WiFi password, WiFi device MAC address, and WiFi device static IP addresses, is mostly constrained/limited to MITM attacks.

A home network that allows for personal WiFi device MAC randomization can't permanently bind WiFi device MAC/ARP to IPs, and can't have the same strict Netfilter rules for WiFi devices for obvious reasons. If attackers obtain the WiFi password in such an environment, they aren't constrained to MITM attacks. They can simply join the network and perform malicious activity from there.

Basically, a home network environment with non-random WiFi device MAC addresses and strict permanent static IP-to-MAC/ARP binding filtering rules makes it easier for attackers to enumerate the network, but also limits the types of attacks that can be performed once the WiFi password is revealed. Random MAC addresses only make it difficult for attackers to enumerate the network, but I am not sure if it helps with WiFi password cracking, and once the password is obtained, attackers are not as restricted as they would be in a strict static MAC environment.
 
I've never even heard of any of this. If you don't want wifi hitting the lan, use a physically separate network or vlans.
 
Based on your other post here, I'm not sure where you're coming from other than some odd place of paranoia. Let's break this one down, too, though, in the off-chance that you're not just trolling.
MAC randomization improves privacy on public WiFi networks
What? How? Do you understand what MAC randomization is and how it works? It just generates a new MAC per SSID it connects to.
Do you understand the OSI model? If so, what part does the MAC address play and how far does it traverse the network?
Like in your other thread, what are you actually trying to accomplish?
...but it makes it difficult to manage and administer home network.
Why? What kind of management are you doing at the MAC level?
That means every time a device connects to the same network, it uses a different MAC address.
Wrong. This is not universally true - each implementation of it handles it differently. Generally speaking, the random MACs are long lived enough that it's not going to be helpful for what I think you're trying to say.

Doesn't WiFi MAC randomization also worsen security compared to static IP + static ARP/MAC? My reasoning is that in an environment where a network has a small number of clients, doesn't use DHCP for LAN/WLAN, assigns strict IP-to-MAC/ARP binding rules via Netfilter tools (IPTables + EBTables + ARPTables), on-device static IP settings + router WiFi MAC filtering, has L2 isolation for each device on router + VPN for each device (which also includes VPN-based L3 isolation), an attacker who already has WiFi password, WiFi device MAC address, and WiFi device static IP addresses, is mostly constrained/limited to MITM attacks.
What in the fuck are you even spewing here? What company out there statically assigns everything? That's a failure on its own right there. Even on a home LAN that's incredibly short sighted and wasteful.
If an attacker has your WiFi password, you're fucked. Plain and simple.
What "attack" are you trying to prevent by using randomized MACs, even with your incorrect knowledge of how it works?
A home network that allows for personal WiFi device MAC randomization can't permanently bind WiFi device MAC/ARP to IPs
Because no one is doing this at home or in nearly any professional setting, because it's not an approach that will yield any benefits.
If attackers obtain WiFi password in such an environment, they aren't constrained to MITM attacks. They can simply join the network and perform malicious activity from there.
Are you suggesting that somehow MAC randomization helps with this? :confused:
Basically, a home network environment with non-random WiFi device MAC addresses and strict permanent static IP-to-MAC/ARP binding filtering rules makes it easier for attackers to enumerate the network
What? This is nonsensical. If an "attacker" is on your WiFi, they don't need or even particularly care about MAC addresses. They'll just nmap and find all the devices in seconds.
but also limits the types of attacks that can be performed once the WiFi password is revealed. Random MAC addresses only make it difficult for attackers to enumerate the network, but I am not sure if it helps with WiFi password cracking, and once the password is obtained, attackers are not as restricted as they would be in a strict static MAC environment.

Ok, so, I'm not sure if you're a troll, a bot that's copy/pasting random shit from other sites, or just entirely ignorant of the topics you're posting. It's one of those though.
I'd honestly suggest starting over, and maybe spending a little bit of time learning how things work at a basic level before diving off on the deep end.

And before you write up another long post, answer the questions above, and in particular, answer what you're actually trying to accomplish and what attacks you're so scared of, and why.
 
I wasn't either and hence my simple answer. :D
I just looked at their other few posts, and, I'm pretty sure they're just some sort of batty paranoid. Which is understandable. If they wanna be, er, "secure", they need to learn a lot more, and this really isn't the place or way to learn what is needed very well. They should probably start with a lot of the basics of computing, then networking, and work up to security from there.

I'll chime in when able and have time, but, I'm not gonna write novel after novel on the topics. I took the time to do a lengthy reply above, more in the event that someone else comes along with similar thoughts.
 
You can't really do anything meaningfully secure with the mac address. If you really want a tight ship, run enterprise style certificate based auth on wifi and/or only allow vpn traffic on the wifi, so you're forced to have to good authentication and encryption. (Use sensible parameters for the vpn)
 
Are you saying that online information about MAC randomization helping to reduce device identification on public WiFi networks is utterly bogus? Perhaps you think the developers of the security and privacy focused GrapheneOS are also full of crap? They very much recommend random MAC per-connection + VPN for public WiFi networks.

What I want to accomplish is to create and maintain a secure, functional, private, and manageable home network I can administer and control. I think that can only be achieved by paying attention to all of the OSI model layers. Learning the WiFi password alone doesn't compromise all of those layers, just as tapping a wired connection doesn't.

To administer my network, I must be able to identify all clients and make sure their IDs are not spoofed using whichever tools I have. If I use DHCP without assigning MACs to specific IPs, then how do I know who is who? How can I manage a secure home network like that?

I use the router GUI for basic network configuration and SSH for deeper control. Linux manpages help me learn how to harden my network configuration via a variety of Netfilter tools, such as IPTables, EBTables, and ARPTables. Here's an example of anti-spoofing rules from https://ebtables.netfilter.org/examples/basic.html and other sources:
ebtables -A FORWARD -p IPv4 --ip-src 172.16.1.4 -s ! 00:11:22:33:44:55 -j DROP
iptables -A FORWARD -s 172.16.1.4 -m mac ! --mac-source 00:11:22:33:44:55 -j DROP
arptables -A INPUT -s 172.16.1.4 ! --source-mac 00:11:22:33:44:55 -j DROP
arp -i <iface> -s 172.16.1.4 00:11:22:33:44:55

There are plenty of other ways to reduce chances of spoofing, such as SysCTL kernel tweaks that force specific return paths (rp_filter), prevent source routing, redirection, disable gratuitous ARP, etc, etc, etc.

Then there is also a lot of stuff you can do to mitigate DDoS and other common attack types.

Do you not use those and think typical router GUI settings + VLAN isolation + strong WiFi password + VPN secure your WLAN???
 
Are you saying that online information about MAC randomization helping to reduce device identification on public WiFi networks is utterly bogus? Perhaps you think the developers of the security and privacy focused GrapheneOS are also full of crap? They very much recommend random MAC per-connection + VPN for public WiFi networks.

Yeah, MAC randomization is a decent hedge against some tracking. And a VPN will mitigate any holes presented by apps/sites that don't use SSL. But don't let the commercials for VPN services that show a menacing guy with a laptop at the Starbucks make you paranoid.


What I want to accomplish is to create and maintain a secure, functional, private, and manageable home network I can administer and control. I think that can only be achieved by paying attention to all of the OSI model layers. Learning the WiFi password alone doesn't compromise all of those layers, just as tapping a wired connection doesn't.

Honestly, you're going in the opposite direction. You look to be piling on so many layers of configuration and control it's that much more likely something will slip through, and/or you'll get so sick and frustrated of your setup you'll eventually just throw up your hands and say, "screw it".

Proper WPA2/3 setup is just fine for any home/SOHO and even SMB WLAN. Any more and you're looking at WPA enterprise and 802.1x. You'd also need 802.1x for wired to ensure someone can't just plug into the network. Now you're dealing with things like RADIUS and certificates and have fun with all that if you're not getting paid to do it.


To administer my network, I must be able to identify all clients and make sure their IDs are not spoofed using whichever tools I have. If I use DHCP without assigning MACs to specific IPs, then how do I know who is who? How can I manage a secure home network like that?

Set up your DHCP to add the hostname to the local DNS server. Boom, done. And you never have to manually add any new devices.


I use the router GUI for basic network configuration and SSH for deeper control. Linux manpages help me learn how to harden my network configuration via a variety of Netfilter tools, such as IPTables, EBTables, and ARPTables. Here's an example of anti-spoofing rules from https://ebtables.netfilter.org/examples/basic.html and other sources:

There are plenty of other ways to reduce chances of spoofing, such as SysCTL kernel tweaks that force specific return paths (rp_filter), prevent source routing, redirection, disable gratuitous ARP, etc, etc, etc.

OK, all that is basically useless:
  • If the intruder is on the same subnet as the target, whether it be wired or wireless, it will never hit the router/firewall for the ACL to block.
  • Common proper ACL rules will already mitigate pretty much anything improper coming across the firewall/router.
  • MAC addresses are too easily spoofable for any ACL to rely on them.
  • That looks like a huge admin headache that will quickly grow tiresome and things will fall through the cracks.

Then there is also a lot of stuff you can do to mitigate DDoS and other common attack types.

For a home/SOHO/SMB network? Like what? Sign up for Cloudflare? If I'm getting DDOSed that's on my ISP.


Do you not use those and think typical router GUI settings + VLAN isolation + strong WiFi password + VPN secure your WLAN???

By GUI settings if you mean a basic set of ACL rules then yes. For 99+% of users there's very little reason to get into the weeds and do more than that.

VLAN isolation? I'm assuming you mean putting the wired and wireless on separate VLANs/subnets? It's a decent idea, but unfortunately the way too damn many apps are made for various home devices it breaks things. The broadcasts, mDNS, etc. they use to find each other won't cross a router.

VPN to secure my own wireless? Yeah, no, that's unnecessary overkill. A strong WPA2/3 key is more than sufficient.
 
Feels like trying to use a tank to kill a fly. Why are you worried about Public WIFI on your home network? Yes, MAC randomization + VPN can be helpful if you are putting your laptop (or phone/tablet) on public WIFI, like out at a coffee shop. For a machine that will only ever be on the home network, this seems entirely pointless. For an attacker to get the MAC address of a device on your internal network, they would already be inside your network, and thus VPN and MAC randomization would be of no benefit. Just because someone gets your MAC address while you are on Public WIFI, does not mean that they will be able to now access your home network. That would be a separate hoop they have to jump through.
As to your only actual question I saw, "whether I should allow personal WiFi devices with MAC randomization capabilities to use MAC randomization in my network" - that is up to you. I keep devices I don't want to have access to my core network on their own VLAN, set so that all those devices can access is the internet and other devices on that VLAN. If you are asking for methods of handling the devices with randomized MACs on your home network/VLAN, some suggestions have already been given.
 
OP - You're honestly bringing a 10 megaton nuke to a knife fight.

Much of what you're talking about isn't even used in a corporate environment. Much of what you're talking about is irrelevant because if a bad actor is in your LAN you're fucked. Period.

You're worried way too much over this stuff.

My home network is very secure and I don't worry about any of the stuff you're talking about and I don't use any of it.

If you're worried about privacy/security when away from your home network then just spin up a VPN and have your devices connect to that when you're away. It's what I do. My cell phone auto connects to my WireGuard VPN (which is controlled by my OPNsense router/firewall) as soon as it disconnects from my WiFi. If I have my laptop with me I connect to my VPN. It really is that simple.

EDIT: Plus benefit of VPN access back into my own network means I maintain my Pi-hole filtering on my phone at all times. Also means I don't have to publicly open up my Plex server. I always have access.
 
OP, you might want to try breaking into your own network with a clean slate before going too deep.

Mac randomization is a decent thing to leave on for public networks. It's called "Private WiFi" on my iPhone. I would turn it off for your own home WiFi, then you can have dhcp reservations if you like. You danced around that topic, but I think that's what you meant.

Having a good password on WPA2/3 is sufficient for most networks, unless you live in a building full of hackers in downtown San Francisco or NYC. If that's the case though, I wouldn't use WiFi at all! Or just separate it to a different vlan that is "internet only" and not the LAN.

If you truly want to take it one step further, then WPA2 Enterprise with 802.1x and/or certs is what I do for work.
 
The OP needs to understand that privacy and security are two different things. Quite often you must sacrifice one for the other. If you are interested in security then your doing TLS deep inspection on everything. If you're interested in privacy then you likely think doing so is evil. Very often there are things pitched to consumers as privacy mechanisms that are actually the opposite. In other postings the OP has the idea that DoH is a security thing when in fact it is a security nightmare. Newsflash it isn't privacy thing either. Make no mistake it exists for the sole purpose of Google tracking and ad revenue.
 
Oh man, funny. I was just going to post about this!

We have 13 iPads at work that started having major issues when I updated them to the recent release of iOS (15.4). Come to find out they didn't have random MACs until just now (big version update).

We utilize RDP over Ubiquiti access points and were having disconnecting issues every few minutes. We added more APs, enabled fast roaming, and were watching this like a hawk.

Come to find out it was the Random Mac that is now on by default....

It's speculated that the iDevice will randomize its MAC when hopping access points (Apple says "per SSID" but I read a lot that said that isn't exactly the case). Because of this, iPads would get a new MAC, in turn need a new IP, and disconnect.

Basically I turned off "wifi privacy" in Mosyle and they're working great now.
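One way to see both things this thread keeps circling back to (which clients are using MAC randomization, and which host is rotating its MAC between connections and therefore churning IPs, the iPad/RDP symptom above) is to classify the MACs in your DHCP lease file. The script below is an added example written for this thread, not code from any poster; it assumes a dnsmasq-style lease format and uses constructed sample leases.

```python
"""Spot randomized (locally administered) client MACs in DHCP leases.

Added example for this thread, not any poster's code. Assumed input
format is dnsmasq.leases: "<expiry> <mac> <ip> <hostname> <client-id>".
"""
import re
from collections import defaultdict

# Constructed sample leases. The iPad appears twice with two different
# MACs; the printer and the Pi carry vendor (OUI-assigned) addresses.
SAMPLE_LEASES = """\
1650000100 da:3b:12:9a:77:01 192.168.10.41 iPad-Front-Desk 01:da:3b:12:9a:77:01
1650000400 ee:41:c0:07:b2:5d 192.168.10.57 iPad-Front-Desk 01:ee:41:c0:07:b2:5d
1650000500 00:1e:8f:aa:bb:cc 192.168.10.20 printer 01:00:1e:8f:aa:bb:cc
1650000600 b8:27:eb:11:22:33 192.168.10.33 pi-hole *
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set.

    IEEE 802 reserves that bit for addresses not assigned from a vendor
    OUI; iOS, Android and Windows all set it on randomized MACs. The I/G
    bit (0x01) must be clear, since a multicast address can never be a
    client's source address; such input is rejected as malformed.
    """
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC: {mac!r}")
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:
        raise ValueError(f"multicast/group address is not a client MAC: {mac!r}")
    return bool(first_octet & 0x02)


def parse_leases(text: str) -> list[dict]:
    """Parse lease lines into dicts; blank or short lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        expiry, mac, ip, host = parts[:4]
        leases.append({"expiry": int(expiry), "mac": mac.lower(),
                       "ip": ip, "host": host})
    return leases


def macs_per_host(leases: list[dict]) -> dict[str, list[str]]:
    """Hostname -> sorted list of distinct MACs that hostname has leased."""
    seen = defaultdict(set)
    for lease in leases:
        seen[lease["host"]].add(lease["mac"])
    return {host: sorted(macs) for host, macs in seen.items()}


def report(text: str) -> dict:
    """Summarize which clients look randomized and which are churning.

    A locally administered MAC that stays stable is per-SSID
    randomization and works fine with DHCP reservations; a hostname with
    several MACs is rotating per connection, keeps getting new IPs, and
    is what breaks long-lived sessions such as RDP.
    """
    leases = parse_leases(text)
    by_host = macs_per_host(leases)
    randomized = sorted({l["mac"] for l in leases if is_locally_administered(l["mac"])})
    oui_assigned = sorted({l["mac"] for l in leases} - set(randomized))
    return {
        "randomized": randomized,
        "oui_assigned": oui_assigned,
        "hosts_with_multiple_macs": sorted(h for h, m in by_host.items() if len(m) > 1),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LEASES).items():
        print(f"{key}: {value}")
```

Point it at /var/lib/misc/dnsmasq.leases (or your router's equivalent) instead of the sample text; a host listed under hosts_with_multiple_macs is the one to switch to per-SSID (stable) randomization or exempt from it.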
 
Make no mistake it exists for the sole purpose of Google tracking and ad revenue.
While I'm no fan of DoH (DoT is far better) I also don't hate it. The bad actors using it for their bullshit and it making life difficult for IT admins aside, DoH is not a bad thing for privacy for Joe Average.

That said you do realize that Google didn't dream up DoH right? It was originally proposed by Paul Hoffman of ICANN and Patrick McManus of Mozilla. https://datatracker.ietf.org/doc/html/rfc8484

Not to mention that DoH is supported by large swaths of DNS servers out there. Cloudflare, Google, Quad9, NextDNS, OpenDNS and many others. It's supported by all the major browsers and supported by macOS, iOS, Windows, and Android. Linux has support through various applications like Unbound.

But you go right on ahead saying Google uses it for tracking and ad revenue and that DoH has nothing to do with privacy.
 
That said you do realize that Google didn't dream up DoH right? It was originally proposed by Paul Hoffman of ICANN and Patrick McManus of Mozilla. https://datatracker.ietf.org/doc/html/rfc8484
I never said they invented it. They are however the biggest cheerleaders as it plays right into their wallet. DoH is horrible for consumers as it allows app vendors to bypass any local DNS requirements and filtering to collect 100% of your DNS searches from the app in question and return whatever they wish, all the while serving ads. DoT is the far better solution for everyone except application vendors/PII farmers. There is nothing good about DoH.
 
DoH/DoT is bad for "people in the know".
I never said they invented it. They are however the biggest cheerleaders as it plays right into their wallet. DoH is horrible for consumers as it allows app vendors to bypass any local DNS requirements and filtering to collect 100% of your DNS searches from the app in question and return whatever they wish, all the while serving ads. DoT is the far better solution for everyone except application vendors/PII farmers. There is nothing good about DoH.

I second this. There is nothing good about DoH from the consumer side. I'd be wary of anyone recommending otherwise.
 
I wasn't aware of real problems or exploits with DoH. Did a little bit of reading and the newest stuff is over a year old at this point, but, certainly shows some of the shortcomings. Not really sure there's a solution, either, to it. Since it's a protocol and in use, I can embrace it to use it for what I can, and don't really have options otherwise (i.e. the apps/devices with it will use it regardless of what I choose to use). Might as well get some of the personal benefit from it, small as it may be. Not really seeing how it directly benefits google or ad revenue, but I haven't spent much time on it yet. Maybe for other folks that are using Google branded things and just using all default settings? How is that different than non-DoH though.

We're kind of OT now and the OP vanished anyway :D
 
You can disable DoH in the browser. If you have a Pihole or other DNS filtering utility at home, it's a requirement.
 
I never said they invented it. They are however the biggest cheerleaders as it plays right into their wallet. DoH is horrible for consumers as it allows app vendors to bypass any local DNS requirements and filtering to collect 100% of your DNS searches from the app in question and return whatever they wish, all the while serving ads. DoT is the far better solution for everyone except application vendors/PII farmers. There is nothing good about DoH.

FWIW, Android uses DoT when the private DNS option is enabled. Were there any advantage for Google to use DoH instead they would have. Aside from implementation details, both protocols essentially work the same way.

Excepting web browsers, what phone app regularly looks up a large sampling of random hostnames? I'd think that by far most have maybe just a few set up by the producer themselves that they hit up. There are far easier and more effective ways to collect metrics from an app. I doubt that many are bypassing the libraries provided by the API to use the OS's resolver and writing their own, it's more work than it's worth.

Desktop web browsers only use DoH because they already know how to do HTTPS. One less thing for them to implement relative to DoT.


I second this. There is nothing good about DoH from the consumer side. I'd be wary of anyone recommending otherwise.

DoH does have a small theoretical advantage in that it obfuscates what is actually a DNS lookup. As far as anyone looking at the connection can tell it's just HTTPS. So you're not, say, locked into the DNS resolver provided by the local hotspot.

This is, unfortunately, what can also make it potentially problematic re: the aforementioned use by malware to bypass ACLs. But a network's choice of using DoT or DoH from the local resolver to Google/Cloudflare/etc. has no bearing on this.

* * *

We're getting into the weeds and off-topic a bit. There's another active thread on DoT/DoH.
 
I run a decently set up home network, I believe. I don't allow my own devices to do MAC privacy when on the home LAN via their WiFi profiles in the devices themselves. So I know when my devices are online or not.

What do I do to up the security game? Separate VLANs, and SSIDs for those vlans, for Guests, IOT devices, and my primary devices.

My personal devices such as phones, laptops, desktops go on the Primary untagged VLAN. These devices can do or go to any VLAN.

Consoles, Wifi lightbulbs, wifi outlets, etc, go on a VLAN dedicated for IOT devices. I have a firewall rule in place that these devices cannot reach the primary vlan or guest VLAN.

Let's say you have guests staying with you, but you don't know if they have good internet hygiene? A guest VLAN. This guest VLAN cannot reach the Primary or IOT VLANs via firewall rules.

You do the above and you have home network best practices nailed. Oh, and stay away from ISIS goat pr0n sites.

All that other stuff you're talking about? Overkill.
 
Then there is also a lot of stuff you can do to mitigate DDoS and other common attack types.

The only way to mitigate a DDoS attack is to have more bandwidth than the attacker and hardware that can handle it all. Literally, there is nothing you can do on your own router / firewall / perimeter devices to mitigate a DDoS attack, unless you are CloudFlare / Prolexic / Akamai, if it is big enough to take you down.
Other attack types are dependent on so many other factors.
 
What is a good modern guide on WPA2/3 Enterprise security? There are different types of authentication, and some, supposedly, add more risk than benefit. I hope it is also possible to self-generate key pairs for whichever certificates.
 
What is a good modern guide on WPA2/3 Enterprise security? There are different types of authentication, and some, supposedly, add more risk than benefit. I hope it is also possible to self-generate key pairs for whichever certificates.
There is no real "guide" because when you get to the enterprise level and you are configuring this, you have years of experience, or certificates around security or a vendor setting it all up for you.
Just start reading upon what WPA2/3 is and how it can be implemented and what is used in business / ent environments.
 
If you don't know about certificates and how to generate them, then you have a very long road ahead of you. You're intentionally turning your home network into a fragile hell. Good luck!

I generally self-generate 4096-bit x509 OpenSSL keys (if possible) to replace weaker router keys and same goes for SSH (EdDSA or 4096-bit RSA), but I do that only for local access. WPA2/3-Enterprise allows for greater variety of certificates, but some info does suggest that certain WPA2/3 certificate types can worsen security. That is why I ask about them before committing to their use on my home network.
 
I generally self-generate 4096-bit x509 OpenSSL keys (if possible) to replace weaker router keys and same goes for SSH (EdDSA or 4096-bit RSA), but I do that only for local access. WPA2/3-Enterprise allows for greater variety of certificates, but some info does suggest that certain WPA2/3 certificate types can worsen security. That is why I ask about them before committing to their use on my home network.
You really love bringing a nuke to a knife fight don't you? Everything you talk about is such overkill.
 
I generally self-generate 4096-bit x509 OpenSSL keys (if possible) to replace weaker router keys and same goes for SSH (EdDSA or 4096-bit RSA), but I do that only for local access. WPA2/3-Enterprise allows for greater variety of certificates, but some info does suggest that certain WPA2/3 certificate types can worsen security. That is why I ask about them before committing to their use on my home network.

So, about them Enterprise certificates? Which ones to avoid? Which ones can I self-generate?
 
If you're worried about people getting on your home network, just use "regular" WPA2/3 security and crank up the logging. If you have enterprise grade hardware and a syslog server, that'll do it. See if it's even a concern over the period of months.

Heck, make it even easier for these so-called attackers if you want a honeypot. Set up a second SSID (that goes nowhere) with an easier password. With good data, you'll know whether you truly need enterprise security or if it's just paranoia and not a concern.
 