
Randomize your WiFi MAC address on Ubuntu 16.04

Your device’s MAC address can be used to track you across the WiFi networks you connect to. That data can be shared and sold, and often identifies you as an individual. It’s possible to limit this tracking by using pseudo-random MAC addresses.

A captive portal screen for a hotel allowing you to log in with social media for an hour of free WiFi

Image courtesy of Cloudessa

Every network device like a WiFi or Ethernet card has a unique identifier called a MAC address, for example b4:b6:76:31:8c:ff. It’s how networking works: any time you connect to a WiFi network, the router uses that address to send and receive packets to your machine and distinguish it from other devices in the area.

The snag with this design is that your unique, unchanging MAC address is just perfect for tracking you. Logged into Starbucks WiFi? Noted. London Underground? Logged.

If you’ve ever put your real name into one of those Craptive Portals on a WiFi network you’ve now tied your identity to that MAC address. Didn’t read the terms and conditions? You might assume that free airport WiFi is subsidised by flogging ‘customer analytics’ (your personal information) to hotels, restaurant chains and whomever else wants to know about you.

I don’t subscribe to being tracked and sold by mega-corps, so I spent a few hours hacking a solution.

MAC addresses don’t need to stay the same

Fortunately, it’s possible to spoof your MAC address to a random one without fundamentally breaking networking.

I wanted to randomize my MAC address, but with three particular caveats:

  1. The MAC should be different across different networks. This means Starbucks WiFi sees a different MAC from London Underground, preventing linking my identity across different providers.
  2. The MAC should change regularly to prevent a network knowing that I’m the same person who walked past 75 times over the last year.
  3. The MAC stays the same throughout each working day. When the MAC address changes, most networks will kick you off, and those with Craptive Portals will usually make you sign in again – annoying.

Manipulating NetworkManager

My first attempt, using the macchanger tool, was unsuccessful: NetworkManager would override the MAC address according to its own configuration.

I learned that NetworkManager 1.4.1+ can do MAC address randomization right out of the box. If you’re using Ubuntu 17.04 upwards, you can get most of the way with this config file. You can’t quite achieve all three of my requirements (you must choose random or stable, but it seems you can’t do stable-for-one-day).

Since I’m sticking with Ubuntu 16.04 which ships with NetworkManager 1.2, I couldn’t make use of the new functionality. Supposedly there is some randomization support but I failed to actually make it work, so I scripted up a solution instead.

Fortunately NetworkManager 1.2 does allow for spoofing your MAC address. You can see this in the ‘Edit connections’ dialog for a given network:

Screenshot of NetworkManager's edit connection dialog, showing a text entry for a cloned mac address

NetworkManager also supports hooks – any script placed in /etc/NetworkManager/dispatcher.d/pre-up.d/ is run before a connection is brought up.

Assigning pseudo-random MAC addresses

To recap, I wanted to generate random MAC addresses based on the network and the date. We can use the NetworkManager command line, nmcli, to show a full list of networks:

> nmcli connection
NAME                 UUID                                  TYPE             DEVICE
Gladstone Guest      618545ca-d81a-11e7-a2a4-271245e11a45  802-11-wireless  wlp1s0
DoESDinky            6e47c080-d81a-11e7-9921-87bc56777256  802-11-wireless  --
PublicWiFi           79282c10-d81a-11e7-87cb-6341829c2a54  802-11-wireless  --
virgintrainswifi     7d0c57de-d81a-11e7-9bae-5be89b161d22  802-11-wireless  --

Since each network has a unique identifier, to achieve my scheme I just concatenated the UUID with today’s date and hashed the result:


# eg 618545ca-d81a-11e7-a2a4-271245e11a45-2017-12-03
> echo -n "${UUID}-$(date +%F)" | md5sum
53594de990e92f9b914a723208f22b3f  -

That produces hex bytes which can be substituted in for the last octets of the MAC address.

Note that the first byte 02 signifies the address is locally administered. Real, burned-in MAC addresses start with 3 bytes designating their manufacturer, for example b4:b6:76 for Intel.

It’s possible that some routers may reject locally administered MACs but I haven’t encountered that yet.

On every connection up, the script calls nmcli to set the spoofed MAC address for every connection:

A terminal window showing a number of nmcli command line calls
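The scheme above, written out as an added example (not the author’s GitHub script): a POSIX shell hook that hashes the connection UUID with today’s date, builds a locally administered MAC from the first five digest bytes, checks the locally-administered and multicast bits before using it, and sets it on every Wi-Fi connection through the 802-11-wireless.cloned-mac-address property behind the “Cloned MAC address” field shown earlier. The APPLY switch and the NetworkManager 1.2 terse TYPE value are assumptions.

```shell
#!/bin/sh
# Derive one MAC per (network, day): md5(UUID-YYYY-MM-DD), take the first
# five bytes of the digest as the low octets, and prefix 02 so the address
# is flagged locally administered (bit 1 of the first octet set, bit 0 clear).
derive_mac() {
    uuid=$1
    day=$2   # YYYY-MM-DD, e.g. "$(date +%F)"
    digest=$(printf '%s-%s' "$uuid" "$day" | md5sum | cut -c1-10)
    # Insert colons: 53594de990 -> 53:59:4d:e9:90
    tail=$(printf '%s' "$digest" | sed 's/\(..\)/\1:/g; s/:$//')
    printf '02:%s\n' "$tail"
}

# Sanity check before handing an address to NetworkManager: six lowercase
# hex octets, multicast bit (0x01) clear, locally administered bit (0x02) set.
# A burned-in address such as b4:b6:76:31:8c:ff fails this check on purpose.
check_mac() {
    mac=$1
    octet='[0-9a-f][0-9a-f]'
    case "$mac" in
        $octet:$octet:$octet:$octet:$octet:$octet) ;;
        *) return 1 ;;
    esac
    first=$((0x${mac%%:*}))
    [ $((first & 1)) -eq 0 ] && [ $((first & 2)) -eq 2 ]
}

# Walk every Wi-Fi connection NetworkManager knows about and set its cloned
# MAC for today. Assumption: in NetworkManager 1.2 terse output the TYPE
# column reads 802-11-wireless, as in the nmcli listing above. Without
# APPLY=1 (an assumed switch) it only prints what it would do, so it is
# safe to run by hand; with APPLY=1 it is meant to live in
# /etc/NetworkManager/dispatcher.d/pre-up.d/.
apply_all() {
    today=$(date +%F)
    nmcli -t -f UUID,TYPE connection show | while IFS=: read -r uuid type; do
        [ "$type" = "802-11-wireless" ] || continue
        mac=$(derive_mac "$uuid" "$today")
        check_mac "$mac" || { echo "bad MAC $mac for $uuid" >&2; continue; }
        if [ "${APPLY:-0}" = 1 ]; then
            nmcli connection modify "$uuid" 802-11-wireless.cloned-mac-address "$mac"
        else
            echo "would set $uuid -> $mac"
        fi
    done
}

# Only touch NetworkManager when explicitly asked (e.g. from the dispatcher hook).
if [ "${APPLY:-0}" = 1 ]; then
    apply_all
fi
```

Running it with APPLY unset prints the per-network addresses for today so you can compare them against the cloned-MAC field in the ‘Edit connections’ dialog before switching it on.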

As a final check, if I look at ifconfig I can see that the HWaddr is the spoofed one, not my real MAC address:

> ifconfig
wlp1s0    Link encap:Ethernet  HWaddr b4:b6:76:45:64:4d
          inet addr:192.168.0.86  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::648c:aff2:9a9d:764/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12107812 errors:0 dropped:2 overruns:0 frame:0
          TX packets:18332141 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11627977017 (11.6 GB)  TX bytes:20700627733 (20.7 GB)

The full script is available on Github.

Comment
This looks interesting, as a privacy technique.


Reference:

https://www.paulfurley.com/randomize-your-wifi-mac-address-on-ubuntu-1604-xenial/


Thank you for Two Million hits

Do you know how this blog started? During the final year of the BSc course, our tutors wanted to ensure that our research was on course. Therefore we were asked to create a blog to support our thesis.

Comments from here indicated that everyone was intrigued with privacy, so the blog ventured heavily into tutorials for VPNs. At that point, traction started to increase dramatically.

Next, the privacy part of the thesis was selected for publication, and I had to present it to a room full of barristers, whilst standing on a gold podium.

Now, today, I have to say thank you for two million hits.

It’s been a real pleasure.

Finally, did you know the Uni gave me a First – and that listening to your comments was pivotal in that.

Thank you for Two Million hits – and for your comments.

Intel finds critical holes in secret Management Engine hidden in tons of desktop, server chipsets

Intel today admitted its Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE) are vulnerable to multiple worrying security flaws, based on the findings of external security experts.

The firmware-level bugs allow logged-in administrators, and malicious or hijacked high-privilege processes, to run code beneath the operating system to spy on or meddle with the computer completely out of sight of other users and admins. The holes can also be exploited by network administrators, or people masquerading as admins, to remotely infect machines with spyware and invisible rootkits, potentially.

Meanwhile, logged-in users, or malicious or commandeered applications, can leverage the security weaknesses to extract confidential and protected information from the computer’s memory, potentially giving miscreants sensitive data – such as passwords or cryptographic keys – to kick off other attacks. This is especially bad news on servers and other shared machines.

In short, a huge amount of Intel silicon is secretly running code that is buggy and exploitable by attackers and malware to fully and silently compromise computers. The processor chipsets affected by the flaws are as follows:

  • 6th, 7th and 8th Generation Intel Core processors

  • Intel Xeon E3-1200 v5 and v6 processors

  • Intel Xeon Scalable processors

  • Intel Xeon W processors

  • Intel Atom C3000 processors

  • Apollo Lake Intel Atom E3900 series

  • Apollo Lake Intel Pentiums

  • Celeron N and J series processors

Intel’s Management Engine, at the heart of today’s disclosures, is a computer within your computer. It is Chipzilla’s much maligned coprocessor at the center of its vPro suite of features, and it is present in various chip families. It has been assailed as a “backdoor” – a term Intel emphatically rejects – and it is a mechanism targeted by researchers at UK-based Positive Technologies, who are set to reveal in detail new ways to exploit the ME next month.

The Management Engine is a barely documented black box. It has its own CPU and its own operating system – recently, an x86 Quark core and MINIX – that has complete control over the machine, and it functions below and out of sight of the installed operating system and any hypervisors or antivirus tools present.

It is designed to allow network administrators to remotely or locally log into a server or workstation, and fix up any errors, reinstall the OS, take over the desktop, and so on, which is handy if the box is so messed up it can’t even boot properly.

The ME runs closed-source remote-administration software to do this, and this code contains bugs – like all programs – except these bugs allow hackers to wield incredible power over a machine. The ME can potentially be abused to install rootkits and other forms of spyware that silently snoop on users, steal information, or tamper with files.

SPS is based on ME, and allows you to remotely configure Intel-powered servers over the network. TXE is Intel’s hardware authenticity technology. Previously, the AMT suite of tools, again running on ME, could be bypassed with an empty credential string.

Today, Intel has gone public with more issues in its firmware. It revealed it “has identified several security vulnerabilities that could potentially place impacted platforms at risk” following an audit of its internal source code:

In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of our Intel Management Engine (ME), Intel Server Platform Services (SPS), and Intel Trusted Execution Engine (TXE) with the objective of enhancing firmware resilience.

The flaws, according to Intel, could allow an attacker to impersonate the ME, SPS or TXE mechanisms, thereby invalidating local security features; “load and execute arbitrary code outside the visibility of the user and operating system”; and crash affected systems. The severity of the vulnerabilities is mitigated by the fact that most of them require local access, either as an administrator or less privileged user; the rest require you to access the management features as an authenticated sysadmin.


But as Google security researcher Matthew Garrett pointed out in the past hour or so, the aforementioned AMT flaw, if not patched, could allow remote exploitation.

In other words, if a server or other system with the AMT hole hasn’t been updated to kill off that vulnerability, these newly disclosed holes will allow anyone on the network to potentially log in and execute malicious code within the powerful ME coprocessor.

“The ME compromise presumably gives you everything the AMT compromise gives you, plus more,” said Garrett via Twitter. “If you compromise the ME kernel, you compromise everything on the ME. That includes AMT, but it also includes PTT.”

He explained, “PTT is Intel’s ‘Run a TPM in software on the ME’ feature. If you’re using PTT and someone compromises your ME, the TPM is no longer trustworthy. That probably means your Bitlocker keys are compromised, but it also means all your remote attestation credentials are toast.”

Garrett said if an exploit allows unsigned data to be installed and interpreted by the ME, an attacker could effectively trigger the reinfection of malware after every ME reboot. Were that to happen, the only way to fix things would be to reflash the hardware by hand. At that point, he said, it would probably be cheaper just to get new hardware.

Intel said systems using ME Firmware versions 11.0, 11.5, 11.6, 11.7, 11.10, and 11.20, SPS Firmware version 4.0, and TXE version 3.0 are affected. The cited CVE-assigned bugs are as follows:

  • Intel Manageability Engine Firmware 11.0.x.x/11.5.x.x/11.6.x.x/11.7.x.x/11.10.x.x/11.20.x.x
    • CVE-2017-5705: “Multiple buffer overflows in kernel in Intel Manageability Engine Firmware 11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code.” Logged-in superusers, or high-privilege programs, can execute code within the hidden Management Engine, below the OS and any other software.
    • CVE-2017-5708: “Multiple privilege escalations in kernel in Intel Manageability Engine Firmware 11.0/11.5/11.6/11.7/11.10/11.20 allow unauthorized process to access privileged content via unspecified vector.” Logged-in users or running apps can slurp confidential information out of memory. This is very bad news on a shared system.
    • CVE-2017-5711: “Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code with AMT execution privilege.” Logged-in superusers, or high-privilege programs, can execute code within the AMT suite, below the OS and any other software.
    • CVE-2017-5712: “Buffer overflow in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allows attacker with remote Admin access to the system to execute arbitrary code with AMT execution privilege.” People with network access to a machine, and can log in as an admin, can execute code within the AMT suite.
  • Intel Manageability Engine Firmware 8.x/9.x/10.x
    • CVE-2017-5711: “Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow attacker with local access to the system to execute arbitrary code with AMT execution privilege.” Logged-in superusers, or high-privilege programs, can execute code within the AMT suite, below the OS and any other software.
    • CVE-2017-5712: “Buffer overflow in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allows attacker with remote Admin access to the system to execute arbitrary code with AMT execution privilege.” People with network access to a machine, and can log in as an admin, can execute code within the AMT suite.
  • Server Platform Service 4.0.x.x
    • CVE-2017-5706: “Multiple buffer overflows in kernel in Intel Server Platform Services Firmware 4.0 allow attacker with local access to the system to execute arbitrary code.” Logged-in superusers, or high-privilege programs, can execute code within the hidden Management Engine, below the OS and any other software.
    • CVE-2017-5709: “Multiple privilege escalations in kernel in Intel Server Platform Services Firmware 4.0 allows unauthorized process to access privileged content via unspecified vector.” Logged-in users or running apps can slurp confidential information out of memory. This is very bad news on a shared system.
  • Intel Trusted Execution Engine 3.0.x.x
    • CVE-2017-5707: “Multiple buffer overflows in kernel in Intel Trusted Execution Engine Firmware 3.0 allow attacker with local access to the system to execute arbitrary code.” Logged-in superusers, or high-privilege programs, can execute code within the hidden Management Engine, below the OS and any other software.
    • CVE-2017-5710: “Multiple privilege escalations in kernel in Intel Trusted Execution Engine Firmware 3.0 allows unauthorized process to access privileged content via unspecified vector.” Logged-in users or running apps can slurp confidential information out of memory. This is very bad news on a shared system.

Chipzilla thanked Mark Ermolov and Maxim Goryachy at Positive for discovering and bringing to its attention the flaw CVE-2017-5705, which sparked the aforementioned review of its source code for vulnerabilities.

Intel advises Microsoft and Linux users to download and run the Intel-SA-00086 detection tool to determine whether their systems are vulnerable to the above bugs. If you are at risk, you must obtain and install firmware updates from your computer’s manufacturer, if and when they become available. The new code was developed by Intel, but it needs to be cryptographically signed by individual hardware vendors in order for it to be accepted and installed by the engine.

Lenovo was quick off the mark with patches for its gear ready to download.

We’ll give you a roundup of fixes as soon as we can. It’s not thought Apple x86 machines are affected as they do not ship with Intel’s ME, as far as we can tell.

Today’s news will no doubt fuel demands for Intel to ship components free of its Management Engine – or provide a way to fully disable it – so people can use their PCs without worrying about security bugs on mysterious secluded coprocessors. ®

Reference:

https://www.theregister.co.uk/2017/11/20/intel_flags_firmware_flaws/

Dell Response

http://www.dell.com/support/article/fr/fr/frbsdt1/sln308237/dell-client-statement-on-intel-me-txe-advisory–intel-sa-00086-?lang=en

Germany bans children’s smartwatches

A German regulator has banned the sale of smartwatches aimed at children, describing them as spying devices.

It had previously banned an internet-connected doll called My Friend Cayla for similar reasons.

Telecoms regulator the Federal Network Agency urged parents who had such watches to destroy them.

One expert said the decision could be a “game-changer” for internet-connected devices.

“Poorly secured smart devices often allow for privacy invasion. That is really concerning when it comes to kids’ GPS tracking watches – the very watches that are supposed to help keep them safe,” said Ken Munro, a security expert at Pen Test Partners.

“There is a shocking lack of regulation of the ‘internet of things’, which allows lax manufacturers to sell us dangerously insecure smart products.

“Using privacy regulation to ban such devices is a game-changer, stopping these manufacturers playing fast and loose with our kids’ security,” he added.

In a statement, the agency said it had already taken action against several firms offering such watches on the internet.


Reference:

http://www.bbc.com/news/technology-42030109

Intel’s super-secret Management Engine firmware now glimpsed, fingered via USB

Positive Technologies, which in September said it has a way to drill into Intel’s secretive Management Engine technology buried deep in its chipsets, has dropped more details on how it pulled off the infiltration.

The biz has already promised to demonstrate a so-called God-mode hack this December, saying they’ve found a way for “an attacker of the machine to run unsigned code in the Platform Controller Hub on any motherboard.”


For those who don’t know, for various processor chipset lines, Intel’s Management Engine sits inside the Platform Controller Hub, and acts as a computer within your computer. It runs its own OS, on its own CPU, and allows sysadmins to remotely control, configure and wipe machines over a network. This is useful when you’re managing large numbers of computers, especially when an endpoint’s operating system breaks down and the thing won’t even boot properly.

Getting into and hijacking the Management Engine means you can take full control of a box, underneath and out of sight of whatever OS, hypervisor or antivirus is installed. This powerful God-mode technology is locked down to prevent miscreants from hijacking and exploiting the engine to silently spy on users or steal corporate data. Positive says it’s found a way to commandeer the Management Engine, which is bad news for organizations with the technology deployed.

For some details, we’ll have to wait, but what’s known now is bad enough: Positive has confirmed that recent revisions of Intel’s Management Engine (IME) feature Joint Test Action Group (JTAG) debugging ports that can be reached over USB. JTAG grants you pretty low-level access to code running on a chip, and thus we can now delve into the firmware driving the Management Engine.

With knowledge of the firmware internals, security vulnerabilities can be found and potentially remotely exploited at a later date. Alternatively, an attacker can slip into the USB port and meddle with the engine as required right there and then.

There have been long-running fears IME is insecure, which is not great as it’s built right into the chipset: it’s a black box of exploitable bugs, as was confirmed in May when researchers noticed you could administer the Active Management Technology software suite running on the microcontroller with an empty credential string over a network.

The JTAG revelation came to Vulture South’s attention via a couple of tweets:

The linked blog post, in Russian, explains that since Skylake, Intel’s Platform Controller Hub, which manages external interfaces and communications, has offered USB access to JTAG interfaces. The new capability is DCI, Direct Connect Interface.

Aside from any remote holes found in the engine’s firmware code, any attack against IME needs physical access to a machine’s USB ports which as we know is really difficult.

We still don’t know all the details Positive Technologies will show off at Black Hat, but their trailers are sure fun to watch. ®

Bootnote

The IME is able to control a computer because it runs an OS of its own, namely MINIX: a small and simple microkernel system designed to teach computer-science students how hardware and operating systems work. And it turns out that while Intel talked to MINIX’s creator about using it, the tech giant never got around to saying it had put it into recent CPU chipsets it makes.

Which has the permissively licensed software’s granddaddy, Professor Andrew S. Tanenbaum, just a bit miffed. As Tanenbaum wrote this week in an open letter to Intel CEO Brian Krzanich:

The only thing that would have been nice is that after the project had been finished and the chip deployed, that someone from Intel would have told me, just as a courtesy, that MINIX was now probably the most widely used operating system in the world on x86 computers. That certainly wasn’t required in any way, but I think it would have been polite to give me a heads up, that’s all.


Reference:

https://www.theregister.co.uk/2017/11/09/chipzilla_come_closer_closer_listen_dump_ime/

Buffer Overflows – Video

A good intro to Buffer Overflows in memory.

TOR – Hidden Services – Dark Web

Great introduction to the Dark Web, and how it works, based on  “hidden services”.

End to End Encryption – Computerphile

Theresa May has suggested a plan to ban End to End Encryption. Here is a discussion of what that means. In plain terms the suggestion is misguided. Alas, stupidity seems to be the norm for politicians and technology, and we all sigh in frustration when we hear the latest policies.

SHA Hash Function – Computerphile

Hashing functions are like a signature of a file, in the form of a fixed length string to prove data integrity.

MD5 and SHA1 have weaknesses, therefore SHA2 is preferred.


Problems with SHA1

Weak against nation states with vast computing power

Nothing to Hide – The Documentary about Surveillance
