Hello, hello everyone. I am Francesco Giudici. I'm a software developer at Red Hat and I'm also a team member of the NetworkManager project. Have you ever stopped for a while to think what kind of information people might leak when they connect to a free Wi-Fi network? They come to Teobran. I did. I did, and in order to really understand what this information could be, I took a trip to the mall. I usually go with my wife, and that time, since I knew that there would be a free Wi-Fi network, I brought my laptop there.
The first thing I did there was to turn my Wi-Fi device into monitor mode. This means that it will be able to capture all the frames that will be there without any need to be associated to any network. All the frames that will flow in the air, and it will also be able to show me management frames, which basically are used to discover Wi-Fi networks nearby and perform the association to the Wi-Fi network. When I was there, basically after putting anything in monitor mode, I started Wireshark to do a capture of all the frames. I left my laptop running for 10 minutes. Then I shut it off and went shopping with my wife, because I care about Wi-Fi privacy, but I'm more concerned to not make her upset.
So here is the capture. Roughly, I captured 45,000 frames. They're not that much. And I started looking at what was there that could help to identify me as a person or help to track people. I don't really need to see the capture to understand that the very first thing that I have to take care of is the MAC address. We know that each Wi-Fi device is assigned a MAC address in the factory. This is called the burned-in MAC address and this is unique in the world. So this could be really sensitive if we leak this or try to connect to a Wi-Fi network. But where do we leak or where do we expose our MAC address? Well, as we said, in every frame that is transmitted. So you will always see it in the air.
But what might not be trivial to understand is that it could also be leaked when you are not connected to a Wi-Fi network. As we briefly introduced, there are some management frames, which are called probe requests, that the Wi-Fi needs to send out to discover if there is some access point nearby. And these will contain the MAC address too. So what can you do to deal with this? You can switch off Wi-Fi, that's trivial. But of course, this might not be the best solution. You could just randomize it.
And so how could you do that in NetworkManager? First of all, you will be very happy to know that NetworkManager already does randomization of your MAC address for the probe request frames. So, when scanning for nearby networks. So one less problem to deal with. But from association onward, you can control which kind of MAC address will be disclosed with the cloned-mac-address property. And you have a bunch of values that you can put there. Of course, you can put there a custom MAC address, or you have some preset values that will determine the behavior of NetworkManager for you.
Namely, as you can see, preserve means don't touch the MAC address. Maybe you already take care of it with another external program or you already changed it. And NetworkManager will not do anything with that when enabling the connection. You can ask instead to use the burned-in MAC address. Of course, this is not for privacy, but maybe you have a good reason to disclose your real MAC address, maybe in a corporate Wi-Fi network. You can pick a stable MAC address, which is basically this stable value that you will find in the NetworkManager configuration; it means to pick a random value, but that will be kept stable each time you activate that specific connection. This is good because you can randomize it while keeping a stable behavior. Of course, random. This means that each time you activate a connection, the MAC address will be changed. How do you change it?
Well, the easiest way to change it is to use the nmcli tool. It's as easy as writing nmcli connection modify, your connection name, cloned-mac-address, which is the property you want to change, and a value that you choose. If one prefers a graphical user interface instead, you can do that also with nm-connection-editor. You can fire it up. You will have just a graphical user interface and you have to pick the Wi-Fi tab there. There will be a cloned MAC address field to fill. You have a drop-down menu where you can pick the presets, or just click in and put your own MAC address. So, the MAC address, it's not that big a deal. We just have to randomize it.
Let's see what else is in our Wireshark capture. Probe requests. Again, we said these are used to discover nearby Wi-Fi networks. Here is our capture filtered by probe request. It's around 10% of the packets I collected. And you can see that among all the probe requests, there are a few that contain a specific SSID. Well, guess what? If you keep broadcasting your Wi-Fi SSID, it will be easier to track you. Let's take one in particular to see what happens. I took this, I started by this SSID all year. I don't recognize it because I don't want to be legally sure. I don't know if it would be the case. SSID lose something family. There is a station that is broadcasting this for all the 10 minutes. And we can see that the MAC address is changing. It's randomized. It's trying to not be tracked. But if we are able to see this broadcast of a specific SSID, we are able anyway to understand that that is the same user.
What about NM? Well, NetworkManager will not put any SSID in probe requests. That's great. If you don't trust me, ask me this.
What happens then after association? Once you are associated to the Wi-Fi network, you will have to get a new address in order to communicate. So you will start the DHCP request, and with the DHCP request come the DHCP options. And some could leak some sensitive information.
The first one of course is the DHCP client identifier. This is a mandatory option. And as the DHCPv4 specification states, the client identifier must be unique among the client identifiers used on the subnet to which the client is attached. So the perfect value to use for tracking. Maybe it's even worse for DHCPv6, where the option, which has the same name but is a different option because it's for IPv6, carries the DHCP Unique Identifier. Which basically is meant to identify the host, not the particular DHCP request that it is sending out. And this is required to be permanent. So it means that a host that uses DHCPv6, for every connection, every interface it will use, will always send out the same DUID. And in order to differentiate the DHCP requests coming from the same host, maybe on different interfaces, on different connections, another option is used in the DHCPv6 specification, where you put an identity association ID. And basically, binding the DUID and the identity association ID allows you to identify basically a single DHCP request.
In order to make things more coherent, there is another specification, that is RFC 4361, that tries to converge to a more coherent description of the client identifier. This suggests to use for the client identifier in DHCPv4 a combination of the DUID and of the identity association ID. So we said the DUID is unique per host, so what can we do with that? Also people dealing with the specification came up with this question, and the solution was another specification. RFC 7844, they told me it's called Anonymity Profiles for DHCP Clients. They basically tell you, if you need privacy, maybe the common standard doesn't work for you. So if you really want to be anonymous, use a profile where you use a random MAC address, as we have already seen. And you base your DHCP client identifiers on that random MAC address. So you will not leak any particular sensitive information. Let's go to our capture.
Let's look at just an example. Here the client just puts its MAC address in the client identifier. There is nothing more than what it is already leaking by exposing its MAC address. But what about NetworkManager? You can take care of the property dhcp-client-id to put whatever you want to. Of course you can put a custom value, or you can put mac. The mac label basically will allow you to use your current MAC address, and this is what the anonymity profile specification mandates. Or you can have the permanent MAC address there if you want to somehow learn a corporate network and you want that your client could be identified by that. Stable, as usual, that's a stable identifier, which is randomized but is kept stable for the connection any time it is activated. Or you have also the option to pick the recommendation from RFC 4361, where you have a combination of the DUID and the identity association ID.
Again you change it with nmcli. Easy as always: nmcli connection modify, your connection, and the property to change this time is ipv4.dhcp-client-id. It could also be changed as a default by applying a NetworkManager configuration file, and so your default will be based on what you really want. If you know that you have a laptop and you are always around, you may want to have as a default to use the actual MAC address as the client identifier, and you can change it.
A bit similar for IPv6: the option in NetworkManager is called dhcp-duid. You have multiple options here. Let's say that the one that you want to achieve privacy is ll; ll stands for link layer. Once again it means base your DUID on the actual MAC address. This is compliant with the anonymity profile standard. The default instead will be to pick the DUID from the lease file, if the connection has already been started any time in the past. Otherwise the default for NetworkManager is to use, as per the main standard, a DUID that is permanent per host. So basically you will reveal your identity.
You can change it as usual with nmcli. The property is ipv6.dhcp-duid. And also for this one you can change the default configuration in NetworkManager.
Let's go back to our capture. What other DHCP options are there that could allow easy tracking? The host name option. Basically here we see that the client discloses its brand and its type. It's Huawei P9 Lite. But what does NetworkManager do there? By default it will send out the host name DHCP option in the DHCP requests. And the fully qualified domain name option for DHCPv6, which is basically the same. It discloses basically the same thing, which is your system host name. So you have to be really aware of this: if you want to achieve privacy, maybe you want to change this. And what can you do with that? Two options. You can drop those options from the DHCP request. They're not mandatory. And you can just change ipv4 and ipv6 dhcp-send-hostname to no; it's just a boolean. By default it's yes. Of course you can just put there whichever host name you want. That will be used just for that connection. And the options are called ipv4 or ipv6 dhcp-hostname.
So if you see me around and you spot me at the moment, what are you going to do? Don't do this please. There is a less brutal option. And it would be to enforce privacy with NetworkManager. Let's recap a bit. First of all, be sure that your MAC address is randomized. Then you have to be sure that the client ID for both DHCPv4 and DHCPv6 will be MAC-based. And remember, don't send any host name out. If you want a default configuration that is targeted for anonymization, you can find it in the NetworkManager upstream repository under the directory examples and then configuration.d. There is this 30-anon.conf configuration snippet that you can change a bit and just drop in your NetworkManager configuration directory. And you will be almost all set. It will cover points 1, 2 and 3, but it will not be able to cover point 4.
So you will have anyway to remember to disable sending out your host name. That's it. Questions?
Yes please. So the question is, does NetworkManager have any notion about trusted or untrusted networks? The answer is no. It's something we are working on. We want to make all this process much easier. Ideally we want to apply a security profile with a one-liner. Say, I want this configuration, this network secure, and all this stuff will be applied. But we are working on it; not yet.
Yes please. So the question is, what are the implications with protecting management frames? Like some of the new features of Wi-Fi. Yeah, a new feature from Wi-Fi. Well, the MAC address will be disclosed anyway. So that will happen. Yes, it will be. It will allow you a bit, maybe, to be protected from people like me just sniffing in the air. But if a person is able to associate to the network, they will anyway receive the broadcasts. So they will be able anyway to see all the DHCP options that you will have in the request.
Another question? The question is, did you have any problem with association? Do you want to randomize your MAC address with Wi-Fi chipsets that may have some filters on the MAC address? The answer is, yes, legacy drivers will have these problems. And for this kind of driver, you may want to disable the network randomization during the scan. You could do that, I can show you. I guess, do you have connection here? Anyway, I'll adjust. I just want to take the man page. I don't remember the name of the option. Anyway, it's easier. I don't want to disclose. Anyway, it will be easy. There is an option that you can configure in the NetworkManager.conf main configuration file. And you can set Wi-Fi scanning during randomization off just for a bunch of chipsets. That file, the directory where I pointed you about the configuration file that you can drop to change the behavior of anonymization and so on.
It will also contain, as an example, showing you how to disable the scanning for this kind of Wi-Fi driver. Randomization during the scan for this Wi-Fi driver. It could also be just for particular drivers.
Yeah, another question? The question is, is it possible to randomize just a part of the MAC address? Maybe to leave the first byte of the MAC address fixed, in order that we can just appear as a particular device? The answer is yes. There are other properties that I have not shown you that allow you to configure in detail how MAC address randomization should happen. There is a subnet mask. Not a subnet, sorry. A mask that you can apply to pick just the bytes that you want to randomize and have some other fixed ones.
Yeah, another question? Sorry, can you repeat that? Oh, what do they do? Yeah, sure. Yeah, the question is, do you have any insight into what other operating systems do, which do not use NetworkManager? The answer is, yeah, I know that there is. The scanning randomization is something that is applied by many devices. Also mobile phones, Android and Apple, I guess. And also not putting your SSID in probe requests is something that everyone is starting to do. Because you need that just when you have a hidden wireless network. Why is it important, why would you need to put your SSID when doing a probe request? If the network has a hidden SSID, it will not disclose it. You should come with a probe request to say, I'm looking for this network, so the access point will reply. And in order to achieve this, there should be an SSID there. And they have an option, I saw in the latest Android release, for instance, that in the advanced properties of the Wi-Fi configuration you can put, this is a hidden Wi-Fi network. We have the same also in NetworkManager, you can tweak it on a per-connection basis. So yes, I think every OS is dealing with this, especially mobile phones are picking this up. But as you see, I did the capture just a couple of weeks ago.
There are really a lot of devices that don't do that.
Another question to Francesco, if you will ask.