Router MAC Address and Privacy

Recently, I have been considering purchasing a portable OpenWRT router to better protect the traffic of all my devices while traveling. However, I have some privacy concerns:

I am worried that when connecting to different hotel networks, the unique MAC address of my router obtained by the ISP could lead to my identity being uniquely identified and tracked. Currently, iOS has the feature to randomize MAC addresses for different networks and rotate them after a period of time. I would like to know if the OpenWRT router has the capability to “randomize” and “rotate” the MAC address that the ISP obtains.

Additionally, I have seen claims that routers broadcast their MAC addresses, which may pose some privacy issues. Could anyone explain how this works? Can the aforementioned “rotating MAC addresses” and “randomly generating MAC addresses for each network” help avoid this issue?

Thanks for the help!

1 Like

This is a better question for the OpenWRT forum imo. Did a 5-second internet search and found results with almost the exact same question: Add random MAC generation after each reboot - #5 by elbertmai - Feature Requests - OpenWrt Forum

I will copy the most descriptive reply here.

TL;DR: If and only if you keep the router online and are physically moving around with the router at the same time, then maybe the MAC randomization may benefit you. Otherwise, I’d argue it has negligible benefits if you turn the router online at a fixed location and turn it off when physically moving the router. Even then, I don’t believe this would easily tie to your identity at all without quite intensive forensics.

———

Are you saying that randomizing the router’s MAC address enhances the privacy of the devices inside the local network? If so, there’s a serious misunderstanding of the purpose of MAC addresses and the threat model that MAC randomization operates under.

First of all, MAC addresses are valid only within a local network. When I connect to openwrt.org on my computer, the (highly simplified) packet flow goes like this:

  1. My computer creates an IP packet. Its source address is my computer’s IP address. Its destination address is openwrt.org’s IP address.
  2. My computer wraps the packet into an Ethernet frame. Its source address is the computer’s MAC address. Its destination address is my router’s LAN MAC address.
  3. My computer sends this frame which gets picked up by my router’s LAN port.
  4. My router strips the Ethernet frame and inspects the IP packet header. It determines it should be forwarded to the ISP’s router which is reachable via my router’s WAN port.
  5. My router wraps the packet into a new Ethernet frame. Its source address is my router’s WAN MAC address. Its destination address is the ISP router’s MAC address.
  6. Repeat steps 3 through 5 for each router hop until the packet gets to the final router connected to the LAN containing openwrt.org’s servers.
  7. That final router wraps the IP packet into the final Ethernet frame. Its source address is the final router’s MAC address. Its destination address is the openwrt.org server’s MAC address.

Notice that the MAC addresses of the Ethernet frames change at each hop. The ISP router never sees the MAC addresses of the internal devices. And neither do the openwrt.org servers, or the servers of any other website. (Well, except for LuCI running on the OpenWrt router, of course.)

Second of all, MAC randomization came about because of smartphones constantly transmitting probes in order to find WiFi networks to connect to. A bunch of WiFi APs collectively can use this to track the physical movement of smartphone owners. This scenario doesn’t apply to your router, because it’s almost always in a fixed location. MAC randomization is mainly useful for WiFi devices that are highly mobile or portable like phones and laptops.

But let’s say for the sake of argument that router MAC randomization on reboot is somehow useful. OpenWrt users have uptimes measured in weeks to months, rebooting their device only to install updates or to test snapshots. So are you expecting users to constantly reboot their routers every 24 hours or so, disrupting all current connections?

5 Likes

In the context of a hotel network, the ISP cannot see your router’s MAC or that of any other device.

You can set option macaddr 'random' on each wifi-iface and interface in /etc/config/wireless and /etc/config/network respectively.

That’ll randomize them on each reboot.

2 Likes
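The hop-by-hop packet flow in the earlier reply, extended to the hotel scenario of the reply just above, as an added worked example. This is illustration code written for this page, not code from the thread, from OpenWrt or from netifd; every MAC and IP address in it is a constructed sample value, and the node, link and function names are assumptions made for the model. It re-encapsulates one IP packet at each hop (steps 2, 5 and 7 of the reply), records which source MAC is visible on each layer-2 segment, and then swaps in a freshly randomized WAN MAC on the travel router to show which segment that change is even visible on.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class IPPacket:
    """Layer-3 header fields; these survive every hop unchanged."""
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class Frame:
    """One Ethernet frame on one layer-2 segment (link)."""
    link: str
    src_mac: str
    dst_mac: str
    packet: IPPacket


@dataclass
class Node:
    """A host or router; routers have a distinct MAC per port."""
    name: str
    lan_mac: str = ""
    wan_mac: str = ""


# Constructed sample topology: laptop -> travel router -> hotel gateway -> ISP.
LAPTOP = Node("laptop", lan_mac="02:11:11:11:11:11")
TRAVEL = Node("travel router", lan_mac="02:22:22:22:22:01", wan_mac="02:22:22:22:22:02")
HOTEL = Node("hotel gateway", lan_mac="02:33:33:33:33:01", wan_mac="02:33:33:33:33:02")
ISP = Node("ISP router", lan_mac="02:44:44:44:44:01")
PACKET = IPPacket(src_ip="192.168.1.10", dst_ip="203.0.113.5")  # constructed


def random_local_mac() -> str:
    """Random unicast, locally-administered MAC: bit 1 of the first octet
    set, bit 0 clear. This is the address class OS-level MAC randomization
    hands out, so it never collides with a vendor-assigned (OUI) address."""
    b = bytearray(secrets.token_bytes(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)


def path(laptop: Node, travel: Node, hotel: Node, isp: Node):
    """Layer-2 segments the packet crosses, as (link, sender MAC, next-hop MAC).
    Each router rewrites both MACs when it forwards onto its WAN segment."""
    return [
        ("hotel-room LAN", laptop.lan_mac, travel.lan_mac),
        ("hotel Wi-Fi", travel.wan_mac, hotel.lan_mac),
        ("ISP uplink", hotel.wan_mac, isp.lan_mac),
    ]


def trace(packet: IPPacket, hops) -> dict:
    """Wrap the SAME IP packet in a fresh frame on every segment and return
    the frame observed on each link, keyed by link name."""
    return {link: Frame(link, src, dst, packet) for link, src, dst in hops}


def links_seeing(mac: str, frames: dict) -> set:
    """Segments on which a given MAC appears as source or destination."""
    return {f.link for f in frames.values() if mac in (f.src_mac, f.dst_mac)}


def run(travel: Node = TRAVEL) -> dict:
    return trace(PACKET, path(LAPTOP, travel, HOTEL, ISP))


if __name__ == "__main__":
    before = run()
    for link, f in before.items():
        print(f"{link:15s} src={f.src_mac} dst={f.dst_mac} ip={f.packet.src_ip}->{f.packet.dst_ip}")
    # Same router, new random WAN MAC (what a per-reboot randomization does).
    rebooted = Node(TRAVEL.name, TRAVEL.lan_mac, random_local_mac())
    after = run(rebooted)
    print("laptop MAC visible on:", links_seeing(LAPTOP.lan_mac, before))
    print("travel WAN MAC visible on:", links_seeing(rebooted.wan_mac, after))
    print("ISP uplink src MAC unchanged:", before["ISP uplink"].src_mac == after["ISP uplink"].src_mac)
```

Running it prints one line per segment and then the visibility sets: the laptop's MAC shows up only on the hotel-room LAN, the travel router's WAN MAC only on the hotel Wi-Fi segment, and the frame on the ISP uplink carries the hotel gateway's MAC whether or not the travel router randomized its own. The IP header is identical on all three segments, which is why MAC randomization addresses tracking by the adjacent network (the hotel AP) and nothing further upstream.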

Thanks a lot!

Thank you very much for your patient answers!