Whonix ®

Download

Windows Linux Mac VirtualBox KVM Qubes USB ISO (coming soon) More options Source Code

About

Overview Features Whonix vs VPNs Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

MAC Address Spoofing and Tracking Threats

MAC Address Documentation[edit]

Redirection to Kicksecure Documentation

Incomplete: This wiki page is incomplete. This it by design. It only contains specific information for Whonix. Below is a link to a wiki page in the Kicksecure wiki with more general information. Reading it is mandatory for full information.

• Introduction: Whonix Documentation Introduction, User Expectations, Footnotes and References, User Expectations - What Documentation Is and What It Is Not
• Whonix is based on Kicksecure^™: Whonix inherits many features and principles from Kicksecure.
• Kicksecure is based on Debian: Kicksecure builds upon the stability of Debian.
• Inheritance: Therefore, Whonix is also based on Debian.
• Debian is GNU/Linux-based: Debian primarily uses the GNU/Linux as its foundation.
• Shared documentation benefits: Because one distribution is based on another:
• Inherited documentation: Little specific documentation is required for each layer.
• Shared principles: Features and principles often remain consistent across forks. Users can often follow the same instructions for both Whonix and Kicksecure.
• Keep using Whonix: This does not mean the user should switch to Kicksecure.
• Where to apply the instructions: The instructions should be applied inside Whonix.
• Wiki editors notice: This box is wiki template upstream_wiki. (Pages that link to it.)
• Comparison: Whonix versus Kicksecure
• Documentation compatibility: Since Whonix is based on Kicksecure, the user should follow these instructions for:

MAC Address

• Note: Re-interpretation...

Apply the instructions inside Whonix, not Kicksecure.

Kicksecure: Perform these steps inside Kicksecure.

Instead the user should apply the instructions inside Whonix-Workstation.

Kicksecure for Qubes: Perform these steps inside Qubes kicksecure-17 Template.

Instead the user should apply the instructions inside whonix-workstation-17 Template.

Auto-connect Risk[edit]

Beyond the challenge of generating an appropriate spoofed MAC address, there are technical hurdles related to preventing automatic network connections.

A spoofed MAC address is ineffective if the computer automatically connects to a public network after booting, thereby exposing the real MAC address:

• Physical Isolation: Whonix-Gateway^™ automatically connects to Tor upon startup.
• USB Wi-Fi Device: Automatic connections may occur depending on the configuration.
• VM Users: The host operating system is likely to automatically connect to the internet for updates, time synchronization, or other background services.

Other Location Tracking Risks[edit]

Tor Entry Guard Fingerprinting[edit]

Addressing MAC address concerns is only one part of a broader location tracking problem. Users must also consider how Tor entry guards are used across different locations to avoid guard fingerprinting. To mitigate this risk, follow one of the recommended configurations:

1. Clone Whonix-Gateway (sys-whonix) with New Entry Guards.
2. Regenerate the Tor State File after Saving the Current Tor State.
3. Configure Tor to use Alternating Bridges.
4. If relocating permanently, create Fresh Tor Entry Guards by Regenerating the Tor State File.

To fully mitigate this threat, entry guard changes must be applied to every Tor instance on both the host (e.g., apt-transport-tor) and guest systems.

Using Personal Computers in a Public Network[edit]

In this scenario, the MAC address must be changed, and a new set of Tor entry guards should be configured. ^[1] Additionally, efforts should be made to obscure Tor usage from the network administrator. Depending on the user's setup, this may involve using an obfsproxy bridge or tunneling traffic through SSH or a VPN before connecting to the Tor network.

Depending on the threat model, changing the MAC address and using Tor may prevent revisiting the public network. If reuse is needed, the user must choose between keeping the same MAC address and Tor entry guards or generating new ones.

If the network administrator is suspected of logging MAC addresses, changing the MAC may arouse suspicion. Conversely, if the network is sufficiently public and individual observation is unlikely, it may be safe to use a new MAC address each time -- one that features a popular vendor ID and a random second part.

For further discussion on this complex topic, see Dev/MAC.

Changing MAC Addresses[edit]

Whonix[edit]

TODO: Please help test and improve these instructions.

References[edit]

License[edit]

Whonix MAC Address wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix MAC Address wiki page Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos(at)whonix.org (Replace (at) with @.)Please DO NOT use e-mail for one of the following reasons: Private Contact: Please avoid e-mail whenever possible. (Private Communications Policy) User Support Questions: No. (See Support.) Leaks Submissions: No. (No Leaks Policy) Sponsored posts: No. Paid links: No. SEO reviews: No. >

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.

Whonix The most watertight privacy operating system in the world.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Whonix is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Whonix we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Whonix needs to remain open source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!