Hardware ID Spoofing


#1

With a Librem, wouldn’t you be able to spoof your HWIDs since they use free software firmware? Obviously reverse engineering would be required if you’re using proprietary hardware, but not with a Librem right? My purpose in doing this would be anonymity, why should service providers be able to identity me in that way? I can imagine getting blacklisted by Spamhaus for god knows what, by my HWIDs and not just my IP address. Has anyone attempted this?


#2

What model of Librem are you talking about? What HWIDs are you talking about?

If you are talking about, say, Librem 5 and IMEI then
a) you won’t necessarily be able to do that because the modem is still blackbox and may prevent or not be able to change the IMEI
b) it is illegal to change the IMEI in some countries

If you are talking about any model of Librem and a MAC address (only WiFi, not ethernet, at the current time) then
a) yes, no drama to change and happens automatically in some cases
b) why would this be needed given that the MAC address would not be exposed outside the LAN by normal networking protocols? e.g. Spamhaus or your ISP would not see the MAC address via normal networking protocols
c) however you definitely need WiFi MAC address randomisation for portable devices when not associated with a WAP
d) and for the Librem 5 you need BT address randomisation


#3

The Librem 13 or 15, and I’d be interested in spoofing all of the HWIDs. I do use macchanger to spoof my MAC address, but what about your HDD/SSD or your CPU and GPU? Anything anybody could identify by a HWID.


#4

I think your main goal is to ensure that those IDs don’t escape outside of your computer - and open source software is a good start.

There are a mass of serial numbers and other IDs on hardware components - and there isn’t a lot that can necessarily be done
a) not to have those IDs at all, or
b) to change the IDs.

As to specific low level interfaces that might be offered to spoof disk or CPU unique identifiers, I don’t know.

There’s no discrete GPU, so maybe not a concern in this case. Perhaps the display itself has a unique identifier.

A fun way of spoofing some IDs may be to use a VM - so that some or all of the hardware components are virtual anyway.


#5

Yeah exactly, I believe so as well. And yes, I don’t want those IDs exposing themselves to anyone over the Internet, especially advertisers. I’m just wondering since Librem does use free software firmware for it’s components, how would I go about modifying those IDs. About VMs, it’s true that I could use QEMU to spoof those IDs virtually, do you have any idea how to begin masking the VM so it doesn’t reveal itself as a VM?


#6

Taking the disk as an example, a disk does not typically have loadable firmware because otherwise you have a chicken-and-egg problem. So, the disk presumably has embedded firmware, and the firmware is blackbox and noone has ever seen it and you can’t necessarily change it or know what it does. So if the disk has a serial number, it is up to the disk whether your computer can read the serial number (you typically can) and up to the disk whether you can write it. You have no control over either.

By the way, I notice that even the memory cards on my computer have a serial number.

In an open source system, the main point of exposure is the web browser. If the web browser allows e.g. JavaScript to read an “id” then you are in trouble. The good news is that that gives you two places to keep the id a secret. You can have the operating system lie to the browser and you can have the browser lie to JavaScript. The bad news is that JavaScript / the web browser already expose more than enough information to fingerprint you - without access to HWIDs.


#7

Yeah exactly, JavaScript has always been a major concern to me, mostly because you really can’t go without it. Yeah pretty much everything has a serial number, I wish there was a free software program that I could install and use to spoof them all. Do you know of any resources to obfuscate any of that on a VM?


#8

No, sorry.