0

On a PC, you can change the MAC address of a network adapter - Ethernet, 802.11 Wireless - and thus assume a different "identity" than previously.

Now, I'm stuck in a train station for a few hours, and am using my RedMi 3S (Android 6.0.1) to connect to the Internet. But - curse be upon their heads - they only offer "30 minutes of free WiFi". Of course, that has to be tied to some sort of physical identification, for them to throw you out after 30 minutes, right?

Question:

  1. Can I change my MAC, literally, or do something else which will make the access point(s) think of my phone as another device than the one it know?
  2. Could I need to perform any other, complementary, actions, such as delete the cached DHCP lease before reconnecting, or clear the browser cache? Or - is such caching not used when reconnecting?
einpoklum
  • 533
  • 2
  • 7
  • 30
  • Changing MAC address is possible with root access but I don't think that would be helpful in your situation. – Irfan Latif Dec 01 '19 at 19:10
  • @IrfanLatif: Well, my situation has come and gone, but in principle - why would that not be helpful? – einpoklum Dec 02 '19 at 11:49
  • Public WiFi APs usually work as gateways, DHCP server, DNS server and captive portals at the same time. They maintain a list of whitelisted MACs which (have authenticated and) are allowed to access internet for a given time period. However MAC can be combined with other information like IP address, DHCP lease time and user agent to identify the connected client. So MAC spoofing might not work, and the very next HTTP request might be redirected to captive portal treating you as new client. – Irfan Latif Dec 09 '19 at 07:20
  • There are numerous other things which may expose that you are trying to bypass authentication. This relates: https://android.stackexchange.com/q/47819/218526 – Irfan Latif Dec 09 '19 at 07:22
  • @IrfanLatif: So, MAC change + clearing the DHCP lease should do it then? Also, if I'm a new client, that's a good thing... – einpoklum Dec 09 '19 at 07:27
  • 1
    I'm not an expert, but it depends on captive portal implementation, how complex it is to hide identity. Being new client is a good thing if you are able to get new login credentials and you don't mind logging in every thirtieth minute. Spoofing MAC and clearing DHCP cache isn't enough if they are tracking you with web cookies or some other fingerprints or identification numbers. – Irfan Latif Dec 09 '19 at 08:02
  • 1
    In simple cases where no authentication is involved, spoofing MAC should suffice. Or additionally setting IP manually may also do the trick. – Irfan Latif Dec 09 '19 at 08:10

0 Answers0