
Milan Airport WiFi sends your MAC address to advertisers and trackers - vjvj
https://mobile.twitter.com/pimterry/status/1192028773526441985
======
helper
Based on the screenshots it looks like the mac address is leaking out because
it's in the referer. I would guess this isn't intentional and shouldn't be hard
to fix.

I've worked with a number of captive portal systems and they all basically
work the same way. The AP/controller intercepts http requests and redirects to
the captive portal page with identifying information about the device
(ip,mac,ssid,ap_mac,etc.). The captive portal http server shows the user a
splash page to accept terms or enter a username/password or a credit card.
Once the captive portal server decides the user should be allowed onto the
network it needs to communicate that back to the wireless hardware which is
done with the user's mac address.

Based on the requests it looks like they have some ads/trackers on the splash
page that are getting requests with a referer set to the original splash page
url (which includes the client mac address). A no-referrer meta tag or an
intermediate redirect would prevent this from happening.
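
The two fixes named in the comment above (an intermediate redirect and a no-referrer policy), as an added example that is not part of the original thread or of any captive portal product. The parameter names, the `portal.example` URL and the in-memory session store are assumptions for illustration.

```python
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names are assumptions; each controller vendor uses its own.
DEVICE_PARAMS = {"ip", "client_mac", "ap_mac", "ssid"}
SESSIONS = {}  # session token -> device identifiers, held server-side only


def intermediate_redirect(controller_url):
    """Answer the controller's redirect with a second redirect to a clean URL."""
    parts = urlsplit(controller_url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    token = secrets.token_urlsafe(16)
    # Identifiers move out of the query string, so the splash page URL
    # (and any Referer built from it) no longer carries them.
    SESSIONS[token] = {k: v for k, v in params if k in DEVICE_PARAMS}
    kept = urlencode([(k, v) for k, v in params if k not in DEVICE_PARAMS])
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, kept, ""))
    return 302, {
        "Location": clean,
        "Set-Cookie": f"portal_session={token}; HttpOnly; SameSite=Lax; Path=/",
        "Referrer-Policy": "no-referrer",
    }


def referer_for_third_party(page_url, policy):
    """Referer a browser attaches to a cross-origin request made by page_url.

    Models three standard policies; assumes no HTTPS-to-HTTP downgrade.
    """
    parts = urlsplit(page_url)
    if policy == "no-referrer":
        return None
    if policy == "strict-origin-when-cross-origin":
        return f"{parts.scheme}://{parts.netloc}/"
    if policy == "no-referrer-when-downgrade":
        return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))
    raise ValueError(f"policy not modelled: {policy}")


if __name__ == "__main__":
    # Constructed sample URL; the MAC is a made-up locally administered address.
    url = "http://portal.example/splash?client_mac=02:00:5e:10:20:30&ssid=Free-WiFi&lang=it"
    print("leaky Referer:", referer_for_third_party(url, "no-referrer-when-downgrade"))
    status, headers = intermediate_redirect(url)
    print(status, headers["Location"])
    print("Referer after fix:", referer_for_third_party(headers["Location"], "no-referrer"))
```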

~~~
pimterry
While the mac address is a particularly egregious note, really they shouldn't
be sending any data to ad firms whatsoever without consent, and fixing the
referrer alone won't help much.

Aside from the data they're explicitly sending in those requests, they're
running the response as JS, thereby exposing a bunch of data about your
machine & browser, and the response itself is setting a long-term 3rd party
cookie too, so that ads on every other site you ever visit can tie all this
(and the fact you've used the wifi in this airport) to a long-term profile.

In Milan airport you can make a reasonable bet that most people are EU
citizens, so sharing any of their identifiable user data at all for marketing
purposes without consent is a huge and expensive no no.

It's not a good look. Referrer aside, I suspect there's no legal option other
than dropping this ad script from their wifi login page entirely.

~~~
james_in_the_uk
Consent is not needed for quite a bit of electronic marketing. It is for
setting cookies, which is probably going on here to facilitate the marketing,
so your point stands, but it's a breach of the ePrivacy Directive not GDPR so
fines are lower. No excuse though.

~~~
pimterry
For the marketing itself consent isn't needed, but for collecting/processing
personal data for marketing I'm pretty confident it is. Why wouldn't that fall
under GDPR?

~~~
droithomme
Perhaps they are not storing the personally identifiable data (unclear whether
the MAC addresses are logged on-site), but are merely passing it on to
advertisers for their own use. Neat loophole if that is the case.

------
pow_ext
Milan Airports answered that they have submitted the issue to the "Information
technology staff"

source:
[https://twitter.com/pimterry/status/1192038174408753152?s=20](https://twitter.com/pimterry/status/1192038174408753152?s=20)

~~~
pimterry
Update - apparently they've now fixed this:
[https://twitter.com/MiAirports/status/1192433053743927296](https://twitter.com/MiAirports/status/1192433053743927296)

------
o_____________o
On my Mac, I leave this running all the time:

[https://github.com/halo/LinkLiar](https://github.com/halo/LinkLiar)

~~~
mrgreenfur
Thanks for sharing this! I know it's included in Win10 and in iOS, surprised
it's not in OSX yet!

------
tomcooks
In the title I suggest substituting Milan Airport with Milan Malpensa MXP
Airport (for there are multiple Milan airports)

------
ComputerGuru
iPhones randomize the MAC address when connecting to hotspots (on a per-ssid
basis, I think?). Other platforms do too (Windows 10 now has an option to do
that automatically as well, but I can’t recall if it is enabled by default).

~~~
stefan_
The MAC randomization only applies to probes it sends for known networks when
not connected. Once you are connected, it uses the real MAC.

iPhone also still sends the device name to the DHCP server when requesting an
IP, so if you haven't changed it, it is broadcasting "<Your first name>'s
iPhone" to the network.

~~~
tzs
> iPhone also still sends the device name to the DHCP server when requesting
> an IP, so if you haven't changed it, it is broadcasting "<Your first name>'s
> iPhone" to the network.

Awareness of this is probably going up. Comcast is actually running TV ads
that point it out [1].

[1] [https://www.youtube.com/watch?v=H45-5Rga1B8](https://www.youtube.com/watch?v=H45-5Rga1B8)

------
hoistbypetard
Does anyone have a theory on what the "advertisers and trackers" want a MAC
address for? If they're using it for anything load bearing, it seems like
there is an interesting CCC talk lurking here for anyone who wants to visit
that airport with a few hundred dollars worth of devices and stuff a few tens
of million spoofed MAC addresses into the system.

~~~
s5ma6n
Since MAC address ranges are allocated to certain manufacturers, it is a
simple way to track your device type. Additionally, all MAC addresses are
unique so it is the easiest way to match/combine your data from different
trackers.

~~~
RKearney
> Additionally, all MAC addresses are unique so it is the easiest way to
> match/combine your data from different trackers.

This is not true. While it's intended for MAC addresses to be unique, there
are plenty of instances where manufacturers re-use MACs when they run out
instead of registering more.

Additionally, there is no issue with multiple devices having the same MAC
address as long as they're never on the same Layer 2 domain.

~~~
s5ma6n
As far as I know, IEEE is quite strict in this matter but I just searched for
it now and have seen a couple of cases where people ran into duplicate MAC
addresses.

I would assume this is a rare occurrence and if not, it should still be okay
to sometimes run into address collisions for advertising purposes.

Thanks for the info.

------
fnord77
[https://github.com/feross/SpoofMAC](https://github.com/feross/SpoofMAC)

~~~
Exuma
Does this work with OSX? It's 5 years since the last update...

~~~
heavyset_go
Had this alias for years and it still works:

    alias random-mac='openssl rand -hex 6 | sed '\''s/\(..\)/\1:/g; s/.$//'\'' | xargs sudo ifconfig en0 ether'

~~~
Exuma
Awesome, so does that change the permanent mac address that comes with the
laptop, and it is forever gone? Or does it somehow "reset" when you restart,
and you rerun this command multiple times?

~~~
heavyset_go
It resets when you turn the NIC on and off, I believe.

------
imglorp
Linux lets you reassign your own MAC. There's no reason to use the same one
twice in public! :)

------
cproctor
The problem with constantly shuffling MAC addresses is that they are used for
device authentication on corporate/school/university networks. Does anyone
know of a utility that generates MAC addresses as a hash of the SSID?

~~~
buzzkillington
A bash script?

You can scan for the networks in the area, select the one you want, run the
name through, say sha256, select the first 8 characters and reset the mac
address to that.

~~~
cproctor
Yeah, not that hard to do manually--I have a nice script for that. But I
haven't looked into the logistics of hooking into the wifi connection process
and doing this automatically :)

~~~
buzzkillington
Back in my misspent youth I had a bash script that would connect me to
whatever access point I needed.

I can't imagine much has changed since then, just add the logic to change the
mac address between entering the SSID and actually connecting.
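
A sketch of the per-SSID address discussed in this sub-thread, as an added example that is not code from any commenter. It goes slightly beyond the suggestion above: it uses HMAC-SHA256 with a device-local secret rather than a bare hash, takes six octets, and forces the locally administered/unicast bits. The secret, SSIDs and interface name are assumptions.

```python
import hashlib
import hmac
import re


def mac_for_ssid(ssid, device_secret):
    """Derive a stable per-network MAC from the SSID and a local secret.

    HMAC keeps the mapping unpredictable to anyone who only knows the SSID,
    while the same device always presents the same address to the same network.
    """
    digest = hmac.new(device_secret, ssid.encode("utf-8"), hashlib.sha256).digest()
    octets = bytearray(digest[:6])  # a MAC is 6 octets, i.e. 12 hex characters
    # Bit 1 of the first octet marks the address as locally administered;
    # bit 0 must be clear, otherwise the address is multicast.
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def link_commands(iface, mac):
    """Return iproute2 argv lists that apply the address (to be run as root)."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,15}", iface):
        raise ValueError("unexpected interface name")
    return [
        ["ip", "link", "set", "dev", iface, "down"],
        ["ip", "link", "set", "dev", iface, "address", mac],
        ["ip", "link", "set", "dev", iface, "up"],
    ]


if __name__ == "__main__":
    # Constructed demo values; a real secret would be random bytes kept on the device.
    secret = b"constructed-demo-secret"
    for ssid in ("Campus-WiFi", "Airport-Free-WiFi"):
        print(ssid, mac_for_ssid(ssid, secret))
    for argv in link_commands("wlan0", mac_for_ssid("Campus-WiFi", secret)):
        print(" ".join(argv))
```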

------
jayalpha
macchanger

Also extends time limited wifi.

Or use my gypsy code

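    import random
    import os

    # Interface names and the init script below are specific to the poster's machine.
    mac = ''
    # Stop networking and take every interface down before changing addresses.
    os.system('/etc/init.d/networking stop')
    os.system('ifconfig wlan1 down')
    os.system('ifconfig eth1 down')
    os.system('ifconfig wlp8s0 down')
    os.system('ifconfig wlp7s0 down')
    # Build three random octets; randint is inclusive, so the upper bound is 255.
    for i in range(0, 3):
        r = random.randint(16, 255)
        mac = mac + ":" + str(hex(r))[2:]
    # Prepend a fixed vendor prefix to the random part.
    mac = "00:07:E9" + mac
    print(mac)
    os.system('/etc/init.d/networking stop')
    # Assign the same new address to each interface.
    os.system('ifconfig wlan1 hw ether ' + mac)
    os.system('ifconfig wlp8s0 hw ether ' + mac)
    os.system('ifconfig wlp7s0 hw ether ' + mac)
    os.system('ifconfig eth1 hw ether ' + mac)
    # Bring the interfaces and networking back up.
    os.system('ifconfig wlan1 up')
    os.system('ifconfig eth1 up')
    os.system('ifconfig wlp8s0 up')
    os.system('ifconfig wlp7s0 up')
    os.system('/etc/init.d/networking start')
    os.system('ifconfig')
    print("echo 'MAC changed...")
    print("new random MAC " + mac)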

~~~
jolmg
You need to indent the code by at least 2 spaces so it doesn't collapse into a
paragraph like that. Also, that script isn't really portable. Not everyone has
those interface names nor /etc/init.d/networking.

~~~
jayalpha
It is gypsy code and works for me. Use macchanger instead of adopt the script
for your purposes.

~~~
jolmg
What is "gypsy code"? I first thought you were referring to a library or some
kind of platform, but that doesn't seem to be it. The only definition I find
of gypsy is that of the people. Maybe you're saying that it was written by a
Gypsy, but I don't know why that'd be of interest.

~~~
jayalpha
It meant a quick and dirty fix.

------
dreamcompiler
Great. Guess they have the MAC address of my laptop from when I was there last
week then. Fortunately it was a burner Chromebook running Gallium Linux so
that makes me care a little less.

------
rnhmjoj
What I'm more worried about are probe requests, because sometimes I forget to
turn off the wifi. Do you know whether the MAC address, or other identifying
data, is sent in this case?

~~~
oil25
MAC address of your radio, plus the BSSID of every wireless network you've
ever connected to and saved.

------
anontechworker
Oof! Does anyone recommend any tools for protecting against this sort of
stuff? I feel like a VPN wouldn’t even be enough here since the MAC address is
coming through the headers.

Edit: typo

~~~
mrgreenfur
I think the full answer is to never trust anything on a page that isn't from
the host domain: achievable via the uMatrix plugin. I don't understand why
anyone would trust random scripts from a random company (and sometimes just an
unnamed cloudfront endpoint).

A less intense version is to use a PiHole or otherwise block bad domains at
the DNS level via a regular ad blocker.

------
oil25
Can someone post a TLDR? Twitter blocks Tor exit nodes, so the content is
unavailable:

> 403 Forbidden: The server understood the request, but is refusing to fulfill
> it.

------
pow_ext
We can't be sure about this, maybe the airport masks the data to a relay

------
steve_gh
This looks like a fairly significant GDPR breach

