German police ask for help in identifying a bomber's MAC address (zdnet.com)
61 points by mariuolo 3 months ago | 60 comments



To everyone who is very smart in here saying "MAC addresses are not unique, MAC addresses can be spoofed". The article is about German police trying to find a criminal using one public identifier. It's not about German prosecutors trying to prove guilt in court with a MAC address. Kind of like "have you seen this person who is [non-unique changeable identifier]?"


You mean this police force will do nothing wrong and treat suspects fairly? No they won't. ESPECIALLY if the suspect is an immigrant, but it's not like they haven't gone WAY overboard with German suspects as well.

http://www.spiegel.de/international/germany/hanover-police-o...

https://www.nytimes.com/2003/04/10/world/kidnapping-has-germ...

https://abcnews.go.com/International/video-showing-german-po...

https://www.dw.com/en/child-murderer-wins-damages-over-polic...

https://www.zeit.de/gesellschaft/zeitgeschehen/2018-10/jva-k...

Think LONG and HARD before you ever either ask these people for help or point these people to someone. There are many incidents with unprovoked violence and even some incidents involving police torture and lethal force used against immigrants with little or even no provocation at all.

I would say it is very much NOT moral to help here. I know, this won't be a popular statement, but it just isn't.


> You mean this police force will do nothing wrong and treat suspects fairly?

I'm failing to see what provoked such a response, given the comment you're replying to.


It is implicitly assuming good faith on the part of the German police, and that just doesn't exist. I wanted to point out the error. At their best they follow procedures, with regular disasters. At their worst, sometimes, they're raging racists.


I wonder if there are any unintended consequences for this.

For example, if you were able to identify the MAC address, and you were unethical, you could just blackmail the "bomber" - whether they are innocent or not.

Also, some devices allow you to reprogram the MAC address so you could in theory use this to blackmail someone as well, or at least get them harassed by the police.


I'm no expert, but "blackmailing a bomber" does not sound like a particularly solid business plan...


The former possibility is problematic, but using it to get the police to harass someone is a real possibility. Just look at "swatting" in the US.


Sounds like the "brilliant" idea that a Coen Brothers character would have...


It has to be up there with some of the all-time bad notions. Personally my mind immediately went to that scene in The Dark Knight...

https://m.youtube.com/watch?v=AUfv32dmVFw


>For example, if you were able to identify the MAC address, and you were unethical, you could just blackmail the "bomber" - whether they are innocent or not.

Didn't something along the lines of this happen with the Boston bombing and /r/, where they named the wrong - and innocent - person?

>Also, some devices allow you to reprogram the MAC address so you could in theory use this to blackmail someone as well, or at least get them harassed by the police.

According to IEEE[1], that MAC belongs to a Motorola Mobility, LLC. (a Lenovo Company) device. If anyone had a device in the F8E079 family, they would be - rightfully - shitting bricks, right now, for being correlated with it.

So, to summarise: No, I don't think anything good (initially) will come of this.

Also, it's a family included in macchanger, so that makes it ever-more probable that the mac address has - at some point - been used by someone else.

macchanger -l | grep "f8:e0:79"

18898 - f8:e0:79 - Motorola Mobility LLC

[1] - https://regauth.standards.ieee.org/standards-ra-web/pub/view...


> If anyone had a device in the F8E079 family, they would be - rightfully - shitting bricks, right now, for being correlated with it.

Only if one normally shits bricks about something that's a 1 in 16 million chance of happening. But if someone does know that their MAC OUI is F8E079, they almost certainly know the rest of the MAC so they can rest easily unless it happens to match the published one.

> Also, it's a family included in macchanger, so that makes it ever-more probable that the mac address has - at some point - been used by someone else.

macchanger -l just dumps the list of ~18,000 OUIs known to macchanger, so it doesn't really mean that it's more likely to have been set by someone using macchanger.
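
An added example, not part of any comment in this thread: a Python sketch of the log search the police request implies. It normalizes the MAC notations logs commonly use, splits out the OUI discussed above, and decodes the locally administered bit that randomized addresses set. The log lines and the `00:00:01` suffix are constructed; only the `F8E079` prefix comes from the thread.

```python
import re

NIC_SPACE = 2 ** 24  # 24 vendor-assigned bits per OUI: the "1 in 16 million"

# Colon/hyphen octets (aa:bb:..) or dotted quads (aabb.ccdd.eeff).
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f])(?:"
    r"[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}"
    r"|[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}"
    r")(?![0-9A-Fa-f])"
)

def normalize(mac):
    """Return a MAC as 12 lowercase hex digits; raise ValueError otherwise."""
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return digits

def describe(mac):
    """Split a MAC into OUI and NIC parts and decode the two flag bits."""
    digits = normalize(mac)
    first_octet = int(digits[:2], 16)
    return {
        "oui": digits[:6].upper(),
        "nic": digits[6:],
        "locally_administered": bool(first_octet & 0x02),
        "multicast": bool(first_octet & 0x01),
    }

def find_mac(lines, wanted):
    """Return 1-based numbers of lines containing `wanted` in any notation."""
    target = normalize(wanted)
    return [n for n, line in enumerate(lines, 1)
            if any(normalize(m.group(0)) == target for m in MAC_RE.finditer(line))]

# Constructed sample log lines (not real data, not a real product's format).
SAMPLE_LOG = [
    "Jan 10 08:01:12 ap1 wifi: station f8:e0:79:00:00:01 associated",
    "Jan 10 08:01:15 gw dhcp: ack 10.0.0.23 to F8-E0-79-00-00-01",
    "Jan 10 08:02:40 sw1 switch: host f8e0.7900.0001 moved to port 3",
    "Jan 10 08:03:02 ap1 wifi: station da:a1:19:00:00:02 associated",
    "Jan 10 08:03:30 ap1 wifi: station f8:e0:79:00:00:02 associated",
]

if __name__ == "__main__":
    print(describe("f8:e0:79:00:00:01"))
    print(find_mac(SAMPLE_LOG, "F8:E0:79:00:00:01"))
```

A match on the OUI alone (line 5 of the sample) is not a hit; only the full 48 bits are compared.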


Yes, I think the fact that MAC addresses are often changeable, sometimes quite easily, is going to be an issue if this evidence is ever used in court.


Probably not. By the time it gets to a courtroom they'll almost certainly have a lot more than just MAC addresses, so while the bomber might plead "some jackass spoofed my MAC address to frame me", that wouldn't explain his purchase history, the explosives residue around his home and clothing, etc.

A MAC address doesn't prove anything, but courtrooms aren't about proof. They're evidence, not proof, and enough evidence is all the German prosecution should need to have a relatively easy time in court.


I'm certainly no legal expert, but wouldn't the whole "fruit of the poisonous tree" argument apply to any evidence found after and/or as a result of the MAC address connection?


First, it doesn't exist in Germany.

Second, that applies to illegally obtained evidence. For example, if (in the US) the police tortured someone/broke in somewhere without a search warrant to obtain the MAC, then the fruit of the poisonous tree doctrine would likely apply to the evidence found as a result of the MAC address connection.

Finding additional evidence starting from a vague lead ("the robber was wearing black clothes") is not something illegal, it's good police work.


If the cops get a search warrant for an address and it turns out that the bad guy lived next door, but the real occupants are running a meth lab, there's no doctrine anywhere that would suppress the evidence they find. As long as it's an honest mistake there's no problem.


There is no such thing outside common law, i.e. most of Europe.


In addition, the concept only pertains to information acquired through unconstitutional means, such as not having a warrant to search. Getting incorrect information is not unconstitutional and investigators rely on much more than a single piece of information when building a case.

Edit: by unconstitutional I’m speaking of the US. I am not sure what constitutional protections apply to other countries’ citizens, but assume they may be similar.


There definitely is, just not using that name. In Germany, it’s an explicit law.

It just doesn’t apply in this case, because it hinges on bad faith. Incidental evidence found while following some other legitimate trails is admissible.


>but wouldn't the whole "fruit of the poisonous tree" argument apply [in this case]

It would first have to apply in the jurisdiction we're talking about, which in all probability does not...


This argument largely does not exist outside English law. Though I very much doubt it would apply, if it did.


IIRC, it's barely a concept in English law, primarily US law.

It has however seen some use in the ECHR, notably against Germany (citing various US court cases):

> the applicant sought a declaration that [...] all items of evidence[...], which had become known to the investigation authorities because of the confession extracted – the so-called “fruit of the poisonous tree” – was prohibited [...] The Chamber considered that there was a strong presumption that the use of items of evidence obtained as the fruit of a confession extracted by means contrary to Article 3 rendered a trial as a whole unfair in the same way as the use of the extracted confession itself.

Gäfgen v. Germany, at 25 and 147 https://hudoc.echr.coe.int/eng#{%22dmdocnumber%22:[%22868977...}

It almost certainly wouldn't apply here though (as there is no illegal act).


Gäfgen is a rather unique case and arguably not comparable to e.g. an illegal search.


> Also, some devices allow you to reprogram the MAC address

I might be mistaken, but don’t changed MAC addresses (at least using macchanger) persist only until the next reboot?


Any operating system worth its salt will save the changed address and reload it before/while bringing up the network drivers. It's often necessary to do this in order to connect to certain networks, so it'd be super annoying if you'd have to remember the address and type it in every time.


> Any operating system worth its salt will save the changed address and reload it before/while bringing up the network drivers.

Yes, but in the event that someone were reported to the police, any reasonably competent police force is going to check the device MAC independent of whatever operating system boots on the system, and so being able to falsely accuse another does not seem like a big danger here.


If you're going through the trouble of changing your MAC address, why would you want it to persist across reboots? If anything you'd want to change it with every reboot, and if you're really trying to hide something, you'd want to change it more often.


I doubt it would stand up as good evidence in court, though it would help in finding at least some suspects.


Any volatile setting that can be changed can be made to be persistent.


So what? They'd investigate the victim, find nothing, and leave him be.


There have been far too many cases where they "investigate the [suspect], find nothing", and still charge them or harass them, even making stuff up or withholding evidence from the courts, because they "know for sure" that they did it.

Especially if the suspect is black, Muslim, immigrant, etc.


I wonder about how a bunch of WAN interfaces being MAC spoofed to replicate the evil MAC would be dealt with?


If police announced that they were looking for a guy in an orange jacket, you could put on an orange jacket and run around town generating lots of false reports. But why would you do that? That would be incredibly antisocial.

As usual, the tech angle to this story doesn't make the story particularly novel, but some tech-oriented people seem to have trouble perceiving that. E.g. people commenting that MAC addresses aren't unique, as if other forms of police descriptions of suspects (like height, hair color, or clothing) are unique...


If the prosecutor is annoyed enough and it's clear enough you did it because of this, not some weird accident, "interference with a criminal investigation"?


Very likely, but the guy that "owns" the MAC is up for more than interfering. So it's a win for him, not that it's even remotely cool, but this could take some time to resolve and get worse in the meantime.


For one, it gives you a nice mac address you can use with "ifconfig wlan0 hw ether..." next time you go to a cybercafé in Europe


Wow, that website starts playing the most annoying music in like 100 db. Thanks for waking my kid up.


They probably can ask a lot of free WiFi providers for this info, and these providers may have his phone number as well (I'll explain below). And to get a SIM card they would've needed to register with their ID, so the authorities could identify the bomber that way (assuming it wasn't a SIM that someone bought with their ID and sold to someone else, etc).

Some cafe chains or even national train networks offer free WiFi, but they ask you to register with your phone number and SMS verification, I've done this too but only now do I realize this means they can track my phone as it travels between train stations/cafe locations and automatically connect to their WiFi...


Needing an ID to buy a SIM card is a rather recent requirement though (1st July 2017). So it is unlikely that the perpetrator used his/her ID to buy one.


Fun fact: MAC addresses are not unique.


Neither are blue eyes, nor height, etc


I remember one occasion ~2002 where a new NIC with a duplicate MAC address took down our DC - the whole IT team was floundering for hours before the cause was discovered after I noticed it in Snort logs. I have a strong interest in infosec, and I'd fought hard to get that Snort tap installed only a couple of weeks previously :)


Fun fact 2: you can change the MAC addresses on most systems.

My old university had a badly managed WLAN network that everyone could use. The physical network used a MAC whitelist, so getting a good connection meant replacing the MAC address of your notebook with that of a whitelisted PC.


Sure, they can be spoofed, but do NIC vendors try to keep them unique, or do they reuse them from a pool, like after the card is 10+ years old?


"It depends."

Sometimes vendors would burn duplicates by accident. Sometimes they would simply run out and production would loop (there's "only" 16.7mil addrs per manufacturer prefix). Sometimes they print the same run in different geographical areas, because the MAC only matters in a broadcast domain. Often they just wouldn't keep track of what they assigned.

I just think it's funny to realize that people read "unique (to a broadcast domain)" and assumed that could mean "unique (everywhere)" because it's a really big number.


iOS spoofs them, right?


IIRC, it spoofs the MAC address when searching for available networks, but does not spoof the MAC address when connecting/connected.


Even Windows has an OOTB setting to randomize it (default off though). (Quite likely he didn't activate it though, so it makes sense to publish the MAC)


Nice, living in Germany right now I was just wondering which MAC address I might spoof next, to satisfy my attention seeking..


Can wifi APs capture/log a MAC address just because a device polled and then listed it as a possible connection option?


Can? Certainly, which is why most modern phones randomize MAC addresses used for probing.

Do they? I'm sure there are some that do, especially if you enable verbose logging, but I haven't seen any that persistently log them by default yet.


Yes. In fact, completely passive devices can log the MAC address of any device "searching" for a wireless network whether or not any AP is even in the area.


Fascinating. Oh gee. I could set up a device in my home that over time can probably give me enough data to figure out schedules of my neighbours.


Found this in my bookmarks just yesterday, haven't experimented with it yet: https://github.com/calebmadrigal/trackerjacker


... but wouldn't that be a violation of the GDPR? :)


Probably not, in the same way a "wanted" poster with a photo isn't, assuming proper protocol is followed. (Now if someone reports a find in logs, you can of course ask why they had and looked at those)


> (Now if someone reports a find in logs, you can of course ask why they had and looked at those)

The police is not around to enforce GDPR.


Not sure why you feel the need to point that out, I didn't claim that.


I don't get the impression that GDPR will be well enforced against government agencies.


Sorry, we quit collecting that kind of info a year ago so we don't violate GDPR, so we can't help you.



