Milan Airport WiFi sends your MAC address to advertisers and trackers (mobile.twitter.com)
185 points by vjvj 29 days ago | 61 comments

Based on the screenshots it looks like the mac address is leaking out because it's in the referer. I would guess this isn't intentional and shouldn't be hard to fix.

I've worked with a number of captive portal systems and they all basically work the same way. The AP/controller intercepts http requests and redirects to the captive portal page with identifying information about the device (ip,mac,ssid,ap_mac,etc.). The captive portal http server shows the user a splash page to accept terms or enter a username/password or a credit card. Once the captive portal server decides the user should be allowed onto the network it needs to communicate that back to the wireless hardware which is done with the user's mac address.

Based on the requests it looks like they have some ads/trackers on the splash page that are getting requests with a referer set to the original splash page url (which includes the client mac address). A no-referrer meta tag or an intermediate redirect would prevent this from happening.
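The leak and the fix described in the comment above, worked through as an added example (not part of the original comment, and not the airport's code): a simplified model of which `Referer` value a third-party script loaded from the splash page receives under each Referrer-Policy value. The host names, path and query parameter names are constructed assumptions, and the downgrade test is reduced to https versus non-https.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values: host names, path and parameter names are
# assumptions modelled on the comment (mac, ap_mac, ssid); none are real.
SPLASH = ("https://portal.example/splash?mac=02:00:00:aa:bb:cc"
          "&ap_mac=02:00:00:11:22:33&ssid=Airport-Free")
TRACKER = "https://ads.example/pixel.js"

POLICIES = ("no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
            "strict-origin", "origin-when-cross-origin",
            "strict-origin-when-cross-origin", "unsafe-url")


def referer_sent(page_url, request_url, policy):
    """Referer value sent for a subresource request; None means no header."""
    page, req = urlsplit(page_url), urlsplit(request_url)
    # The full referrer keeps path and query (where the MAC sits), not the fragment.
    full = urlunsplit((page.scheme, page.netloc, page.path, page.query, ""))
    origin = "%s://%s/" % (page.scheme, page.netloc)
    cross = (page.scheme, page.netloc) != (req.scheme, req.netloc)
    downgrade = page.scheme == "https" and req.scheme != "https"  # simplified test
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return None if cross else full
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return origin if cross else full
    if policy == "strict-origin-when-cross-origin":
        return (None if downgrade else origin) if cross else full
    raise ValueError("unknown referrer policy: %r" % policy)


def leaking_policies(page_url, request_url, secret):
    """Policies under which `secret` reaches the third party via Referer."""
    return [p for p in POLICIES
            if secret in (referer_sent(page_url, request_url, p) or "")]


if __name__ == "__main__":
    for p in POLICIES:
        print("%-32s -> %s" % (p, referer_sent(SPLASH, TRACKER, p)))
    print("leaks the MAC:", leaking_policies(SPLASH, TRACKER, "02:00:00:aa:bb:cc"))
```

The same policy value can be delivered either as the meta tag the comment mentions or as a `Referrer-Policy` response header on the splash page.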

While the mac address is a particularly egregious note, really they shouldn't be sending any data to ad firms whatsoever without consent, and fixing the referrer alone won't help much.

Aside from the data they're explicitly sending in those requests, they're running the response as JS, thereby exposing a bunch of data about your machine & browser, and the response itself is setting a long-term 3rd party cookie too, so that ads on every other site you ever visit can tie all this (and the fact you've used the wifi in this airport) to a long-term profile.

In Milan airport you can make a reasonable bet that most people are EU citizens, so sharing any of their identifiable user data at all for marketing purposes without consent is a huge and expensive no-no.

It's not a good look. Referrer aside, I suspect there's no legal option other than dropping this ad script from their wifi login page entirely.

Consent is not needed for quite a bit of electronic marketing. It is for setting cookies, which is probably going on here to facilitate the marketing, so your point stands, but it's a breach of the ePrivacy Directive not GDPR so fines are lower. No excuse though.

For the marketing itself consent isn't needed, but for collecting/processing personal data for marketing I'm pretty confident it is. Why wouldn't that fall under GDPR?

Perhaps they are not storing the personally identifiable data (unclear whether the MAC addresses are logged on-site), but are merely passing it on to advertisers for their own use. Neat loophole if that is the case.

Not a loophole, clearly in violation. The collection itself is already problematic, passing it on makes it a lot worse. They will have to paint this as an oversight and fix it pdq or they might get themselves in real trouble.

Milan Airports answered that they have submitted the issue to the "Information technology staff"

source: https://twitter.com/pimterry/status/1192038174408753152?s=20

Update - apparently they've now fixed this: https://twitter.com/MiAirports/status/1192433053743927296

On my Mac, I leave this running all the time:


Thanks for sharing this! I know it's included in Win10 and in iOS, surprised it's not in OSX yet!


In the title I suggest substituting Milan Airport with Milan Malpensa MXP Airport (for there are multiple Milan airports)

iPhones randomize the MAC address when connecting to hotspots (on a per-ssid basis, I think?). Other platforms do too (Windows 10 now has an option to do that automatically as well, but I can’t recall if it is enabled by default).

The MAC randomization only applies to probes it sends for known networks when not connected. Once you are connected, it uses the real MAC.

iPhone also still sends the device name to the DHCP server when requesting an IP, so if you haven't changed it, it is broadcasting "<Your first name>'s iPhone" to the network.

> iPhone also still sends the device name to the DHCP server when requesting an IP, so if you haven't changed it, it is broadcasting "<Your first name>'s iPhone" to the network.

Awareness of this is probably going up. Comcast is actually running TV ads that point it out [1].


"iPhone also still sends the device name to the DHCP server when requesting an IP, so if you haven't changed it, it is broadcasting "<Your first name>'s iPhone" to the network."

My iPhone has no idea what my first (or last) name is, but I still find it irksome that I cannot change my SSID nor can I hide it.

There is no reason I should be advertising the existence of my phone to everyone in (radio) earshot ...

IIRC (this is old and might have been wrong in the first place) iOS randomizes when it’s searching for networks but not when it’s connected to one.

It’s not a bad idea. A randomized IP address at each connection would break many things on quite a few networks (IP-MAC static assignments, for instance).

There are other options, like generating a Mac based off the real Mac and the ssid or bssid.

Could you just push it down a layer, maybe 802.1x or something?

Recent NetworkManager versions on Linux do the same (I don't remember if it's on by default or not, though).

Yeah it's by default. Learned this the hard way when setting up port forwarding by MAC address on home network. Was wondering why the forward would only last a couple hours

Android 10 also randomizes MAC addresses when probing, as a client, and as an AP/Hotspot: https://source.android.com/devices/tech/connect/wifi-mac-ran...

Does anyone have a theory on what the "advertisers and trackers" want a MAC address for? If they're using it for anything load bearing, it seems like there is an interesting CCC talk lurking here for anyone who wants to visit that airport with a few hundred dollars worth of devices and stuff a few tens of million spoofed MAC addresses into the system.

Since MAC address ranges are allocated to certain manufacturers, it is a simple way to track your device type. Additionally, all MAC addresses are unique so it is the easiest way to match/combine your data from different trackers.

> Additionally, all MAC addresses are unique so it is the easiest way to match/combine your data from different trackers.

This is not true. While it's intended for MAC addresses to be unique, there are plenty of instances where manufacturers re-use MACs when they run out instead of registering more.

Additionally, there is no issue with multiple devices having the same MAC address as long as they're never on the same Layer 2 domain.

As far as I know, IEEE is quite strict in this matter but I just searched for it now and have seen a couple of cases where people ran into duplicate MAC addresses.

I would assume this is a rare occurrence and if not, it should still be okay to sometimes run into address collisions for advertising purposes.

Thanks for the info.

You are arguing that mac addresses are not unique, however that doesn't mean it doesn't match/combine your data extremely well.

Right. I understand what MAC addresses are. In addition to the characteristics you named, they are also entirely at the discretion of the client and therefore are trivially spoofable so long as no one else on the same media currently has the address you're spoofing. And because the advertisers and the trackers are a step removed from the LAN, they have no way to detect an attack where someone just shits tens of millions of nonsense addresses at them.

So I'm suggesting that if we know what they are using those for, there could be something fun (like a CCC talk) to be gained from tainting their data in a creative, easy way. Like a few hundred dollars worth of junk devices in a suitcase sending a bunch of carefully crafted MACs :-)

The amount of people who routinely spoof their own MAC when on public wifi is so minuscule to be objectively irrelevant to any mass-data-gatherer out there. Unless this becomes something that the OS can automatically randomize for you (are you listening, Apple...?), even a creative attack won’t move the needle.

Of course. (And I think Apple does/might do that?)

I'm suggesting that if we discover/think that these advertisers/trackers are using it for anything interesting, there could be some fun to be had at their expense by picking up a suitcase full of junk wifi devices, configuring them to deliberately spoof their own MAC, and visiting that airport. I think you'd only need to spend hundreds on junk devices to taint their system with tens of millions of addresses.

If there's any observable result, I think it'd be fun to do and write it up/present it at a Chaos Computing Congress (or similar) event.

Knowing whether someone has a Qualcomm, Broadcom, Intel, or Foxconn WiFi card doesn't seem that useful for profiling.

Of course, the location tracking based on your device's network discovery packets is a whole bigger issue.

That's how it works for something like a network card, but on smartphones, MAC addresses from the device vendor (Apple, Huawei, Xiaomi, Motorola, ..) are used, even if the WiFi chip on all those devices is from the same manufacturer.

On the contrary, it adds a good handful of bits of information.

On OpenBSD:

    # echo "lladdr random" >> /etc/hostname.athn0

Does this work with OSX? It's 5 years since the last update...

Had this alias for years and it still works:

    alias random-mac='openssl rand -hex 6 | sed '\''s/\(..\)/\1:/g; s/.$//'\'' | xargs sudo ifconfig en0 ether'

Awesome, so does that change the permanent mac address that comes with the laptop, and it is forever gone? Or does it somehow "reset" when you restart, and you rerun this command multiple times?

It resets when you turn the NIC on and off, I believe.

Yes it still works.

Linux lets you reassign your own MAC. There's no reason to use the same one twice in public! :)

The problem with constantly shuffling MAC addresses is that they are used for device authentication on corporate/school/university networks. Does anyone know of a utility that generates MAC addresses as a hash of the SSID?

A bash script?

You can scan for the networks in the area, select the one you want, run the name through, say sha256, select the first 8 characters and reset the mac address to that.

Yeah, not that hard to do manually--I have a nice script for that. But I haven't looked into the logistics of hooking into the wifi connection process and doing this automatically :)

Back in my misspent youth I had a bash script that would connect me to whatever access point I needed.

I can't imagine much has changed since then, just add the logic to change the mac address between entering the SSID and actually connecting.

Won’t that cause problems if 2 people do this in the same session (and generate duplicate MAC addresses)?

I guess you could get around it by hashing the ssid + a personal salt.
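The idea from this sub-thread (a stable MAC per SSID, salted per user so two people on the same network do not collide), as an added example that is not any commenter's script. It uses HMAC-SHA256 as the keyed hash in place of a plain "hash of SSID + salt", and forces the first octet to a locally administered unicast value, which a raw hash or random prefix does not guarantee; the function names, interface name and sample salts are assumptions.

```python
import hashlib
import hmac


def mac_for_ssid(ssid, salt):
    """Derive a stable, per-user MAC for one SSID from a secret salt."""
    if not salt:
        raise ValueError("salt must be a non-empty secret")
    digest = hmac.new(salt, ssid.encode("utf-8"), hashlib.sha256).digest()
    octets = bytearray(digest[:6])          # a MAC is 6 bytes = 12 hex digits
    # Set the locally-administered bit (0x02) and clear the multicast bit (0x01):
    # an address with the multicast bit set is not valid for a station.
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join("%02x" % b for b in octets)


def is_usable_station_mac(mac):
    """True for six hex octets whose first octet is unicast."""
    parts = mac.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        return False
    try:
        values = [int(p, 16) for p in parts]
    except ValueError:
        return False
    return values[0] & 0x01 == 0


def set_mac_commands(iface, mac):
    """iproute2 commands to apply the address (returned, not executed)."""
    if not is_usable_station_mac(mac):
        raise ValueError("not a unicast MAC: %r" % mac)
    return [["ip", "link", "set", "dev", iface, "down"],
            ["ip", "link", "set", "dev", iface, "address", mac],
            ["ip", "link", "set", "dev", iface, "up"]]


if __name__ == "__main__":
    # Constructed inputs: SSID, salts and interface name are sample values.
    mine = mac_for_ssid("Airport-Free", b"my-personal-salt")
    theirs = mac_for_ssid("Airport-Free", b"someone-elses-salt")
    print("me:    ", mine)
    print("other: ", theirs)
    for argv in set_mac_commands("wlan0", mine):
        print(" ".join(argv))
```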


Also extends time-limited wifi.

Or use my gypsy code

    import random
    import os

    os.system('/etc/init.d/networking stop')
    os.system('ifconfig wlan1 down')
    os.system('ifconfig eth1 down')
    os.system('ifconfig wlp8s0 down')
    os.system('ifconfig wlp7s0 down')
    for i in range(0,3):
        r=random.randint(16, 256)

    print mac
    os.system('/etc/init.d/networking stop')
    os.system('ifconfig wlan1 hw ether '+mac)
    os.system('ifconfig wlp8s0 hw ether '+mac)
    os.system('ifconfig wlp7s0 hw ether '+mac)
    os.system('ifconfig eth1 hw ether '+mac)
    os.system('ifconfig wlan1 up')
    os.system('ifconfig eth1 up')
    os.system('ifconfig wlp8s0 up')
    os.system('ifconfig wlp7s0 up')
    os.system('/etc/init.d/networking start')

    print "echo 'MAC changed..."
    print "new random MAC "+mac

You need to indent the code by at least 2 spaces so it doesn't collapse into a paragraph like that. Also, that script isn't really portable. Not everyone has those interface names nor /etc/init.d/networking.

It is gypsy code and works for me. Use macchanger instead, or adapt the script for your purposes.

What is "gypsy code"? I first thought you were referring to a library or some kind of platform, but that doesn't seem to be it. The only definition I find of gypsy is that of the people. Maybe you're saying that it was written by a Gypsy, but I don't know why that'd be of interest.

It meant a quick and dirty fix.

ifconfig is a part of net-tools package, last release of which was in 2001 hence it's deprecated in any major distro since 2013. Unless you're running RHEL6 or something that old, you shouldn't use it.

Great. Guess they have the MAC address of my laptop from when I was there last week then. Fortunately it was a burner Chromebook running Gallium Linux so that makes me care a little less.

What I'm more worried about are probe requests, because sometimes I forget to turn off the wifi. Do you know whether the MAC address, or other identifying data, is sent in this case?

MAC address of your radio, plus the BSSID of every wireless network you've ever connected to and saved.

Oof! Does anyone recommend any tools for protecting against this sort of stuff? I feel like a VPN wouldn’t even be enough here since the MAC address is coming through the headers.

Edit: typo

I think the full answer is to never trust anything on a page that isn't from the host domain: achievable via the uMatrix plugin. I don't understand why anyone would trust random scripts from a random company (and sometimes just an unnamed cloudfront endpoint).

A less intense version is to use a PiHole or otherwise block bad domains at the DNS level via a regular ad blocker.

Can someone post a TLDR? Twitter blocks Tor exit nodes, so the content is unavailable:

> 403 Forbidden: The server understood the request, but is refusing to fulfill it.

We can't be sure about this, maybe the airport masks the data to a relay.

This looks like a fairly significant GDPR breach
