What does a MAC address tell you?

Published 2010-06-17 (last modified 2010-06-19)
https://www.identityblog.com/?p=1131

Joe Mansfield at Peccavi (http://helvick.blogspot.com/2010/06/so-how-much-does-mac-address-tell-you.html) has published a nice, clear and concise explanation of the issues I've been discussing over the last few weeks.

But before doing that he makes an important and novel point about why regulation may be useful even if it can't "prevent all abuses":

    I'd discounted the payload snooping issue as a distraction because I'd believed (and still do) that it was almost certainly an unfortunate error. I'd then made the point that a legal barrier to a technical problem was insufficient to prevent the bad guys doing bad things, but I used that as an excuse to ignore the problem. Small-scale abuses of this sort of thing are not good, but systematic large-scale abuses "benefit" from network scaling effects. You might not be able to prevent small-scale/illegal abuse through legal means, but just because you can't does not mean that you can't control large-scale abuses this way. The benefits and dangers inherent in this data become exponentially worse as the scale of the database that contains it increases. Large scale means companies, and companies react to regulation by being much more careful about what they do. If a technology that is already out there has major privacy issues, the regulatory approach is the only way to keep a lid on the problem while the technologists argue about how to fix the bits. Even if we assume that the law was OK about companies creating geo-location databases using WiFi SSID/MAC mapping, effective regulation would have made the additional mistake made by Google (assuming it was a mistake) much less likely.

Next he explains how WiFi works as a layered protocol in which MAC addresses are exposed despite encryption and SSID suppression:

    Now the obvious question is: should scanning for identifiers that are broadcast openly by all WiFi radio signals be acceptable and legal?

    802.11 WiFi signals are pretty complex things. Wikipedia has a brief overview (http://en.wikipedia.org/wiki/IEEE_802.11) for those who want to see the alphabet soup of standards involved. Despite the range of encoding/modulation schemes and the number of frequency bands and channels, almost all 802.11 devices revert to a couple of basic communication modes. This makes it easy for devices to connect to each other, and it's what makes public WiFi hotspots practical. However, it also makes configuring a device to monitor WiFi traffic trivially easy: the hardware does all the heavy lifting and the standards don't really do anything to stop it happening. An important feature of WiFi is that, even though the payload encryption standards can now be pretty robust, the data link layer is not protected from snooping. This means that the content (my Google searches, the video clip I'm streaming down from YouTube etc.) can be pretty well kept away from prying eyes but, at what the Ethernet folks call layer 2, the logical structures called frames that carry your encrypted data transmit some control data in the open.

    So even with WPA2's thorough key management and AES encryption, your WiFi traffic still contains quite a bit of chatter that isn't hidden away. The really critical thing for me is that the layer 2 addresses, the Media Access Control (MAC) addresses, of the sender and receiver (generally your PC/phone's WiFi adaptor and your access point) for each frame are always visible. And remember that MAC addresses are globally unique identifiers by design. Individual WiFi networks are defined by another identifier, the Service Set Identifier or SSID: when you set up your home WiFi AP and call the network "MyWLAN" you are choosing an SSID. SSIDs are very important: you can't connect to a wireless LAN without knowing the relevant SSID. But they are not secure; even though they can be sort of hidden, they are never protected and can always be seen by someone just watching your wireless traffic. Interestingly, SSIDs are not globally unique; there's generally no real issue so long as my chosen SSID doesn't match that of another network that's relatively close by.

    So SSIDs are possibly visible but MAC addresses are definitely visible, and MAC addresses are unique. While driving along a street or sitting in a coffee shop, hotel lobby or conference room, your WiFi adaptor will see dozens if not hundreds of WiFi packets, all of which will contain globally unique MAC addresses. It is possible to hack some WiFi hardware to change the MAC address, but that practice is rare. Your PC has a couple (one for the wired Ethernet adaptor, which isn't important here, and usually one for WiFi these days), your Wii/PS3/Xbox 360 has one, so does your Nintendo DS, iPhone, PSP … you get the picture. Another feature of MAC addresses is that it is very easy to differentiate between the MAC address of a Linksys access point, an iPhone and a Nintendo DS; network protocol analyzers have been doing that trick for decades.

    So the systematic scanners out there (Google, Navizon, Skyhook and the rest) can drive around or recruit volunteers and gather location data and build databases of unique identifiers, device types, timestamps, signal strengths and possibly other data. The simplest (and most benign) use of that would be to pull out the IDs of devices that are known to be fixed to one place (access points, say) and use that for enabling geo-location.

Joe then looks at what it means to start collecting and analyzing the MAC addresses of mobile devices.

    It's not a big leap to also track the MAC addresses that are more mobile. Get enough data points over a couple of months or years and the database will certainly contain many repeat detections of mobile MAC addresses at many different locations, with a decent chance of being able to identify a home or work address to go with it. Kim Cameron describes the start of this cascade effect in his most recent post (https://www.identityblog.com/?p=1116): mapping the attendees at a conference to home addresses, even when they've never consented to any such tracking, is not going to be hard if you've gone to the trouble of scanning every street in every city in the country. With a minor bit of further analysis the same techniques could be used to get a good idea of the travel or shopping habits of almost everyone sitting in an airport departure lounge, or the home addresses of everyone participating in a Stop The War protest.

    And remember that even though you can only effectively use WiFi to send and receive data over a range of a few tens to maybe a hundred metres, you can detect and read WiFi signals easily from hundreds to thousands of metres away without any special equipment.

    The plans to blanket London with "Free WiFi" start to sound quite disturbing when you think about those possibilities.

    To answer my own title question: MAC addresses can tell far more about you than you think, and keeping databases of where and when they've been seen can be extremely dangerous in terms of privacy.

Finally, he compares WiFi to Bluetooth:

    Bluetooth is a slightly different animal. It's also a short-range radio standard for data communications, but it was developed from the ground up to replace wires and the folks building the standard got a lot of stuff right. It doesn't appear to be all that bad from a privacy leakage perspective: when implemented correctly nothing is sent in clear text (the entire frame is encoded, not just the payload) and the frequency-hopping RF behaviour makes it much harder to casually snoop on specific conversations. Bluetooth devices have a Bluetooth Device ID that is very like a MAC address (48 bits), with a manufacturer ID that enables broad classification of devices if the ID can be discovered, but most Bluetooth devices keep that hidden most of the time by defaulting to a "not visible" mode even when Bluetooth is enabled. When actively communicating (paired) all data is encrypted, so the device IDs are not visible to a third party. Almost all modern Bluetooth devices only allow themselves to remain openly visible in this way for a short period of time before they revert to a safer non-broadcasting mode. The main weakness is that when devices are set to "visible" the unique identifiers and other data can be scanned remotely and used in just the same way as scanned WiFi MAC addresses. That's not to say that Bluetooth doesn't have its share of security problems (http://trifinite.org/Downloads/21c3_Bluetooth_Hacking.pdf), but they made an attempt to get some of the fundamentals right. It does also show that there is a practical way to approach the wireless privacy challenge, which is good to see.

All in all, a very nice explanation of the issues involved here. The only thing I would add is that the early versions of Bluetooth had few of the privacy-respecting behaviors present in the recent specifications. The consortium has really worked to clean up its act, and we should all congratulate it. This came about because privacy concerns came to be perceived as an adoption blocker.