
Why the MAC Address May be the Most Important Address You Know


Just as police mastered the use of cell phone technology in investigations, the introduction of 4G and LTE has created new challenges when dealing with mobile devices. The increased use of apps that anonymize and/or encrypt data is allowing users to make phone calls and send texts with the comfort that police will have a very difficult time tracking them. This is typically the case, as many of these app companies are unfamiliar with retention laws. In addition, most of the information will tie back to cell phone companies, which may find it difficult to identify the user based on IP addresses. So is law enforcement left hanging out to dry until a fix can be achieved? Not if they consider using MAC addresses as part of their investigations.


Before you say it aloud: your suspect doesn’t need to have a MacBook or an iPhone in order to have a MAC address. All devices that connect to the internet have this unique identifying number. Desktop computers, laptops, cell phones, tablets, wireless security cameras, FitBits, and even your connected refrigerator have a MAC address. Any device that connects to a network needs this address in order to connect to the internet properly.

To put it in layman’s terms, think of the MAC address as your home address. You keep your home address for a fixed period of time until you move. The MAC address works the same way. Every device is given an address by the manufacturer, and it is embedded in the chip that allows you to connect to a network. This differs from the IP address, which can change frequently and easily be spoofed. Thus MAC addresses may be the future of your investigations when dealing with mobile devices.


For example, if an individual sent a threatening message involving a picture of a witness’s house via Instagram, through a fake account, how would you track the individual? Hopefully your first step would be to send legal authority to Facebook, who would provide you with IP logs. As Instagram is typically a mobile-only app, the IP addresses in the logs belong to Sprint. You contact Sprint and they tell you they can’t tie a phone number to the IP address, but they can provide the MAC address.


Continuing the investigation requires knowledge of how to track devices by MAC address. Many stores track individuals by their MAC addresses in order to determine shopping patterns. In 2011, devices located in London trash cans came under scrutiny because they were tracking MAC addresses for people counting and advertising purposes. Google even used the public, through Android phones and MAC addresses, to map free wifi hot spots across the country.


With certain apps, such as Fing, you can see the MAC addresses connected to the same network you are connected to. A recent visit to the Starbucks in Downtown Disney resulted in 78 MAC addresses connected to the free wifi hotspot. With some know-how and software, one could determine the trusted networks a device connects to, which may identify a workplace, a favorite gym or coffee shop, or even the individual’s name. For example, there’s a George in my neighborhood, whom I only know through the name of his wifi: George’s Home Network Stay Out!!!!!!!!!!.


As you walk around downtown San Diego, your cell phone may be broadcasting your MAC address to the public. With wifi turned on, your phone is sending out signals looking for known wireless networks, such as your house wifi. The signal will scan the multiple wireless routers in downtown San Diego and get “turned down” by the unknown router when the credentials do not match. However, that unknown router now has your MAC address stored as a probe request.


Back to the investigation: you know the possible location of the suspect when he or she posted the threatening message with the victim’s house in the background. A block east of the house is a Starbucks. Four blocks south is the civic center with free wifi offered by Time Warner, and two blocks west is a McDonald’s that offers free wifi. The simplest approach would be to check if the suspect’s MAC address connected to one of those networks. If not, then checking if the device probed those networks is a must. You now have the ability to start mapping the route the suspect took based on MAC address probes. Google does offer a map of known public wifi hotspots.


In December 2013, Eldo Kim wasn’t prepared to take his final. So he logged into Tor, which masked his IP address, and sent a bomb threat email to the Chief of Harvard PD using Guerrilla Mail, a semi-anonymous email site. In most cases this would have been enough to cover his tracks. However, Kim connected to the Tor network through Harvard’s wifi internet connection. Harvard’s IT department analyzed network logs, and Kim’s laptop MAC address was identified as one of a few users connecting to Tor that morning. The MAC address of his laptop matched the one used when he signed a network user agreement to connect to the Harvard network. Thus connecting Kim to the device was simple and led to his quick arrest and confession.


What about MAC address spoofing? Spoofing became a popular concern when Apple announced it would randomize MAC addresses on devices running iOS 8 or higher. The idea was that Apple devices would send out random addresses during wifi probes, blocking the ability to track an individual. However, the concept requires specific criteria to work properly; for example, the phone must be asleep (which is almost never, even when you’re not using the phone). MAC address spoofing, on the other hand, is real. Computer users with some technical know-how, or a Google search, could change the MAC address of their computer. Android users can download an app, such as BusyBox, which requires some technical knowledge to permanently change the device’s address.
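The log check described earlier (did a given MAC address connect to or probe a nearby network?) and the randomization point above can be combined in one added example, which is not part of the original post. It normalizes MAC addresses written in different formats, builds a time-ordered list of sightings for one address, and flags addresses whose locally administered bit is set, as randomized addresses do. The log format, access point names, and addresses are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines (not from a real network): time, access point, event, MAC.
SAMPLE_LOG = """\
2024-03-01T09:02:11 ap-coffee probe 3C:5A:B4:12:34:56
2024-03-01T09:02:40 ap-coffee probe da-a1-19-7f-00-21
2024-03-01T09:21:47 ap-burger probe 3c:5a:b4:12:34:56
2024-03-01T09:10:05 ap-civic assoc 3c5a.b412.3456
2024-03-01T09:22:03 ap-burger probe not-a-mac
"""

def normalize_mac(text):
    """Return the MAC as lowercase colon-separated hex, or None if malformed."""
    digits = re.sub(r"[:.\-]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set.

    Manufacturer-assigned addresses leave this bit clear; randomized
    addresses set it, so a set bit means the value is not a stable identifier.
    """
    return bool(int(mac[:2], 16) & 0x02)

def parse_log(log_text):
    """Parse log lines into event dicts, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        mac = normalize_mac(parts[3])
        if mac is None:
            continue  # unparseable address: leave it out rather than guess
        events.append({
            "time": datetime.fromisoformat(parts[0]),
            "ap": parts[1],
            "event": parts[2],
            "mac": mac,
            "local": is_locally_administered(mac),
        })
    return events

def timeline(events, target):
    """Return the sightings of one MAC address, oldest first."""
    wanted = normalize_mac(target)
    return sorted((e for e in events if e["mac"] == wanted),
                  key=lambda e: e["time"])
```

A manually changed address can imitate a manufacturer-assigned one, so a clear bit does not prove the address is the device's original.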

If Cisco is correct, smartphones and tablets will make up over 50% of all global internet traffic by 2020. MAC addresses may become one of the few ways to identify cell phones in the future.


This post was a very simplistic description of how MAC addresses work and how to track them. Juliet Bravo Solutions has the training you need to become knowledgeable about MAC addresses, the Dark Web, social media, and more. Contact us today to schedule a class.
