German Police Ask Router Owners For Help In Identifying a Bomber's MAC Address (zdnet.com)

← Back to Stories (view on slashdot.org)

German Police Ask Router Owners For Help In Identifying a Bomber's MAC Address (zdnet.com)

Posted by EditorDavid on Saturday January 12, 2019 @06:34AM from the got-your-number dept.

An anonymous reader quotes ZDNet: German authorities have asked the public for help in surfacing more details and potentially identifying the owner of a MAC address known to have been used by a bomber in late 2017... The MAC address is f8:e0:79:af:57:eb. Brandenburg police say it belongs to a suspect who tried to blackmail German courier service DHL between November 2017 and April 2018. The suspect demanded large sums of money from DHL and threatened to detonate bombs across Germany, at DHL courier stations, private companies, and in public spaces. [The bomb threats were real, but one caught fire instead of exploding, while the second failed to explode, albeit containing real explosives.]

Investigators called in to negotiate with the bomber managed to exchange emails with the attacker on three occasions, on April 6, 2018, April 13, 2018, and April 14, 2018. One of the details obtained during these conversations was the bomber's MAC address, which based on the hardware industry's MAC address allocation tables, should theoretically belong to a Motorola phone... Now, they're asking router owners to check router access logs for this address, and report any sightings to authorities. Investigators want to know to what routers/networks the bomber has connected before and after the attacks, in order to track his movements and maybe gain an insight into his identity.

141 comments

Min score:

Reason:

Sort:

Spoofed mac? by Anonymous Coward · 2019-01-12 06:39 · Score: 0

So how do they know the address is not spoofed?
1. Re:Spoofed mac? by o_ferguson · 2019-01-12 06:55 · Score: 1
  
  How does that have any effect on a Motorola device?
  
  --
  - In Soviet Korea, only old people loose all their bases to Natalie Portman's petrified hot grits overlords.
2. Re:Spoofed mac? by Anonymous Coward · 2019-01-12 06:57 · Score: 1
  
  Don't be ridiculous. It's illegal to spoof a MAC address in Germany. No German terrorist bomber would break the law like that.
3. Re:Spoofed mac? by alvinrod · 2019-01-12 07:08 · Score: 1
  
  I wonder how many false reports the police will see over the next several weeks because someone thinks it will be a good laugh to modify the MAC address on one of their friend's devices when they aren't looking.
4. Re: Spoofed mac? by Anonymous Coward · 2019-01-12 07:14 · Score: 0
  
  It's obviously just apk and the others.
  They should just infiltrate /. And find them
5. Re:Spoofed mac? by meerling · 2019-01-12 07:40 · Score: 1
  
  You can spoof anything on the net...
  ANYTHING
  
  Heck, I've used a program that lets my network card pretend it's a half dozen other cards each with their own mac.
  I used to use it to get around those super slow access places that only let you download one file at a time at the snails pace of less than 2k.
  If the site supported segment downloads, then I'd have it split the file between the addresses, and if not, I'd have each one downloading a different file.
  
  Of course, finding spoofing software for your phone might be more difficult, but they do exist.
  And since you don't seem to understand how encryption works, it prevents 3rd parties from reading the contents, but there is no such restriction on the sender or the intended receiver of said data. After all, wtf do you think does the encryption in the first place?
6. Re:Spoofed mac? by Anonymous Coward · 2019-01-12 08:08 · Score: 0
  
  Most people don't know what a Mac address is let alone how to spoof it, not that it's very hard.
7. Re: Spoofed mac? by Anonymous Coward · 2019-01-12 08:17 · Score: 0
  
  What does a MAC address have to do with encryption? Itâ(TM)s the [generally] unique layer 2 address assigned to each network interface.
8. Re:Spoofed mac? by Anonymous Coward · 2019-01-12 08:28 · Score: 0
  
  Didn't you RTFA? It said he had a "Mac address" and motorola used to provide Apple with chips... So, yeah.
9. Re:Spoofed mac? by Hognoxious · 2019-01-12 10:53 · Score: 1
  
  someone thinks it will be a good laugh
  Not many. It is Germany, after all.
  
  --
  Confucius say, "Find worm in apple - bad. Find half a worm - worse."
10. Re:Spoofed mac? by Anonymous Coward · 2019-01-12 11:03 · Score: 0
  
  MAC address have nothing to do with Apple
11. Re:Spoofed mac? by nonicknameavailable · 2019-01-12 11:04 · Score: 1
  
  You can change the MAC Address in your router settings
  
  --
  Mendacem Memorem Esse Oportet
12. Re:Spoofed mac? by Anonymous Coward · 2019-01-12 12:11 · Score: 0
  
  You're a fucking idiot and have no clue what you're talking about.
13. Re:Spoofed mac? by thewolfkin · 2019-01-12 12:13 · Score: 2
  
  So how do they know the address is not spoofed?
  to an extent it wouldn't matter right. if he's been using the spoofed address all over his villain base then seeing that spoofed address in your logs could indicate that he was nearby.
  
  But another point is that if he stole someone else's mac address (not "stole" but ya know) then he could basically hide in their wake. But i mean that's the sort of math I'd like to see on basic cable cop procedural. They have a mac address but they have to figure out which locations were the innocent person and which were him. that's an episode of CSI:Cyber or Numb3rs what I would enjoy watching. (I'm pretty sure both of those are cancelled now)
  
  --
  Just another second banana
14. Re: Spoofed mac? by Anonymous Coward · 2019-01-12 12:18 · Score: 1
  
  Lol. He had to be joking. That's too stupid.
15. Re:Spoofed mac? by Opportunist · 2019-01-12 13:10 · Score: 2
  
  I guess their train of thought is that if he's too stupid to build bombs that actually work, he's probably also too stupid to even know what a MAC address is.
  Not all "cyber" criminals are computer wizards and strategic masterminds. Just like very few bank robbers are Ocean's Eleven.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
16. Re:Spoofed mac? by dj245 · 2019-01-12 15:58 · Score: 2
  
  Most criminals aren't geniuses. Especially the ones that get caught. Someone with bomb-making skills may or may not have advanced computer skills. A large majority of people don't know that MAC addresses even exist, let alone know what they are, or that they can be changed.
  
  --
  Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
17. Re: Spoofed mac? by Anonymous Coward · 2019-01-12 23:39 · Score: 0
  
  What's an Apple Mac then, genius?
18. Re:Spoofed mac? by scdeimos · 2019-01-13 10:06 · Score: 1
  
  That's stupid. That would make virtualisation illegal because platforms like VirtualBox create a fake MAC address for every guest you spin up.
19. Re:Spoofed mac? by Askmum · 2019-01-13 20:26 · Score: 1
  
  Well, he hasn't gotten caught yet, has he? Maybe he has spoofed is MAC address and they're now on the tail of some totally innocent sod who just happens to have this MAC address.
20. Re:Spoofed mac? by IgorKadnikov · 2019-01-15 03:41 · Score: 1
  
  What eh? It`s so suspicious. If you don`t want to have problems with IPs and MACs you can use TPlink routers and to connect arris modem ip address. And it`s all, no problems.
How can I help? by Anonymous Coward · 2019-01-12 06:39 · Score: 0

Where in the web interface are my router access logs? I clicked advanced and it's asking for a username and password.
American experts have found some results by Anonymous Coward · 2019-01-12 06:40 · Score: 0

they say it's not a Motorola phone, but that he is obviously a Mac user, so it should narrow it down quite a bit.
If that keeps happening by phantomfive · 2019-01-12 06:40 · Score: 1

If that keeps happening, we'll need to take packages to the post office unsealed, so we can show the contents to the post office employee, and then seal it in front of them. To prevent bombs from getting delivered. Annoying.

--
"First they came for the slanderers and i said nothing."
1. Re:If that keeps happening by Anonymous Coward · 2019-01-12 06:46 · Score: 0
  
  Uh huh, as if you can't put a bomb inside something, like a teddy bear.
  More like all packages will have to go through sniff tests and scanners.
2. Re:If that keeps happening by Iamthecheese · 2019-01-12 07:13 · Score: 0
  
  To prevent bombs from getting delivered. Annoying.
  This should read: To demonstrate and improve mindless compliance with the arbitrary demands of authority. Sad and creepy.
  
  --
  If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
3. Re:If that keeps happening by Anonymous Coward · 2019-01-12 09:23 · Score: 0
  
  Doesn't help if someone tries to mail a package containing a seemingly-innocent item that is actually a bomb or whatever.
  What would help is adopting checked luggage procedures: x-ray machine, explosives trace detector, and manual, intrusive inspection if these two aren't enough. That means unsealing the package, just like the TSA can open and inspect your checked luggage.
4. Re:If that keeps happening by Anonymous Coward · 2019-01-12 09:51 · Score: 0
  
  Huh? You should be doing that already for anything sent with in$urance.
  At least that's what I have been asked to do. No record is kept, and it's
  just a visual inspection. I don't believe it's overreaching at all (remember,
  you're voluntarily using the service).
  CAP === 'medicine'
5. Re:If that keeps happening by Opportunist · 2019-01-12 13:12 · Score: 2
  
  This is Germany we're talking about. The solution is probably that all parcels containing bombs have to clearly be labeled as such so no future incidents can happen anymore.
  Next week the opposition parties will probably lament why the ruling parties didn't have that idea earlier.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
6. Re:If that keeps happening by phantomfive · 2019-01-12 13:19 · Score: 2
  
  It seems reasonable. Then they can sort them into bomb and nonbomb categories without too much effort.
  
  --
  "First they came for the slanderers and i said nothing."
7. Re:If that keeps happening by grep+-v+'.*'+* · 2019-01-13 02:40 · Score: 1
  
  It's been done virtually before. RfC 3514 - IETF aka the "Packet Evil Bit."
  
  ... often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. We define a security flag in the IPv4 header as a means of distinguishing the two cases.
  
  --
  If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
8. Re:If that keeps happening by Opportunist · 2019-01-15 03:21 · Score: 1
  
  And knowing their love for bureaucracy, I'm fairly sure that the bomb deliveries will be carried out, although with a "attention, might explode" sticker attached. As long as there's a sticker attached, it's allright.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
That's a long time ago by Anonymous Coward · 2019-01-12 06:41 · Score: 0

They would have brought this up 9 months ago.
Wait a damn sec by Squiddie · 2019-01-12 06:44 · Score: 2, Insightful

So the police haven't even considered that he might have spoofed his MAC address? Or that he used a burner device? Nice police work.
1. Re:Wait a damn sec by Anonymous Coward · 2019-01-12 06:54 · Score: 1
  
  I imagine they did since they aren't tracking the device down by who the mac was sold to but rather where that mac address that they keep seeing might have consistently been seen by other devices. From there a search of the area for cameras. Looking at the logs they should also be able to possibly eliminate a false positive.
2. Re:Wait a damn sec by Anonymous Coward · 2019-01-12 06:56 · Score: 0
  
  Since this investigation has come to the attention of people who know what a MAC address is, I assume they have considered that possibility. They've probably also assigned a rough probability to it.
3. Re:Wait a damn sec by Anonymous Coward · 2019-01-12 07:17 · Score: 1
  
  In the minds of idiots they view anything with the word "address" as an inviolable identifier.
  They probably have black vans prowling neighborhoods looking for a WLAN card beaconing it ready to jump and arrest anyone who's device just so happened to randomly set it MAC address to it automatically as part of a security policy.
  When it's revealed that the head rolled because of a security practice, they'll demand a ban on devices being able to change their MAC address during the next wave of "Think of the Terrorists" legislation.
4. Re: Wait a damn sec by rHBa · 2019-01-12 07:23 · Score: 1
  
  The MAC address could potentially be used to SWAT someone.
5. Re:Wait a damn sec by godrik · 2019-01-12 07:32 · Score: 1
  
  So the police haven't even considered that he might have spoofed his MAC address? Or that he used a burner device? Nice police work.
  Well, maybe they have considered it. But maybe the bomber isn't very tech savvy and doe not know how to do that or got sloppy. The MAC address seems like a reasonable lead to follow.
  Or do you prefer the following scenario:
  Inspector, we found fingerprints on the murder weapon.
  They can be lifted from a glass and reproduced, we can trust it.
  Inspector, we also found DNA.
  Forget it, someones DNA can be easily found anywhere and planted.
  Inspector, the murder victim wrote a name on the wall in her own blood.
  There is no way to know the victim really wrote that.
  Inspector, they all belong to the husband of the victim who made reported to beat her before, should we talk to him or arrest him?
  No need, it could be an expert frame job. We will never know who committed this murder!
6. Re:Wait a damn sec by bill_mcgonigle · 2019-01-12 07:43 · Score: 4, Insightful
  
  Why would you assume they have assumed that? Those are just two of roughly eight scenarios I can think of without much effort - why would police not follow and extinguish all possible leads?
  Methinks they're doing OK without needing to hire you as a police consultant.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
7. Re:Wait a damn sec by arth1 · 2019-01-12 08:11 · Score: 1
  
  Well, maybe they have considered it. But maybe the bomber isn't very tech savvy and doe not know how to do that or got sloppy. The MAC address seems like a reasonable lead to follow.
  In that case, the reasonable cause of action would be to ask Motorola which device model had this particular MAC address, and where it was sold, and then follow it through the serial number to the buyer.
  I can only presume that they have tried and failed this, and that's why they're asking.
8. Re:Wait a damn sec by Anonymous Coward · 2019-01-12 08:50 · Score: 0
  
  What makes you think that they "haven't even considered" this? When you do police work on such a capital crime, you'd naturally follow every possible trail, not just the ones you've filtered out by your preconceptions on how smart or dumb the criminal is.
9. Re:Wait a damn sec by Spamalope · 2019-01-12 09:06 · Score: 1
  
  They've already tracked him via the MAC address using pervasive spying techniques they don't want to reveal. This is cover so they can say a member of the public gave them a tip instead.
10. Re:Wait a damn sec by Anonymous Coward · 2019-01-12 09:18 · Score: 0
  
  So the police haven't even considered that he might have spoofed his MAC address? Or that he used a burner device? Nice police work.
  How would they consider either of those before they investigate it? MAC spoofing is not done commonly enough to ignore every MAC address that pops up.
11. Re:Wait a damn sec by squiggleslash · 2019-01-12 09:27 · Score: 1
  
  You're saying the police should ignore a potential lead because it might lead nowhere?
  
  --
  You are not alone. This is not normal. None of this is normal.
12. Re:Wait a damn sec by complete+loony · 2019-01-12 09:30 · Score: 1
  
  In this case they have obviously decided that it's worth going public with what they know, even though they risk alerting the suspect.
  
  --
  09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
13. Re:Wait a damn sec by squiggleslash · 2019-01-12 09:30 · Score: 1
  
  Found the scriptwriter for NCIS. Did you also write this bit too? ;-)
  (At best Motorola might be able to identify the distributor of the hardware in question, after that it's unlikely anyone was tracking MAC addresses to their ultimate buyer.)
  
  --
  You are not alone. This is not normal. None of this is normal.
14. Re: Wait a damn sec by Anonymous Coward · 2019-01-12 09:35 · Score: 0
  
  Enhance....enhance....enhance....
  God damn it Abby, why can't you enhance your boobs like you enhance pics on the fly you goth looking fuck.
15. Re:Wait a damn sec by Anonymous Coward · 2019-01-12 09:50 · Score: 0
  
  That was hilarious. Probably the future systemd boot screen.
16. Re:Wait a damn sec by kriston · 2019-01-12 10:41 · Score: 1
  
  Yeah, email headers don't contain MAC addresses.
  
  --
  Kriston
17. Re: Wait a damn sec by Anonymous Coward · 2019-01-12 13:08 · Score: 0
  
  And as usual, the outrage will be directed at the one who did the swatting instead of the actual murderer who guns down another innocent white guy in their mid 50s because he happened to open the door.
  Things went to a whole new level of scary when police started murdering people who weren't even black in this fashion.
18. Re:Wait a damn sec by Anonymous Coward · 2019-01-12 13:11 · Score: 0
  
  So the police haven't even considered that he might have spoofed his MAC address? Or that he used a burner device? Nice police work.
  They don't give a fuck. Make an arrest and make the evidence fit later, even if you need to manufacture it.
  All that matters to them is they have someone to pin this on.
19. Re:Wait a damn sec by Anonymous Coward · 2019-01-12 13:15 · Score: 0
  
  Is this inspector a random black lady on the street in East St. Loius?
20. Re:Wait a damn sec by Opportunist · 2019-01-12 13:15 · Score: 1
  
  Well... it's Germany ... so probably they actually DO have forms and paperwork that identifies that MAC address...
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
21. Re:Wait a damn sec by whoever57 · 2019-01-12 15:19 · Score: 1
  
  (At best Motorola might be able to identify the distributor of the hardware in question, after that it's unlikely anyone was tracking MAC addresses to their ultimate buyer.)
  It appears to be a MAC address used on a mobile device. If it is a cellphone, the manufacturer almost certainly can tie it to an IMEI number and probably track exactly where it was sold. I assume that it was used as a burner so there may not be further records of the owner, but the IMEI should be logged by the ISP when it connected to the network.
  More likely, though it was used on a tablet that only used WiFI, so no network connection logs except for WiFI logs.
  All of that assumes that the bomber didn't unlock the device and spoof the MAC.
  
  --
  The real "Libtards" are the Libertarians!
22. Re: Wait a damn sec by Anonymous Coward · 2019-01-12 20:19 · Score: 0
  
  The police have a lot of resources so it makes sense to check every possibility. There's a chance she was using the default Mac from a phone purchased on a plan right from her credit card. There's also a chance it was a stolen laptop using a high power wifi adapter from miles away with a spoofed Mac address.
23. Re: Wait a damn sec by Anonymous Coward · 2019-01-13 02:04 · Score: 0
  
  Asking router owners? Really.
  Are they really asking the public to look through their router logs? I assume it's because maybe this person was on someones privately owned wifi?
  If that's the case, prob no password on their ssid. In that case, these people would probably head for their gardening equipment looking for something to dig a hole, or go order a big mac at McDonalds and look inside it before thinking to look in their broadband modem.
  Or am I being too cynical/missing what they are really asking here?
24. Re: Wait a damn sec by fisted · 2019-01-14 01:37 · Score: 1
  
  Last time I checked, the device has to talk to the AP in order to authenticate.
  
  --
  CLI paste? paste.pr0.tips!
25. Re:Wait a damn sec by craighansen · 2019-01-14 11:47 · Score: 1
  
  Because "everyone" knows that an OUI can be trivially looked up, so the fact that they needed outside consultants to tell them shows their pathetic level of understanding.
router reset by Anonymous Coward · 2019-01-12 06:51 · Score: 0

logs from that time period are likely lost; most home routers were probably reset since then due to power outages or ISP first level support scripts
1. Re:router reset by DeBaas · 2019-01-12 07:09 · Score: 1
  
  Just to see if my router actually logs this I just checked, my >200 Euro router keeps the logs for just about 24 hours. If that is any indication it seems that their best chance is public WiFi spots that hopefully have a bit more in place to retain logs.
  
  --
  ---
2. Re: router reset by Anonymous Coward · 2019-01-12 08:15 · Score: 0
  
  You don't live in Germany, do you? Power outages almost never happen. A router running since 2017 is nothing unusual.
3. Re:router reset by arth1 · 2019-01-12 08:26 · Score: 1
  
  While my router forwards logs to a lan server, and also saves daily logs to a USB key, the remote mac address is not normally logged.
  I would think that would be fairly uncommon.
4. Re:router reset by DeBaas · 2019-01-12 09:21 · Score: 2
  
  true, I've only got entries from the DHCP server wit MAC addresses in it
  
  --
  ---
5. Re:router reset by cdsparrow · 2019-01-12 11:18 · Score: 1
  
  Does Google not do street view around there? Their cars log absolutely everything any of their sensors can grab anytime. So maybe start there or other similar mapping services?
6. Re:router reset by Anonymous Coward · 2019-01-12 23:25 · Score: 0
  
  This was in late 2017. There are about two power outages per ten years on average in Germany, so odds are most home routers have not been reset.
7. Re:router reset by fisted · 2019-01-14 01:40 · Score: 1
  
  So what do those log look like?
  Like "Mon Jan 14 14:39:37 CET 2019: A station associated!"?
  
  --
  CLI paste? paste.pr0.tips!
8. Re:router reset by arth1 · 2019-01-14 03:45 · Score: 1
  
  Router logs differ depending on the router, and what it's configured to do. There's no set format for what a router logs or how; it depends on the router OS, model and configuration.
  Changes in routing information would normally go in router logs, along with information on packets that cannot or would not be routed, and interfaces that go up or down.
  "A station associated" seems to me to be an access point log, not a router log. (Granted, these days some call everything a "router", much like they called every computer a "cpu" or "hard drive" in the past.)
This is going to go well by Anonymous Coward · 2019-01-12 06:51 · Score: 0

Have they seen what happens when you ask the internet for help before? this address is going to start popping up in all sorts of random places.
1. Re:This is going to go well by crow · 2019-01-12 06:58 · Score: 1
  
  What, like hundreds of people are now going to set their phones to use this MAC address? That would never happen.
2. Re:This is going to go well by Anonymous Coward · 2019-01-12 23:13 · Score: 0
  
  This is verboten. Deal with it.
Irresponsible idiots, holy hell! by Anonymous Coward · 2019-01-12 06:52 · Score: 0

This is very nearly like publishing someone's home address and saying "We're looking for this terrorist and this is the address they gave us".
Can you imagine the fallout? They're just a suspect, not a criminal. Plus the address is likely fake and pointing to a completely unrelated person!
Morons...
1. Re:Irresponsible idiots, holy hell! by ledow · 2019-01-12 06:59 · Score: 1
  
  The guy planted actual, viable bombs that would kill people.
  The MAC address is believed to be genuine.
  It's no different to saying "We are trying to trace the vehicle the bomber drove off in, with the registration X374 HFU" (or whatever). It's not like they are giving out a personal detail (e.g. a phone number, or an address), but they have given out names and hometowns since forever.
  Happens EVERY DAY if you follow any police Twitter account, watch anything like Crimewatch (UK TV programme which is used for reconstructing crimes and appeal for help), etc.
  It's a very different piece of information. And it's ABSOLUTELY linked to someone proven to have already endangered life, not just "we'd like to speak to the guy in the red hat who went by the name of Steve in connection with a fight outside the club last night" (which is, in fact, more information).
2. Re:Irresponsible idiots, holy hell! by Anonymous Coward · 2019-01-12 07:21 · Score: 0
  
  Lol some lil script kiddie doesnt know that you can change your MAC address to be whatever you want. Course who would ever do that? Certainly not someone making bomb threats and actually following through!
3. Re:Irresponsible idiots, holy hell! by ledow · 2019-01-12 08:47 · Score: 2
  
  Of course you can. I do it all the time (HyperV tools to emulate an existing MAC from another server for failover etc.). I've been able to - and have done - it since kernel 2.0 at least... I actually use MAC address as part of things like RADIUS authentication, though. Because 99.999% of people would never be able to work out how to do it.
  They've even already eliminated the modern feature of "disposable" MAC addresses given to each Wifi network you probe to prevent such tracking... they know his MAC stayed the same all those days as they correlated several things together.
  The chances that he did this are absolutely minimal.
  I can change a car number plate in about 5 minutes, tops, to any other valid one that I see on the road. But police still call out those for incidents where a suspect car was spotted too.
  It's not about "this is convictable in a court of law". It's a correlative piece of evidence that may well lead to chance correlations which can lead to REAL evidence (i.e. seeing the same guy walking around town, on his phone at a certain location and time (which will give them his number and calls) and so on.
  But they can't link the MAC address directly to IMEI or SIM or phone number, most likely, or they'd have already done it.
  Stop thinking "A jury would never convict on that basis" and think "That's a clue that may well lead to a suspect".
4. Re:Irresponsible idiots, holy hell! by dunkelfalke · 2019-01-12 09:10 · Score: 2
  
  A jury wouldn't be involved anyway, Germany generally uses professional judges.
  
  --
  "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
5. Re:Irresponsible idiots, holy hell! by SuiteSisterMary · 2019-01-12 09:47 · Score: 1
  
  But they can't link the MAC address directly to IMEI or SIM or phone number, most likely, or they'd have already done it.
  Or the have, but knowing that the device in question was sold at a given corner store or whatever is one piece of the puzzle; knowing that the person who owned the phone at the time frequented certain locations is another piece of the puzzle.
  
  --
  Vintage computer games and RPG books available. Email me if you're interested.
6. Re:Irresponsible idiots, holy hell! by Anonymous Coward · 2019-01-12 10:37 · Score: 0
  
  And it's ABSOLUTELY linked to someone proven to have already endangered life
  Except the MAC address can be randomized or even specifically set by the user at the time of connection to the network. Some systems like various Linux distros using NetworkManager even have automatic MAC address randomization as a security policy setting for a wireless card. So no, it very much may not be linked to anyone or anything. Nor is there a guarantee you'll find it in use again, and that's before you consider that any decent criminal would trash the detonator device between attacks to help mask their identity regardless of the ability to change the device's ID.
  What you have done is created yet another illegal number that if it were to be reused by accident anytime soon, could very well get someone killed. While also creating the chance for an innocent person to take the fall for a dangerous criminal, and giving said criminal the chance to take a then content under false security society by surprise all over again.
  In short by not knowing the basics of how this crap works, which in this day and age is inexcusable for a government, the German government has placed itself and it's people at greater risk. Way to go ignorance.
7. Re:Irresponsible idiots, holy hell! by Anonymous Coward · 2019-01-12 12:14 · Score: 0
  
  It's not even close to being like publishing someones home address. You're a fucking clueless idiot. A complete and utter moron.
Re:Probably spoofed by wolfheart111 · 2019-01-12 06:56 · Score: 4, Informative

The router will show the spoofed mac, so they will know his location of the router, search street cams of the surrounding area.

--
[($)]
Only insecure ones. by wolfheart111 · 2019-01-12 07:06 · Score: 2

Go to Shodan, filter insecure routers in Germany... there's apis for shodan as well... WTF nevermind they should know this shit already.

--
[($)]
1. Re:Only insecure ones. by Anonymous Coward · 2019-01-12 07:32 · Score: 0
  
  If the mac adres isn't spoofed, the phone is real with that wifi-mac, then the authorities already know a lot more about the phone than most slashdotters know.
  and if they don't know it, then someone hasn't been doing their job.
2. Re:Only insecure ones. by Anonymous Coward · 2019-01-12 07:43 · Score: 0
  
  Why "should" an investigative police force responsible for a physical crime know about an offensive cybercrime tool and how to use it?
  Are you upset that your local butcher is not also an orthopedic surgeon?
tinfoil hattery by Iamthecheese · 2019-01-12 07:10 · Score: 0

Have you seen Running Man? How the authorities lied constantly? That's the world we live in. I know the German authorities want me to help with that MAC. Hell the attempted bombings probably even happened. But that's all I know. There have been too many lies from too many governments for me to take this at face value. Maybe the mac belongs to a spy they're trying to uproot. Maybe this is just a social experiment, or an attempt to get people to "help" so they feel good about helping (like England' calls for people to turn in unused kitchen appliances for melt even though they didn't actually have a shortage of steel) Maybe they're looking for people willing to unethically root through mac logs in violation of customers privacy.so they can ask for other favors later. Whatever this really is, and even if it's real, I want no part of it.

--
If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
A near impossible task by Artem+S.+Tashkinov · 2019-01-12 07:13 · Score: 4, Insightful

There are several huge issues with this call:
First of all, mostly likely the suspect has long gotten rid of the device and I'm not sure how finding his device in logs might help anyone (aside from narrowing down his whereabouts but then we have to presume that the CCTV footage at that location still remains which is highly unlikely).
Second of all, assuming he's not a total idiot, he could have modified his device MAC address which is possible for most Android smartphones.
Thirdly, this device was probably produced by Motorola/Lenovo, because F8E079 is their unique MAC prefix.
Fourthly, most people keep their routers password-protected which makes the task even harder.
Lastly, most Wi-Fi routers can barely keep more than a week worth of logs and they are not stored permanently, so reboot wipes them clean.
1. Re:A near impossible task by Anonymous Coward · 2019-01-12 08:16 · Score: 0
  
  The hits just keep on hitting
2. Re:A near impossible task by Anonymous Coward · 2019-01-12 08:29 · Score: 0
  
  At least in Spain, the Livebox routers that France Telecom Orange installs to their clients upload to an ftp server on each reconnection IPs and MACs of ALL lan devices ever connected to it. Even the WiFi password. And it has been this way for YEARS.
  Worse, the ftp server ospliveboxsrv.orange.es where all the data is uploaded has public read access and a static user ftpliveboxinfo and a well known plain text password that is stored in every configuration backup.
3. Re:A near impossible task by dissy · 2019-01-12 09:41 · Score: 0
  
  There are several huge issues with this call:
  First of all, mostly likely the suspect has long gotten rid of the device and I'm not sure how finding his device in logs might help anyone (aside from narrowing down his whereabouts but then we have to presume that the CCTV footage at that location still remains which is highly unlikely).
  It may possibly lay out a point or two on a map that may possibly show the accused was near the same spot more than once, or may possibly lower other suspects on the priority list who were known to be elsewhere.
  It's quite the long shot for certain, but worst that can happen is "nothing" and they are no worse off than they are now.
  
  Second of all, assuming he's not a total idiot, he could have modified his device MAC address which is possible for most Android smartphones.
  Thirdly, this device was probably produced by Motorola/Lenovo, because F8E079 is their unique MAC prefix.
  Don't assume they aren't an idiot, there are plenty of idiots that do bad things and shouldn't be crossed off the list just for being an idiot :P
  
  Fourthly, most people keep their routers password-protected which makes the task even harder.
  Lastly, most Wi-Fi routers can barely keep more than a week worth of logs and they are not stored permanently, so reboot wipes them clean.
  Yea I don't see anything coming out of residential router owners for something like this.
  If anything it would be business owners and other wifi offering services.
  Many businesses here offer wifi for free to their customers. Many just open free wifi.
  Others utilize a guest portal type thing, where you put in a code from your receipt or something like that. The AP runs open though and allows any device to connect. It just filters by MAC until a valid code is entered.
  Both cases have the potential to log a connecting devices MAC.
  Now granted, most places doing such things try to keep their signal from extending much outside of the building, but you never know.
  Our university used to use the guest portal on open wifi method long ago too, and that had campus wide coverage and roaming logs.
  They have since switched to wpa2-enterprise for student login but I'd be surprised if there wasn't some form of guest network operating.
  It's certainly worse odds than "one in a million", but on the other hand it can't hurt to ask!
4. Re:A near impossible task by Anonymous Coward · 2019-01-12 11:24 · Score: 0
  
  There is the potential of the mac showing up at coffee shops who have cctv security footage and decent logging based on the fact that people may do illegal things from their network. Some may have a commercial captive portal service which may keep logs indefinately and/or for billing. In addition HD cameras (2mp and above) have become a lot more common. There is a reasonably good chance they will get some visual indication of who this was by cross referencing time even if the mac is spoofed. If this visually looks like a suspect or a person of interest or someone the victims can identify they have a new lead to investigate.
5. Re:A near impossible task by AHuxley · 2019-01-12 12:46 · Score: 1
  
  German police both East and West and now Germany are great at searching for Germans for any reason.
  Powerful laws help with any search they want to do too :)
  
  --
  Domestic spying is now "Benign Information Gathering"
6. Re:A near impossible task by Mal-2 · 2019-01-12 15:14 · Score: 1
  
  Any time I've used a modified MAC address, I've set it to appear to be an iPhone, because it's just easier to hide in the sea than in a water hazard. If I get booted off (for being there too long or whatever), I'll spin up another, but with the same device manufacturer range.
  
  --
  How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
Re:Probably spoofed by Anonymous Coward · 2019-01-12 07:15 · Score: 0

Assuming he didn't spoof _someone else's_ MAC address.
Right by Anonymous Coward · 2019-01-12 07:15 · Score: 0

No one could ever mask a Mac...
Not so subtle request to the NSA by Anonymous Coward · 2019-01-12 07:16 · Score: 4, Funny

The German government has barred the BKA from directly working with the NSA, so now they are posting their dead-ends publicly.
Remind me if I'm ever planting bombs in Germany... by Anonymous Coward · 2019-01-12 07:18 · Score: 1

... to clone a politician's phone's MAC address for the one time I contact the police or or press with my burner-device.
Re:How old is yours.. by wolfheart111 · 2019-01-12 07:27 · Score: 1

Older routers may not do that, back in the WEP days. I doubt he would go to a Mcdonalds for somthing like this. His bombers were mostly defective... does not have the time or patience to crack wpa.... just thoughts.

--
[($)]
Back for White hat by seoras · 2019-01-12 07:28 · Score: 2

Given the monumental technical task being asked here of Joe Public I wonder if the German cops are really asking hackers, who want to show off their skills, for help?
1. Re:Back for White hat by ausgamer · 2019-01-12 11:03 · Score: 2
  
  Given the monumental technical task being asked here of Joe Public I wonder if the German cops are really asking hackers, who want to show off their skills, for help?
  Hackers do not help the police ever. They are not faggots like you.
2. Re:Back for White hat by Anonymous Coward · 2019-01-12 22:44 · Score: 0
  
  Whereas you, sir, display in two short sentences a wit not seen since the death of Oscar Wilde.
3. Re: Back for White hat by Anonymous Coward · 2019-01-12 23:51 · Score: 0
  
  I dunno i could have mistaken that comment for a Trump tweet..
4. Re:Back for White hat by Anonymous Coward · 2019-01-13 13:59 · Score: 0
  
  Given the monumental technical task being asked here of Joe Public I wonder if the German cops are really asking hackers, who want to show off their skills, for help?
  Hackers do not help the police ever. They are not faggots like you.
  uh. this is blatent untrue, inflamatory, and probably just a troll.. but maybe it isnt, so i'll reply.
  hackers are people too(tm).
  the majority of people in this world have at least a mostly ok set of ethics and reasonable moral standards.
  they'll look at the actions taken and decide if it warrants their time - just like everyone else.
5. Re:Back for White hat by ausgamer · 2019-01-14 23:27 · Score: 1
  
  Hackers do not help the police.
Good lord by Anonymous Coward · 2019-01-12 07:29 · Score: 1

Forget it. You can't help.
Re:Id go wardriving. by wolfheart111 · 2019-01-12 07:31 · Score: 1

If I worked for them... get a list of open home routers or barely secured... not many. Check the CCT around those areas.... :)... done.

--
[($)]
Dumb to give the full MAC address. by Anonymous Coward · 2019-01-12 08:08 · Score: 0

Now anyone can spoof to that address complicating the investigation.
Better to leave off the last digit pair in order to filter for false positives.
Anyway, can't they just backdoor all the routers and investigate themselves? Or are we to believe they actually respect privacy?
What? by YuppieScum · 2019-01-12 08:13 · Score: 5, Interesting

Router logs? Really?
You have the MAC address, so you can identify the manufacturer. You call them, ask them for the IMEI, and the supply chain details.
From the supply chain details, you can track it to a retailer. You then ask the retailer for the details of whomever bought it.
From the IMEI, you ask the cellular telcos for details of the SIM associated with it in the period in question, and all the other data they hold - call history, SMS, whatever.
You ask the SIM vendor for any details on the subscriber - even if it's a PAYG and they paid cash, the location of the transaction will be available.
From the other telco data, you can track down the suspect's associates, always presuming they might be entirely uninvolved beyond being an acquaintance
Unless this suspect bought the phone from a second-hand store (or stole it), never put a SIM in it, and used public WiFi for their scheme, you stand a moderate chance of getting close.
Hoping that random people will (a) see you request, (b) understand what it means, (c) own a router with open access, (d) know how to look at their logs, (e) be bothered to do so, and (f) have logs that go back at least nine months, seems to be a long shot.
I get the impression that some policeman has equated a MAC address to a car's registration number, so decided to ask if anyone has seen it...

--
This sig left unintentionally blank.
1. Re:What? by Anonymous Coward · 2019-01-12 08:51 · Score: 0
  
  Most companies don't track which device gets which MAC address. Very often it is not even guaranteed to be unique, there are a lot of devices that generate a random MAC in the companies range on first power-up. I think the Raspberry PI also works like this. Especially now with the GDPR it seems to make little sense to keep this info.
2. Re:What? by SuiteSisterMary · 2019-01-12 09:44 · Score: 2
  
  Hoping that random people will (a) see you request, (b) understand what it means, (c) own a router with open access, (d) know how to look at their logs, (e) be bothered to do so, and (f) have logs that go back at least nine months, seems to be a long shot.
  It's absolutely a long shot. But it costs them, what, five minutes to type up a press release and hand it to the department media liaison. They'd be stupid not to put out the request.
  
  --
  Vintage computer games and RPG books available. Email me if you're interested.
3. Re:What? by Anonymous Coward · 2019-01-12 10:09 · Score: 0
  
  You have the MAC address, so you can identify the manufacturer. You call them, ask them for the IMEI, and the supply chain details.
  If it hasn't been faked.
  
  From the supply chain details, you can track it to a retailer. You then ask the retailer for the details of whomever bought it.
  If it hasn't been resold.
  
  From the IMEI, you ask the cellular telcos for details of the SIM associated with it in the period in question, and all the other data they hold - call history, SMS, whatever.
  If those countries' cell phone providers feel like giving that information to you
  
  You ask the SIM vendor for any details on the subscriber - even if it's a PAYG and they paid cash, the location of the transaction will be available.
  See above, and if it's even legal for them to do so (not that spy agencies care about law)
  
  From the other telco data, you can track down the suspect's associates, always presuming they might be entirely uninvolved beyond being an acquaintance
  Unless this suspect bought the phone from a second-hand store (or stole it), never put a SIM in it, and used public WiFi for their scheme, you stand a moderate chance of getting close.
  Yah, guilt by association? Works in the press, not so much in the courts.
  Have a nice day.
  AC
4. Re:What? by guruevi · 2019-01-12 10:25 · Score: 1
  
  Sure, if the vendor keeps track of it. Most likely not. It also seems Motorola has only cheap devices in that range, so this was almost definitely a burner.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
5. Re:What? by Anonymous Coward · 2019-01-12 11:13 · Score: 0
  
  lolwut dude - you have seen too many TV shows where people are tracked by the serial numbers on their hip implants.
6. Re: What? by Anonymous Coward · 2019-01-12 15:55 · Score: 0
  
  Itâ(TM)s a lead. Matching it up with a person should not, by itself, be enough for a conviction. Possibly a warrant though. With a warrant, they may find more evidence which will lead to a conviction.
7. Re: What? by Anonymous Coward · 2019-01-12 17:45 · Score: 0
  
  The RPi does this because it's unlikely to end up with duplicates on the same network since the user makes sure of this when setting up the device.
  It's not used on mobile phones and tablets that tend to move around and use public networks.
8. Re:What? by YuppieScum · 2019-01-13 21:56 · Score: 1
  
  My ex works for a coroner, and they've used that exact method to formally identify what they call a "decomp" - a body that has been dead for several weeks, and decomposed so much that it's effectively melted into its surroundings.
  
  --
  This sig left unintentionally blank.
Why should we believe the German police? by Anonymous Coward · 2019-01-12 08:50 · Score: 0

They claim that it's to catch a bomber. How do we know this is true? They have lied and told half-truths before, and CondÃ© Nast (Slashdot's owners) are known to be in bed with them.
The only thing we do know for sure is that they want to know to whom a certain MAC address belongs to. We can't know why.
1. Re:Why should we believe the German police? by RuiFRibeiro · 2019-01-12 20:52 · Score: 1
  
  Finally someone using the head for what is intended to.
  This seems either an interesting social experiment or just laying a precedent to ask for mandatory access to router logs.
What a coincidence by certsoft · 2019-01-12 09:28 · Score: 3, Funny

I have the same combination on my luggage.
Re:Cats not in bag by wolfheart111 · 2019-01-12 09:37 · Score: 1

ANYMORE lol

--
[($)]
Re:Fuckn Owww by wolfheart111 · 2019-01-12 09:38 · Score: 1

That would suck so bad... ohhhh

--
[($)]
Re: Id go wardriving. by Anonymous Coward · 2019-01-12 09:40 · Score: 0

EZ PZ right? Only a couple hundred thousand suspects.
Re:He's still active by wolfheart111 · 2019-01-12 09:43 · Score: 1

If he plants another bomb they may have a better idea where to go.

--
[($)]
Re:Search Airports by wolfheart111 · 2019-01-12 09:47 · Score: 1

For TSA searched luggage combinations... ect. ROFL

--
[($)]
When I spoof by fearm0nger · 2019-01-12 10:01 · Score: 1

I go with dead beef dead when I spoof mac addresses
1. Re:When I spoof by Anonymous Coward · 2019-01-12 10:08 · Score: 0
  
  ca:fe:ba:be:b0:0b
Re:They are on Google by wolfheart111 · 2019-01-12 10:02 · Score: 1

Just G em... :P

--
[($)]
Re:Beef aint dead. by wolfheart111 · 2019-01-12 10:24 · Score: 1

Whats better than Beef?

--
[($)]
Re:German IP's DL MetaSpl by wolfheart111 · 2019-01-12 10:27 · Score: 1

Get a list of them for the last couple months... u have ur perp... now if only rap7 will agree. lol

--
[($)]
Well done, cops by nospam007 · 2019-01-12 10:30 · Score: 1

So the guy either changes the MAC address or if he's a newbie he throws away the hardware.
Re: No Isp's set up routers now by wolfheart111 · 2019-01-12 10:37 · Score: 1

There wont be many... handful maybe.

--
[($)]
Re:Dont need the MAC by wolfheart111 · 2019-01-12 10:53 · Score: 1

Just look for insecure routers... thats all. Do what he did... follow his path as such.... go on assumptions. he wasnt at a public wifi... to many cams.... must have been at a grannys house... somewhere next door... hackable router... u got em.... Use assumptions.

--
[($)]
Re:Hackable router by wolfheart111 · 2019-01-12 10:55 · Score: 1

Dark surrounding, perhaps basement suites... maybe somewhere with warmer surroundings to spend some time in.

--
[($)]
Re:Fuck I shoulda by wolfheart111 · 2019-01-12 11:00 · Score: 1

`Been a cop... lol

--
[($)]
Address space collisions... by sweet+'n+sour · 2019-01-12 13:00 · Score: 2

I've had two Intel nics with the same MAC address.

A MAC address is made up of 6 bytes. The first three are the manufacturer so that only leaves three bytes for unique addresses. FFFFFF = 16,777,215 unique addresses.
Some manufacturers have more than one three-byte identifier, but many just re-use. Using a MAC address as a unique identifier is going to give you a lot of false positives.
1. Re:Address space collisions... by hcs_$reboot · 2019-01-12 14:16 · Score: 1
  
  Doubt that, how would that work on the same LAN?
  
  --
  Slashdot, fix the reply notifications... You won't get away with it...
2. Re:Address space collisions... by Mal-2 · 2019-01-12 15:19 · Score: 1
  
  Not very well.
  Short answer: you can either hide them behind different switches, or the network is going to keep alternately connecting one (which disconnects the other), then the other, since it can't tell them apart.
  
  --
  How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
3. Re: Address space collisions... by Anonymous Coward · 2019-01-13 00:02 · Score: 0
  
  You mean put them on different networks (ie clans)
  Hiding them behind two different switches (on the same L2 domain) isn't going to help at all.. you will have Mac flapping and the two hosts will miss out on most of the traffic...
  You could also put both devices on the same hub... But that's not exactly recommend lol..
4. Re:Address space collisions... by hcs_$reboot · 2019-01-13 00:37 · Score: 1
  
  you can either hide them behind different switches
  As long as it's on the same LAN, that won't work (as the IP layer is not reached, only the data-link layer) unless you separate the LAN via VLANs, this is done thanks to L3 switches (that use the IP address, like a router without really routing, just pass the packets to the right ports).
  
  --
  Slashdot, fix the reply notifications... You won't get away with it...
Doubt he has this same phone now either. by Anonymous Coward · 2019-01-12 16:51 · Score: 0

It's most likely destroyed. And also he would most likely not be in the same vicinity he was in when doing his terrorism. Someone smart would have moved out asap, let the heat die down for a while. If the terrorist has too much impatience and ADD then he'll surface again somewhere else.
Also, you can get free Wi-Fi from an awful lot of places without even being in the venue/facility corresponding with anyone face to face. I do it all the time from a Walmart in the parking lot. Fast food shops are notorious for offering free Wi-Fi too. Anyhow, I doubt most non-techy types would know what the hell to do in the first place to help you find his MAC address let alone know what exactly what you're talking about.
Good luck, sounds like you'll need it.
MAC's aren't even unique by Anonymous Coward · 2019-01-12 23:49 · Score: 1

1. Not unique.
2. Can be spoofed.
3. Presumption of innocence before pinning blame on anyone with this MAC.
4. Routers don't typically log access, and even if they did most would be aged out by now (buffer overflow or reboot).
This is terrible police work on all accounts...
Can't they just ask the NSA for help?
incompetence - or as usual "fake news" by Anonymous Coward · 2019-01-13 03:10 · Score: 0

My router can "simulate" a MAC address, this is by design and most of them can.
WHY ?
Because somethime you have to replace one and is much difficult to update the security, so quickest way is to copy the old one in tne new.
Also some ISP link your PC's MAC, so when you expand with a LAN you can't except if the router do copy your PC's MAC.
Q.E.D.