German Police Ask Router Owners For Help In Identifying a Bomber's MAC Address (zdnet.com)
An anonymous reader quotes ZDNet: German authorities have asked the public for help in surfacing more details and potentially identifying the owner of a MAC address known to have been used by a bomber in late 2017... The MAC address is f8:e0:79:af:57:eb. Brandenburg police say it belongs to a suspect who tried to blackmail German courier service DHL between November 2017 and April 2018. The suspect demanded large sums of money from DHL and threatened to detonate bombs across Germany, at DHL courier stations, private companies, and in public spaces. [The bomb threats were real, but one caught fire instead of exploding, while the second failed to explode, albeit containing real explosives.]
Investigators called in to negotiate with the bomber managed to exchange emails with the attacker on three occasions, on April 6, 2018, April 13, 2018, and April 14, 2018. One of the details obtained during these conversations was the bomber's MAC address, which based on the hardware industry's MAC address allocation tables, should theoretically belong to a Motorola phone... Now, they're asking router owners to check router access logs for this address, and report any sightings to authorities. Investigators want to know to what routers/networks the bomber has connected before and after the attacks, in order to track his movements and maybe gain an insight into his identity.
If that keeps happening, we'll need to take packages to the post office unsealed, so we can show the contents to the post office employee, and then seal it in front of them. To prevent bombs from getting delivered. Annoying.
"First they came for the slanderers and i said nothing."
So the police haven't even considered that he might have spoofed his MAC address? Or that he used a burner device? Nice police work.
How does that have any effect on a Motorola device?
- In Soviet Korea, only old people loose all their bases to Natalie Portman's petrified hot grits overlords.
The router will show the spoofed MAC, so they will know the location of the router; then search street cams of the surrounding area.
Don't be ridiculous. It's illegal to spoof a MAC address in Germany. No German terrorist bomber would break the law like that.
What, like hundreds of people are now going to set their phones to use this MAC address? That would never happen.
The guy planted actual, viable bombs that would kill people.
The MAC address is believed to be genuine.
It's no different to saying "We are trying to trace the vehicle the bomber drove off in, with the registration X374 HFU" (or whatever). It's not like they are giving out a personal detail (e.g. a phone number, or an address), but they have given out names and hometowns since forever.
Happens EVERY DAY if you follow any police Twitter account, watch anything like Crimewatch (UK TV programme which is used for reconstructing crimes and appeal for help), etc.
It's a very different piece of information. And it's ABSOLUTELY linked to someone proven to have already endangered life, not just "we'd like to speak to the guy in the red hat who went by the name of Steve in connection with a fight outside the club last night" (which is, in fact, more information).
Go to Shodan, filter insecure routers in Germany... there are APIs for Shodan as well... WTF, never mind, they should know this shit already.
I wonder how many false reports the police will see over the next several weeks because someone thinks it will be a good laugh to modify the MAC address on one of their friend's devices when they aren't looking.
Just to see if my router actually logs this, I checked: my >200 Euro router keeps the logs for just about 24 hours. If that is any indication, it seems their best chance is public WiFi spots that hopefully have a bit more in place to retain logs.
---
There are several huge issues with this call:
First of all, most likely the suspect has long gotten rid of the device, and I'm not sure how finding his device in logs might help anyone (aside from narrowing down his whereabouts, but then we have to presume that the CCTV footage at that location still remains, which is highly unlikely).
Second of all, assuming he's not a total idiot, he could have modified his device MAC address which is possible for most Android smartphones.
Thirdly, this device was probably produced by Motorola/Lenovo, because F8E079 is their unique MAC prefix.
Fourthly, most people keep their routers password-protected which makes the task even harder.
Lastly, most Wi-Fi routers can barely keep more than a week's worth of logs, and they are not stored permanently, so a reboot wipes them clean.
The German government has barred the BKA from directly working with the NSA, so now they are posting their dead-ends publicly.
... to clone a politician's phone's MAC address for the one time I contact the police or press with my burner device.
Older routers may not do that, back in the WEP days. I doubt he would go to a McDonald's for something like this. His bombs were mostly defective... he does not have the time or patience to crack WPA.... just thoughts.
Given the monumental technical task being asked here of Joe Public I wonder if the German cops are really asking hackers, who want to show off their skills, for help?
Forget it. You can't help.
If I worked for them... get a list of open home routers or barely secured ones... not many. Check the CCTV around those areas.... :)... done.
You can spoof anything on the net...
ANYTHING
Heck, I've used a program that lets my network card pretend it's a half dozen other cards each with their own mac.
I used to use it to get around those super slow access places that only let you download one file at a time at the snails pace of less than 2k.
If the site supported segment downloads, then I'd have it split the file between the addresses, and if not, I'd have each one downloading a different file.
Of course, finding spoofing software for your phone might be more difficult, but they do exist.
And since you don't seem to understand how encryption works, it prevents 3rd parties from reading the contents, but there is no such restriction on the sender or the intended receiver of said data. After all, wtf do you think does the encryption in the first place?
Router logs? Really?
You have the MAC address, so you can identify the manufacturer. You call them, ask them for the IMEI, and the supply chain details.
From the supply chain details, you can track it to a retailer. You then ask the retailer for the details of whoever bought it.
From the IMEI, you ask the cellular telcos for details of the SIM associated with it in the period in question, and all the other data they hold - call history, SMS, whatever.
You ask the SIM vendor for any details on the subscriber - even if it's a PAYG and they paid cash, the location of the transaction will be available.
From the other telco data, you can track down the suspect's associates, always presuming they might be entirely uninvolved beyond being an acquaintance
Unless this suspect bought the phone from a second-hand store (or stole it), never put a SIM in it, and used public WiFi for their scheme, you stand a moderate chance of getting close.
Hoping that random people will (a) see your request, (b) understand what it means, (c) own a router with open access, (d) know how to look at their logs, (e) be bothered to do so, and (f) have logs that go back at least nine months, seems to be a long shot.
I get the impression that some policeman has equated a MAC address to a car's registration number, so decided to ask if anyone has seen it...
This sig left unintentionally blank.
While my router forwards logs to a lan server, and also saves daily logs to a USB key, the remote mac address is not normally logged.
I would think that would be fairly uncommon.
Of course you can. I do it all the time (HyperV tools to emulate an existing MAC from another server for failover etc.). I've been able to - and have done - it since kernel 2.0 at least... I actually use MAC address as part of things like RADIUS authentication, though. Because 99.999% of people would never be able to work out how to do it.
They've even already eliminated the modern feature of "disposable" MAC addresses given to each Wifi network you probe to prevent such tracking... they know his MAC stayed the same all those days as they correlated several things together.
The chances that he did this are absolutely minimal.
I can change a car number plate in about 5 minutes, tops, to any other valid one that I see on the road. But police still call out those for incidents where a suspect car was spotted too.
It's not about "this is convictable in a court of law". It's a correlative piece of evidence that may well lead to chance correlations which can lead to REAL evidence (i.e. seeing the same guy walking around town, on his phone at a certain location and time (which will give them his number and calls) and so on).
But they can't link the MAC address directly to IMEI or SIM or phone number, most likely, or they'd have already done it.
Stop thinking "A jury would never convict on that basis" and think "That's a clue that may well lead to a suspect".
A jury wouldn't be involved anyway, Germany generally uses professional judges.
"It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
True, I've only got entries from the DHCP server with MAC addresses in them.
---
I have the same combination on my luggage.
ANYMORE lol
That would suck so bad... ohhhh
If he plants another bomb they may have a better idea where to go.
For TSA-searched luggage combinations... etc. ROFL
Or they have, but knowing that the device in question was sold at a given corner store or whatever is one piece of the puzzle; knowing that the person who owned the phone at the time frequented certain locations is another piece of the puzzle.
Vintage computer games and RPG books available. Email me if you're interested.
I go with dead beef dead when I spoof mac addresses
Just G em... :P
Whats better than Beef?
Get a list of them for the last couple of months... you have your perp... now if only rap7 will agree. lol
So the guy either changes the MAC address or if he's a newbie he throws away the hardware.
There won't be many... a handful, maybe.
Just look for insecure routers... that's all. Do what he did... follow his path as such.... go on assumptions. He wasn't at a public wifi... too many cams.... must have been at a granny's house... somewhere next door... hackable router... you got 'em.... Use assumptions.
Not many. It is Germany, after all.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Dark surrounding, perhaps basement suites... maybe somewhere with warmer surroundings to spend some time in.
Been a cop... lol
You can change the MAC Address in your router settings
Mendacem Memorem Esse Oportet
Does Google not do street view around there? Their cars log absolutely everything any of their sensors can grab anytime. So maybe start there or other similar mapping services?
So how do they know the address is not spoofed?
To an extent it wouldn't matter, right? If he's been using the spoofed address all over his villain base, then seeing that spoofed address in your logs could indicate that he was nearby.
But another point is that if he stole someone else's MAC address (not "stole", but ya know) then he could basically hide in their wake. But I mean that's the sort of math I'd like to see on a basic cable cop procedural. They have a MAC address but they have to figure out which locations were the innocent person and which were him. That's an episode of CSI: Cyber or Numb3rs I would enjoy watching. (I'm pretty sure both of those are cancelled now.)
Just another second banana
Lol. He had to be joking. That's too stupid.
I've had two Intel nics with the same MAC address.
A MAC address is made up of 6 bytes. The first three are the manufacturer so that only leaves three bytes for unique addresses. FFFFFF = 16,777,215 unique addresses.
Some manufacturers have more than one three-byte identifier, but many just re-use. Using a MAC address as a unique identifier is going to give you a lot of false positives.
I guess their train of thought is that if he's too stupid to build bombs that actually work, he's probably also too stupid to even know what a MAC address is.
Not all "cyber" criminals are computer wizards and strategic masterminds. Just like very few bank robbers are Ocean's Eleven.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Most criminals aren't geniuses. Especially the ones that get caught. Someone with bomb-making skills may or may not have advanced computer skills. A large majority of people don't know that MAC addresses even exist, let alone know what they are, or that they can be changed.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
Finally, someone using their head for what it is intended for.
This seems either an interesting social experiment or just laying a precedent to ask for mandatory access to router logs.
1. Not unique.
2. Can be spoofed.
3. Presumption of innocence before pinning blame on anyone with this MAC.
4. Routers don't typically log access, and even if they did most would be aged out by now (buffer overflow or reboot).
This is terrible police work on all accounts...
Can't they just ask the NSA for help?
That's stupid. That would make virtualisation illegal because platforms like VirtualBox create a fake MAC address for every guest you spin up.
Well, he hasn't gotten caught yet, has he? Maybe he has spoofed his MAC address and they're now on the tail of some totally innocent sod who just happens to have this MAC address.
So what do those logs look like?
Like "Mon Jan 14 14:39:37 CET 2019: A station associated!"?
CLI paste? paste.pr0.tips!
Router logs differ depending on the router, and what it's configured to do. There's no set format for what a router logs or how; it depends on the router OS, model and configuration.
Changes in routing information would normally go in router logs, along with information on packets that cannot or would not be routed, and interfaces that go up or down.
"A station associated" seems to me to be an access point log, not a router log. (Granted, these days some call everything a "router", much like they called every computer a "cpu" or "hard drive" in the past.)
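Added worked example (editor's code, not from the ZDNet article or any commenter). It ties together three points raised in the thread: the claim that the prefix F8:E0:79 is Motorola's OUI, the comment that a MAC is six bytes of which three identify the manufacturer (so 2^24 = 16,777,216 device values per prefix, not 16,777,215), and the question of what router or access-point logs actually look like. The code normalises the different ways a MAC is written, decodes the two flag bits in the first octet that distinguish a factory-assigned address from a locally administered (spoofed or per-network randomised) one, and searches log lines for a target address. Assumptions: the OUI table is a tiny stand-in for the IEEE registry with only the entry the article attributes to Motorola, and the dnsmasq/hostapd/switch log lines are constructed for the example, not real evidence.

```python
# Added example (editor's code, not from the article or the thread).
# MAC normalisation, OUI/flag-bit classification, and a search of
# constructed router/AP log lines for a target address.
import re

# Stand-in for the IEEE OUI registry (the real list is published by the
# IEEE and has tens of thousands of entries). Only one illustrative entry,
# the attribution the article itself reports for the suspect's prefix.
OUI_TABLE = {
    "F8E079": "Motorola Mobility (attribution as reported in the article)",
}
ADDRESSES_PER_OUI = 1 << 24   # 24 device bits: 16,777,216 values per prefix

# Matches the common textual forms: aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF
# and the Cisco-style aabb.ccdd.eeff.
MAC_TOKEN = re.compile(
    r"(?i)\b("
    r"[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}"
    r"|[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}"
    r")\b"
)


def normalize_mac(text):
    """Return the 12 upper-case hex digits of a MAC, whatever the separators."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % text)
    return digits.upper()


def classify(mac):
    """Decode the OUI and the two flag bits of the first octet.

    Bit 0 (0x01) set -> multicast/group address, never a station.
    Bit 1 (0x02) set -> locally administered: set by software, e.g. by
                        per-network MAC randomisation on recent Android/iOS
                        or by a manual spoof; the OUI lookup is meaningless.
    Both clear       -> universally administered, i.e. the burned-in
                        address assigned under the vendor's IEEE-registered OUI.
    """
    digits = normalize_mac(mac)
    first_octet = int(digits[:2], 16)
    return {
        "mac": ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower(),
        "oui": digits[:6],
        "vendor": OUI_TABLE.get(digits[:6], "unknown (not in this table)"),
        "multicast": bool(first_octet & 0x01),
        "locally_administered": bool(first_octet & 0x02),
    }


def find_sightings(lines, target):
    """Return the log lines in which `target` appears, in any textual form."""
    wanted = normalize_mac(target)
    hits = []
    for line in lines:
        if any(normalize_mac(tok) == wanted for tok in MAC_TOKEN.findall(line)):
            hits.append(line)
    return hits


# Constructed log lines in the formats a home router (dnsmasq DHCP server,
# hostapd access point) or a small managed switch typically emits. Not real data.
SAMPLE_LOGS = [
    "Apr 13 21:02:09 gw hostapd: wlan0: AP-STA-CONNECTED f8:e0:79:af:57:eb",
    "Apr 13 21:02:11 gw dnsmasq-dhcp[912]: DHCPACK(wlan0) 192.168.178.23 f8:e0:79:af:57:eb android-7c1",
    "Apr 14 08:15:30 gw dnsmasq-dhcp[912]: DHCPACK(wlan0) 192.168.178.40 3c:22:fb:01:02:03 laptop",
    "Apr 14 09:00:00 ap1 station F8-E0-79-AF-57-EB associated to ssid Cafe",
    "Apr 14 09:30:00 sw1 %MAC_MOVE: f8e0.79af.57eb moved from Gi1/0/1 to Gi1/0/2",
    "Apr 14 10:00:00 gw hostapd: wlan0: AP-STA-CONNECTED da:a1:19:44:55:66",
]

if __name__ == "__main__":
    target = "f8:e0:79:af:57:eb"
    print(classify(target))
    for line in find_sightings(SAMPLE_LOGS, target):
        print("sighting:", line)
    # A randomised per-network address carries the locally-administered bit:
    print(classify("da:a1:19:44:55:66")["locally_administered"])
```

Two practical notes fall out of this. The address in the appeal has both flag bits clear, so it is at least consistent with a burned-in address rather than a randomised one; an address with the 0x02 bit set (as in the last sample line) would be a sign that the vendor lookup is worthless. And a naive `grep` for the colon form misses the dash and dotted forms that access points and switches use, which is why the search normalises every candidate token before comparing.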
What, eh? It's so suspicious. If you don't want to have problems with IPs and MACs you can use TP-Link routers and connect to the Arris modem IP address. And that's all, no problems.