Slashdot Mirror


German Police Ask Router Owners For Help In Identifying a Bomber's MAC Address (zdnet.com)

An anonymous reader quotes ZDNet: German authorities have asked the public for help in surfacing more details and potentially identifying the owner of a MAC address known to have been used by a bomber in late 2017... The MAC address is f8:e0:79:af:57:eb. Brandenburg police say it belongs to a suspect who tried to blackmail German courier service DHL between November 2017 and April 2018. The suspect demanded large sums of money from DHL and threatened to detonate bombs across Germany, at DHL courier stations, private companies, and in public spaces. [The bomb threats were real, but one caught fire instead of exploding, while the second failed to explode, albeit containing real explosives.]

Investigators called in to negotiate with the bomber managed to exchange emails with the attacker on three occasions, on April 6, 2018, April 13, 2018, and April 14, 2018. One of the details obtained during these conversations was the bomber's MAC address, which, based on the hardware industry's MAC address allocation tables, should theoretically belong to a Motorola phone... Now, they're asking router owners to check router access logs for this address, and report any sightings to authorities. Investigators want to know to what routers/networks the bomber has connected before and after the attacks, in order to track his movements and maybe gain an insight into his identity.
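
An added example, not part of the story or of any comment below: one way a router owner could check saved logs for the published address. Devices write MACs in several notations, so the search normalizes each candidate before comparing; it also splits out the manufacturer prefix (OUI) and the locally-administered bit that randomized addresses set. The function names and the sample log lines (written in the style of dnsmasq and hostapd output) are constructed for illustration.

```python
import re

TARGET = "f8:e0:79:af:57:eb"  # address published in the police appeal

# Colon/hyphen octets, Cisco-style dotted groups, or 12 bare hex digits.
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f:.-])(?:"
    r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}"
    r"|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}"
    r"|[0-9A-Fa-f]{12}"
    r")(?![0-9A-Fa-f:.-])"
)

def normalize(mac):
    """Reduce any common notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9A-Fa-f]", "", mac).lower()

def describe(mac):
    """Split a MAC into its OUI and the flag bits of the first octet."""
    first = int(normalize(mac)[:2], 16)
    return {
        "oui": normalize(mac)[:6],                # manufacturer prefix
        "locally_administered": bool(first & 2),  # set on randomized MACs
        "multicast": bool(first & 1),
    }

def find_sightings(lines, target=TARGET):
    """Return (line_number, line) for every line that mentions the target."""
    want = normalize(target)
    return [
        (n, line)
        for n, line in enumerate(lines, 1)
        if any(normalize(m) == want for m in MAC_RE.findall(line))
    ]

# Constructed sample log lines (not real data), mixing notations.
SAMPLE_LOG = [
    "Apr 13 09:14:02 dnsmasq-dhcp[512]: DHCPACK(br0) 192.168.1.23 f8:e0:79:af:57:eb android-1",
    "Apr 13 09:15:40 hostapd: wlan0: STA F8-E0-79-AF-57-EB IEEE 802.11: associated",
    "Apr 13 09:20:11 dnsmasq-dhcp[512]: DHCPACK(br0) 192.168.1.24 da:a1:19:0c:33:7e laptop",
    "Apr 14 18:02:55 switch: learned f8e0.79af.57eb on port 3",
    "Apr 14 18:03:10 dnsmasq-dhcp[512]: DHCPACK(br0) 192.168.1.25 f8:e0:79:af:57:ec other",
]

if __name__ == "__main__":
    for n, line in find_sightings(SAMPLE_LOG):
        print(n, line)
    print(describe(TARGET))
```

A plain text search for the colon form alone would miss the second and fourth sample lines, which record the same address in hyphenated and dotted notation.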

20 of 141 comments

  1. Wait a damn sec by Squiddie · · Score: 2, Insightful

    So the police haven't even considered that he might have spoofed his MAC address? Or that he used a burner device? Nice police work.

    1. Re:Wait a damn sec by bill_mcgonigle · · Score: 4, Insightful

      Why would you assume they have assumed that? Those are just two of roughly eight scenarios I can think of without much effort - why would police not follow and extinguish all possible leads?

      Methinks they're doing OK without needing to hire you as a police consultant.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  2. Re:Probably spoofed by wolfheart111 · · Score: 4, Informative

    The router will show the spoofed mac, so they will know his location of the router, search street cams of the surrounding area.

    --
    [($)]
  3. Only insecure ones. by wolfheart111 · · Score: 2

    Go to Shodan, filter insecure routers in Germany... there's apis for shodan as well... WTF nevermind they should know this shit already.

    --
    [($)]
  4. A near impossible task by Artem+S.+Tashkinov · · Score: 4, Insightful

    There are several huge issues with this call:

    First of all, most likely the suspect has long gotten rid of the device and I'm not sure how finding his device in logs might help anyone (aside from narrowing down his whereabouts but then we have to presume that the CCTV footage at that location still remains which is highly unlikely).

    Second of all, assuming he's not a total idiot, he could have modified his device MAC address which is possible for most Android smartphones.

    Thirdly, this device was probably produced by Motorola/Lenovo, because F8E079 is their unique MAC prefix.

    Fourthly, most people keep their routers password-protected which makes the task even harder.

    Lastly, most Wi-Fi routers can barely keep more than a week's worth of logs and they are not stored permanently, so reboot wipes them clean.

  5. Not so subtle request to the NSA by Anonymous Coward · · Score: 4, Funny

    The German government has barred the BKA from directly working with the NSA, so now they are posting their dead-ends publicly.

  6. Back for White hat by seoras · · Score: 2

    Given the monumental technical task being asked here of Joe Public I wonder if the German cops are really asking hackers, who want to show off their skills, for help?

    1. Re:Back for White hat by ausgamer · · Score: 2

      Given the monumental technical task being asked here of Joe Public I wonder if the German cops are really asking hackers, who want to show off their skills, for help?

      Hackers do not help the police ever. They are not faggots like you.

  7. What? by YuppieScum · · Score: 5, Interesting

    Router logs? Really?

    You have the MAC address, so you can identify the manufacturer. You call them, ask them for the IMEI, and the supply chain details.

    From the supply chain details, you can track it to a retailer. You then ask the retailer for the details of whomever bought it.

    From the IMEI, you ask the cellular telcos for details of the SIM associated with it in the period in question, and all the other data they hold - call history, SMS, whatever.

    You ask the SIM vendor for any details on the subscriber - even if it's a PAYG and they paid cash, the location of the transaction will be available.

    From the other telco data, you can track down the suspect's associates, always presuming they might be entirely uninvolved beyond being an acquaintance.

    Unless this suspect bought the phone from a second-hand store (or stole it), never put a SIM in it, and used public WiFi for their scheme, you stand a moderate chance of getting close.

    Hoping that random people will (a) see your request, (b) understand what it means, (c) own a router with open access, (d) know how to look at their logs, (e) be bothered to do so, and (f) have logs that go back at least nine months, seems to be a long shot.

    I get the impression that some policeman has equated a MAC address to a car's registration number, so decided to ask if anyone has seen it...

    --
    This sig left unintentionally blank.
    1. Re:What? by SuiteSisterMary · · Score: 2

      Hoping that random people will (a) see your request, (b) understand what it means, (c) own a router with open access, (d) know how to look at their logs, (e) be bothered to do so, and (f) have logs that go back at least nine months, seems to be a long shot.

      It's absolutely a long shot. But it costs them, what, five minutes to type up a press release and hand it to the department media liaison. They'd be stupid not to put out the request.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  8. Re:Irresponsible idiots, holy hell! by ledow · · Score: 2

    Of course you can. I do it all the time (HyperV tools to emulate an existing MAC from another server for failover etc.). I've been able to - and have done - it since kernel 2.0 at least... I actually use MAC address as part of things like RADIUS authentication, though. Because 99.999% of people would never be able to work out how to do it.

    They've even already eliminated the modern feature of "disposable" MAC addresses given to each Wifi network you probe to prevent such tracking... they know his MAC stayed the same all those days as they correlated several things together.

    The chances that he did this are absolutely minimal.

    I can change a car number plate in about 5 minutes, tops, to any other valid one that I see on the road. But police still call out those for incidents where a suspect car was spotted too.

    It's not about "this is convictable in a court of law". It's a correlative piece of evidence that may well lead to chance correlations which can lead to REAL evidence (i.e. seeing the same guy walking around town, on his phone at a certain location and time (which will give them his number and calls) and so on).

    But they can't link the MAC address directly to IMEI or SIM or phone number, most likely, or they'd have already done it.

    Stop thinking "A jury would never convict on that basis" and think "That's a clue that may well lead to a suspect".

  9. Re:Irresponsible idiots, holy hell! by dunkelfalke · · Score: 2

    A jury wouldn't be involved anyway, Germany generally uses professional judges.

    --
    "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
  10. Re:router reset by DeBaas · · Score: 2

    true, I've only got entries from the DHCP server with MAC addresses in it

    --
    ---
  11. What a coincidence by certsoft · · Score: 3, Funny

    I have the same combination on my luggage.

  12. Re:Spoofed mac? by thewolfkin · · Score: 2

    So how do they know the address is not spoofed?

    to an extent it wouldn't matter right. if he's been using the spoofed address all over his villain base then seeing that spoofed address in your logs could indicate that he was nearby.

    But another point is that if he stole someone else's mac address (not "stole" but ya know) then he could basically hide in their wake. But i mean that's the sort of math I'd like to see on basic cable cop procedural. They have a mac address but they have to figure out which locations were the innocent person and which were him. that's an episode of CSI:Cyber or Numb3rs what I would enjoy watching. (I'm pretty sure both of those are cancelled now)

    --
    Just another second banana
  13. Address space collisions... by sweet+'n+sour · · Score: 2

    I've had two Intel nics with the same MAC address.

    A MAC address is made up of 6 bytes. The first three are the manufacturer so that only leaves three bytes for unique addresses. FFFFFF = 16,777,215 unique addresses.
    Some manufacturers have more than one three-byte identifier, but many just re-use. Using a MAC address as a unique identifier is going to give you a lot of false positives.

  14. Re:Spoofed mac? by Opportunist · · Score: 2

    I guess their train of thought is that if he's too stupid to build bombs that actually work, he's probably also too stupid to even know what a MAC address is.

    Not all "cyber" criminals are computer wizards and strategic masterminds. Just like very few bank robbers are Ocean's Eleven.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  15. Re:If that keeps happening by Opportunist · · Score: 2

    This is Germany we're talking about. The solution is probably that all parcels containing bombs have to clearly be labeled as such so no future incidents can happen anymore.

    Next week the opposition parties will probably lament why the ruling parties didn't have that idea earlier.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  16. Re:If that keeps happening by phantomfive · · Score: 2

    It seems reasonable. Then they can sort them into bomb and nonbomb categories without too much effort.

    --
    "First they came for the slanderers and i said nothing."
  17. Re:Spoofed mac? by dj245 · · Score: 2

    Most criminals aren't geniuses. Especially the ones that get caught. Someone with bomb-making skills may or may not have advanced computer skills. A large majority of people don't know that MAC addresses even exist, let alone know what they are, or that they can be changed.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.