German Police Ask Router Owners For Help In Identifying a Bomber's MAC Address (zdnet.com)
An anonymous reader quotes ZDNet: German authorities have asked the public for help in surfacing more details and potentially identifying the owner of a MAC address known to have been used by a bomber in late 2017... The MAC address is f8:e0:79:af:57:eb. Brandenburg police say it belongs to a suspect who tried to blackmail German courier service DHL between November 2017 and April 2018. The suspect demanded large sums of money from DHL and threatened to detonate bombs across Germany, at DHL courier stations, private companies, and in public spaces. [The bomb threats were real, but one caught fire instead of exploding, while the second failed to explode, albeit containing real explosives.]
Investigators called in to negotiate with the bomber managed to exchange emails with the attacker on three occasions, on April 6, 2018, April 13, 2018, and April 14, 2018. One of the details obtained during these conversations was the bomber's MAC address, which based on the hardware industry's MAC address allocation tables, should theoretically belong to a Motorola phone... Now, they're asking router owners to check router access logs for this address, and report any sightings to authorities. Investigators want to know to what routers/networks the bomber has connected before and after the attacks, in order to track his movements and maybe gain an insight into his identity.
The router will show the spoofed MAC, so they will know the location of the router and can search street cams of the surrounding area.
There are several huge issues with this call:
First of all, most likely the suspect has long since gotten rid of the device, and I'm not sure how finding his device in logs might help anyone (aside from narrowing down his whereabouts, but then we have to presume that the CCTV footage at that location still remains, which is highly unlikely).
Second of all, assuming he's not a total idiot, he could have modified his device's MAC address, which is possible for most Android smartphones.
Thirdly, this device was probably produced by Motorola/Lenovo, because F8E079 is their unique MAC prefix.
Fourthly, most people keep their routers password-protected which makes the task even harder.
Lastly, most Wi-Fi routers can barely keep more than a week's worth of logs, and they are not stored permanently, so a reboot wipes them clean.
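As an added example (not from the article or from any poster in this thread), a short Python script that does what the appeal asks of router owners and what the comment above notes about the F8E079 prefix: it finds the published MAC in router log lines whatever separator style the firmware uses, maps its OUI to the vendor named on the page, and checks the locally-administered bit that a randomised or spoofed address carries. The vendor table and the sample log lines are constructed for illustration and are not real logs.

```python
import re

# MAC address published in the police appeal (quoted in the article).
TARGET_MAC = "f8:e0:79:af:57:eb"
# OUI (first three octets) -> vendor; only the prefix the thread names is listed.
# A real lookup would use the IEEE OUI registry (assumption, not on the page).
KNOWN_OUIS = {"f8e079": "Motorola Mobility (Lenovo)"}
# Matches aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabbccddeeff; the \2
# backreference forces one consistent separator across the whole address.
MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}([:\-]?)(?:[0-9a-fA-F]{2}\2){4}[0-9a-fA-F]{2})\b")
# Constructed sample lines in hostapd/dnsmasq/kernel syslog style; not real logs.
SAMPLE_LOG = """\
Apr  6 21:14:02 router hostapd: wlan0: STA f8:e0:79:af:57:eb IEEE 802.11: associated
Apr  6 21:14:03 router dnsmasq-dhcp[1042]: DHCPACK(br-lan) 192.168.1.23 f8:e0:79:af:57:eb android-7c1
Apr  7 08:02:11 router hostapd: wlan0: STA 3c:5a:b4:10:22:33 IEEE 802.11: associated
Apr  7 09:30:45 router kernel: wl0: F8-E0-79-AF-57-EB deauthenticated (reason 3)
Apr  7 10:00:00 router web: client f8e079af57eb lease expired
"""

def normalize_mac(token: str) -> str:
    """Canonical lower-case colon form, whatever separator the log used."""
    digits = re.sub(r"[^0-9a-fA-F]", "", token).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {token!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def oui_vendor(mac: str) -> str:
    """Vendor for the 24-bit OUI, or 'unknown' if the prefix is not in the table."""
    return KNOWN_OUIS.get(normalize_mac(mac).replace(":", "")[:6], "unknown")

def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was assigned locally
    (randomised or spoofed), so the OUI says nothing about the real hardware."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def find_mac_sightings(log_text: str, target: str) -> list:
    """Return (line number, syslog timestamp) for every line naming target."""
    want = normalize_mac(target)
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if any(normalize_mac(m.group(1)) == want for m in MAC_RE.finditer(line)):
            hits.append((lineno, line[:15]))  # BSD syslog timestamp is 15 chars
    return hits

if __name__ == "__main__":
    print(oui_vendor(TARGET_MAC), "locally administered:", is_locally_administered(TARGET_MAC))
    for lineno, stamp in find_mac_sightings(SAMPLE_LOG, TARGET_MAC):
        print(f"line {lineno}: seen at {stamp}")
```

On a real router you would feed it the exported syslog or DHCP lease file instead of SAMPLE_LOG; as the comment above says, those logs usually only go back days, not months.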
The German government has barred the BKA from directly working with the NSA, so now they are posting their dead-ends publicly.
Why would you assume they have assumed that? Those are just two of roughly eight scenarios I can think of without much effort - why would police not follow and extinguish all possible leads?
Methinks they're doing OK without needing to hire you as a police consultant.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Router logs? Really?
You have the MAC address, so you can identify the manufacturer. You call them, ask them for the IMEI, and the supply chain details.
From the supply chain details, you can track it to a retailer. You then ask the retailer for the details of whomever bought it.
From the IMEI, you ask the cellular telcos for details of the SIM associated with it in the period in question, and all the other data they hold - call history, SMS, whatever.
You ask the SIM vendor for any details on the subscriber - even if it's a PAYG and they paid cash, the location of the transaction will be available.
From the other telco data, you can track down the suspect's associates, always presuming they might be entirely uninvolved beyond being an acquaintance.
Unless this suspect bought the phone from a second-hand store (or stole it), never put a SIM in it, and used public WiFi for their scheme, you stand a moderate chance of getting close.
Hoping that random people will (a) see your request, (b) understand what it means, (c) own a router with open access, (d) know how to look at their logs, (e) be bothered to do so, and (f) have logs that go back at least nine months, seems to be a long shot.
I get the impression that some policeman has equated a MAC address to a car's registration number, so decided to ask if anyone has seen it...
This sig left unintentionally blank.
I have the same combination on my luggage.