Wanted – have you seen this MAC address: f8:e0:79:af:57:eb? German cops appeal for logs in bomb probe German police investigating a blackmailer's parcel bombing campaign reckon they know the MAC address of a device used by the scumbag, and hope network logs can help unmask the perp. Between November 2017 and April 2018, improvised explosive devices were sent to addresses in and around Berlin and Frankfurt an der Oder via DHL, …
It quotes the MAC address and even looks up the vendor. It even tells us where the MAC address is from. That's so completely unlike what I'm used from TheReg.
Who are you and what have you done to TheRegister?
" it's possible the extortionist may be unaware of MAC addresses."
I doubt it. If the dude was able to come up with a QR-code for an extortion letter, he/she is most likely IT literate, and probably knows full well what a MAC address is. BTW, if this is the case and they read this article, they now know full well they need to dispose from that Lenovo device ... now.
I'm now imagining Robert Culp watching the news and furtively trying to feed a Motorola RAZR into a shredder...
(Becuase the RAZR somehow suits the 1970s aesthetic, and Robert Culp because he was in "Death Lands A Hand", which I regard as THE classic Columbo - especially when it comes to incriminating yourself by disposing of the evidence...)
If the dude was able to come up with a QR-code for an extortion letter, he/she is most likely IT literate
Not necessarily. QR codes are pretty well known. I mean the things are everywhere and a quick google search will tell an interested party how to make one without them even having to understand the underlying concept. But someone with no knowledge of networking technologies would be unlikely to have come across the term "MAC address".
Mind you, if they didn't know what a MAC address was before then they do now and are no doubt either spoofing a new one - an easy task to figure out once you know that it's possible - or shopping for a new phone.
If the dude was able to come up with a QR-code for an extortion letter, he/she is most likely IT literate
Umm - not so much. I used to know a guy who started a company creating QR codes for peoples' adverts, business cards, whatever. I think my shoes are more IT-literate.
Note - that does not make him a bad person. It just means he wouldn't know a MAC address from a serial number.
It depends on if you are dealing with an advanced script-kiddy or someone who is actually IT literate. QR codes are a bit more advanced than normal script-kiddy stuff but would say one has to be IT literate to use one. MAC addresses are less well known as generally they are not that important to the average user. They have probably seen them when pairing a Bluetooth device but would not have much need to be really aware of what they are or do.
It depends on if you are dealing with an advanced script-kiddy or someone who is actually IT literate. QR codes are a bit more advanced than normal script-kiddy stuff but would say one has to be IT literate to use one.
Nonsense. Anybody who can run a browser and knows how to "google" can create a QR code.
Just googlling "create a qr code" and clicking on the first link takes you to a web site where you enter whatever text you want. One more click, and there's your QR code.
This post has been deleted by its author
Yes but these routers are "open", what home user that knows what a mac address is and understands the logs leaves their router open? They would have had a better chance deploying stingrays in locations the device has already been. I would have thought they could get more information from the ISP.
Separation is good, but why do you need your guest network to be open? I run two networks as well, but I just give the password to the guest network to any guests and don't change it so they can come back. I don't need to carry the traffic of anyone who comes along, either to have free bandwidth or, now that tracking is a thing, get accused of something done by a stranger.
Sure It's possible but then the old bill come back with "alright my son but you set it to open so you could claim anyone was using your connection, your nicked my lad" and the way this country is with it's draconian laws and procedures you could be in some trouble.
Whats the relationship between MAC address and IMEI number?
They are all written in the device flash at the same time at factory. This includes both the wifi Mac and and the Bluetooth Mac.
The manufacturer has all of them in their database and getting the data takes a couple of seconds once you come with a court order.
Das Plod (excuse me for my Pidgin German) are not following the proper Ordnung. There is something fishy here (grey import with re-flashed identity?) because if they have the MAC, they would have had the perp by now. There are countries where modifying the Macs and/or the IMEI permanently is a specific criminal offence on the books. This, will be coming here too. It is only a matter of time.
Probably want to be firing off a request for information (suitably couched in legalese) to MediaTek or Qualcomm
Even if they made it, Motorola has the data. Take the box which your phone arrived in. It should have a sticker with all MACs and IMEI. Older, battery equipped phones also had one printed underneath the battery.
Further to this, even if it was Mediatek or Qualcomm making the chipset, the actual MAC is out of Lenovo/Motorola range - it has been programmed by the factory. Once again - leaving a data trail.
That is done by the manufacturer and it KEEPS the details exactly because of requests like this from law enforcement.
I stay by my original assessment. Das Plod is either fumbling the ball here or there is something else at work like f.e. a grey import with reflashed numbers.
I stay by my original assessment. Das Plod is either fumbling the ball here or there is something else at work like f.e. a grey import with reflashed numbers.
I'd suggest not fumbling, just looking for more evidence .. e.g. to correlate with other potential perps; they may have the device but not the operator; see where else they've been (physically, and on t'Internet), and so on.
The MAC says it's Motorola. Motorola make phones. Not sure if they still make laptops, but they certainly make far less laptops than phones. They make tablets, but they are much less common than phones. So it's probably a phone.
This is Europe, so if it's a phone it's a GSM phone. The GSM standards require an IMEI number.
So it probably has an IMEI number.
This post has been deleted by its author
"Probably the mac originates from inside, because they are spoofing their spoof, and hacking their hack, backtracking their back trace, and then using 4 keyboards!"
You have obviously never seen CSI....
4 Keyboards??
If you had said 4 people using one keyboard, then I would agree with you, but 4 Keyboards? No, their is definitely only one keyboard assigned to the whole show.
The MAC address (Media Access Control) is the hardware address that is in the ethernet frame header at layer 2. ARP (Address Resolution Protocol) binds the MAC address to an IP address that we all know and love. MAC addresses are hardware specific and can be changed. If the perpetrator is reading this, then they have either changed their MAC address or disposed of the device.
In case you are wondering, the first three octets describes the manufacturer.
As per the article the blackmailer doesn't appear to have been using a randomised MAC address.
Also everybody suggesting that they should just destroy/dispose of the device with said MAC address is probably missing a trick also. The police aren't just looking for someone whose device has that MAC address they want logs indicating when and where the device with that MAC address has been.
With both date and location they can then look through existing CCTV footage in those areas and apply a process of elimination to whittle down the list of people who are present in all/most of the CCTV footage. The blackmailer is likely to be in most if not all of them but random people who happened to be in the area at the time are less likely to appear in all the footage.
It doesn't matter if the device has been disposed of, that's not what they are after, neither does it matter if the mac address is forged. As the article states they want to try and recover cctv footage linked to the use of the mac address, for instance pictures of everyone entering a cafe just prior to it connecting to the cafe's wifi, hence publicising it isn't an issue. Slim chance but better than no chance.
Surely all the plods need to do is to contact the mobile phone operator and get the logs of the MAC address over the last say 3-6 months.
They should then have time-based location information and that should pinpoint when and where the phone has been kept (esp overnight) ? That should be enough to narrow down where the perp lives and charges their phone (probably overnight, like most people !).
MAC not used to connect to mobile network...
The article suggested the device was probably a Motorola smartphone, in which case it has both IMEI and MAC. As has been noted, the manufacturer should be able to link the IMEI and MAC, and a bit of poking around phone records should then turn up an IMSI if it is a smartphone .. but the authorities are well aware of that (according to anecdotes the presenter gave us on a UMTS training course back in the day).
*if* the manufacturer retained this mapping (and presumably it would be the chipset manufacturer, and not the phone manufacturer as all this stuff is on a single system-on-a-chip like Snapdragons or MediaTek chips), then you can get an IMEI.
IEMI *is* used to authenticate a device when it attaches to the network, and certainly in the EU it is checked against a list of stolen devices so that in theory these are blocked from making calls, and so makes a stolen phone less valuable. I'm not sure how often this check is performed.
However, while IMEI is used to authenticate, it may not actually be stored anywhere - this may be implementation specific, although functionality should be present to do this in a standard EIR. Operators used to forbid non-locked-in phones on their networks, and so they'd need to use IMEI for that, however that's no longer the case, so it may well be that IMEI is no longer reliably stored at the operator for a subscriber. But you may well be able to set a watch for the IMEI so that when it is next used some lights flash, or whatnot, and that would get you the IMSI, and then, if it's not an anonymous pre-pay SIM, subscriber info follows, and call trace/legal intercept/geolocation can be activated for that device, and SWAT teams can swoop on locations...
This post has been deleted by its author
Anything that can be connected with an individual falls under the remit of GDPR and can not be stored long term. There are exceptions, or correctly, workarounds that allow IP addresses to be stored temporarily for things like criminal investigation but, and this is a big one, only in connection with activity carried out on the network. So, a general appeal for data relating to a MAC address is in breach of GDPR of which the police should be aware. This could invalidate any case by making evidence inadmissible.
This post has been deleted by its author
One thing the police will be aware of is the extent of the exceptions granted to them under GDPR.
It's not about the police, it's about the companies holding and potentially releasing the data. You are allowed to hold this data for a limited time for your own purposes, such as cyberattacks, but not for the general behest of third parties. This is why the various data retention laws were struck down by the German constitutional court.
The police can always apply for, and will usuallly get, a warrant to look at the data but companies are not allowed to do their work for them.
Does GDPR say no? A Mac address (or an IP address or an email name) is 'potentially identifiable' - but there isn't a blanket ban on holding the data. If you have a reason to store it, store it securely, and don't use it to identify an individual without their consent you can store it. So if my reason was 'monitor performance of my wif router' and the log was on a secure drive I'm ok. If my reason is 'identify repeat visitors to my coffee shop' or I leave the list on a train I'm not. So as long as someone with that address logged just calls up Police and says - I saw that MAC address, and leaves it to the police to do the CCTV thing, I don't think GDPR has been violated. And fairly certainly any 'public' wifi will have a 'the right to monitor and collect information while you are connected to the Service. Any information collected may be used at the discretion of the operator, including sharing information with law enforcement agencies e.g. for the prevention and detection of crime, the apprehension of offenders and other applicable legal requirements." clause in the small print.
So, just to get this straight. When the police issue an appeal for "a 5ft 10in tall man wearing jeans and a red puffa jacket" in connection with a crime, that's fine, but a MAC address isn't?
Absolutely, which is why they so rarely use names in such circumstances. So, a Lenovo X13 Thinkpad, or whatever, the manufacturer says the device is, would also be fine.
If the Police were clever about this, they would set up multiple open wi-fi access points or bluetooth readers around the area along with camera's.
If the perp has his phone set to look for open wi-fi/left bluetooth on, then they might get him in passing, or if not then he might just use one of their hotspots and catch him in the act.
Apparently: "During the investigation, the German police successfully communicated with the alleged blackmailer multiple times via an email and succeeded in capturing his/her Motorola brand device's MAC address f8:e0:79:af:57:eb, which was allegedly connected to several public Wi-Fi networks in Berlin at different times"
really... how...
Perhaps the IP used for the email (and visible in the headers) was traceable (via the ISP) to a router/hub/access point that kept a record of sessions - e.g. commercial Cisco wifi APs will keep records for each device containing MAC address, authentication method, #packets/bytes shipped in each direction, start time and duration (pinch of salt on that one as there's no explicit disconnect in wifi), so all they need to do is get a judge to sign off on a legal "search" of the router to get the logs from it, which are available through a standard API with the appropriate credentials (which no doubt the operator holds).
The email server will add your external IP address to the email header, which will give them the public wi-fi from the ISP.
Emails clients will either add the local IP to the email header or send it in the helo to the email server which will then add it the header. (webmail won't include it as you can't get the local IP in a browser)
The MAC address will be in the log of the wi-fi networks DHCP or maybe still in the DHCP server with the IP lease. Which will also includes the host name of the device. Windows 7 and maybe 8 would name PCs after the initial user so you get a lot of first names. Android and Windows 10 gives seemingly random names.
My home router (ISP provided) still lists the MAC address of a device which was connected once over 3 months ago, includes the host name (first name of the owner) so I know what device it was.
step 1 - run an open WiFi hotspot in a popular location
step 2 - harvest all the MAC addresses you can
step 3 - repeat in several locations
step 4 - spoof a random assortment of those MAC addresses when using the net for nefarious purposes
step 5 - wait until they start looking for one of them and move to another
It's only anonymous if there is no CCTV of the person. If they bought a phone there may be CCTV in that surrounding area. Every time they used the phone , if the MAC did not change, there may be CCTV in that area.
This exercise is not about tracing the individual from the device it is about getting a movement pattern to use CCTV or asking people in the area at the time.
I don't think it matters if the mac address is legit, spoofed or changed often, or if the phone has been binned.
If someone contacts them and says "Hey, I just checked my logs, someone connected to our Cafe's WiFi with that MAC address at 10:15am on the 35th of Febtober, and I checked the CCTV and there is a shifty looking guy sipping a coffee in a corner, surrounded by fireworks and empty boxes of nails, scrolling through facebook - want to check it out? I have the credit card number he used to buy his coffee" that'd be pretty damn useful.
"A police probe turned up the MAC address f8:e0:79:af:57:eb, which, if genuine and non-spoofed, belongs to a Motorola/Lenovo device – most likely a Motorola smartphone."
Chances are high that if the user is running a stock ROM without ROOT that Zuckerbergs infamous Graph API is installed either by the Facebook app or any number of third party apps that use Facebook's API.
The Facebook Graph API scans and collects WIFI SSID , MAC address,etc.
private static final String PARAM_MAC_ADDRESS = "mac_address";
private static final String PARAM_LATITUDE = "latitude";
private static final String PARAM_LONGITUDE = "longitude";
"infamous Graph API is installed either by the Facebook app or any number of third party apps that use Facebook's API."
On a related matter: I don't use Facebook on my phone, I use it very little (and reluctantly) on desktop Interweb, etc.
My last three mobiles have been Moto G with stock Android ROM, with no obvious pre-installed Facebook. If I know that an optional app is closely linked with Facebook, I don't install it, which is one reason why I have no Whatsapp,
Is there an easy way for people to check whether their phone(s) or other devices are infested by this Facebook Graph API pestilence?
Historic note: in the dim and distant dark days when GUIDs were a novelty and allegedly considered to be "progress", I was surprised to keep seeing 08-00-2B in the GUID in various places (typically in MS Office documents?). And then I found out why it was there, and what it meant, and decided there was going to be trouble ahead one day. Allegedly these things work differently now. Maybe they do.
"Is there an easy way for people to check whether their phone(s) or other devices are infested by this Facebook Graph API pestilence?"
You can check here:
https://reports.exodus-privacy.eu.org/en/reports/apps/
You might be surprised what is inside some of your apps.
Or you can do it manually using ADB by taking a SHA 256 sum of installed apps using PM and check the SHA sum against Virus Total results or by running dexdump.
(I believe Exodus goes into detail on how they checked for trackers)
You could also extract the APK's from your device and use any number of open source decompilers.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
