76

My school has recently asked us to submit our MAC address to the school along with our designated name to be used to connect to the Wi-Fi. Previously this wasn't needed.

I would like to ask about what kind of information that they can collect from this? Would they be able to track our browsing history or more? What if I use Tor Browser? Would it have any effect?

If they can track me, what measures can I take to prevent them from invading my privacy?

user541686
cyanide
  • 111
    "what measures can I take to prevent them from invading my privacy?" - don't use their WiFi for anything you want kept private. – brhans Aug 04 '16 at 19:29
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/43568/discussion-on-question-by-cyanide-school-asked-to-submit-our-mac-addresses). – Rory Alsop Aug 06 '16 at 18:32
  • This is most likely to be able to track back issues from a device found in the logs to an owner. Also it may be to allow only known devices to connect, to avoid misuse. – Thorbjørn Ravn Andersen Aug 07 '16 at 04:41
  • 1
    @brhans You don't need to go to such extremes however. You could use end-to-end encryption (so for example, Whatsapp should be safe) or a VPN to tunnel all your traffic. – Jon Bentley Aug 07 '16 at 09:23
  • 1
    I use "MAC Filtering" at my home network for preventing unwanted access from outsiders. Imagine it as a white list of MAC addresses, including all those who have access or as a Black list including those who have no access. – mchar Aug 07 '16 at 10:57
  • If you can afford a secure VPN (like IVPN?) you can use that to prevent spying. All they'll be able to tell is that you're connected to a VPN. Not what sites you're visiting over it. You'll possibly need to configure it to go over HTTPS. If you have a server outside school (like your home PC) you can also configure SSH to port 443 and SSH tunnel out and again they won't be able to spy on you AFAICT – gman Aug 08 '16 at 02:39
  • 5
    Have you considered telling them your device randomly selects a MAC address from the range 00:50:56:00:00:00 to 00:50:56:3f:ff:ff:ff every time it boots and you will need to reserve all of them? – Eric Towers Aug 08 '16 at 06:28
  • @EricTowers I shall ask them, so how would the IT staff manage the ever changing MAC address? – cyanide Aug 08 '16 at 09:58
  • 3
    @cyanide: They wouldn't. They would say "you may not connect this device to our network" and wouldn't allow it to authenticate with the wireless access point. – Lightness Races in Orbit Aug 08 '16 at 11:37
  • @LightnessRacesinOrbit : Note that the response you describe will cut out every VMWare virtual NIC (that does not have a manual MAC set). (This may only affect ESX, I haven't checked too carefully.) – Eric Towers Aug 08 '16 at 20:43
  • @EricTowers: Indeed. At that point you switch the VMWare NIC into NAT or host-only mode. – Lightness Races in Orbit Aug 09 '16 at 08:54
  • @LightnessRacesinOrbit : ... and break IPv6 connectivity to the VM. (Unless, I suppose, you choose to run an additional 6/4 tunneling VM with it. Whee...) – Eric Towers Aug 09 '16 at 14:37
  • @EricTowers: None of this seems relevant to performing schoolwork though, unless setting up a VM with such traffic is part of your schoolwork, in which case the relevant facilities would be explicitly provided for that schoolwork. – Lightness Races in Orbit Aug 09 '16 at 14:42
  • @LightnessRacesinOrbit : Unless your device is already VMed to partition personal from employer information, to partition trusted from untrusted information, or for other use cases. – Eric Towers Aug 09 '16 at 14:46
  • @EricTowers: Almost certainly the network policy will mandate that the school network be used only for school reasons (because that's the usage for which the network is provided, period). If it doesn't, then perhaps you can talk to your network administrators about putting something in place to support your personal setup. – Lightness Races in Orbit Aug 09 '16 at 14:51
  • Privacy Schmivacy. Convenience, Safety, Security. ATTENDANCE --if all students have a device [each with a unique MAC address for WiFi and Bluetooth], and each classroom has an AP with a transmit power level that doesn't bleed over into nearby classrooms, the teacher doesn't need to waste time taking attendance. Moreover, if a student is “lost” their last known location as a cue for video footage, can help “find” them. However, nothing keeps a student from turning WiFi [don't forget Bluetooth] OFF and using LTE cellular to download/upload data, jumping from one grid onto another. – Jules Bartow Nov 26 '16 at 12:53

9 Answers

81

I think you should ask why they want to use the MAC address, not necessarily for privacy reasons; "why do you need the MAC Address?" I think it's a reasonable question to ask them.

Firstly, they will have MAC addresses of all the individuals who connect to the WiFi. Any device connecting to the WiFi will reveal their MAC address, based on the ARP protocol.

They may think locking down WiFi to known MAC addresses is a good security measure. It's not really because I can obtain your MAC address if both of us are in the same Starbucks and on the same WiFi. I can then spoof your MAC address quite easily. So from a security measure this is not great.

They may want to track your activity. They can do this already without asking for your MAC; just giving them the MAC address allows them to map it to an individual more easily. They can get a history of MAC & IP address from logs and their NAT can keep a history of IP Address & Ports and map back to the MAC address.

If you use Tor, they will be able to say you used Tor, but not the content.

So, I would ask why do you want my MAC address, giving out the MAC address is not going to really affect you. Unless of course on your home WiFi or something else you are using MAC address as a method to identify yourself; as MAC address can be easily spoofed.

techraf
Darragh
  • I assume they are asking for my MAC address to pinpoint each browsing history at school to a certain individual. In this case I am a bit paranoid, thanks for the answer. I will ask them. – cyanide Aug 04 '16 at 12:29
  • 108
    In my personal opinion, students attempting to persuade the school that the school's IT policies are stupid (even if they are) is unlikely to produce a useful outcome for the student. They are likely to seem as frivolously argumentative. Using an organisation's network for private personal activities is not always sensible and rarely an inalienable right. – RedGrittyBrick Aug 04 '16 at 16:31
  • 1
    @cyanide it's a tough call on browser history. On one hand the school will want to ensure the infrastructure is not being abused, on the other hand students should have some element of privacy. Having said that they can employ proxies to protect the surfing of inappropriate material. – Darragh Aug 04 '16 at 17:27
  • 46
    If they are using MACs to track students then this sounds like a great way to troll the student you don't like. Step 1: spoof their MAC since they are on the same network, Step 2: download a bunch of porn :) – David says Reinstate Monica Aug 04 '16 at 20:23
  • 15
    _"any device connecting to the WIFI will give out there MAC address, based on the ARP protocol."_ - *Every* packet your computer sends, be it over WiFi or Ethernet, contains your MAC address. It's part of the physical layer protocol, and has very little to do with ARP. – marcelm Aug 04 '16 at 21:52
  • 22
    @DavidGrinberg: Maybe you think that "the students are downloading porn" is somehow noteworthy, but to the net admins, it's Tuesday. Somehow, I don't think your proposed trolling technique would be very effective. – Kevin Aug 05 '16 at 06:08
  • 5
    @RedGrittyBrick Do you really think the OP will get an answer if he does not ask? It is a contract between the school and him. He is **fully entitled** to ask what is in the contract and he really should. – SteffX Aug 05 '16 at 11:42
  • 4
    @SteffX: That's **not** what I said. Asking *what* is different from arguing about *why*. – RedGrittyBrick Aug 05 '16 at 13:22
  • 1
    I know of schools who use registered MACs as a way to track upload/download volume. If your usage patterns begin to have an outsized impact on the network traffic, they will ask you to play nice. I don't want to pass judgment one way or the other on this practice, but it is an in-the-wild answer to the "why?" question. – Michael Aug 05 '16 at 15:08
  • 4
    @marcelm The MAC address is not part of the PHY layer. It's part of the link layer (in particular the MAC sublayer). Edit: in 802.11 the MAC layer is actually an entirely separate layer – Steve Cox Aug 05 '16 at 17:53
  • What alternative approach would you suggest that ensures students can connect to the WiFi, but a random person from the street can't? – svick Aug 05 '16 at 19:56
  • 9
    @svick: WPA2 enterprise with client certificates. – R.. GitHub STOP HELPING ICE Aug 05 '16 at 20:32
  • 1
    @RedGrittyBrick: While in practice that's what happens, if this is a *residential* network, the school is acting as a landlord and as a residential ISP for students living there, and is at least morally, if not also legally, obligated to follow all regulations that apply to a party acting in such a role, including things like net neutrality, privacy, etc. – R.. GitHub STOP HELPING ICE Aug 05 '16 at 20:34
  • 1
    Rather than porn I suspect it's aimed at people using BitTorrent. – Loren Pechtel Aug 06 '16 at 05:58
  • 1
    Tor can be setup to appear that all traffic is going through Google or Bing. – Celeritas Aug 06 '16 at 11:00
  • @Kevin Me and my class got told off for using the college computer network to play LAN games once, so they probably have a point where they will interrupt something. – Pharap Aug 07 '16 at 10:33
  • 2
    @cyanide Sounds like they don't really understand or are capable of real security policy then. Find that pretty common when IT can't answer technical questions like that. – Shiv Aug 08 '16 at 05:55
  • 2
    @RedGrittyBrick - "Using an organisation's network for private personal activities is not always sensible" - Considering that it's not uncommon for students to live on campus while attending university (at least in the U.S.), I don't think that position is reasonable. To a student living in the dorms, the organization's network is their _only_ real option for high-speed, unmetered network access. – aroth Aug 08 '16 at 06:16
  • 1
    @R.. I disagree. WPA2 Enterprise with a Radius server linked to the College's LDAP makes more sense. It would also help the admins link your connection to a user much more reliably. – Aron Aug 08 '16 at 09:26
  • 3
    @cyanide You should ask them why they haven't set up a WPA2 Enterprise with a Radius Server backed by the College's LDAP. When they answer legacy support for LAN, you should ask why the WiFi isn't on a separate VLAN/Subnet, and do they think that putting everything on the same Subnet is a great plan... – Aron Aug 08 '16 at 09:33
  • @Aron: Because school pupils being cheeky to campus infrastructure providers is a great idea. – Lightness Races in Orbit Aug 08 '16 at 11:39
33

For a school, having all student device MAC addresses (unique hardware identifier) is a way to filter out a lot of unwanted traffic from the LAN. Even if outside devices from non-students spoof a legitimate, student-registered MAC, the packets being sent over the network can still be captured, opened, and the user agents, and other system identifiers can be observed. This lets the network admin know if someone is using a spoofed MAC and then the admin can effectively boot that MAC from the access point easily without filtering the specific MAC, which would block the legit student if done, with packet filtering blocks.

Using MAC address registries helps to keep a check on who is supposed to be connecting and who is not. But it is only a single security method. There are others such as 3rd party proprietary or open source tools that can determine the user agents and many other things such as system hardware specs, OS being used, browser plugins, etc. Even if these things are themselves spoofed. These will identify TOR daemon/browser users as well as identify Tails users (Linux OS that sends all system and web traffic through the TOR network).

If you wish to avoid being tracked, you have a few methods:

  1. Don't use school LAN.
  2. Use a bootable thumb drive and a USB wifi adapter.
  3. Create a virtual wireless interface and a custom interface profile.
  4. Use a virtual machine with a thumb drive.
  5. Tunnel through a legit student device such as a virtual NIC created using an ad hoc virtual interface bridged to the real interface. Spoof the VNIC identifiers.

This is just a small number of ways and not the best methods either. You may find more by doing some research.

Chris Cirefice
Yokai
  • 4
    I'm not sure the IT admins would go as far as implementing deep-packet inspection (for which they'd also need a HTTPS proxy) to detect changes in User-Agents (which could be caused by using a different browser) or anomaly detection of web browsing traffic. I'm also curious to what device information you think could be captured in Ethernet packages. I also wonder how you would kick a specific device off a network, if you can't use its MAC address for it. If they use MAC address filtering as a security measure, they'll definitely not be using certificate based authentication. – BlueCacti Aug 05 '16 at 09:57
  • 1
    @GroundZero You might be unsure, but I'm not... my school did that. Forced us all to install their root certificate so they could inspect the secure packets as well as the normal packets, then proceeded to lock everything down based on MAC addresses and user agents. – ArtOfCode Aug 05 '16 at 10:29
  • 4
    @ArtOfCode That's quite a heavy monitoring strategy of your school. However, User-Agents and MAC addresses can be spoofed quite easily. The only thing that worries me is that they intercept and inspect all traffic, including HTTPS. That would allow them to see and capture your credentials and sensitive data. – BlueCacti Aug 05 '16 at 11:45
  • 1
    @GroundZero Yep, and they did. I deliberately used separate accounts for things at school, because they could see and potentially use the creds. – ArtOfCode Aug 05 '16 at 16:24
  • @GroundZero Wait, are you saying they could read data transmitted over HTTPS/SSL between the user and an https website? Doesn't the encryption/decryption occur at the user's browser and at the web server? Are you implying a man-in-the-middle attack? – mikato Aug 05 '16 at 19:07
  • 4
    @mikato: In ArtOfCode's example, they explicitly required the users to install and trust a root CA certificate that would allow the firewall to spoof everything and MitM the connections. – hmakholm left over Monica Aug 05 '16 at 20:23
  • 4
    @GroundZero: What school was this? They need to be named and shamed (and probably prosecuted). – R.. GitHub STOP HELPING ICE Aug 06 '16 at 02:14
  • 1
    @R.. Every entity has right to control the traffic on his network. If a student rents drug from the school network, they will be prosecuted in the first line. – peterh Aug 07 '16 at 17:12
  • @mikato This didn't happen at my school, but at ArtOfCode's apparently. A company that installs a decrypting proxy and loads the proxy's SSL certificate in the user's systems is indeed performing something MitM-like. The proxy breaks the encryption by acting as the user when setting up the encryption with the web server, and acting as the web server while setting up encryption with the client (using its own CA that was loaded onto the user's device). It's the same as if you would install a sniffing tool like Burp on your own device to decrypt HTTPS traffic for penetration testing purposes – BlueCacti Aug 08 '16 at 08:57
  • 2
    @R.. This did not happen at my school, but at ArtOfCode's. A company or school can do this, if the local (privacy/cyber crime) legislation allows it. In most cases, this has to be included in the school/labor contract and cannot be used to arbitrarily sniff employees'/students' internet behavior. – BlueCacti Aug 08 '16 at 08:58
  • 1
    Students seem to forget that they are _guests_ on these networks and do not have universal rights and privileges. I see no valid reason to complain about traffic monitoring on a school network. If you want privacy, use your own network... but why are you using a school network for personal use? That is not what it has been provided for. – Lightness Races in Orbit Aug 08 '16 at 11:41
  • 1
    A rent-paying (even if rent is included in tuition) resident is not a "guest". They have renters' rights including a right to privacy. Would you also be arguing that the school (or, in general, a landlord) can install hidden cameras and microphones in residences? The principles by which an ISP (which the school is acting as) cannot snoop your traffic is the same principle by which the telco cannot listen to your voice conversations (altho they can facilitate LE doing so with proper authorization/warrant). Net neutrality also applies here. – R.. GitHub STOP HELPING ICE Aug 08 '16 at 16:27
  • @ArtOfCode I would hope that everyone knows they might be handing out their login credentials for banks and whatever else they go to. Do they tell everyone this loudly and clearly? Geez. – mikato Aug 09 '16 at 16:03
  • @mikato Not many school-age students do online banking just yet, at least not where I am. But no, we don't get informed that we're handing out creds - I only knew because I know a little more of the technical side than most students. – ArtOfCode Aug 09 '16 at 18:54
  • 1
    @ArtOfCode Well banks are just one example, but surely other non-student internet users may log into their bank site. The crazy thing is they could collect any logins like this while users may think they are secure. – mikato Aug 09 '16 at 21:51
  • I do realize that my answer would be a very, VERY paranoid school IT admin haha. But I was merely posting some very possible reasons for MAC profiling for school security. As there was recently a bomb threat email to a university from a student that was using Tor. Were it not for a paranoid school IT admin, this student would not have been caught. You can find details about it in the Defcon talk "How Tor users got caught". – Yokai Aug 12 '16 at 08:34
  • Also consider that deep packet inspection is not a necessity for host discovery on a local network. nmap is a wonderful open source port and service scanner that can find OS, OS version, services and their versions, etc. Wireshark can show system information without having to dig too deeply by using specific filters. But truly, any decent IT admin monitoring specific MACs on the AP will keep tabs on what OS those devices are running. So if two of the same MAC is found, a simple host discovery with nmap will show the spoofer and allow easy booting from the AP. – Yokai Aug 12 '16 at 08:40
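One way to run the check this answer describes (a registered MAC turning up with different system identifiers), as an added Python example that is not code from the answer or from any particular tool. The session record layout, AP names and hostnames are constructed for illustration; besides comparing identifiers per MAC, it also looks for the same MAC active on two access points at once and for addresses with the locally administered bit set.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations

TIME_FORMAT = "%Y-%m-%d %H:%M"

# Constructed sample: one record per Wi-Fi session, combining what an AP
# controller (MAC, AP, times) and DHCP/proxy logs (hostname, OS family) record.
# The record layout and all values are assumptions made for this example.
SESSIONS = [
    ("00:11:22:33:44:55", "ap-library", "2016-08-05 09:00", "2016-08-05 11:00", "laptop-17", "Windows"),
    ("00:11:22:33:44:55", "ap-gym",     "2016-08-05 10:30", "2016-08-05 10:50", "host-x",    "Linux"),
    ("3c:07:54:aa:bb:cc", "ap-library", "2016-08-05 09:00", "2016-08-05 09:40", "tablet-03", "iOS"),
    ("3c:07:54:aa:bb:cc", "ap-canteen", "2016-08-05 09:45", "2016-08-05 10:15", "tablet-03", "iOS"),
    ("06:aa:bb:cc:dd:ee", "ap-gym",     "2016-08-05 12:00", "2016-08-05 12:30", "phone-09",  "Android"),
]


def is_locally_administered(mac):
    """True if the U/L bit (0x02 in the first octet) is set, i.e. the address
    was assigned in software rather than by the manufacturer."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_sessions(rows):
    """Turn raw tuples into dicts with parsed timestamps and a comparable identity."""
    sessions = []
    for mac, ap, start, end, hostname, os_family in rows:
        sessions.append({
            "mac": mac.lower(),
            "ap": ap,
            "start": datetime.strptime(start, TIME_FORMAT),
            "end": datetime.strptime(end, TIME_FORMAT),
            # OS family rather than the full User-Agent: switching browsers
            # on one device should not look like a second device.
            "identity": (hostname.lower(), os_family.lower()),
        })
    return sessions


def find_anomalies(rows):
    """Map each suspicious MAC to a sorted list of reasons it was flagged."""
    by_mac = defaultdict(list)
    for session in parse_sessions(rows):
        by_mac[session["mac"]].append(session)

    findings = {}
    for mac, sessions in by_mac.items():
        reasons = set()
        # Same MAC, different hostname/OS: two devices may share the address.
        if len({s["identity"] for s in sessions}) > 1:
            reasons.add("conflicting-identifiers")
        # Same MAC on two APs at overlapping times: roaming produces
        # consecutive sessions, not simultaneous ones.
        for a, b in combinations(sessions, 2):
            overlap = a["start"] < b["end"] and b["start"] < a["end"]
            if overlap and a["ap"] != b["ap"]:
                reasons.add("concurrent-sessions")
        if is_locally_administered(mac):
            reasons.add("locally-administered")
        if reasons:
            findings[mac] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for mac, reasons in find_anomalies(SESSIONS).items():
        print(mac, ", ".join(reasons))
```

A dual-boot laptop or a renamed host also triggers `conflicting-identifiers`, so each finding is a lead to investigate, not proof of spoofing.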
26

Well, the school already has your MAC address since you've connected to their access points in the past. What they don't (necessarily) know is the association between your MAC addresses and your real name.
If that concerns you, just use a different MAC while you are at school:

```sh
ip link set dev wlp1 address XX:XX:XX:XX:XX:XX
```

Pick a Locally Administered MAC to avoid conflicts with devices that are using their manufacturer-assigned MAC on the same AP.

Note that a malicious user would run airodump-ng to discover another student's MAC address, kick that student off the network with aireplay-ng -0, and then use their MAC to impersonate them. If your school thinks that MAC-filtering is good security, they're in for a big surprise!

Navin
  • 6
    This should be popularised at the school, to ensure that the MAC idea dies quickly - back when I was at school they tried to introduce fingerprint scanners with some strange and rapidly broken promise that they'd improve security. – Mark K Cowan Aug 05 '16 at 12:15
  • What should I do to discover another student's MAC address? Where should I run airodump-ng? Do you have a good source to teach someone to sniff MAC addresses at a network? – cyanide Aug 06 '16 at 15:14
  • 5
    "Do you have a good source to teach" Did you try googling for "airodump-ng", @cyanide? – AnoE Aug 08 '16 at 09:12
  • @Navin Knocking off a legit student using the aircrack-ng suite may work briefly, but if you spoof the same mac to appear as the real student, and are continuously deauthenticating the exact same mac, you wouldn't be able to connect as that student either. Whether legit student or spoofed, if aireplay-ng -0 is used to deauth the HWaddr: 00:11:22:33:44:55 and you spoof your HWaddr to 00:11:22:33:44:55, then you will also be deauthenticated as well. – Yokai Aug 20 '16 at 07:33
3

They might not be thinking of it in terms of tracking measure but as an alternative to giving out WiFi password. MAC address white listing is a pretty common alternative.

If they gave out a WiFi password for logging in nothing is to stop another student from giving those details. Whereas white listing per MAC address prevents this information from being easily passed along.

Of course there is a concern of MAC address spoofing. But to connect to the network with a spoofed MAC address you will need to know a MAC address that already has access. And if the MAC address can be traced back to you then you likely would not want to share this information with a friend. And finally if you spoof once you gave them your MAC address it will only prevent you from connecting.

As far as privacy, if they have the technical means to retrieve your MAC address sent from your device to match it to their white list, nothing is stopping their firewall from logging additional information and making a match to your MAC address. For example, we get an IP returned in our firewall logs. We can just go to our MAC address list and search it for MAC addresses that used that IP.

Since they can intercept the traffic they can also get a bird's eye view of known applications you may be using and websites you are browsing. Getting a detailed idea of your activity on the other hand, while possible, is unlikely to happen due to the work involved. So while they might not know the contents of message X they could have known you were on service Y or website Z to send it. Bottom line: if privacy is a concern, avoid connecting to their network at all. Or at least avoid doing activities on their network that you wish to be private.

Bacon Brad
  • 4
    MAC address spoofing is trivial: if you're close enough to the WiFi to connect to it, you're close enough to see the MAC addresses of every computer connected to it. – Mark Aug 04 '16 at 20:17
  • 2
    @Mark I didn't recommend the school use MAC addresses for whitelisting. I simply pointed out that is why they are doing this. Is that the reason for the downvote? – Bacon Brad Aug 04 '16 at 20:24
  • 1
    @baconface, your third paragraph does seem to imply that it is hard to obtain a known MAC address for spoofing. – dan1111 Aug 05 '16 at 09:51
  • @Mark, how do you see the MAC address of every computer connected to it? What tools would someone need? – cyanide Aug 06 '16 at 14:54
  • 1
    @cyanide, you just need a wifi sniffer such as airodump-ng or Kismet -- start it up, select which AP you want to monitor, let it run for a few minutes, and you've got a list of the MAC addresses of everyone who's currently connected. – Mark Aug 06 '16 at 18:32
  • @Mark what is AP? I am a total noob in this. So I will just download Kismet or airodump-ng? – cyanide Aug 07 '16 at 02:35
  • 2
    @cyanide an AP is a (wireless) Access Point, the device that sends out a WiFi signal so you can connect to it. I'd suggest not playing around with any of these tools if you don't know the basics of (wireless) networking. It'd be better to first teach yourself some general stuff regarding Ethernet, IP, MAC addresses, WiFi protocols etc. before you delve into wireless sniffing and spoofing – BlueCacti Aug 08 '16 at 08:52
3

> I would like to ask about what kind of information that they can collect from this?

Having your MAC address facilitates analyzing log files.
Network log files often contain an IP address and some information about the connection.
For example, the following fictional log entry would indicate that a device with the IP address 10.10.100.123 connected to a system with the IP address 216.58.210.46 (google.com) on port 443 (HTTPS).

```
TIMESTAMP        | SOURCE IP:PORT       | DEST IP:PORT
-----------------------------------------------------------
2016-08-05 12:11 | 10.10.100.123:123456 | 216.58.210.46:443
```

Further research in other log files (e.g. DHCP leases) could indicate that the internal IP address 10.10.100.123 was handed out to the MAC address 01:23:45:67:89:01.

```
IP ADDRESS    | MAC ADDRESS       | LEASE START      | LEASE END
-----------------------------------------------------------------------
10.10.100.123 | 01:23:45:67:89:01 | 2016-08-03 09:35 | 2016-08-10 09:35
```

That MAC address can then be matched to the network adapter of the device of a certain student.

This allows the school, or any authority that is able to request the school's log files (e.g. Law Enforcement agencies), to trace back certain online activities.
If some criminal investigation shows that the public IP address of the school is linked to certain illegal activities, the school could be requested to hand over their log files and list of 'MAC address - student' combinations.
It could also be the case that the school wants to track down which student spent 10% of their bandwidth on browsing 18+ websites.

Whether this information can be used for these reasons depends on local legislation in regards to privacy and computer crime.

> Would they be able to track our browsing history or more?

They cannot detect your complete browser history using this information. However, as I explained before, the MAC address could be used to link your device to certain activity on the network.

> What if I use Tor Browser? Would it have any effect?

Using Tor does not change anything to the fact that your device's network adapter has a certain MAC address and that this MAC address could be linked to your device and to you.

> If they can track me, what measures can I take to prevent them from invading my privacy?

It is fairly trivial to change the MAC address of your device's network adapter(s). Changing your MAC address after having handed them your original one (or providing them with a fake one), makes it more difficult for the IT administrators to link a MAC/IP address to you.
However, if the network requires identification through Active Directory (each student having a unique username to authenticate to the network) or some other form of authentication (e.g. certificate based), they'd still be able to check the log files to try to match an IP to you.
If the school uses a proxy, they could also sniff web traffic in search for Personally Identifiable Information, such as your email address or Facebook username, ... But I suppose this would be a huge breach of privacy regulations in most countries.

Additional info

It could also be the case that your school wants to implement MAC address based access control on the network, allowing only whitelisted (allowed) MAC addresses to connect to the network.

However, as others have pointed out (and as I have touched upon slightly), MAC addresses can be edited. This allows anyone to change their own MAC address to that of a legitimate student, granting them access to the network.
MAC address based access controls will stop some people from being able to access the network using the password they received from a friend at your school (as they don't have the knowledge/skills to bypass this weak line of defense), but it won't stop those who are determined to access the network.

If the school is serious about wanting to track students' network usage and/or wants to limit access to students only, there are much better alternatives available.

One example of this is RADIUS authenticated WiFi.
Extract from: FreeRadius.org

IEEE 802.1X and RADIUS Authentication

The IEEE standards for Wi-Fi (IEEE 802.11) foresee an "Enterprise" mode which is fundamentally different from PSK networks because the Wi-Fi encryption keys are provisioned per user and per session. Every user needs to authenticate with their personal credentials; at that moment a key is generated and is communicated to the user's device and the NAS they connect to.

Before users send their authentication credentials, the user must authenticate the network, proving that it is indeed genuine; only then is the client's credential released. The IEEE standard IEEE 802.1X (using RADIUS and the Extensible Authentication Protocol, EAP) is used for authentication and key management.

Enterprise Wi-Fi authentication also enables advanced features such as putting users dynamically into a specific VLAN (e.g. separate guest and staff logins into different IP networks even though being on the same SSID), and dynamic ACLs.

Enterprise Wi-Fi requires:

  1. A RADIUS server which can do EAP authentication.
  2. Wi-Fi equipment which is correctly configured to use RADIUS authentication.
  3. User devices configured to do Enterprise Wi-Fi correctly.
BlueCacti
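The correlation this answer walks through (firewall entry, then DHCP lease, then registered MAC), as an added Python example that is not part of the original answer. The pipe-separated layout follows the fictional logs above; the extra log lines, the registry names and the function names are constructed for illustration.

```python
import re
from datetime import datetime

TIME_FORMAT = "%Y-%m-%d %H:%M"
MAC_RE = re.compile(r"[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}")

# Constructed sample data in the layout of the fictional logs in the answer.
FIREWALL_LOG = """\
2016-08-05 12:11 | 10.10.100.123:51234 | 216.58.210.46:443
2016-08-11 08:02 | 10.10.100.123:40022 | 216.58.210.46:443
2016-08-05 12:30 | 10.10.100.77:50111 | 216.58.210.46:443
2016-08-05 13:00 | 10.10.100.200:50500 | 216.58.210.46:443
"""

DHCP_LEASES = """\
10.10.100.123 | 01:23:45:67:89:01 | 2016-08-03 09:35 | 2016-08-10 09:35
10.10.100.123 | 0A-BC-DE-00-00-02 | 2016-08-10 10:00 | 2016-08-17 10:00
10.10.100.77 | 02:11:22:33:44:55 | 2016-08-05 08:00 | 2016-08-12 08:00
"""

# Hypothetical registry built from the MAC addresses students submitted.
REGISTRY = {
    "01:23:45:67:89:01": "student-A",
    "0a:bc:de:00:00:02": "student-B",
}


def normalize_mac(raw):
    """Return a MAC as lowercase colon-separated hex, or raise ValueError."""
    mac = raw.strip().lower()
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return mac.replace("-", ":")


def parse_leases(text):
    """Parse 'ip | mac | lease start | lease end' lines."""
    leases = []
    for line in text.strip().splitlines():
        ip, mac, start, end = (field.strip() for field in line.split("|"))
        leases.append({
            "ip": ip,
            "mac": normalize_mac(mac),
            "start": datetime.strptime(start, TIME_FORMAT),
            "end": datetime.strptime(end, TIME_FORMAT),
        })
    return leases


def parse_firewall(text):
    """Parse 'timestamp | source ip:port | dest ip:port' lines."""
    entries = []
    for line in text.strip().splitlines():
        stamp, src, dst = (field.strip() for field in line.split("|"))
        src_ip, _, src_port = src.rpartition(":")
        entries.append({
            "time": datetime.strptime(stamp, TIME_FORMAT),
            "src_ip": src_ip,
            "src_port": int(src_port),
            "dst": dst,
        })
    return entries


def attribute(entry, leases, registry):
    """Return (status, mac, owner) for one firewall entry.

    The lease must cover the entry's timestamp: the same IP can be handed
    to a different device once an earlier lease has ended.
    """
    for lease in leases:
        in_window = lease["start"] <= entry["time"] < lease["end"]
        if lease["ip"] == entry["src_ip"] and in_window:
            owner = registry.get(lease["mac"])
            status = "registered" if owner else "unregistered-mac"
            return status, lease["mac"], owner
    return "no-lease", None, None  # static address or a gap in the DHCP log


def correlate(firewall_text, lease_text, registry):
    leases = parse_leases(lease_text)
    return [attribute(e, leases, registry) for e in parse_firewall(firewall_text)]


if __name__ == "__main__":
    for result in correlate(FIREWALL_LOG, DHCP_LEASES, REGISTRY):
        print(result)
```

The second log line shows why the lease window matters: the same internal IP resolves to a different device after the first lease ends. The result identifies a MAC address, which, as the answers note, is not proof of who was using it.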
2

A MAC address just represents the physical address of a device. A device's MAC address is given out the second the device connects to the WIFI, based on the ARP protocol.

Asking for your MAC address could make it easier for them to filter a list of devices that would be allowed to access the specific network.

I personally think they are asking for your MAC address in order to only let the students access the school's internet connection. A random person will not be able to access their network if their MAC address is not added (even if they have the password).

However, it is easy to obtain someone's MAC address and change yours to match theirs (but I bet a minimal amount of people would take this path).

To answer your questions now, they won't really collect any additional information about you that they didn't already have. Once you connected to the WIFI, they were able to get access to your MAC address right away. However now they are capable of finding you faster.

They could be able to track your history but that will require a lot of work that I doubt a school will do unless they are required to. They usually use proxies (middle men between you and the web page) to stop students from visiting certain websites or to add privacy to their server.

Using Tor will keep your history anonymous but they will be aware that you used such an internet browser.

Measures that you can take to prevent them:

  - Use a virtual box where you can edit your MAC address
  - When browsing the web you can always alter your DNS and your proxies (of the virtual box)

There are many other ways but in a way it is also quite difficult to prevent someone from invading your privacy if you are using their network.

Cedric F.
  • 4
    MAC address spoofing also gives law enforcement the evidence of intentional wrongdoing they need if they choose to throw the book at an unwanted user. – Ben Voigt Aug 04 '16 at 20:18
  • This doesn't answer the question that was asked. The question is *not* asking "Why did they ask for MAC address filtering?" Instead, the question is asking: "Can the school track me? What can I do to protect my privacy?" This answer hasn't answered any of those questions. – D.W. Aug 05 '16 at 00:59
  • 1
    MAC addresses are not handed out by the ARP protocol. They are defined by the manufacturer to uniquely identify a network device. IP addresses are handed out by DHCP. ARP is used to find the MAC address matching a certain IP address – BlueCacti Aug 05 '16 at 10:08
  • Wouldn’t the WiFi have to use the real machine’s radio? The VM must be able to program it to listen to multiple mac’s for it to use the mac of the VM. – JDługosz Aug 06 '16 at 23:54
2

You are not giving the school any additional information.

When one connects to the Wi-Fi network, one is already showing one's MAC address. All the frames between one's computer and the Wi-Fi access point carry the source and destination MAC. Otherwise, it would be impossible to transmit and receive.

So the school asks you this information for security, to make it more difficult for others to connect. It is a reasonable security request.

It is not very strong, though, because a MAC address can be easily spoofed. But it can help to correlate in case of trouble. If someone uses your user with a different MAC address, the school can suspect that your account has been hacked.

  • 2
    He is giving the info that MAC X is linked to user Y. That is "a lot" – niilzon Aug 05 '16 at 13:06
  • Not really, because that link is absurdly weak. MAC addresses are public on the network and anyone can claim any MAC address. – David Schwartz Aug 05 '16 at 16:14
  • 1
    @DavidSchwartz While we all know better than to rely on linking a MAC address to a person for anything, it seems likely that the school implementing such a daft policy wouldn't know better, which has potentially severe implications in being held responsible for the actions of anyone who chooses to spoof "your" MAC address. – HopelessN00b Aug 05 '16 at 17:16
  • 1
    @HopelessN00b I agree. I'd be concerned that the school thinks this information is more useful than it really is. If they think it's hard to spoof or unlikely to be spoofed, ... – David Schwartz Aug 05 '16 at 17:30
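The correlation the answer above describes (a known user showing up with a different MAC address), sketched as an added example that is not part of the original answers or of any school's actual system. The user names, MAC addresses and login events are constructed, and the function names are hypothetical.

```python
import re

# Constructed registration list: user -> MAC as submitted on the school's form.
REGISTERED = {"alice": "3C-22-FB-10-9A-01", "bob": "a4:5e:60:c1:7d:02"}

# Constructed login events: (timestamp, user, MAC seen by the access point).
EVENTS = [
    ("2016-08-04T08:01", "alice", "3c:22:fb:10:9a:01"),
    ("2016-08-04T08:05", "bob", "A45E.60C1.7D02"),
    ("2016-08-04T09:30", "alice", "da:a1:19:44:0b:7c"),
    ("2016-08-04T10:12", "carol", "a4:5e:60:c1:7d:02"),
]

def normalize(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def locally_administered(mac):
    """True if the U/L bit (0x02 in the first octet) is set, i.e. the address
    was assigned in software rather than by the manufacturer."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def review(events, registered):
    """Return (timestamp, user, reason) for logins that contradict the list.
    A matching MAC is not proof of identity: addresses can be copied."""
    owner = {normalize(mac): user for user, mac in registered.items()}
    findings = []
    for ts, user, mac in events:
        seen = normalize(mac)
        if user not in registered:
            reason = "user has no registered device"
            if seen in owner:
                reason += f"; MAC is registered to {owner[seen]}"
        elif normalize(registered[user]) != seen:
            reason = "MAC differs from registration"
            if locally_administered(seen):
                reason += " (software-assigned address)"
        else:
            continue
        findings.append((ts, user, reason))
    return findings

if __name__ == "__main__":
    for finding in review(EVENTS, REGISTERED):
        print(*finding, sep="  ")
```

Each finding is a prompt to investigate, not a verdict: as the comments above point out, the link between a MAC address and a person is weak in both directions.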
-1

I would like to ask about what kind of information that they can collect from this?

Like others have mentioned, the best way is to ask "Why do you want my MAC address?"

What if I use Tor Browser? Would it have any effect? Would they be able to track our browsing history?

Through some other applications and protocols, of course they can, but not with your MAC address.

The only reason I can think of regarding the MAC address request is to filter or spoof. And I think your school is only taking that as a security measure to filter who can access the internet.

amrx
  • 309
  • 2
  • 7
-6

I don't think that this is a problem. If you browse the internet, your MAC address isn't needed, only the IP address, so this wouldn't have any effect.

I think the school implemented this so that nobody from outside the school could access the Wi-Fi. Or so that, if somebody has the idea to do something illegal, they could know who (or at least which computer) did that.

Concerning your browsing history: I think that they collect your browsing history somewhere on a school server anyway. But this is of course only for the browsing history that you make at school. If, for example, you search for something on the internet the night before with your "home internet", they can't get access to that, because it wasn't in the school's network.

Mathias
  • 1
  • 2
  • 6
    Bad information. The MAC is the interface hardware identifier used by DHCP to assign the interface an IP address in the range set on an access point of the default gateway. Without the MAC, the router doesn't get told which interface is being used to send and receive packets. Because no IP address gets assigned. Thus, traffic does not flow. The MAC is essential for monitoring LANs and who is doing what for security reasons. – Yokai Aug 04 '16 at 09:31
  • 1
    @Yokai While I agree that everything you say is technically true, I think you're giving people a false impression that a MAC address is a way to uniquely identify someone, when it's not. (It's intended to be, but changing your MAC address is trivial) – Patrick M Aug 06 '16 at 16:41