Ethernet cards have a unique MAC address that is assigned during manufacture. If you capture a MAC address, and no other information, can you trace this to an individual?

Perhaps the manufacturers keep records of what MAC address goes in each batch? A retailer could connect a MAC address to a transaction, and reveal the identity of the buyer. If this is manufacturer-specific, I'd be interested in any manufacturers known to record this information. Also, any indication of how readily retailers would respond to such a request.

The context is that I'm writing fiction. The hacker is being traced, law enforcement have compromised his browser, but he's using Tails with physical separation. His one mistake is forgetting to change the MAC address on his internal firewall.

paj28
  • "His one mistake is forgetting to change the MAC address on his internal firewall" That sentence makes no technical sense. If he has a discrete firewall, it will have a different set of physical MAC addresses than the machine where the web browser runs. If it's a simple software firewall, then it will not have a MAC address of its own – Stephane Jun 12 '17 at 06:21
  • "Would retailers respond to a request" is pure opinion. Also, are you aware that MACs get recycled? – schroeder Jun 12 '17 at 08:18
  • @Stephane - It makes perfect sense. Perhaps you're not familiar with the threat model for Tails physical separation? – paj28 Jun 12 '17 at 09:45
  • @schroeder - To you and I, it's speculation. I'm holding out for a comment like "I do this in my day job and have about a 1 in 4 success rate" – paj28 Jun 12 '17 at 09:46
  • @paj28 then that's not an answer to how readily vendors respond, but only how one vendor responds right now. – schroeder Jun 12 '17 at 09:48

2 Answers

Technically, it would be next to impossible to trace back a random MAC address to an individual.

Notwithstanding the fact that MAC addresses can easily be spoofed or changed (which means that your defender has bad opsec if they are using the default hardware MAC on the network), they are, at best, linked to a specific network card. This is a single component of the connecting machine, which means that to trace it back you'd have to first go to the component's manufacturer before going to the actual device manufacturer. That is, if the part wasn't actually sold independently through a retail channel, in which case it would be impossible to trace it.

So, it would be pretty much as hard as tracing back the owner of a car knowing only the serial number of its tires. It makes little sense in practice, but that doesn't stop TV shows and movies from "doing" it.

A more realistic way of identifying the individual behind a specific MAC address would be to take into account the proximity element: MAC addresses are not carried beyond the local subnet boundary, which means the capturing device and the defender's device must share a lot in common. It's not unthinkable to identify the terminal using a specific MAC address on the local subnet based on the network properties themselves. For instance, if you're talking about mobile devices, it would be possible to use a directional antenna to locate the device in question (for instance, using something like this).

Stephane
  • Agreed. As with any manufactured product, serial numbers can assist investigators, and a MAC is a form of serial number, so there is a possibility. But that's not the investigator's problem. The problem is all the things that could break the chain of attribution by the time someone starts using the device. – schroeder Jun 12 '17 at 08:19
  • Thanks! Proximity attacks are out. They have compromised his web browser, but it's in an isolated network. They can see the MAC address of the router in the ARP table, but have no idea where he is physically. Apart from this one thing, the guy has superb opsec. He just made one mistake. I think I'm gonna let him get away with it - law enforcement will start trying to trace the MAC, but not get very far. But maybe the network driver has a zero day vulnerability... – paj28 Jun 12 '17 at 09:55
  • I'd suggest you find another way to exploit the fact that the browser was compromised: there are plenty of other juicy things to do once you can execute JS in a client session that are far more interesting than grabbing a MAC address (which is pretty hard to do, actually). – Stephane Jun 12 '17 at 09:59
  • @Stephane - Suggestions welcome! They've broken out of the sandbox, so getting ARP table is easy. They can monitor what he's doing, but he doesn't enter anything identifiable into that system. How else can they unmask him? – paj28 Jun 12 '17 at 10:39

NIC manufacturers do keep records of MAC Addresses they've used up. Do they keep shipping records by MAC address... hard to say. A good number of them use serial numbers instead of MAC addresses for shipping records.

Similarly, PC/Laptop manufacturers do keep records of NICs they used (MAC is the most . It goes into packaging labels. That could be tied to shipping records with some effort (varies by how the records are kept).

If a laptop was purchased direct (as in Dell Direct, for example), it could be traced.

If it went through distributor/dealer channels, then the chances are that they don't keep MAC-specific records.

Similarly, there is also a considerable DIY / unbranded PC / laptop market where you won't find enough records.

All of them usually cooperate with LEAs of the countries they operate in.

Bottomline: You could reasonably create a situation of direct purchase from a branded manufacturer who would keep track and cooperate with LEAs.

Sas3
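Both answers above turn on the same first step an investigator would take with a captured MAC: split off the 24-bit OUI, check whether the address was even assigned by a manufacturer, and only then go looking for vendor and shipping records. The script below is an added example for this thread, not code posted by either answerer. It decodes the two flag bits in the first octet (the IEEE "locally administered" bit, which marks addresses set by software, VMs or randomization rather than burned in at the factory, and the multicast bit), looks the OUI up in a registry, and shows what a spoofed address looks like to that lookup. The registry table is a constructed sample with placeholder vendor names; a real lookup would use the IEEE OUI list (published at standards-oui.ieee.org).

```python
"""Classify a captured MAC address: burned-in (traceable to a vendor via
its OUI) or locally administered (spoofed/randomized, no vendor record).

Added example for this thread, not code from the original posts.
"""
import random
import re

# Constructed sample registry. Vendor names are placeholders; a real
# investigation would load the IEEE OUI list instead.
SAMPLE_OUI_TABLE = {
    "001122": "ExampleNet Inc. (constructed entry)",
    "A8BBCC": "Fictional NICs Ltd. (constructed entry)",
}

_MAC_HEX = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(text):
    """Return the 12 uppercase hex digits of a MAC written in any of the
    common notations (aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff).
    Raises ValueError for anything that is not 48 bits of hex."""
    digits = re.sub(r"[:\-.]", "", text.strip()).upper()
    if not _MAC_HEX.match(digits):
        raise ValueError("not a 48-bit MAC address: %r" % (text,))
    return digits


def is_valid_mac(text):
    try:
        normalize_mac(text)
        return True
    except ValueError:
        return False


def format_mac(digits):
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(text, registry=SAMPLE_OUI_TABLE):
    """Decode the flag bits of the first octet and attempt an OUI lookup.

    Bit 1 (0x02) of the first octet is the IEEE universal/local bit: set
    means the address was assigned locally, so no manufacturer record
    applies. Bit 0 (0x01) is the individual/group (multicast) bit."""
    digits = normalize_mac(text)
    first_octet = int(digits[:2], 16)
    locally_administered = bool(first_octet & 0x02)
    multicast = bool(first_octet & 0x01)
    oui = digits[:6]
    if locally_administered:
        vendor = None
        note = "locally administered: set by software, VM or randomization; OUI lookup is meaningless"
    else:
        vendor = registry.get(oui)
        note = "OUI registered to vendor" if vendor else "OUI not in registry"
    return {
        "mac": format_mac(digits),
        "oui": oui,
        "locally_administered": locally_administered,
        "multicast": multicast,
        "vendor": vendor,
        "traceable_to_vendor": vendor is not None,
        "note": note,
    }


def random_locally_administered_mac(seed=None):
    """Produce a spoofed unicast MAC: 48 random bits with the U/L bit set
    (so it is honestly marked as not factory-assigned) and the multicast
    bit cleared. A seed makes the output reproducible for testing."""
    rng = random.Random(seed)
    octets = [rng.randrange(256) for _ in range(6)]
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join("%02X" % o for o in octets)


if __name__ == "__main__":
    # Constructed sample captures: a factory address, a spoofed one, and
    # the well-known IPv4 multicast prefix 01:00:5E.
    for sample in ("00:11:22:33:44:55",
                   random_locally_administered_mac(seed=7),
                   "01:00:5e:00:00:fb"):
        print(classify(sample))
```

Run it directly to see the three classifications; only the first address yields a vendor, which is the point both answers make: even with a burned-in MAC the registry gets you to a manufacturer, not a person, and a locally administered address does not even get you that far.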