5

Since every vendor has a MAC address range, and Apple has network card models that only they use (AirPort), I suppose that it is very easy to identify a network packet as coming from an Apple device, even if the traffic is encrypted.

One of the most valuable things an attacker must find out is which operating system is running on the computer they want to hack.

Therefore my theory is: changing the MAC address of an Apple device to look like one from a non-Apple vendor (and vice versa) can improve my security within local networks.

How foolish is my humble theory?

UPDATE: I know that this alone will not solve many security problems. I just wanted to know if being concerned about my MAC address is a waste of time or one more good point to consider when tuning the security of my devices.

Ali Ahmad
SystematicFrank
  • Don't most browsers give away the OS in their HTTP request headers? This could probably be another way to identify your OS. – Zeta Two Aug 01 '12 at 08:46
  • @ZetaTwo, I think that an even bigger crime is Bonjour-related packets; that way you can immediately spot an Apple device. However, if I take care of those other details... I still wonder how dangerous it can be having my MAC address screaming the operating system I am running. – SystematicFrank Aug 01 '12 at 08:49

2 Answers

10

What you're referring to is fingerprinting - the act of identifying a system based on certain properties it has.

Modern fingerprinting techniques involve quite a few tests:

  • MAC address range
  • How the OS responds to certain packet flags (e.g. unexpected TCP RST+FIN)
  • Open ports and available services (e.g. remote X and SSH ports open implies it's not Windows)
  • Service banners - lots of services give away what OS is running, e.g. MySQL protocol header, or the Apache default 404 response.

Changing just one of these is unlikely to throw off a detailed fingerprinting scan.

If you really want to get into the details of it, take a look at nmap's "Remote OS Detection" documentation.

Polynomial
  • +1. Simple changing of the MAC Address is unlikely to fool a detailed fingerprinting attempt. –  Aug 01 '12 at 10:15
  • It's probably pretty far down on the list of "things I would use to fingerprint" too. – pdubs Aug 01 '12 at 22:11
  • @pdubs It's always covered in a standard nmap scan anyway, but I agree, for a manual scan there are much stronger indicators. – Polynomial Aug 02 '12 at 05:46
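To make the "changing just one of these" point concrete, here is a small self-audit script (added here; it is not the answer's or nmap's code) that scores several fingerprint signals for one host and shows that swapping the OUI removes a single vote without changing the consensus. The OUI table entries, the TTL/port/banner heuristics and the sample hosts are constructed assumptions.

```python
"""Self-audit of OS fingerprint signals: why changing only the MAC address
rarely hides the OS family. Added example, not nmap's logic; the OUI table,
heuristics and sample hosts below are constructed assumptions."""
from collections import Counter

OUI_VENDOR = {"00:1c:b3": "Apple", "00:50:56": "VMware"}  # constructed OUIs
TTL_FAMILY = {64: "unix-like", 128: "windows", 255: "network-device"}

def signal_mac(mac):
    """An Apple-only NIC vendor implies an Apple, hence unix-like, host."""
    return "unix-like" if OUI_VENDOR.get(mac.lower()[:8]) == "Apple" else None

def signal_ttl(ttl):
    """Observed TTL = default initial TTL minus hops; snap to the default."""
    for default, family in TTL_FAMILY.items():
        if default - 30 < ttl <= default:
            return family
    return None

def signal_ports(open_ports):
    """SSH plus remote X open suggests not Windows; RDP suggests Windows."""
    if {22, 6000} <= set(open_ports):
        return "unix-like"
    return "windows" if 3389 in open_ports else None

def signal_banner(banner):
    """Service banners (e.g. Apache's default) often name the platform."""
    b = banner.lower()
    if any(k in b for k in ("unix", "ubuntu", "debian", "darwin")):
        return "unix-like"
    return "windows" if any(k in b for k in ("win32", "win64", "windows")) else None

def os_signals(host):
    """Every fingerprint signal that yields a guess for this host."""
    guesses = {"mac": signal_mac(host["mac"]), "ttl": signal_ttl(host["ttl"]),
               "ports": signal_ports(host["open_ports"]),
               "banner": signal_banner(host["banner"])}
    return {k: v for k, v in guesses.items() if v}

def consensus(host):
    """(OS family, number of agreeing signals); ('unknown', 0) if none fire."""
    votes = Counter(os_signals(host).values())
    return votes.most_common(1)[0] if votes else ("unknown", 0)

# Constructed observations of one laptop before and after changing its MAC.
APPLE_MAC = {"mac": "00:1C:B3:AA:BB:CC", "ttl": 62, "open_ports": {22, 6000},
             "banner": "Server: Apache/2.2.22 (Unix)"}
SPOOFED = dict(APPLE_MAC, mac="00:50:56:AA:BB:CC")
```

Running `consensus(APPLE_MAC)` and `consensus(SPOOFED)` shows the spoofed host still classified as unix-like, now on three signals instead of four.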
1

If someone is in the same local network then it is entirely possible they could use the MAC address to gain information about your hardware. Changing your MAC address makes a certain amount of sense in some cases; however, there are other fingerprinting clues that could give your system away, like how it responds to pings, how it negotiates TCP sessions, etc. Just changing the MAC address won't do; you have to look at the entire system.

GdD