7

When I first got to my university I had to provide my MAC address to get access to the internet. What I want to know is what information can they get from having my MAC address linked to my name. I use Private Internet Access as my VPN and have Zenmate for Chrome. When I'm plugged in to their network can they see what I search just by my MAC address?

kasperd
MAC09
  • 18
    A big caveat here is that MAC address spoofing is trivial; if the school treats the MAC address as your identity (i.e. without other control mechanisms) then you might want to consider the outcome if someone else uses your MAC address to abuse the internet facilities. – symcbean Oct 24 '14 at 15:23

6 Answers

27

They're requesting your MAC address because they're using MAC filtering to control access to the WiFi network. That does not in and of itself constitute the ability to see what you're doing when you're on the school's network, and certainly not when you're at home.

If this is the only requirement, and they are not also requiring you to install things (monitoring software, root certificates) then it gives them no ability at all to see what happens when you're at home, or on any network other than theirs, and even on their network, they will only have the ability to see unencrypted traffic.

Xander
18

@Xander is partly right. Documenting your MAC address allows them to do one (or more, or all) of a few things:

  1. MAC Address Filtering
    The school may be using MAC address filtering to (try) to keep unauthorized devices off of the network. While this is easily bypassed, once an attacker knows an authorized address, it does make joining the network a bit more difficult than just hopping on with a shared/stolen password.
  2. Rogue Device Monitoring
    Knowing the addresses for the devices they've approved to be on the network allows them to monitor and recognize when a non-approved device joins.
  3. Activity Monitoring & Attribution
    Knowing which MAC addresses belong to whom allows the school to easily attribute malicious (or otherwise unapproved) activity to a device owner. Given that they probably also have contact information for you, this allows for corrective action to be taken, and/or notifications to be sent, without having to physically track the device down.

Giving them your MAC address alone does not allow them to do any monitoring or control of your device when it is not connected to their network. Unless you've allowed the school to install some software on your computer (or the computer itself is owned and maintained by the school), they will not be able to see what you do with your computer when you're at home or on another network they do not control.

Iszi
  • Can you please explain the difference between item #1 and item #2 ? Thank you. – James C Oct 24 '14 at 21:24
  • 1
    @JamesC In the first case, network administrators have configured infrastructure devices to only permit access to approved devices, and the filtering is done by MAC address. In the second case, the infrastructure is not configured to block any devices but network admins do monitor for unrecognized devices. – Iszi Oct 24 '14 at 22:03
  • 3
    Re:`"Knowing which MAC addresses belong to whom allows the school to easily attribute malicious (or otherwise unapproved) activity to a device owner."` You should probably mention that any such attempt at "attribution" would be extremely stupid. Any kid with even the slightest knack for mischief could sniff/probe the MAC address of another authorized user (and optionally wait for them to disconnect), then change his/her MAC address to that address, and there you go: ready to frame that user for any kind of bullshit conceivable. – Will Oct 25 '14 at 06:21
  • @Will I'd hardly call it extremely stupid. Certainly, MAC spoofing is a possible issue and that same threat even exists against the MAC filtering. But, unless the school wants to set up more advanced authentication mechanisms for their network, it's often the only device identifier they can rely on to identify owners in cases of abuse. It's not fool-proof, but it's better than nothing - and in most cases, it's likely to be accurate. – Iszi Oct 25 '14 at 07:59
  • 1) Only allowing devices with previously-approved MAC addresses to connect to the network, even with a valid password. 2) Allowing anyone to connect to the network (with a valid password), but being able to tell when a non-previously approved device connects, and being able to monitor what it does. They could also assign IP addresses in a different range to approved devices, which could let them allow visitors to access the internet and students/faculty to also access additional network resources (like library databases and such). – jbagdis Oct 24 '14 at 22:00
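Items 2 and 3 of the answer above (rogue device monitoring and attribution), together with the spoofing caveat raised in the comments, can be sketched as a log check. This is an added example, not code from any poster on this page; the log format, access point names, owner names and MAC addresses are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed registration table: MAC -> owner (hypothetical names).
REGISTERED = {
    "a4:5e:60:11:22:33": "student_a",
    "3c:22:fb:44:55:66": "student_b",
}

# Constructed association log; the line format is an assumption.
SAMPLE_LOG = """\
2014-10-24T15:00:02 assoc mac=A4-5E-60-11-22-33 port=ap-lib-1
2014-10-24T15:01:10 assoc mac=3c:22:fb:44:55:66 port=ap-dorm-3
2014-10-24T15:03:41 assoc mac=de:ad:be:ef:00:01 port=ap-lib-1
2014-10-24T15:04:05 assoc mac=a4:5e:60:11:22:33 port=ap-gym-2
2014-10-24T18:30:00 assoc mac=3c:22:fb:44:55:66 port=ap-lib-1
"""

LINE = re.compile(r"^(\S+) assoc mac=([0-9A-Fa-f:.-]+) port=(\S+)$")

def normalize_mac(raw):
    """Lower-case, colon-separated form so different notations compare equal."""
    digits = re.sub(r"[^0-9a-f]", "", raw.lower())
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def analyze(log_text, registered, window=timedelta(minutes=10)):
    """Return (unregistered MACs, registered MACs seen on two ports within window)."""
    unregistered, conflicts = set(), set()
    last_seen = {}  # mac -> (timestamp, port) of the previous association
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not an association event
        ts = datetime.fromisoformat(m.group(1))
        mac, port = normalize_mac(m.group(2)), m.group(3)
        if mac not in registered:
            unregistered.add(mac)  # item 2: device nobody registered
        elif mac in last_seen:
            prev_ts, prev_port = last_seen[mac]
            if port != prev_port and ts - prev_ts <= window:
                conflicts.add(mac)  # possible clone or roaming: review before attributing
        last_seen[mac] = (ts, port)
    return unregistered, conflicts

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, REGISTERED))
```

A registered address that shows up on two access points within the window is only a hint, since ordinary roaming produces the same pattern, which is why a MAC match alone is weak evidence of who was responsible.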
2

MAC addresses are layer 2 on the OSI model, and as such are only transferred ONE network hop. For instance, it would be impossible for me to collect your MAC address unless you were directly connected to me. MAC addresses are used for direct communication between network devices (routers, switches, etc.).

Unless your home network was directly connected to your school's network, it would be impossible for your school to know what your MAC address was at your home network.

Here's a good resource about what your MAC address is and does: http://www.tcpipguide.com/free/t_DataLinkLayerLayer2.htm

Maumee River
  • 1
    Perhaps a bit more definition is in order to describe "directly connected". One might translate this to mean "by a single cable between one device and another". However, MAC addresses are visible across the entire Layer 2 network - i.e.: everything connected to the same switch. – Iszi Oct 24 '14 at 15:37
  • Right, thank you. That is why I said "One network hop." – Maumee River Oct 24 '14 at 17:20
  • 1
    `everything connected to the same switch` is similarly too narrow a definition, although I agree a good definition for most practical purposes. Large networks are likely to have multiple switches sharing a broadcast subnet, perhaps with VLANs and so on. It's strictly anything on the same network *segment*, i.e. sharing a subnet, and not requiring routing at the layer 3 level by a router device. Even then, however, the definitions are blurred, as local ACLs may prevent layer 2 traffic from certain endpoints in the network, switches can also be routers, etc. so a lot of it is topology-specific. – Cosmic Ossifrage Oct 24 '14 at 19:15
1

It depends. If you are using their DNS server and they are logging which IP is assigned to you (IPs can be assigned based on MAC address by the DHCP server) then they can see what sites you visit even when using a VPN solution. They should however be unable to see what you are searching for as this will be tunnelled.

Best is to use a DNS outside their network which is also tunnelled through your VPN.

Lucas Kauffman
1

If you use VPN you can tunnel all traffic including DNS through the tunnel, and then the university won't see what you're doing online. They can see the tunnel though.

What you search by Google HTTPS should be encrypted, even when not over VPN. The keywords in the URL should appear encrypted in the logs. This is how I understand it, but I haven't tested this so I'm not 100% sure if that is actually the case.

However... organisations can act as MITM (man in the middle) for SSL certificates. To get this working they need to install their own root certificate on your computer. They can require you to do this. This means they can see your logins to Facebook and Gmail if they want to, and see the query in that Google HTTPS URL. If you have some trust in your university, they won't do this in general. If you are in a country where human rights are not high on the agenda, they (or the secret service over there) might do this.

But if you use VPN, that won't work with setting up the connection and the traffic through that tunnel - so I think that is safe.

SPRBRN
  • 2
    For the MITM to work without generating a notice, they would need to install their root certificate on your computer. This often comes bundled with other software, so be warned. – David Houde Apr 17 '14 at 08:24
-1

Assume there is a TCP packet sniffer that captures all the TCP packets in the campus network (most likely for research purposes or security operation needs). People who have access to this packet trace and the database that maintains the mapping between the MAC address and your real-life identity will be able to at least know what IP addresses you (it's actually your MAC address) have visited.

There is a notion that you should use HTTPS as much as possible. By doing that, at least other people have no way to know what content (search text, tweets) has been exchanged between you and the remote websites.

Peter Mortensen
ouyangtu