39

I was logged on to my router and filling out some information. I clicked a button and a field was automatically filled in with my computer's MAC address. How is this possible? Does it present a security risk?

I'm connected through VPN and my computer is up to date and running Microsoft Security Essentials (MSE). Is there JavaScript code that can get the MAC address? Is the MAC address sent in an IP header? I was surprised I wasn't at least prompted to share this information.

Peter Mortensen
  • 877
  • 5
  • 10
Celeritas
  • 10,039
  • 22
  • 77
  • 144
  • 1
    Computer's MAC address or your router's? – SilverlightFox Jun 18 '14 at 09:29
  • @SilverlightFox it was the computers MAC address – Celeritas Jun 18 '14 at 17:49
  • 17
    Ethernet ([802.3](http://en.wikipedia.org/wiki/IEEE_802.3)) and Wi-Fi ([802.11](http://en.wikipedia.org/wiki/802.11)) use MAC addresses to route data packets, so it's not surprising the router knows your MAC address. The fact that this webpage is running/hosted *on the router* is key. – Cornstalks Jun 19 '14 at 03:55

3 Answers3

56

This is not a security risk.

The router looks in its ARP table to find the MAC address of your IP address. The reason it can do this, is because you are connected to the router via layer 2 in the OSI model. The router simply looks up your IP address in the ARP cache to find its MAC address. A website on the Internet is not connected to your LAN and will not be able to determine your MAC address.

In the same way, you from your computer determine the MAC address of your router by looking in the ARP cache of your computer. If you open up your command prompt (cmd.exe on Windows) and type "arp -a", you will see your router's MAC address. This does not pose a security risk, and is required for IP traffic to work on an Ethernet network.

Peter Mortensen
  • 877
  • 5
  • 10
Dog eat cat world
  • 5,759
  • 1
  • 27
  • 46
  • 4
    Which also means only your router (or any device on your local network, for that matter) can do this, but not a web server on the Internet. – user149408 Jun 18 '14 at 13:27
  • 1
    How did the site find the _computer's_ MAC address though? – SilverlightFox Jun 18 '14 at 17:59
  • 9
    @SilverlightFox: The site is running on the router itself, not on a faraway server. – Jan Fabry Jun 18 '14 at 18:08
  • 1
    @JanFabry: Thanks for the clarification - I thought the OP meant they were logged onto a webpage via their router's connection. Long day! – SilverlightFox Jun 18 '14 at 18:20
  • 1
    @Dogeatcatworld, [What about IPv6](http://security.stackexchange.com/questions/61321/how-can-a-webpage-get-the-mac-address/61322#comment150302_61341) as mentioned in the other answer? – Pacerier May 22 '15 at 11:05
18

There is no risk here.

The Internet is not just one protocol, but a series of protocols that stack up on top of each other. The exact definitions of each part of the stack differ somewhat from person to person, but the two we're concerned about here are fairly well-defined: the link layer and the network layer. Depending on who you ask, these layers have different numbers, so I'm going to use the names instead.

The link layer defines how to get a signal across two computers that are directly connected in some way. Ethernet is one example, and so is is the 802.11 family of wireless protocols; I list these because they use MAC addresses. PPP, which is often used by modems, is another example of a link-layer protocol, but it does not use MAC addresses. There are other link-layer protocols too, but I won't get into them here.

The network layer defines how to get a signal across two computers that are NOT directly connected, using computers that ARE directly connected in some way. This is where IP lives, and it doesn't use MAC addresses.* Data still has to be passed between machines that are directly connected to each other, but even if this is done using only protocols that use MAC addresses, it uses the MAC addresses of the two machines that are passing information between them at the moment, not the MAC address that started it all. Your MAC address is only visible to the very first link in the chain -the one between your computer and the router- and it legitimately needs that, because that's how it tells data from your computer apart from data from other computers connected to it. But after that, your address is gone.

The reason that your router knows your MAC address is that you are directly connected to it, using the link layer (it can also see you in the network layer, which is how it's presenting its interface to you, but that doesn't matter here). It cannot see the MAC addresses of anyone who is not directly connected to it in this way, because that information gets lost in the network layer.** The same is true of other machines. So yes, your router can see your MAC address, but no one else can.

*: IPv4 doesn't use MAC addresses, and if you're not sure what IP version you're using, it is probably IPv4. IPv6 allows (but doesn't require) computers to use MAC addresses in certain ways, and some implementations do this, but it has caused a lot of controversy.

**: Again, this assumes you're not using an IP version that leaks MAC address information.

The Spooniest
  • 1,637
  • 9
  • 10
  • @TheSpooniest, Does this mean that with IPv6, it's possible for the MAC addresses to leak over the public internet? – Pacerier May 22 '15 at 11:05
  • @Pacerier: Not necessarily. It depends on the particular implementation of IPv6 that you're using; implementers don't have to leak your MAC address, and not all implementations do. – The Spooniest May 22 '15 at 12:20
0

Nice juicy answers but none of them has answered the question.

How is this possible?

The answer is it's possible with your permission.

Is there JavaScript code that can get the MAC address?

Well.. Java can

The webpage that you have visited most likely has asked for your permission to run a Java application and you must have agreed. A Java application can easily retrieve your MAC and send it back to the webpage.

Community
  • 1
Ulkoma
  • 8,793
  • 16
  • 65
  • 95
  • +1 for mentioning that Java link (via an Applet, you mean, I think). However you need to fix your second link (it points to a web page where no code is available) –  Sep 29 '15 at 15:45
  • 1
    -1. This is simply not what's happening here. As Dog Eat Cat World says, the MAC address is available to any host you're talking to on your LAN, which is what happens when you're talking to your local router. – Steve Sether Nov 20 '15 at 21:08