118

When posting questions, it is often quite useful to include debug output. However, it sometimes include the MAC address of my laptop, router, or both.

What are the possible dangers of releasing these mac addresses publicly?

Adi
  • 43,808
  • 16
  • 135
  • 167
Shelvacu
  • 2,333
  • 4
  • 16
  • 29
  • 3
    In short, there's no danger whatsoever. Please refer to similar question with excellent answers: http://security.stackexchange.com/a/67450/52933 – Jari Huttunen Sep 22 '14 at 07:27
  • 6
    The answers below are all correct-- I just wanted to mention that you should not disclose any personally-identifiable information unnecessarily. It's true that nefarious use is nearly impossible, but when it comes to security, your "enemy" should know as little as possible about you. – David Schwartz Sep 22 '14 at 15:52
  • 38
    I once found an unknown computer on my network (shared between some students), and when I googled the mac. I identified who it was. He had posted debug info on a Q/A forum – Dog eat cat world Sep 22 '14 at 16:46
  • 2
    It’ll make you extra-identifiable by IPv6 address if you’re using IPv6 with [SLAAC](https://en.wikipedia.org/wiki/IPv6_address#Stateless_address_autoconfiguration) without privacy extensions (which is a bad idea already). – Ry- Sep 22 '14 at 23:57
  • @Dogeatcatworld Perfect example of why you share nothing. – asteri Sep 23 '14 at 19:32

9 Answers9

114

Disclosing the MAC address in itself shouldn't be a problem. MAC addresses are already quite predictable, easily sniffable, and any form of authentication dependent on them is inherently weak and shouldn't be relied upon.

MAC addresses are almost always only used "internally" (between you and your immediate gateway). They really don't make it to the outside world and thus cannot be used to connect back to you, locate you, or otherwise cause you any direct harm.

The disclosure can be linked to your real identity since it might be possible to track you using data collected from WiFi networks, or it can be used to falsify a device's MAC address to gain access to some service (mostly some networks) on which your MAC address is white-listed.

Personally, I wouldn't really worry about it. However, when it's not inconvenient, I usually try to redact any irrelevant information when asking for help or sharing anything.

Adi
  • 43,808
  • 16
  • 135
  • 167
  • 18
    +1; I suspect any scenario in which your MAC address would be useful to an attacker (e.g., a MAC-restricted WiFi network) is a scenario in which the attacker can already view your MAC address. – apsillers Sep 22 '14 at 12:04
  • 2
    @apsillers I'll have to disagree. That only works if you're connected and using the network at the time the attacker is attempting to grab the MAC address. If you're not connected to the network, then the attacker must acquire the MAC address through other means. – Adi Sep 23 '14 at 16:55
  • 1
    I'll certainly agree to that, and admit my statement wasn't very complete. Perhaps I should revise it to say that most situations in which an attacker can meaningfully use your MAC address are situations in which your MAC address is clearly visible *when in use*. Learning someone's MAC address might be valuable to an attacker if some particular combination of space/time/usage constraints would prevent them from learning it from your normal use. – apsillers Sep 23 '14 at 17:02
  • 2
    With IPv6 the MAC often makes up part of the IP. – JKAbrams Sep 25 '14 at 00:26
  • Wasn't the author of that iloveyou worm caught because his mac-address was included in that vbasic code? – ott-- Apr 18 '16 at 21:21
  • 1
    @ott-- Even if it were true, it would still be irrelevant. You'd be comparing shouting your name while you're walking down the street to shouting your name while you're robbing a bank. If the story were true, he would have been caught if he left his phone number or email address in the code. So is that an argument against not disclosing your email address or phone number? Of course not. – Adi Apr 18 '16 at 22:34
23

A MAC address is a number used to uniquely identify your device on the local network segment. The address is (and needs to be) visible to everyone on the network segment, but because of how network routing works, is not normally visible to anyone else.

  • Unless you take steps to change it regularly, your MAC address uniquely identifies your device. Someone could use the address you posted to associate the device they've been tracking with an actual person, but if someone's going to the effort to track the movements of a wireless device, they probably already know who owns it.

  • Certain wireless routers set their default password based on the MAC address. This isn't as useful as it sounds, though: in order to actually use the password, they need to be within radio range of your AP, and in that case, they can simply sniff the MAC address off the air.

  • The first digits of the MAC address identify the manufacturer of your device. In theory, someone could use this information to make a targeted attack against a security hole in your card's network driver, but I've never heard of it happening in practice.

In short, there are some theoretical hazards, but in practice, anyone in a situation to exploit them has other ways to get your MAC address.

Mark
  • 34,390
  • 9
  • 85
  • 134
14

One significant thing is that there are databases that, given a mac address, can give the longitude and latitude of a wifi router. Most try to make sure you can only get your own location, but anyone can drive around and scan for the right mac address.

Skyhook wireless unofficial api

CNET article on google maps' database

Google maps official API

Wireless Geographic Logging Engine (thanks to Brad)

Shelvacu
  • 2,333
  • 4
  • 16
  • 29
4

Some Belkin routers set a default WPA password that could easily be derived from the router’s MAC address, and if you have one of those routers, then publishing your MAC address is an obvious security risk, because you’re effectively publishing your WPA password. Of course, the real risk is continuing to use the router without changing the default password, since your MAC address can quite easily be discovered by other means.

Mike Scott
  • 10,118
  • 1
  • 27
  • 35
3

Mostly, no. If knew your MAC, I could disguise my network card as yours when dealing with a gateway (e.g. a Wi-Fi router); that's pretty much all of it. It's extremely unlikely that this could cause any annoyance to you, let alone pose a security risk. The only situation I can think of is something on the lines of

We're staying at the same hotel. The hotel has a Wi-Fi hotspot, to which both you and I have access; additionally, you bought an Internet pass, which enables you to connect to the Internet through the hotspot.
If I come into knowledge of your MAC address, I could connect to the Wi-Fi network disguising as your network card, therefore gaining access to the Internet. All the traffic I'll generate will appear to come from your computer.

There are no security concerns whatsoever, unless you used some kind of very, very badly designed software that only relies on your MAC to give a computer access to your data and an attacker were on the same network as the listener.

The only serious issue I can think of is identification. MAC addresses are designed to be unique; therefore, if you see a debug report coming from user shelvacu with the MAC 00:1C:B3:09:85:15, and then stumble upon another report from user John Doe with the same MAC, you may conclude quite safely that shelvacu and John Doe use the same computer and likely are the same person. See an example of this in the comments to this question.

Community
  • 1
Giulio Muscarello
  • 340
  • 1
  • 2
  • 9
  • You misspelled my name. I can't edit it because it's only two characters and everything else doesn't need changing. – Shelvacu Sep 25 '14 at 06:12
3

There was real case when guy discovered that some website used MySQL's UUID value somewhere in URL. Also he learned that output of function contains MAC address. Guy looked up and found that MAC belongs to Dell. So, server is probably Dell make. After making this discovery about 2am he went to sleep and in some reason looked on this site again on morning. For big surprise this time MAC was IBM's. He sent mail to webmaster@xxxxx with question "Hey, what you did with Dell server?" and as he later found, caused quite a big panic inside company. It came out that Dell server failed at night and was replaced with first handy computer. Only sysadmin knew about it. Because someone from outside started to question it seemed that stranger knows too much and most probably server is deeply hacked.

From this viewpoint it is dangerous. At minimum this MAC leak caused some amount of lost work hours for employees.

Tõnu Samuel
  • 131
  • 3
2

Prelude

The short version is the other accepted answers here are more or less correct, essentially you shouldn't assume your mac address is private, and posting it doesn't pose any direct risk to you as a person unless you're trying to remain anonymous.

The long version: To really understand what risks leaking your MAC address poses requires two parts. Firstly to understand what metadata can be derived from it. And secondly the ways in which it can be used as a unique identifier for you.

Metadata

The MAC address is intended to assist your network in getting you the packets intended for you rather than your co-worker sitting next to you. For legitimate devices it is directly tied to the hardware and often burned into "rom" on the network card itself (but sometimes it's not actually read only). To prevent collisions each vendor has a set of prefixes they're allowed to use, and it's up to them how they use them and how they uniquely generate the rest of the MAC

Therefore you can reliably get

  • The hardware vendor from the prefix
  • Often the approximate generation of the device based on which prefix is used
  • Sometimes the exact model of network card used since most vendors use a predictable process to generate part of the address
  • Very rarely some other piece of information the vendor used to generate it when the card was made which usually isn't very useful
  • If your computer is from an assembly line (like say Dell) sometimes it can be used to identify a possible model for your computer, and any other information that could be inferred from that (like was that model primarily marketed to corporate customers or grandmas? Was it an expensive model or a cheap one?)

You can get the vendor from Wireshark using their tool

But a hacker can, through a variety of ways, falsify a mac address to pretend to be pretty much anything. Even mimicking another device on the network (though if they do this without knocking the other device out you end up with each device receiving only some of the packets which is both useless to the hacker and alerts the admins that something's probably wrong)

Tracking

The MAC can reliably (though not uncontestably) tie traffic to a single "machine". This information is overwritten each time traffic passes through a "layer 3" device (like your router). Normally this means that at most your router's mac address could be seen by another machine (and sometimes not even then, depending how the ISPs route their traffic).

Therefore the biggest things to keep in mind if someone hostile got your mac address are

  • If it's for your router and the hostile party is a hacker it could leak the approximate model and generation of your router which is the first step to deciding which vulnerabilities to try and attack
  • If it's for your router and the hostile party is a website or service, it might be able to log that and track sessions over time across multiple IP addresses and multiple accounts
  • If it's for your local computer or device and is only leaked rarely (say when you post debugging information) it can be used to directly tie those leaks together to infer they were posted by the same person (or multiple people working on the same computer)
  • If it's for your local computer or device and is consistently leaked (say from a software or browser leak), It can be used to uniquely track your computer across multiple sessions regardless of other anonymizing techniques, but it doesn't track YOU as a person. Also you can rotate your MAC using software if you're concerned about this, but that only helps if you remember to do so

Also if you made it this far you might be really interested in this stuff so here's some links to check out

Chris Rudd
  • 141
  • 3
1

The other questions are excellent, but something else that wasn't mentioned is in regards to identifying whether a particular device is yours, by a government or organization.

For example, say you are Edward Snowden and you had once posted your Mac address on a public forum where it's clear you are the one who posted it. Now, say that a government raided your house and found your PC with secret classified documents on it. You took great precautions to make sure there were no traces of you, but the government was able to trace your PC's mac address to the post you made, and now they have caught you.

Or, say that you were an American journalist travelling abroad and you captured by the IS IS and they had traced your Mac address you posted on a public forum to identify your PC, and then they had a mole in the USA who accessed your home PC to discover secrets they wanted to know.

Obviously these are rare or next-to-impossible case scenarios, but nonetheless it is a valid risk, even for more obscure and less blatant reasons.

I think it's always best to keep any potentially personally identifying information private at all times except when absolutely demanded, even if you have done nothing wrong. This goes for everything from obvious things like your SSN or birth date, to more subtle things like merely an idea you have for, say, an invention. A MAc address would fall somewhere in between.

On the contrary, however, it is unlikely in most cases that disclosing your Mac address will pose any threat to your security. It's just better safe than sorry.

p.s. one more thing, some websites are advanced enough to register you Mac address internally when you register (it's rare but it has happened). If they have sniffed out your Mac address when you registered with them, they would be able to trace that registration to you if you posted it publicly in another location on the internet under another account. They would be able to determine you are the same person, since all Mac addresses are totally unique (unlike IP addresses which are recycled), and a malicious person may be able to use this information nefariously.

securityaddict
  • 119
  • 3
  • 4
    *"If they have sniffed out your Mac address when you registered with them, they would be able to trace that registration to you if you posted it publicly in another location on the internet under another account."* No, this is completely incorrect. Under no case is the generically possible. – Xander Sep 23 '14 at 00:06
  • Also: Mac addresses can be spoofed. – Dan Esparza Sep 23 '14 at 12:56
  • 1
    The given examples are probably a bit far fetched but i wouldnt discount it as a Problem that someone could frame you by commiting a Computer fraud (simple stuff like wifi hacking) by specifically spoofing your mac adress. It probably wouldnt hold up in court on its own but the least it can do is cause you a unnecessary headache... – Sebastian B. Sep 24 '14 at 07:20
-1

People have hinted around the possibilities of what a known MAC hardware address can deprive a device of. Two very real uses that I have researched and written programs to do: one, if your address is spoofed on another computer packet sniffing becomes very easy (obtaining usernames, passwords... just about every keystroke); two, you could plant packets or data onto a device by spoofing the MAC (I believe the second is more dangerous than the first as it can present many unwanted problems). Unfortunately, the everyday consumer has to deal with communications from their devices through these manners when networked as the identity of it (the MAC address) is the only way to direct the traffic to and from it.

Mr. Nice Guy
  • 1
  • 1