Can an attacker exploit my /etc/machine-id?

9

1

I originally asked this question on Stack Overflow, but people suggested that I ask here instead.

I am writing software that needs to uniquely identify multiple different machines. I was planning on using /etc/machine-id to do this.

While reading the docs for machine-id, I stumbled upon this passage:

This ID uniquely identifies the host. It should be considered "confidential", and must not be exposed in untrusted environments, in particular on the network. If a stable unique identifier that is tied to the machine is needed for some application, the machine ID or any part of it must not be used directly. Instead the machine ID should be hashed with a cryptographic, keyed hash function, using a fixed, application-specific key.

I don't know much about dbus, but I was under the impression that it's only for IPC. If that's the case, I'm not sure why it would really matter if a remote attacker knew the machine-id. Other than the obvious privacy issues, are there any (known) legitimate security reasons not to share one's machine-id? Or is this just a case of some strongly-worded documentation?

Cameron Sun

Posted 2017-05-31T14:52:32.593

Reputation: 193

You would probably do better to look at any available serial numbers (CPU / HDD) and perhaps the network address (MAC address). /etc/machine-id is a file, and MAC address is easily spoofed - as such can be easily copied (circumventing your identification). – Attie – 2017-05-31T15:32:51.430

What architecture / processor are you on? The i.MX6 I'm working with at the moment has it's truly unique and read-only serial number exposed via sysfs. – Attie – 2017-05-31T15:34:01.907

@Attie There are no real consequences to machines spoofing their ID's in my scenario, so I'm not really concerned about that. In fact, I'm not really short on ideas for how to get a unique id for each machine, this question was more to satisfy my curiosity about how machine-id is specifically used (and if it's potentially dangerous to expose it). – Cameron Sun – 2017-05-31T15:44:52.270

sounds good - I'm keen to hear any answers too... – Attie – 2017-05-31T16:57:49.597

Answers

6

No, this text was added for privacy reasons rather than security.

The machine-id is similar to an iOS UDID or a MAC address; unnecessarily exposing it (over the network or to sandboxed apps) might allow someone to track the program's users across networks, or to link the same person's usage of different apps.

See discussion:

user1686

Posted 2017-05-31T14:52:32.593

Reputation: 283 655

Asked: 2017-05-31T14:52:32.593

Viewed: 972 times

Active: 2017-06-05T18:48:58.360