Is personally identifying info on user hardware sent through internet?

I've read here that it's possible for a website to use cross site scripting to pull your router's MAC address without your permission. This can then be used to determine your location through Google Location Services.
What other information can be sent that can personally identify your hardware? For example, is there a flash plugin that sends out info or ID numbers about your graphics card? I know User Agents send out info about your browser, but do they also include hardware information as well?

Brett Johnson

Posted 2010-11-28T04:37:12.900

Reputation:

I don't think any details of hardware are sent. A MAC address wouldn't give away location either. An IP can give it away in a general sense.. but I think that's more ISP's Router. Which would be within x miles. – barlop – 2010-11-28T04:59:08.107

Answers

This is an HTTP-based service where router MAC addresses are mapped to approximate GPS coordinates from other data sources.

That's a weird statement, IMO. MAC addresses are unique hardware identifiers; they are not location-based. I could take a router anywhere and plug it in and get on the Internet.

In IPv4, MAC addresses are only sent in packets going to other machines on a LAN; they're stripped from packets going past the gateway onto the 'net.

In IPv6, the 64 bit "host" part of the full 128 bit address is often automatically generated from the MAC address, and hence might be visible to the server one connects to. See also How to avoid exposing my MAC address when using IPv6?

goblinbox

Posted 2010-11-28T04:37:12.900

Reputation: 2 414

1You're correct, but Google nevertheless records them (apparently collecting them via Javascript) as part of their "location services." – user55325 – 2010-11-28T05:42:38.647

1MAC addresses are made up of 3 fields: a magical field used for things like address type, a manufacturer ID number, and a sequence number. Collecting MAC address will tell who made the piece of equipment, but tells nothing at all about where it is located. The IP address, on the other hand CAN be mapped to a physical location, though usually not very accurately. (For example, ISP allocated addresses are usually accurate to the city in which the ISP is, and thats about all). – quickly_now – 2010-11-28T08:07:13.787

Mapping MAC addresses to physical locations seems like a futile endeavor since so much hardware is portable, but yes, on further research it does appear that Google is doing so. – goblinbox – 2010-11-30T02:02:38.467

Geolocation in an OS (or a browser) is more likely based on the MAC address of an access point (not the MAC address of a —mobile— computer), which can be harvested (like by Google or Skyhook), or manually added to geo databases. Of course, after that, the device could be moved to another location too, or the registration might be faulty to start with.

– Arjan – 2011-02-09T19:51:50.290

MAC addresses of wireless routers are prime location information, their rate of movement is much less then their rate of discovery by a cellphone with access point assisted localization. When the phone queries the database with the MAC address to get location data, if the phone also happens to have the GPS on it's actually updating the location of the router in the database. After Google seeded it's database with the information gathered by their cars to get the system going, I guess now the cellphones will keep the database updated by them selves. – JKAbrams – 2013-12-18T08:37:52.693

I think the author of that web page doesn't understand how what he's doing works. That's simply IP address geolocation. For me, it shows a location that's several miles from where I actually am. I can't speak to the router vulnerability he claims.

If you'd like to see the range of information that can be obtained (beyond just browser headers), visit BrowserSpy.dk and Panopticlick.

Paused until further notice.

Posted 2010-11-28T04:37:12.900

Reputation: 86 075

You can see your user agent here: http://whatsmyuseragent.com/

For example, mine is: Mozilla/5.0 X11 U Linux x86_64 en-US AppleWebKit/534.13 KHTML, like Gecko Ubuntu/10.04 Chromium/9.0.590.0 Chrome/9.0.590.0 Safari/534.13

As you can see, it identifies my CPU architecture (x86_64) and my OS. However, keep in mind that any hardware information collected by e. g. browser plugins can easily be forged, and should not be relied upon.

It's certainly possible for browser plugins to send hardware information. Ordinarily any such information would be considered "public," like the aforementioned MAC address (if you're concerned about this, it is possible to change it).

So you should be careful what plugins you install, but reputable ones should not send any information considered a security risk.

user55325

Posted 2010-11-28T04:37:12.900

Reputation: 4 693