US cop goes war-driving to find stolen gear by MAC address

What could possibly go wrong? For starters, iOS randomises iThings' MACs

Correction Be careful with your Wi-Fi things' MAC addresses: an Iowa cop wants to sniff hardware addresses to turn up stolen goods.

In a move that opens up a whole new world of "swatting," Iowa City's The Gazette reports that city officer David Schwindt has created software to go war-driving for MAC addresses.

He calls the software L8NT (oh, "latent," l33t-speak from a policeman no less), and with a suitable antenna, it will try to match any MAC addresses it encounters with "known stolen goods."

Schwindt acknowledges that people might not have ever noticed the MAC address of their laptop, desktop, tablet, mobile phone, refrigerator, smart TV, or broadband router. Of course, if the Wi-Fi is turned off or the device is powered down, it's not going to be visible.

The Register notes that while MAC addresses are assigned on a unique basis by the IEEE, they're no longer immutable, meaning any tech-savvy crook with time to spare can hide the provenance of stolen goods. Then there's ploys like Apple's decision to randomly change iThings' MAC addresses, which Cupertino implemented in iOS 8 as a way to make it harder to identify devices connecting to public WiFi networks.

Schwindt promises that his software doesn't look for any personally sensitive information while it's scanning for contraband MAC addresses, but could create another problem if a malefactor with the right information created a new "swatting" attack by entering a target's home gateway via the nearly-always-unchanged default password, then giving it a MAC address that will interest the police.

The Gazette reckons the officer hopes to patent L8NT, which looks a bit of a stretch since "reading MAC addresses" is a pretty fundamental networking capability. ®

Correction: A reader has taken issue with the phrase "MAC addresses are no longer immutable", writing: "Actually, the ability to change the MAC address was mandated by the original spec, back when it was DIX (DEC-Intel-Xerox) Ethernet. DECnet Phase IV changes the system's MAC address to its network/node address."

Thanks for pointing this out. ®


Biting the hand that feeds IT © 1998–2017