Wanted – have you seen this MAC address: f8:e0:79:af:57:eb? German cops appeal for logs in bomb probe

Plod hope to snare DHL blackmailer with a penchant for homemade explosives

police

German police investigating a blackmailer's parcel bombing campaign reckon they know the MAC address of a device used by the scumbag, and hope network logs can help unmask the perp.

Between November 2017 and April 2018, improvised explosive devices were sent to addresses in and around Berlin and Frankfurt an der Oder via DHL, in an apparent attempt to extort the delivery giant: cough up wads of crypto-cash, or get more bombs through the mail.

One package was sent to the Berlin Chamber of Crafts, and another to a pharmacy in Potsdam. The former was defused without exploding after the cops were called in, and the latter failed to go off when opened – it contained firework powder, nails, and screws. A bank in Berlin and an online store in Frankfurt an der Oder also received what appeared to be homemade bombs.

An extortion note was discovered encoded in a QR code on one of the parcels – the cops had to piece it together again after blowing it up in a controlled explosion – and it demanded several million Euros in Bitcoin to call off the campaign.

A police probe turned up the MAC address f8:e0:79:af:57:eb, which, if genuine and non-spoofed, belongs to a Motorola/Lenovo device – most likely a Motorola smartphone.

Blackmail

Sorry friends, I'm afraid I just can't quite afford the Bitcoin to stop that vid from leaking everywhere

READ MORE

MAC addresses, for the uninitiated, are an essential ingredient in Ethernet, Wi-Fi, and Bluetooth network protocols, helping ensuring packets of data make their way across networks to the correct devices. They are assigned in blocks to hardware manufacturers, meaning the first digits typically identify the hardware maker, though they can be altered by system software.

If the address hasn't been changed, either by deliberate spoofing or by security practices such as MAC address randomization, it could help pinpoint the bomber, particularly if they still have the handset: it's possible the extortionist may be unaware of MAC addresses.

In an appeal for help this week, Brandenburg police ruled out randomisation, because a device with the same MAC address logged into “several public WLAN networks in Berlin at different times,” and that's why they also believe the address is most likely unaltered.

“We know that certain programs or apps can change the MAC address," the plod noted. "However, it is unlikely that several different people have used exactly this MAC address up to now in the Berlin and Brandenburg area.”

So basically, the cops hope a device with the above MAC address has connected to other networks, and that there may be a log out there revealing the connection time and location, allowing investigators to trace the extortionist's steps and link him or her to CCTV footage and other evidence.

Officers noted that some households leave Wi-Fi open and unsecured for others to use, so they're hoping those people will also search their device logs for the address. Assuming any records have been kept to this date, or were kept in the first place.

It's a long shot, to put it mildly. But as everything in life, you miss every shot you don't take. It's certainly an interesting first. Just, please, don't all of you set your MAC to f8:e0:79:af:57:eb... ®




Biting the hand that feeds IT © 1998–2019