
German Police Ask Router Owners For Help In Identifying a Bomber's MAC Address (zdnet.com) 141

An anonymous reader quotes ZDNet: German authorities have asked the public for help in surfacing more details and potentially identifying the owner of a MAC address known to have been used by a bomber in late 2017... The MAC address is f8:e0:79:af:57:eb. Brandenburg police say it belongs to a suspect who tried to blackmail German courier service DHL between November 2017 and April 2018. The suspect demanded large sums of money from DHL and threatened to detonate bombs across Germany, at DHL courier stations, private companies, and in public spaces. [The bomb threats were real, but one caught fire instead of exploding, while the second failed to explode, albeit containing real explosives.]

Investigators called in to negotiate with the bomber managed to exchange emails with the attacker on three occasions, on April 6, 2018, April 13, 2018, and April 14, 2018. One of the details obtained during these conversations was the bomber's MAC address, which based on the hardware industry's MAC address allocation tables, should theoretically belong to a Motorola phone... Now, they're asking router owners to check router access logs for this address, and report any sightings to authorities. Investigators want to know to what routers/networks the bomber has connected before and after the attacks, in order to track his movements and maybe gain an insight into his identity.
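The log check the article asks router owners to perform, as an added example (not code from the article, the police, or any commenter). Routers and switches write MAC addresses in different notations, so the search normalizes every address before comparing; the function names and the log formats in `SAMPLE_LOG` are assumptions constructed for illustration.

```python
import re

TARGET = "f8:e0:79:af:57:eb"  # MAC address quoted in the article

# A MAC in colon/hyphen, dotted-quad (switch CLI style) or bare-hex notation.
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}"
    r"|[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2}"
    r"|[0-9A-Fa-f]{12})(?![0-9A-Fa-f])"
)

def normalize(mac):
    """Return the lower-case, colon-separated form of a MAC string."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def oui(mac):
    """First three octets: the IEEE-assigned manufacturer prefix."""
    return normalize(mac)[:8]

def is_locally_administered(mac):
    """True if bit 0x02 of the first octet is set, meaning the address was
    assigned in software rather than drawn from a vendor's block."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def find_sightings(lines, target=TARGET):
    """Return (line_number, line) for every line that mentions target."""
    want = normalize(target)
    return [
        (n, line.rstrip())
        for n, line in enumerate(lines, 1)
        if any(normalize(m.group()) == want for m in MAC_RE.finditer(line))
    ]

SAMPLE_LOG = [  # constructed lines in assumed formats, not real router data
    "Apr  6 10:02:11 hostapd: wlan0: STA f8:e0:79:af:57:eb IEEE 802.11: associated",
    "Apr  6 10:02:12 dnsmasq-dhcp[812]: DHCPACK(br-lan) 192.168.1.23 F8:E0:79:AF:57:EB",
    "Apr  6 10:05:40 kernel: br0: port 2 learned F8-E0-79-AF-57-EB",
    "Apr  6 10:07:03 switch: %MAC_MOVE: f8e0.79af.57eb moved to Gi0/4",
    "Apr  6 10:09:55 hostapd: wlan0: STA f8:e0:79:af:57:ec IEEE 802.11: associated",
    "Apr  6 10:11:20 hostapd: wlan0: STA da:a1:19:3c:77:05 IEEE 802.11: associated",
]

if __name__ == "__main__":
    for n, line in find_sightings(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

The article's address has the locally-administered bit clear, which is why a vendor lookup on its first three octets is possible at all; a cloned vendor address looks identical in a log, so a match places an address at a router, not a person.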

  • If that keeps happening, we'll need to take packages to the post office unsealed, so we can show the contents to the post office employee, and then seal it in front of them. To prevent bombs from getting delivered. Annoying.
    • This is Germany we're talking about. The solution is probably that all parcels containing bombs have to clearly be labeled as such so no future incidents can happen anymore.

      Next week the opposition parties will probably lament why the ruling parties didn't have that idea earlier.

      • It seems reasonable. Then they can sort them into bomb and nonbomb categories without too much effort.
        • It's been done virtually before. RfC 3514 - IETF [ietf.org] aka the "Packet Evil Bit."

          ... often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. We define a security flag in the IPv4 header as a means of distinguishing the two cases.
        • And knowing their love for bureaucracy, I'm fairly sure that the bomb deliveries will be carried out, although with an "attention, might explode" sticker attached. As long as there's a sticker attached, it's all right.

  • Wait a damn sec (Score:3, Insightful)

    by Squiddie ( 1942230 ) on Saturday January 12, 2019 @01:44PM (#57950406)
    So the police haven't even considered that he might have spoofed his MAC address? Or that he used a burner device? Nice police work.
    • by Anonymous Coward

      I imagine they did since they aren't tracking the device down by who the mac was sold to but rather where that mac address that they keep seeing might have consistently been seen by other devices. From there a search of the area for cameras. Looking at the logs they should also be able to possibly eliminate a false positive.

    • Re:Probably spoofed (Score:5, Informative)

      by wolfheart111 ( 2496796 ) on Saturday January 12, 2019 @01:56PM (#57950460)
      The router will show the spoofed mac, so they will know his location of the router, search street cams of the surrounding area.
    • by Anonymous Coward

      In the minds of idiots they view anything with the word "address" as an inviolable identifier.

      They probably have black vans prowling neighborhoods looking for a WLAN card beaconing it, ready to jump and arrest anyone whose device just so happened to randomly set its MAC address to it automatically as part of a security policy.

      When it's revealed that the head rolled because of a security practice, they'll demand a ban on devices being able to change their MAC address during the next wave of "Think of the Terro

    • The MAC address could potentially be used to SWAT someone.
    • by godrik ( 1287354 )

      So the police haven't even considered that he might have spoofed his MAC address? Or that he used a burner device? Nice police work.

      Well, maybe they have considered it. But maybe the bomber isn't very tech savvy and does not know how to do that or got sloppy. The MAC address seems like a reasonable lead to follow.

      Or do you prefer the following scenario:
      Inspector, we found fingerprints on the murder weapon.
      They can be lifted from a glass and reproduced, we can trust it.
      Inspector, we also found DNA.
      Forget it, someone's DNA can be easily found anywhere and planted.
      Inspector, the murder victim wrote a name on the wall in her own blood.
      There i

      • by arth1 ( 260657 )

        Well, maybe they have considered it. But maybe the bomber isn't very tech savvy and does not know how to do that or got sloppy. The MAC address seems like a reasonable lead to follow.

        In that case, the reasonable course of action would be to ask Motorola which device model had this particular MAC address, and where it was sold, and then follow it through the serial number to the buyer.
        I can only presume that they have tried and failed this, and that's why they're asking.

        • Comment removed based on user account deletion
          • Well... it's Germany ... so probably they actually DO have forms and paperwork that identifies that MAC address...

          • (At best Motorola might be able to identify the distributor of the hardware in question, after that it's unlikely anyone was tracking MAC addresses to their ultimate buyer.)

            It appears to be a MAC address used on a mobile device. If it is a cellphone, the manufacturer almost certainly can tie it to an IMEI number and probably track exactly where it was sold. I assume that it was used as a burner so there may not be further records of the owner, but the IMEI should be logged by the ISP when it connected to th

    • Re:Wait a damn sec (Score:5, Insightful)

      by bill_mcgonigle ( 4333 ) * on Saturday January 12, 2019 @02:43PM (#57950662) Homepage Journal

      Why would you assume they have assumed that? Those are just two of roughly eight scenarios I can think of without much effort - why would police not follow and extinguish all possible leads?

      Methinks they're doing OK without needing to hire you as a police consultant.

      • Because "everyone" knows that an OUI can be trivially looked up, so the fact that they needed outside consultants to tell them shows their pathetic level of understanding.

    • They've already tracked him via the MAC address using pervasive spying techniques they don't want to reveal. This is cover so they can say a member of the public gave them a tip instead.
    • Comment removed based on user account deletion
    • In this case they have obviously decided that it's worth going public with what they know, even though they risk alerting the suspect.
  • by wolfheart111 ( 2496796 ) on Saturday January 12, 2019 @02:06PM (#57950522)
    Go to Shodan, filter insecure routers in Germany... there's APIs for Shodan as well... WTF never mind, they should know this shit already.
  • by Artem S. Tashkinov ( 764309 ) on Saturday January 12, 2019 @02:13PM (#57950554) Homepage

    There are several huge issues with this call:

    First of all, most likely the suspect has long gotten rid of the device and I'm not sure how finding his device in logs might help anyone (aside from narrowing down his whereabouts but then we have to presume that the CCTV footage at that location still remains which is highly unlikely).

    Second of all, assuming he's not a total idiot, he could have modified his device MAC address which is possible for most Android smartphones.

    Thirdly, this device was probably produced by Motorola/Lenovo, because F8E079 is their unique MAC prefix.

    Fourthly, most people keep their routers password-protected which makes the task even harder.

    Lastly, most Wi-Fi routers can barely keep more than a week's worth of logs and they are not stored permanently, so a reboot wipes them clean.

    • by dissy ( 172727 )

      There are several huge issues with this call:
      First of all, most likely the suspect has long gotten rid of the device and I'm not sure how finding his device in logs might help anyone (aside from narrowing down his whereabouts but then we have to presume that the CCTV footage at that location still remains which is highly unlikely).

      It may possibly lay out a point or two on a map that may possibly show the accused was near the same spot more than once, or may possibly lower other suspects on the priority list who were known to be elsewhere.

      It's quite the long shot for certain, but worst that can happen is "nothing" and they are no worse off than they are now.

      Second of all, assuming he's not a total idiot, he could have modified his device MAC address which is possible for most Android smartphones.
      Thirdly, this device was probably produced by Motorola/Lenovo, because F8E079 is their unique MAC prefix.

      Don't assume they aren't an idiot, there are plenty of idiots that do bad things and shouldn't be crossed off the list just for being an idiot :P

      Fourthly, most people keep their routers password-protected which makes the task even harder.
      Lastly, most Wi-Fi routers can barely keep more than a week's worth of logs and they are not stored permanently, so a reboot wipes them clean.

      Yea I don't see anything coming out

    • If he plants another bomb they may have a better idea where to go.
    • by AHuxley ( 892839 )
      German police both East and West and now Germany are great at searching for Germans for any reason.
      Powerful laws help with any search they want to do too :)
    • by Mal-2 ( 675116 )

      Any time I've used a modified MAC address, I've set it to appear to be an iPhone, because it's just easier to hide in the sea than in a water hazard. If I get booted off (for being there too long or whatever), I'll spin up another, but with the same device manufacturer range.

  • by Anonymous Coward on Saturday January 12, 2019 @02:16PM (#57950570)

    The German government has barred the BKA from directly working with the NSA, so now they are posting their dead-ends publicly.

  • ... to clone a politician's phone's MAC address for the one time I contact the police or press with my burner-device.

  • by seoras ( 147590 ) on Saturday January 12, 2019 @02:28PM (#57950622)

    Given the monumental technical task being asked here of Joe Public I wonder if the German cops are really asking hackers, who want to show off their skills, for help?

    • Given the monumental technical task being asked here of Joe Public I wonder if the German cops are really asking hackers, who want to show off their skills, for help?

      Hackers do not help the police ever. They are not faggots like you.

  • What? (Score:5, Interesting)

    by YuppieScum ( 1096 ) on Saturday January 12, 2019 @03:13PM (#57950764) Journal

    Router logs? Really?

    You have the MAC address, so you can identify the manufacturer. You call them, ask them for the IMEI, and the supply chain details.

    From the supply chain details, you can track it to a retailer. You then ask the retailer for the details of whomever bought it.

    From the IMEI, you ask the cellular telcos for details of the SIM associated with it in the period in question, and all the other data they hold - call history, SMS, whatever.

    You ask the SIM vendor for any details on the subscriber - even if it's a PAYG and they paid cash, the location of the transaction will be available.

    From the other telco data, you can track down the suspect's associates, always presuming they might be entirely uninvolved beyond being an acquaintance

    Unless this suspect bought the phone from a second-hand store (or stole it), never put a SIM in it, and used public WiFi for their scheme, you stand a moderate chance of getting close.

    Hoping that random people will (a) see your request, (b) understand what it means, (c) own a router with open access, (d) know how to look at their logs, (e) be bothered to do so, and (f) have logs that go back at least nine months, seems to be a long shot.

    I get the impression that some policeman has equated a MAC address to a car's registration number, so decided to ask if anyone has seen it...

    • Hoping that random people will (a) see your request, (b) understand what it means, (c) own a router with open access, (d) know how to look at their logs, (e) be bothered to do so, and (f) have logs that go back at least nine months, seems to be a long shot.

      It's absolutely a long shot. But it costs them, what, five minutes to type up a press release and hand it to the department media liaison. They'd be stupid not to put out the request.

    • by guruevi ( 827432 )

      Sure, if the vendor keeps track of it. Most likely not. It also seems Motorola has only cheap devices in that range, so this was almost definitely a burner.

    • Just look for insecure routers... that's all. Do what he did... follow his path as such.... go on assumptions. He wasn't at a public wifi... too many cams.... must have been at a granny's house... somewhere next door... hackable router... u got em.... Use assumptions.
  • by certsoft ( 442059 ) on Saturday January 12, 2019 @04:28PM (#57950974) Homepage
    I have the same combination on my luggage.
  • I go with dead beef dead when I spoof mac addresses
  • So the guy either changes the MAC address or if he's a newbie he throws away the hardware.

  • by sweet 'n sour ( 595166 ) on Saturday January 12, 2019 @08:00PM (#57951720)
    I've had two Intel nics with the same MAC address.

    A MAC address is made up of 6 bytes. The first three are the manufacturer so that only leaves three bytes for unique addresses. FFFFFF = 16,777,215 unique addresses.
    Some manufacturers have more than one three-byte identifier, but many just re-use. Using a MAC address as a unique identifier is going to give you a lot of false positives.
    • Doubt that, how would that work on the same LAN?
      • by Mal-2 ( 675116 )

        Not very well. [serverfault.com]

        Short answer: you can either hide them behind different switches, or the network is going to keep alternately connecting one (which disconnects the other), then the other, since it can't tell them apart.

        • you can either hide them behind different switches

          As long as it's on the same LAN, that won't work (as the IP layer is not reached, only the data-link layer) unless you separate the LAN via VLANs, this is done thanks to L3 switches (that use the IP address, like a router without really routing, just pass the packets to the right ports).

  • by Anonymous Coward

    1. Not unique.
    2. Can be spoofed.
    3. Presumption of innocence before pinning blame on anyone with this MAC.
    4. Routers don't typically log access, and even if they did most would be aged out by now (buffer overflow or reboot).

    This is terrible police work on all accounts...

    Can't they just ask the NSA for help?
