German Police Ask Router Owners For Help In Identifying a Bomber's MAC Address (zdnet.com)
An anonymous reader quotes ZDNet: German authorities have asked the public for help in surfacing more details and potentially identifying the owner of a MAC address known to have been used by a bomber in late 2017... The MAC address is f8:e0:79:af:57:eb. Brandenburg police say it belongs to a suspect who tried to blackmail German courier service DHL between November 2017 and April 2018. The suspect demanded large sums of money from DHL and threatened to detonate bombs across Germany, at DHL courier stations, private companies, and in public spaces. [The bomb threats were real, but one caught fire instead of exploding, while the second failed to explode, albeit containing real explosives.]
Investigators called in to negotiate with the bomber managed to exchange emails with the attacker on three occasions, on April 6, 2018, April 13, 2018, and April 14, 2018. One of the details obtained during these conversations was the bomber's MAC address, which based on the hardware industry's MAC address allocation tables, should theoretically belong to a Motorola phone... Now, they're asking router owners to check router access logs for this address, and report any sightings to authorities. Investigators want to know to what routers/networks the bomber has connected before and after the attacks, in order to track his movements and maybe gain an insight into his identity.
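For anyone who actually wants to grep their logs for the address the police published, the practical problems are that routers, access points and switches each write MACs in a different notation, and that the address itself carries two bits worth checking before anyone reports a "sighting". The following is an added example written for this thread, not code from ZDNet, the Brandenburg police or any router vendor. The log lines are constructed samples in the shapes of dnsmasq DHCP, hostapd and a Cisco-style ARP table, and the OUI table is a two-line stand-in for the IEEE registry that only carries the F8:E0:79 prefix the article attributes to Motorola; a real lookup uses the published oui.csv.

```python
"""Find a target MAC in mixed-format log lines and describe what the address itself reveals.

Added example for this discussion (not from the article or any vendor). Sample log lines
and the OUI table below are constructed for the demo."""
import re
from dataclasses import dataclass
from typing import List, Optional

# The address published in the article.
TARGET = "f8:e0:79:af:57:eb"

# Stand-in for the IEEE OUI registry. Assumption: the vendor string follows the
# article's claim that the F8:E0:79 prefix is allocated to Motorola (Lenovo).
OUI_TABLE = {"F8E079": "Motorola Mobility (Lenovo)"}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text: str) -> str:
    """Return the canonical lower-case colon form.

    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and aabbccddeeff,
    so the same device matches whether the log came from dnsmasq, hostapd or a switch."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class MacInfo:
    mac: str
    oui: str
    vendor: Optional[str]
    locally_administered: bool  # U/L bit set: randomized or manually set, not a factory OUI
    multicast: bool             # I/G bit set: never a real station address


def describe_mac(text: str) -> MacInfo:
    """Decode the vendor prefix and the two flag bits of the first octet."""
    mac = normalize_mac(text)
    first_octet = int(mac[:2], 16)
    oui = mac.replace(":", "")[:6].upper()
    return MacInfo(
        mac=mac,
        oui=oui,
        vendor=OUI_TABLE.get(oui),
        locally_administered=bool(first_octet & 0x02),
        multicast=bool(first_octet & 0x01),
    )


# Any MAC in colon/dash or Cisco dotted notation, anywhere in a line.
_MAC_IN_LINE = re.compile(
    r"(?i)\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b|\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b"
)


def find_sightings(lines: List[str], target: str) -> List[str]:
    """Return every log line that mentions `target`, whatever notation the line uses.

    Comparison is done on the normalized form, so near-miss addresses (such as the
    same address with the locally-administered bit flipped) are not reported."""
    want = normalize_mac(target)
    hits = []
    for line in lines:
        for match in _MAC_IN_LINE.finditer(line):
            if normalize_mac(match.group(0)) == want:
                hits.append(line.strip())
                break
    return hits


# Constructed sample lines: dnsmasq DHCPACK, hostapd association events and one
# Cisco-style "show ip arp" row. The third line is a different address that differs
# from the target only in the U/L bit and must not be reported.
SAMPLE_LOG = """\
Apr 13 19:02:11 gw dnsmasq-dhcp[842]: DHCPACK(br-lan) 192.168.1.57 f8:e0:79:af:57:eb android-4f3c
Apr 13 19:02:12 gw hostapd: wlan0: AP-STA-CONNECTED F8-E0-79-AF-57-EB
Apr 13 19:05:40 gw dnsmasq-dhcp[842]: DHCPACK(br-lan) 192.168.1.58 fa:e0:79:af:57:eb android-9a01
Internet  192.168.1.57  3   f8e0.79af.57eb  ARPA   Vlan1
Apr 14 08:11:03 gw hostapd: wlan0: AP-STA-DISCONNECTED f8:e0:79:af:57:eb
""".splitlines()


if __name__ == "__main__":
    info = describe_mac(TARGET)
    print(f"{info.mac}: OUI {info.oui} ({info.vendor or 'unknown'}), "
          f"locally administered={info.locally_administered}, multicast={info.multicast}")
    for hit in find_sightings(SAMPLE_LOG, TARGET):
        print("sighting:", hit)
```

Run against a real syslog export, `find_sightings` is the grep; `describe_mac` is the sanity check. For the published address the first octet is 0xF8, so both flag bits are clear: it is a globally administered unicast address under a registered OUI, which is why the police can attribute it to a manufacturer at all. A randomized or hand-spoofed address very often has the 0x02 bit set (`x2`, `x6`, `xA`, `xE` as the second hex digit), and a line carrying such an address is not evidence of the same phone even if the remaining octets match.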
Re: (Score:1)
Don't be ridiculous. It's illegal to spoof a MAC address in Germany. No German terrorist bomber would break the law like that.
Re: (Score:2)
Not many. It is Germany, after all.
Re: (Score:3)
So how do they know the address is not spoofed?
To an extent it wouldn't matter, right? If he's been using the spoofed address all over his villain base, then seeing that spoofed address in your logs could indicate that he was nearby.
But another point is that if he stole someone else's MAC address (not "stole" but ya know) then he could basically hide in their wake. But I mean that's the sort of math I'd like to see on a basic cable cop procedural. They have a MAC address but they have to figure out which locations were the innocent person and which were
Re: (Score:3)
I guess their train of thought is that if he's too stupid to build bombs that actually work, he's probably also too stupid to even know what a MAC address is.
Not all "cyber" criminals are computer wizards and strategic masterminds. Just like very few bank robbers are Ocean's Eleven.
Re: Spoofed mac? (Score:1)
Lol. He had to be joking. That's too stupid.
Re: (Score:2)
ANYTHING
Heck, I've used a program that lets my network card pretend it's a half dozen other cards, each with their own MAC.
I used to use it to get around those super slow access places that only let you download one file at a time at the snails pace of less than 2k.
If the site supported segment downloads, then I'd have it split the file between the addresses, and if not, I'd have each one downloading a different file.
Of course, finding spoofing software for your phone migh
Re: (Score:1)
You can change the MAC address in your router settings.
Good lord (Score:1)
Forget it. You can't help.
Re: (Score:3)
This is Germany we're talking about. The solution is probably that all parcels containing bombs have to clearly be labeled as such so no future incidents can happen anymore.
Next week the opposition parties will probably lament why the ruling parties didn't have that idea earlier.
Re: (Score:2)
And knowing their love for bureaucracy, I'm fairly sure that the bomb deliveries will be carried out, although with an "attention, might explode" sticker attached. As long as there's a sticker attached, it's all right.
Wait a damn sec (Score:3, Insightful)
Re: (Score:1)
I imagine they did, since they aren't tracking the device down by who the MAC was sold to, but rather by where that MAC address they keep seeing might have consistently been seen by other devices. From there, a search of the area for cameras. Looking at the logs they should also be able to possibly eliminate a false positive.
Re: (Score:1)
In the minds of idiots they view anything with the word "address" as an inviolable identifier.
They probably have black vans prowling neighborhoods looking for a WLAN card beaconing it, ready to jump and arrest anyone whose device just so happened to randomly set its MAC address to it automatically as part of a security policy.
When it's revealed that the head rolled because of a security practice, they'll demand a ban on devices being able to change their MAC address during the next wave of "Think of the Terro
Re: (Score:2)
So the police haven't even considered that he might have spoofed his MAC address? Or that he used a burner device? Nice police work.
Well, maybe they have considered it. But maybe the bomber isn't very tech savvy and does not know how to do that, or got sloppy. The MAC address seems like a reasonable lead to follow.
Or do you prefer the following scenario:
Inspector, we found fingerprints on the murder weapon.
They can be lifted from a glass and reproduced, we can't trust it.
Inspector, we also found DNA.
Forget it, someone's DNA can be easily found anywhere and planted.
Inspector, the murder victim wrote a name on the wall in her own blood.
There i
Re: (Score:2)
Well, maybe they have considered it. But maybe the bomber isn't very tech savvy and does not know how to do that, or got sloppy. The MAC address seems like a reasonable lead to follow.
In that case, the reasonable course of action would be to ask Motorola which device model had this particular MAC address, and where it was sold, and then follow it through the serial number to the buyer.
I can only presume that they have tried and failed this, and that's why they're asking.
Re: (Score:2)
Well... it's Germany ... so probably they actually DO have forms and paperwork that identifies that MAC address...
Re: (Score:2)
It appears to be a MAC address used on a mobile device. If it is a cellphone, the manufacturer almost certainly can tie it to an IMEI number and probably track exactly where it was sold. I assume that it was used as a burner so there may not be further records of the owner, but the IMEI should be logged by the ISP when it connected to th
Re:Wait a damn sec (Score:5, Insightful)
Why would you assume they have assumed that? Those are just two of roughly eight scenarios I can think of without much effort - why would police not follow and extinguish all possible leads?
Methinks they're doing OK without needing to hire you as a police consultant.
Re: (Score:2)
Because "everyone" knows that an OUI can be trivially looked up, so the fact that they needed outside consultants to tell them shows their pathetic level of understanding.
Re: (Score:2)
Yeah, email headers don't contain MAC addresses.
Re: (Score:2)
Last time I checked, the device has to talk to the AP in order to authenticate.
Re: (Score:2)
Just to see if my router actually logs this, I just checked: my >200 Euro router keeps the logs for just about 24 hours. If that is any indication, it seems that their best chance is public WiFi spots that hopefully have a bit more in place to retain logs.
Re: (Score:2)
While my router forwards logs to a lan server, and also saves daily logs to a USB key, the remote mac address is not normally logged.
I would think that would be fairly uncommon.
Re: (Score:3)
True, I've only got entries from the DHCP server with MAC addresses in it.
Re: (Score:2)
So what do those logs look like?
Like "Mon Jan 14 14:39:37 CET 2019: A station associated!"?
Re: (Score:2)
Router logs differ depending on the router, and what it's configured to do. There's no set format for what a router logs or how; it depends on the router OS, model and configuration.
Changes in routing information would normally go in router logs, along with information on packets that cannot or would not be routed, and interfaces that go up or down.
"A station associated" seems to me to be an access point log, not a router log. (Granted, these days some call everything a "router", much like they called eve
Re: (Score:2)
Does Google not do street view around there? Their cars log absolutely everything any of their sensors can grab anytime. So maybe start there or other similar mapping services?
Re: (Score:2)
What, like hundreds of people are now going to set their phones to use this MAC address? That would never happen.
Re: (Score:2)
The guy planted actual, viable bombs that would kill people.
The MAC address is believed to be genuine.
It's no different to saying "We are trying to trace the vehicle the bomber drove off in, with the registration X374 HFU" (or whatever). It's not like they are giving out a personal detail (e.g. a phone number, or an address), but they have given out names and hometowns since forever.
Happens EVERY DAY if you follow any police Twitter account, watch anything like Crimewatch (UK TV programme which is used for
Re: (Score:3)
Of course you can. I do it all the time (HyperV tools to emulate an existing MAC from another server for failover etc.). I've been able to - and have done - it since kernel 2.0 at least... I actually use MAC address as part of things like RADIUS authentication, though. Because 99.999% of people would never be able to work out how to do it.
They've even already eliminated the modern feature of "disposable" MAC addresses given to each Wifi network you probe to prevent such tracking... they know his MAC sta
Re: (Score:3)
A jury wouldn't be involved anyway, Germany generally uses professional judges.
Re: (Score:2)
Or they have, but knowing that the device in question was sold at a given corner store or whatever is one piece of the puzzle; knowing that the person who owned the phone at the time frequented certain locations is another piece of the puzzle.
A near impossible task (Score:5, Insightful)
There are several huge issues with this call:
First of all, most likely the suspect has long gotten rid of the device, and I'm not sure how finding his device in logs might help anyone (aside from narrowing down his whereabouts, but then we have to presume that the CCTV footage at that location still remains, which is highly unlikely).
Second of all, assuming he's not a total idiot, he could have modified his device MAC address which is possible for most Android smartphones.
Thirdly, this device was probably produced by Motorola/Lenovo, because F8E079 is their unique MAC prefix.
Fourthly, most people keep their routers password-protected which makes the task even harder.
Lastly, most Wi-Fi routers can barely keep more than a week's worth of logs, and they are not stored permanently, so a reboot wipes them clean.
Re: (Score:1)
There are several huge issues with this call:
First of all, most likely the suspect has long gotten rid of the device, and I'm not sure how finding his device in logs might help anyone (aside from narrowing down his whereabouts, but then we have to presume that the CCTV footage at that location still remains, which is highly unlikely).
It may possibly lay out a point or two on a map that may possibly show the accused was near the same spot more than once, or may possibly lower other suspects on the priority list who were known to be elsewhere.
It's quite the long shot for certain, but worst that can happen is "nothing" and they are no worse off than they are now.
Second of all, assuming he's not a total idiot, he could have modified his device MAC address which is possible for most Android smartphones.
Thirdly, this device was probably produced by Motorola/Lenovo, because F8E079 is their unique MAC prefix.
Don't assume they aren't an idiot, there are plenty of idiots that do bad things and shouldn't be crossed off the list just for being an idiot :P
Fourthly, most people keep their routers password-protected which makes the task even harder.
Lastly, most Wi-Fi routers can barely keep more than a week's worth of logs, and they are not stored permanently, so a reboot wipes them clean.
Yeah, I don't see anything coming out of this.
Re: (Score:2)
Powerful laws help with any search they want to do, too.
Re: (Score:2)
Any time I've used a modified MAC address, I've set it to appear to be an iPhone, because it's just easier to hide in the sea than in a water hazard. If I get booted off (for being there too long or whatever), I'll spin up another, but with the same device manufacturer range.
Not so subtle request to the NSA (Score:4, Funny)
The German government has barred the BKA from directly working with the NSA, so now they are posting their dead-ends publicly.
Remind me if I'm ever planting bombs in Germany... (Score:1)
... to clone a politician's phone's MAC address for the one time I contact the police or press with my burner device.
Back for White hat (Score:3)
Given the monumental technical task being asked here of Joe Public I wonder if the German cops are really asking hackers, who want to show off their skills, for help?
Re: (Score:2)
Given the monumental technical task being asked here of Joe Public I wonder if the German cops are really asking hackers, who want to show off their skills, for help?
Hackers do not help the police ever. They are not faggots like you.
What? (Score:5, Interesting)
Router logs? Really?
You have the MAC address, so you can identify the manufacturer. You call them, ask them for the IMEI, and the supply chain details.
From the supply chain details, you can track it to a retailer. You then ask the retailer for the details of whomever bought it.
From the IMEI, you ask the cellular telcos for details of the SIM associated with it in the period in question, and all the other data they hold - call history, SMS, whatever.
You ask the SIM vendor for any details on the subscriber - even if it's a PAYG and they paid cash, the location of the transaction will be available.
From the other telco data, you can track down the suspect's associates, always presuming they might be entirely uninvolved beyond being an acquaintance.
Unless this suspect bought the phone from a second-hand store (or stole it), never put a SIM in it, and used public WiFi for their scheme, you stand a moderate chance of getting close.
Hoping that random people will (a) see your request, (b) understand what it means, (c) own a router with open access, (d) know how to look at their logs, (e) be bothered to do so, and (f) have logs that go back at least nine months, seems to be a long shot.
I get the impression that some policeman has equated a MAC address to a car's registration number, so decided to ask if anyone has seen it...
Re: (Score:3)
It's absolutely a long shot. But it costs them, what, five minutes to type up a press release and hand it to the department media liaison. They'd be stupid not to put out the request.
Re: (Score:2)
Sure, if the vendor keeps track of it. Most likely not. It also seems Motorola has only cheap devices in that range, so this was almost definitely a burner.
Re: (Score:2)
My ex works for a coroner, and they've used that exact method to formally identify what they call a "decomp" - a body that has been dead for several weeks, and decomposed so much that it's effectively melted into its surroundings.
Well done, cops (Score:2)
So the guy either changes the MAC address or, if he's a newbie, he throws away the hardware.
Address space collisions... (Score:3)
A MAC address is made up of 6 bytes. The first three are the manufacturer so that only leaves three bytes for unique addresses. FFFFFF = 16,777,215 unique addresses.
Some manufacturers have more than one three-byte identifier, but many just re-use. Using a MAC address as a unique identifier is going to give you a lot of false positives.
Re: (Score:2)
Not very well. [serverfault.com]
Short answer: you can either hide them behind different switches, or the network is going to keep alternately connecting one (which disconnects the other), then the other, since it can't tell them apart.
Re: (Score:2)
you can either hide them behind different switches
As long as it's on the same LAN, that won't work (as the IP layer is not reached, only the data-link layer), unless you separate the LAN via VLANs; this is done thanks to L3 switches (that use the IP address, like a router without really routing, just passing the packets to the right ports).
MACs aren't even unique (Score:1)
1. Not unique.
2. Can be spoofed.
3. Presumption of innocence before pinning blame on anyone with this MAC.
4. Routers don't typically log access, and even if they did most would be aged out by now (buffer overflow or reboot).
This is terrible police work on all accounts...
Can't they just ask the NSA for help?
Re: (Score:1)
This seems either an interesting social experiment or just laying a precedent to ask for mandatory access to router logs.