US cop goes war-driving to find stolen gear by MAC address

Be careful with your Wi-Fi things' MAC addresses: an Iowa cop wants to sniff hardware addresses to turn up stolen goods. In a move that opens up a whole new world of "swatting," Iowa City's The Gazette reports that city officer David Schwindt has created software to go war-driving for MAC addresses. He calls the software L8NT …

  1. Henry Wertz 1 Gold badge

    I think it's a reasonable idea.

    I think this is a reasonable idea. I seriously doubt anyone who nicks a device goes in and spoofs the MAC address. My mom pointed out one issue, who writes down the MAC address of their device? That said, I wouldn't want the police routinely logging MAC address versus location (since it could be used to track people's movements), but it sounds like this is just fed in a "hot list" of MACs and would alert when it saw one. That certainly beats the "nothing at all" that can typically be done to find stolen hardware.

    1. Mark 85

      Re: I think it's a reasonable idea.

      As long as there's oversight and "rules" for usage, I see no problem until someone gets the great idea to start "tracking everything". But yes, who keeps the package barcode strip with the MAC or writes it down and puts it somewhere.

      The only real problem is, is it directional? So there's 40 people on a street, the device pings and says "I got one". Well.. which person has it? Is it one of the 40? One of those in a building or house?

      1. Michael Thibault
        Devil

        Re: I think it's a reasonable idea.

        Directional? Triangulation. Over time, too.

        Now things might get a little hairier if the program could be run on a network (writ "large, ad-hoc") of other devices, voluntarily or otherwise, with central reporting... At the very least, running something like this, provided the list of stolen MACs is available, it can be used by ne'er-do-wells to shake down a possible device-thief. But no one's about to complain in such a case *cough*.

    2. Ole Juul

      Re: I think it's a reasonable idea.

      I don't think it's reasonable. The number of people running software (installed by them or part of an application or OS) is ever increasing. People using random MAC addresses could get wrongly accused, and false positives will only increase over time as people or software suppliers become more privacy conscious. This is a bad idea because it is based on a false premise. It is reminiscent of the boneheads who insist that an IP address represents an unique user or geographical location. They're in denial because the truth would expose the basic fallacy upon which their "idea" depends.

      1. bazza Silver badge

        Re: I think it's a reasonable idea.

        It is reminiscent of the boneheads who insist that an IP address represents an unique user or geographical location.

        An IP address at any one moment in time does point to a specific connection point, and therefore a fixed geographic location. That's kind of the whole point of an IP address. If they didn't do that then the Internet wouldn't work...

        It's solely a matter of record keeping by everyone involved (the ISPs, telcos, etc) for DHCP allocations, base station connections, etc. to be able to say where in the world an IP was.

        I say was, because AFAIK there's no infrastructure for that data to be reliably queried in real time. And that's probably a good thing; criminals can be pinpointed eventually, but no one can be pinpointed all the time live. Unless they choose to leave location services on the mobile switched on...

        1. Afernie

          Re: I think it's a reasonable idea.

          "An IP address at any one moment in time does point to a specific connection point, and therefore a fixed geographic location."

          My public IP address does indeed provide a fixed geographical location... five hundred miles from where I physically am. Not surprisingly, this is because that's where my ISP is - as you mentioned, their LOGS might provide my location barring other factors, but a dynamic public IP may mean nothing in and of itself. This is before taking into account address spoofing, proxies, and Tor. As for identifying a user by IP address - can you really prove it wasn't someone spoofing my address, cracking and piggybacking off my wireless connection, or a significant other, m'lord?

      2. Anonymous Coward
        Anonymous Coward

        Re: I think it's a reasonable idea.

        > People using random MAC addresses could get wrongly accused,

        Police investigations work as follows. Produce a list of suspects. Examine each of those suspects in more detail, with the goal of eliminating them or increasing the confidence that they are the villain. This is no different from looking at CCTV, faces, witness descriptions, number plates, customer lists, employee lists etc to produce a list of suspects. Those all hoover up plenty of innocent people too. With 4 billion MAC addresses a random match won't be common but they will sometimes happen.

        Provided this isn't the only bit of evidence - and recovering the stolen kit would seem to be the only sensible evidence - then fine.

        1. fajensen
          Black Helicopters

          Re: I think it's a reasonable idea.

          Examine each those suspects in more detail, with the goal of ... Discovering *something* that we can nick them for, now that they made us do work and all.

          Fixed.

          New Public Management policing works on Metrics, eliminating suspects fouls up the "charges made per police hour spent"-KPI so, once one is involved in a police investigation, the metrics-driven policing process will want one done for *something* - and plod will keep one's new police record anyway, forever.

          Never let the police in / search without a warrant, never talk to the police without a lawyer, realise that the police are not our friends any more.

        2. druck Silver badge
          Facepalm

          Re: I think it's a reasonable idea.

          Smooth Newt wrote:

          With 4 billion MAC addresses a random match won't be common but they will sometimes happen.

          You are thinking of IPv4 addresses, there are 281,474,976,710,656 MAC addresses, so a random match is far less likely - assuming the manufacturer has used unique values, which isn't always the case.

        3. MonkeyCee

          Re: I think it's a reasonable idea.

          You're confusing a police investigation, which is usually capital crimes and some other serious (10+ year jail time) stuff.

          For something like this, which is petty theft, the police investigation consists of :

          - file paperwork needed for insurance company.

          That's it.

          If they happen to find the kit when they are nabbing someone for something else, or they've got someone with a shed load of stolen goods, then you might be in luck.

          Considering the amount of serious crimes that are not investigated, and are of genuine importance, petty property crimes can go by the wayside. Once all the murderers, rapists and violent types are locked up, and all those people committing fraud and theft that cost over 100k a year, then we can bother spending time and resources chasing some $500 iThing.

          Bloody middle class. No idea what real crimes are (ask the upper class about that) or how the cops "work".

          1. Anonymous Coward
            Anonymous Coward

            Re: I think it's a reasonable idea.

            >Considering the amount of serious crimes that are not investigated, and are of genuine importance, petty property crimes can go by the wayside.

            That is not my personal experience though. I had £200 worth of damage to my car, the police investigated and caught the culprit. I guess it wasn't that hard though since they just looked through the CCTV footage and recognized the individual.

            >Bloody middle class. No idea what real crimes are (ask the upper class about that) or how the cops "work".

            The comments guidelines say, "When posting a comment, think about what you're saying and remember you're addressing real people. ... Animated debate is great - nasty arguments and abuse, not so much."

    3. Anonymous Coward
      Anonymous Coward

      Re: I think it's a reasonable idea.

      The last time I poked my head into the Comcast Arris cable-modem/router, I noticed it has recorded the MAC address for each device if it's ever connected. The accuracy is, of course, limited if any devices' MAC addresses have been (randomly) changed. I'll give you three guesses to pick whose devices do that regularly, but you'll only need one. [Blowback minimization again.]

      So, if a device has been stolen, logs in your network devices can be your friend.

    4. fajensen

      Re: I think it's a reasonable idea.

      Anything at all that attracts the cops is likely to get innocent people (and dogs) killed by crowds of trigger happy goons right out of a 2 day SWAT-course!

      Is it worth it? Over some consumer shite that everybody and their dogs have?

      Do we want "Stop & Search Anyone" - because the prowling cops' software claims that somebody's device has a suspect MAC they can now rummage through your pockets and your device, possibly, detain it while they verify the ownership (and take down all your contacts as "leads").

      I don't think so. I think it's just cops looking for more crime in order to make jobs (and asset forfeiture opportunities) for themselves.

    5. Anonymous Coward
      Anonymous Coward

      Re: I think it's a reasonable idea.

      I think this is a reasonable idea. I seriously doubt anyone who nicks a device goes in and spoofs the MAC address.

      1 - law of unintended consequences. This creates a location log of anything with a MAC address - provided they get into your home WiFi network which is where I'd raise red flag no1: is that part of planned capacity. This also creates a log of where MAC addresses may live which nicely feeds into this Big Data fetish they have where more data is presumed to represent more accuracy (newsflash: not if you feed it garbage to begin with).

      2 - "evidence". First of all, who knows the MAC address of their kit, so how can they provide it when it's stolen? Where does that data come from and how reliable is it. And if it is reliable, how did it get to the police without you being involved? Secondly, flipping a MAC address is networking 101, also for very normal, acceptable reasons like testing.

      3 - processing. What is the police going to do when they find a MAC address (which, for sensible reasons, suggests they have hacked the network it lives on)? Go in, in full SWAT mode? I suspect someone is already coding up malware to distribute flagged MACs into home user kit, so this really becomes another exercise in handing back tax payers some of their money through court cases. That is, the ones that survive the experience.

      So no, I don't think it's a good idea. Not even superficially.

  2. Anonymous Coward
    Anonymous Coward

    who writes down the MAC address of their device?

    Anyone who uses MAC addresses for a wifi whitelist? *

    Though I would expect that to be something that only sysadmins and network folks think of.

    1. Voland's right hand Silver badge

      Re: who writes down the MAC address of their device?

      Answer: anyone who uses static DHCP leases on their network. I have a perfect audit trail of all MAC addresses of my devices going back 15 years.

      In any case, if memory serves me right iThings will use a randomized MAC when scanning, but not when connecting to a known network.

      As far as the idea goes, I used to run a similar MAC trap and Bluetooth (in the 2000s Nokia used to ship with Bluetooth visibility enabled) for years. Initially (~2008) it worked quite well (especially the Bluetooth portion). I turned it off last year - it stopped logging anything meaningful. Randomized MACs and Bluetooth being invisible and/or inactive by default in Android/iOS did with that idea.

      1. Ben Tasker

        Re: who writes down the MAC address of their device?

        In any case, if memory serves me right iThings will use a randomized MAC when scanning, but not when connecting to a known network.

        Ding, ding, ding, correct.

        I was surprised to have got this far through the comments before finding someone point that out. Sadly, I wasn't surprised that El Reg had got that fact wrong :(

        The trial the IEEE ran on randomising MAC addresses did change for more than scanning, though AFAIK that's not gone any further yet.

    2. Anonymous Coward
      Anonymous Coward

      Re: who writes down the MAC address of their device?

      I've been a sysadmin on a number of OSes and never needed to bother about MAC addresses, the networks were always administered by a separate team. Having said that I do use MAC + password authentication on my home router, to paraphrase Del Boy "It only makes sense".

  3. Anonymous Coward
    Anonymous Coward

    Good idea? Ha! Thanks to MAC randomisation, not only might an innocent person be charged with theft, but also witchcraft (at least in some districts). After all, how else might, say, a stolen iPhone 5 be converted into an iPhone 6?

    1. Paul E

      No one is going to be sent to jail on the basis of just a mac address and I doubt anyone trying to investigate if a possible MAC 'hit' is a stolen device is going to go in SWAT style with all guns blazing at the very least because there is a very good chance that the current person in possession of the device may have innocently bought it from the actual culprit.

      One would hope:

      1) The software discards immediately any MAC address not in its hitlist.

      2) Possible 'hits' are investigated without undue force and that the device if found must exactly match the description of the stolen item including checking of serial number (if known) and imei if a phone.

      3) The current possessor of the device is given enough opportunity to explain how they got the device and to demonstrate they are the correct owner,

      1. Richard 12 Silver badge

        Caution

        Your (3) is a "Prove you are innocent"

        1. Anonymous Coward
          Anonymous Coward

          Re: Caution @Richard 12

          Not quite. If there is a dispute about ownership and one person has proof of this then it is reasonable to ask for such information from the other. If someone stole your possessions I suspect you'd be amongst the first to ask the "current possessor" to prove they are theirs.

      2. Anonymous Coward
        Anonymous Coward

        No one is going to be sent to jail on the basis of just a mac address and I doubt ...

        There is quite a *lot* of examples of SWAT going totally guns blazing --- at the wrong address, over trivial things like someone skipping bail - et cetera.

        And "just" only means that the cops will do you for "Resisting Arrest" by twitching too much as they taser you repeatedly. Or just shoot you. Maybe to get some time off with pay while the enquiry clears them of any wrongdoing.

        And there is Asset Forfeiture - meaning that cops can nick your stuff and you have to sue them to get it back.

        Encounters with cops today are almost as dicey as meeting any other gang-bangers - almost, because the gangs might actually not rob you and not put you in jail and just sell you the weed you wanted.

        1. Anonymous Coward
          Anonymous Coward

          Asset Forfeiture

          Oh god, don't get me started on asset forfeiture.

          The cops can take your stuff, as long as they follow the rules. Which consist of a) is it possible your stuff could be in some way used in a crime and b) do they want to take it.

          Since cash and cars can both potentially be used for crime, you can get it confiscated for just having it. Even if you have a legitimate reason for having it.

          Then once this seizure has happened (no need for any judicial overview) then you have to take them to court (with all the speed and expense that entails) to get your car/cash back. God help you if you're not the whitest of white, because then you're fucked in the courts.

          As for the *intent* of it, well, you'll notice that those people with shit loads of illegal cash also turn out to have veeeeery good lawyers. So they are actually quite good at getting stuff back, along with filing harassment suits etc.

    2. Anonymous Coward
      Anonymous Coward

      Thanks to MAC randomisation, not only might an innocent person be charged with theft, but also witchcraft

      LOL. Upvote for that alone :)

  4. Anonymous Coward
    Anonymous Coward

    The iOS MAC randomization wouldn't help here

    What that does is use a random MAC address (in a particular range, so it won't collide with 'real' MAC addresses assigned to Apple devices or anyone else's) when a device is looking for access points to associate with. If it finds one it has associated with in the past, or you tell it to connect, it uses its real MAC address from that point on. This is intended to prevent tracking of individuals via their phone (they might not have your name, but they know when you come back, and with enough visits that leave other evidence like purchases they could tie your name to your phone's MAC)

    Unless this cop's device is simply masquerading as a passive access point and hoping things will associate with it, it should find stolen iOS devices same as anything else. It sounds like he's actively sniffing, like the Google Streetview car, but rather than sniffing the data like Google, he's (for now) just sniffing the MAC addresses. Encryption won't help there, since that's sent in the clear.

    This all seems rather pointless, and is probably a foot in the door for doing more widespread sniffing of wifi traffic as they drive by like Google was, except on an ongoing basis as cops drive around town 24x7. As if cops really care about finding someone's stolen Dell laptop that was $500 when it was new in 2012 and is worth $40 today. Stolen cell phones are already mostly a non factor in the US these days since most phones are new enough to have Activation Lock on iOS and the equivalent on Android.

    1. Joe Gurman

      Re: The iOS MAC randomization wouldn't help here

      As near as I can tell (from one data point so far), this is correct: my iPhone's current MAC address, when I'm home, reports the address I have hard-coded into my access point for a MAC address-based ACL. Some pooh-pooh that sort of security, but I reckon it's one more thing an intruder in a WiFi-network-rich environment doesn't need to deal with if my neighbo[u]rs' networks are more welcoming.

      And it is also true, here in the States at least, that the police are much more interested in finding stolen mobile/electronic devices in general in the first 24 - 48 hours, since they know the chances beyond that are slim to none.

      And finally, it is rare that thieves are after anything less than the latest model mobile device. Their discerning tastes are driven by the same market factors as "legitimate" sales: new drives out old.
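The "particular range" mentioned in this sub-thread is the locally administered address space: randomised MACs have the 0x02 bit set in the first octet, which a factory-assigned address never has. The Python below is an added example, not part of any comment and not L8NT's code; it shows a hot-list screen of the kind the thread hopes for, one that keeps nothing about non-matching addresses and never treats a randomised address as a hardware identifier. All function names are hypothetical and the sample addresses are constructed (unicast ones from the RFC 7042 documentation range).

```python
import string


def normalize_mac(text):
    """Return a MAC as lower-case aa:bb:cc:dd:ee:ff or raise ValueError."""
    digits = "".join(c for c in text.lower() if c not in ":-.")
    if len(digits) != 12 or any(c not in string.hexdigits for c in digits):
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set.

    Randomised and manually assigned addresses set this bit;
    burned-in, vendor-assigned addresses do not.
    """
    return bool(int(mac[:2], 16) & 0x02)


def is_group(mac):
    """True for multicast/broadcast addresses (0x01 of the first octet)."""
    return bool(int(mac[:2], 16) & 0x01)


def load_hot_list(entries):
    """Split reported addresses into (accepted set, rejected list).

    An entry that is malformed, locally administered or a group address
    cannot be a device's factory address, so matching on it would only
    produce false leads.
    """
    accepted, rejected = set(), []
    for entry in entries:
        try:
            mac = normalize_mac(entry)
        except ValueError:
            rejected.append(entry)
            continue
        if is_locally_administered(mac) or is_group(mac):
            rejected.append(entry)
        else:
            accepted.add(mac)
    return accepted, rejected


def screen(observations, hot_list):
    """Return (hits, counters); non-matching addresses are not retained.

    A hit is a lead to verify against serial number or IMEI, since a
    universally administered address can still be duplicated or set by hand.
    """
    hits = []
    stats = {"seen": 0, "malformed": 0, "randomized": 0, "discarded": 0}
    for timestamp, raw in observations:
        stats["seen"] += 1
        try:
            mac = normalize_mac(raw)
        except ValueError:
            stats["malformed"] += 1
            continue
        if is_locally_administered(mac):
            stats["randomized"] += 1      # counted, address itself dropped
        elif mac in hot_list:
            hits.append((timestamp, mac))
        else:
            stats["discarded"] += 1       # counted, address itself dropped
    return hits, stats


# Constructed sample data: one valid report and one that is locally administered.
HOT_LIST, REJECTED = load_hot_list(["00-00-5E-00-53-01", "DA:A1:19:00:00:01"])
OBSERVATIONS = [
    ("2015-01-01T10:00:00", "00:00:5e:00:53:01"),  # reported device
    ("2015-01-01T10:00:02", "da:a1:19:00:00:01"),  # randomised probe address
    ("2015-01-01T10:00:03", "00:00:5e:00:53:02"),  # unrelated device
    ("2015-01-01T10:00:04", "not-a-mac"),          # malformed capture
]

if __name__ == "__main__":
    print(screen(OBSERVATIONS, HOT_LIST))
```
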

  5. Anonymous Coward
    Anonymous Coward

    A lot of mention of false positives?

    There are a possible 255^6 mac addresses, randomly picking one that has been registered as stolen is highly unlikely. Even if Apple stick within the manufacturers/vendors assigned OUI numbers it's still highly unlikely.

    1. Anonymous Coward
      Anonymous Coward

      Re: A lot of mention of false positives?

      I guess you've never had two separate NICs with the same MAC? I have. That was an odd problem to solve when it happened (mid 1990s).

  6. Anonymous Coward
    Anonymous Coward

    Why on earth do you need to access the network?

    airmon-ng shows you all mac addresses in range and their associated base stations.

    1. Anonymous Coward
      Anonymous Coward

      Actually

      You need to use airodump-ng, after using airmon-ng to put your card into promiscuous mode.

  7. Pascal Monett Silver badge
    Unhappy

    patent L8NT

    Not such a stretch actually, given that the USPTO is rubber-stamping everything that falls on their desk these days.

  8. Tromos
    Joke

    Broken promise

    "Schwindt promises that his software doesn't look for any personally sensitive information."

    I would have thought that information such as 'this guy has a stolen laptop' is pretty bloody personally sensitive.

  9. Anonymous Coward
    Anonymous Coward

    Hours of recursive fun to be had from ...

    ... hacking in and assigning hooky MAC addresses to items of police equipment

    1. choleric

      Re: Hours of recursive fun to be had from ...

      An activity henceforth to be known as Schwindtling.

      1. Anonymous Coward
        Anonymous Coward

        Re: Schwindtling

        Defined as "unlawfully editing the Schwindtler's list"

  10. Bota

    Sir you may be innocent but your mac address was flagged..

    Legally, under x law and y statute I'll need to copy your o.s image just to be sure that no laws have been broken.

    Back at the lab "looks like Mr x has been downloading Hollywood shit part 2, issue an arrest warrant".

    What could go wrong?! Or they'll stop at just looking at the mac address?

  11. Anonymous Coward
    Anonymous Coward

    Didn't Google get in trouble for this?

    Google collected MAC address data as its cars were driving around. Which is what this guy is also doing.

    Kind of suspecting this could turn into the thin edge of a wedge, where routine Wifi data collection by law enforcement becomes the norm ("because reasons"). :(

  12. CaptainBanjax

    Never mind...

    ...all the "is it right" bollocks.

    How do you patent wardriving?

    I'd imagine he's using well known tools for harvesting the data and probably some sort of PHP-esque script to put it in a database all wrapped in some sort of bootstrap-esque skin.

    If it's the bits in the middle that he's patenting I am going to submit a patent covering piping dmesg into grep.

    Grep exists and piping exists so I'm going to claim the bit in the middle. I will also trademark and copyright "|".

    I'll then sue every software house that has the audacity to allow this so called "feature" in their OS builds.

    I'm also going to write a tool that looks for all these "bits in the middle" and automatically submits them for patenting then when it's accepted automatically file a lawsuit.

    P8NT [Usage: --scan-level "apple" --auto-file-patent true --auto-troll true --retries 9001 --invoke-reality-distortion-field true --appeal-on-failure true --flimflam-offset 0.1 --inject-codswallop true --ignore-existing-patents true --filter "round corners, air, candy crush .."]

    Bruteforce patenting tool. By CaptainBanjax.

    I'd open source it but in its initial test it patented, sued and shutdown GitHub.

    It also threw an exception when it patented and sued itself.

  13. Alistair
    Windows

    This is a decent *idea*

    Sadly manglement and legal pitbulls will get hold of it and turn it into dataminable "historical data" for "reference" and "analysis"

    a) mac addresses *can* be altered at the device. End of Line.

    The above statement makes the software as proposed INVALID. What more can be said? as a legal tool this is now invalid. Now, don't get me wrong - it makes it possible to *locate a specific mac* if that mac is active - I get that -

    i) find missing hardware that was (lost/stolen/dropped off a cliff)

    ii) find (runaway teen/missing small that has phone/Alzheimer patient carrying panic device etc, heck even stolen cars)

    iii) give insurance companies (are you hearing yet?) SOMETHING to recoup losses on stolen devices ... (I suspect this will be the lever that will be applied to make my original proposition occur)

    are all possible, but the consequent data:

    i) which mac addresses were at what location at what times on which date

    ii) which mac addresses were connected to known networks (are you hearing yet) at which location at what time on which day.

    iii) what (dramatic event) ensued within x time of y event when the above devices were connected to THAT network.....

    (i.e you are developing a data pool that will result in witch hunts hours after (dramatic event)s occur that will trash the civil liberties of a substantial number of innocents.)

    I think that the data usage, tracking of said data, and resisting compilation of that data must be written into the baseline proposition before we let the authorities start running this anywhere.

    And good luck on the patent front - I've no less than three utilities that do precisely this.

  14. Gnosis_Carmot

    This is just as creepy as cops going up to every window on every house and looking in to see what's there. With this they'll just be able to do it from the driver's seat while eating their donuts.

  15. Anonymous Coward
    Anonymous Coward

    Works 4 me

    More crims off to prison is a good thing.
