Re: MAC addresses and privacy... from Harry Halpin on 2010-10-04 (public-privacy@w3.org from October to December 2010)

From: Harry Halpin <hhalpin@ibiblio.org>
Date: Tue, 5 Oct 2010 01:27:25 +0200
To: public-privacy@w3.org
Message-ID: <AANLkTikPGSCZbUEyjFfpcFvHjyWMxyGq82MYqQyFjLP3@mail.gmail.com>

On Tue, Oct 5, 2010 at 1:02 AM, David Singer <singer@apple.com> wrote:
> Indeed, it's the more general concern I was having an anxiety attack about.
>  I always imagined it was *infrastructure* Mac addresses that were
> harvested.  The thought that my *laptop's* Mac address is in the database
> feels rather different.  And no, I never put my laptop into 'infrastructure
> mode' at home.
> Bluetooth also uses Mac addresses.  Maybe someone is harvesting those as
> well.  You could probably track a person's movements by following sightings
> of their WiFi or Bluetooth.  Ugh.  I am effectively broadcasting "It's me,
> I'm nearby" all the time, to anyone who cares to listen.
> Can I have a tin-foil hat, please?

Of course Skyhook [1] whose business model is precisely this. I was
under the impression this was how Apple devices up till April of this
year) (then Apple apparently switched [2]) as well as Google
determined location for Apps like Google Maps.

The only way I can think of stopping these datbases is by changing
your MAC address using (at least on Linux) using ifconfig. However, is
that secure?

Also, the main loss here is that many people (for example, my Uni.)
use the MAC address when logging in on our internal wifi, something I
wouldn't like to lose access to.

             cheers,
                 harry

[1]http://en.wikipedia.org/wiki/Skyhook_Wireless
[2]http://techcrunch.com/2010/07/29/apple-location/


> On Oct 4, 2010, at 11:47 , Richard Barnes wrote:
>
> Worth noting that this attack doesn't even involve any advanced web APIs.
> It's a generic XSS against the web-based interfaces that home gateways
> present.  The more general concern is of course the existence of
> MAC-to-location databases.
>
> On Oct 4, 2010 2:09 PM, "David Singer" <singer@apple.com> wrote:
>
> I was actually quite disturbed when I entered the mac address of my *laptop*
> on this page:
>
> http://www.samy.pl/mapxss/
>
> and it got my location to within one house (i.e. it attributed it to the
> house next door).
>
> This means anyone sniffing my mac address when I am traveling will have a
> pretty good idea of where I am from.  My iPhone's MAC address did not
> trace....
>
> David Singer
> Multimedia and Software Standards, Apple Inc.
>
>
>
>
> David Singer
> Multimedia and Software Standards, Apple Inc.
>

Received on Monday, 4 October 2010 23:27:59 UTC