Re: MAC addresses and privacy...

David Singer wrote:

> Indeed, it's the more general concern I was having an anxiety attack about.  I always imagined it was *infrastructure* MAC addresses that were harvested.  The thought that my *laptop's* MAC address is in the database feels rather different.  And no, I never put my laptop into 'infrastructure mode' at home.

That's what I thought as well.  

Trying with my laptop, the service was reliably finding the location of the MAC address of the network I'm in, but had nothing about the (wifi) MAC address of my laptop. And yes, I've used the Google geolocation service from that laptop, through both Chrome and Firefox.

> Bluetooth also uses MAC addresses.  Maybe someone is harvesting those as well.  You could probably track a person's movements by following sightings of their WiFi or Bluetooth.  Ugh.  I am effectively broadcasting "It's me, I'm nearby" all the time, to anyone who cares to listen.
> 
> Can I have a tin-foil hat, please?

And yes, it certainly is possible to use a geolocation provider to harvest this sort of information about users' machines. It's also possible (to go down the tin-foil route a bit further) to harvest this sort of information about *nearby* machines, e.g., using malware.

Cheers,
--
Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)






> On Oct 4, 2010, at 11:47 , Richard Barnes wrote:
> 
>> Worth noting that this attack doesn't even involve any advanced web APIs.  It's a generic XSS against the web-based interfaces that home gateways present.  The more general concern is of course the existence of MAC-to-location databases.
>> 
>> 
>>> On Oct 4, 2010 2:09 PM, "David Singer" <singer@apple.com> wrote:
>>> 
>>> I was actually quite disturbed when I entered the MAC address of my *laptop* on this page:
>>> 
>>> http://www.samy.pl/mapxss/
>>> 
>>> and it got my location to within one house (i.e. it attributed it to the house next door).
>>> 
>>> This means anyone sniffing my MAC address when I am traveling will have a pretty good idea of where I am from.  My iPhone's MAC address did not trace....
>>> 
>>> David Singer
>>> Multimedia and Software Standards, Apple Inc.
>>> 
>>> 
>> 
> 
> David Singer
> Multimedia and Software Standards, Apple Inc.
> 

Received on Tuesday, 5 October 2010 11:31:21 UTC