US cop goes wardriving to sniff out stolen gadgets by MAC address

When it comes to sniffing out unsecure Wi-Fi networks, you can take your pick of vehicle to drive around: we’ve had warbiking, feline warprowling (with bonus mouse catching!), and warstrolling (with high heels packing Wi-Fi hacking tools, no less!).

Now, a US cop has reverted to the plain old vanilla mode of wardriving in a car, but he’s not looking for hotspots or routers that lack passwords.

Nor is he sniffing out routers using the creaky, old, easily cracked WEP encryption protocol.

Rather, Iowa City police officer David Schwindt is stalking stolen gadgets.

Specifically, he’s cooked up some software and rigged up a thumb drive sized-antenna that plugs into the USB port of his squad car laptop to sniff out the media access control (MAC) addresses from a database of known stolen items.

MAC addresses are often called a burned-in address (BIA), an ethernet hardware address (EHA), or simply a “physical” address, because they are literally assigned (by the IEEE) and stamped into your network card by the company that manufactured your hardware.

They’re sort-of unique identification numbers that act like a device’s digital fingerprint.

Researchers have confirmed they also link to your real identity, and, according to Edward Snowden, the National Security Agency (NSA) has a system that tracks the movements of everyone in a city by monitoring the MAC addresses of their electronic devices.

Schwindt says his software product, which he’s calling L8NT – that’s a leet-speak/acronym hybrid that stands for latent analysis of 802.11 network traffic – won’t be used to find the occasional stolen iPod or laptop.

Neither will the tool give police access to personal or private information included in MAC packets, he told The Gazette.

Rather, he has his eye on bigger cases:

If your cellphone is stolen from a bar ... that’s not necessarily what L8NT is intended for. But, if your home is burglarized and your cellphone is stolen, now, as a police chief, I’m interested [in that technology.]

The device – which has a range of about 300 feet – scans for MAC addresses, looking for matches to known stolen items.

The L8NT can also be attached to a directional antenna to allow police to determine where the signal is coming from and to obtain a warrant.

However, the device does not work in all circumstances.

If you walk around with Wi-Fi enabled on your phone, it will broadcast its MAC address indiscriminately and, unlike an IP address which changes over time or when you switch networks, a MAC address is constant for the lifetime of a device (though it can be spoofed, either for legitimate purposes or by a thief who wants to hide it).

But if a device is powered down, or if Wi-Fi has been disabled, the L8NT won’t be able to sniff it out.

Nor will it do much good if legitimate device owners haven’t bothered to record the MAC addresses of their devices.

Then again, it might also prove useless in the case of Apple’s iOS 8 devices.

Apple introduced a random MAC address generator in iOS 8 last year, in an effort to help users fend off marketers’ ability to recognize their devices and thereby ID them at will.

That randomisation isn’t constant, mind you: As Paul Ducklin noted at the time, randomisation only happens before you connect, when your Wi-Fi card is scanning for networks.

When your iGadget finds an access point with a name that matches one of your known networks, it tries to connect by using your real, rather than your random, MAC address.

So the coffee shop you visit regularly won’t have any trouble recognising you, though a shopping mall you merely walk through won’t be able to ID you.

But while there are cases where the officer’s L8NT won’t work, Schwindt still has big plans, he’s developed a proof of concept, has a provisional patent on the device, and plans to apply for a full patent this fall.

In the meantime, he’s sent out surveys to law enforcement agencies to test the waters and see if they might be interested.

Image of police car with full array of lights courtesy of Shutterstock.com

Leave a Reply