MAC Address with Cable Modem

Some websites claim to know my MAC address. Now, is this just a hollow boast on their part, and simply the result of client side JavaScripting? Or can they actually grab it?

We have a small network of computers connected to a router, connected to Cable Modem, connected to large ISP.

Now here's the interesting bit:

With more recent cable modems, the MAC address the websites report is *larger* than an ordinary MAC address, because it is in three parts!

1 The first part is the MAC address (of the router) which I can manually I change from time to time.

2 The second won't change (always the same, potentially trackable(?)) as it is the Cable Modem's MAC address.

3 And the third is a web address.

Here's what it looks like (the numbers/letters have been changed a bit, but are in the exact same pattern), GRC.com calls it a "machine name":

CTU30cf47ee71b7-CR0024c98f70fd.ctu.net.cable.rogers.com

What gives? Please discuss.

Thank you,

LS

 

The notion of a macaddress usually refers to the individual computer connected to the router. This would mean that each computer on you network probably should run a macchanger routine to change its individual NIC (Network Interface Card) prior to connecting to the router via a network connection after bootup without the network connected (each time the computer boots up).

When using TOR, for example, I change the macaddress of my computer prior to turning my router on.

In order to change my router's macaddress, I would have to login as admin after the network connects to my computer (with the router turned on).

As for Cable modem - I don't have one, so am not qualified to comment.

The machine name is probably from a pool of assigned network lease connections to the network from your ISP - since it was reported from GRC.com.

For any browser you use, it is wise to make sure the browser's configuration has geo-location set to false or turned off. Then your actual computer location is not reported as only the location of the ISP assigned machine name is known, and it would probably be necessary to have a warrant to associate your computer with the leased machine name during the time period of network connection - unless your ISP cooperates with LE without warrants. Additionally, if you ran the machanger routine prior to connecting it to the network (for me typically turning the router on after changing the macaddress - it would be different for you as there are other computers on your local network that might be affected by turning off the router to suit your situation).

Most websites do utilize JavaScript. Some use it to detect more information about you - so you have to be careful where you browser on the Internet. They may be able to detect some private information if it is leaked by your browser even though unintended by you.

 

That is the Fully Qualified Domain Name (FQDN) associated with your public IP Address as determined by performing a reverse DNS lookup (https://en.wikipedia.org/wiki/Reverse_DNS_lookup) on your public IP Address.

Forward DNS lookup: Name -> IP Address
Reverse DNS Lookup: IP Address -> Name

Ultimately, I think it would be Rogers that determines the content within that string and in particular the format of the portion that is now CTU30cf47ee71b7-CR0024c98f70fd. FWIW, a quick search turned up a message @ DSLReports from early 2010 about this issue:

http://www.dslreports.com/forum/r23841863-Your-privacy-may-be-violated-Most-of-you-don-t-care.

From a privacy POV it is not good to have a static (never changes) or very sticky (rarely changes) public IP Address or a FQDN that has a unique identifier within it which does not change along with IP Address. It is even worse if the MAC Address of any equipment you personally own is exposed via IPv6 IP Address or FQDN. Such things will be abused for tracking, profiling, etc purposes. Depending on equipment arrangement and what if any MAC Addresses were changed, it could also be possible to guess the MAC Address of an AP the user is using which in turn would in some scenarios provide very fine grained location data to someone remote. That MAC Address can reveal manufacturer and given the right database precise model of equipment, default software load, etc makes such a practice undesirable from a security POV as well. So I'm actually surprised to hear a major ISP is doing that.

Are you using a discrete (not integrated with a router) cable modem belonging to Roger's and a separate router that belongs to you?

 

Yes. There's a cable modem and then a separate router (not supplied by nor registered with Rogers) for the small LAN. I also use a hub to attach more equipment, and the router does wireless that the iPad etc. hooks in by as well.

What GRC.com reports as a "machine name" is the router's MAC + the cable modem's MAC + the ctu.net.cable.rogers.com blurb. Rogers is the big cable company in these parts.

I'm reading the article you posted. Interesting. Some don't seem too concerned.

They say that one is exposed only to a few square miles. Well, web sites certainly can determine which city we're in. And I'm pretty sure there are people at Rogers who, from time to time, can be bribed to release customer information based on this "machine name" (or something), as a number of years ago it seems to have happened here via posts on Usenet.

LS

 

A couple of searches suggest that Roger's residential cable customers have dynamically assigned IP Addresses which may be sticky but should also change under appropriate circumstances. Have you seen yours changing? For example, after you change the MAC Address of your router and power cycle your modem?

By having MAC Addresses in the machine name / FQDN you technically lose the privacy benefits of an IP Address change. Instead of using your (hopefully periodically changing) IP Address as a unique identifier, interested parties can use the modem's MAC Address (and possibly also the router's MAC Address) pulled from reverse DNS. IOW, such a machine name is like a super cookie that is always sent and can't be changed without resorting to something drastic like swapping hardware or changing ISP.

It sounds like you may have already done so, but I would definitely suggest you change the MAC Address in your router and don't simply make one up. If you don't have any anonymous spares to use, use a locally administered unicast address (x2:xx:xx:xx:xx:xx, x6:xx:xx:xx:xx:xx, xA:xx:xx:xx:xx:xx, xE:xx:xx:xx:xx:xx).

 

Thank you for the replies.

Well, that's what I suspected with the "machine name" that it was like a universal tracking cookie.

If I change the router's MAC, Rogers usually assigns a new IP address. But the "super cookie" is still there, because the "machine name" always contains the same MAC of the cable modem, which I do not know how to change.

And even if I could, it would be to of no avail, because Rogers registers our cable modem, so the cable modem signals would be rejected by the Rogers ISP servers (and not work).

Thank you for the unicast suggestion, 'will look into it.

LS

 

Far worse than your typical browser cookie we should add, since it is available across different HTTP/HTTPS sites, will apply to all (other) IP protocols, will be explicitly logged by a wide range of servers including those that make their logfiles publicly accessible/searchable, etc.

Theoretically speaking, you could acquire a cable modem which supports MAC Address changing and then periodically change the MAC Address and register the new one with Rogers. However, I'm not sure that feature is generally available, the act of registering a new modem (just MAC Address in this case) often involves interaction with customer service which makes it more/repetitively time consuming, and messing around with the MAC Address of the cable modem itself seems like the type of thing cable companies would be very intolerant of.

Frankly, I think Roger's customers and Canadian privacy orgs (are there any?) should be taking a very close look at Roger's policies and working to improve those which are harmful to privacy. Same goes for all ISPs really, but here there is something which is of obvious concern and it is rather serious from the looks of it.

 

@TheWindBringeth

Yes, there are Canadian privacy organizations such as:

International Association of Privacy Professionals Canada (IAPP Canada)
Canadian Access and Privacy Association (CAPA / l'acap)
Privacy & Access Council of Canada (PACC-CCAP)
Canadian Marketing Association (CMA).

There is also a government "watch dog" in the Office of the Privacy Commission of Canada.

LS

 

You could use a VPN service.

 

FWIW, the "marketing associations" I've run into over the years were trade associations that promote, defend, and coordinate the business practices desired by those companies which are members. I've seen, on many occasions, such associations attempt to kill, weaken, pervert, delay, and/or otherwise oppose efforts to significantly improve privacy. In general they promote industry self-regulation aka "let us police ourselves" approaches. If they feel they must give some ground in order to counter public outcry and prevent more meaningful changes being forced upon their members, they create/promote their own minimal guidelines and sometimes requirements. Which nearly always revolve around opt-out rather than opt-in, and have numerous other flaws that serve to protect the association's members' interests at the expense of the public at large and especially those who are privacy oriented. IOW, it has been my experience that such "marketing associations" and (many to most of) their members are the problem.

The CMA rings a bell, and a brief look at some information about it turned up various red flags. So that entry in your list, at least, may require reconsideration.