MAC address tracking

Discussion in 'privacy problems' started by Uitlander, Jan 21, 2015.

  1. Uitlander

    Uitlander Registered Member

    Joined:
    May 16, 2010
    Posts:
    71
    Location:
    Albany, CA
    I have started seeing warnings on various sites that advertisers have a new tool for tracking that logs the MAC address. Preliminary research seems to indicate that this MAC address only relates to wi-fi users, but then I saw a couple sites hinting that it also impacts via cable modem, router, and wired NIC card. Anyone know the truth about this? I will never use wi-fi, bluetooth, or any similar junk, so is MAC address tracking a non-issue for me, or do I have to find countermeasures?
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I don't believe that MAC address will get through IPv4 NAT routers. That would be possible with IPv6, where there is normally no NAT. However, I don't believe that current standards include MACs in IPv6 addresses. But there could be broken stuff out there.

    Me, I still nuke IPv6 in every way that I know :)
     
  3. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    758
  4. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    So if your router/modem has IPv6 capabilities you disable it?
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Yes, I disable IPv6 in my hosts and VMs (pfSense, workspace, etc).

    For example, in Linux, "ip6tables -L" shows:
    Code:
    Chain INPUT (policy DROP)
    target     prot opt source         destination
    DROP       all      anywhere       anywhere
    
    Chain FORWARD (policy DROP)
    target     prot opt source         destination
    DROP       all      anywhere       anywhere
    
    Chain OUTPUT (policy DROP)
    target     prot opt source         destination
    DROP       all      anywhere       anywhere
     
  6. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    What about the future exhaustion of IPv4 addresses and next generation of IPv6?
    We know it's just a matter of time and it's here to stay.

    Don't all current MS OS and Linux distributions already support IPv6?
    (built-in and load at boot)
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Right. But not yet :)

    Yes, one must poke around to disable IPv6.
     
  8. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Didn't Apple announce their iOS platform would randomize MAC addresses for all WiFi
    connections to help stop device tracking?
     
  9. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    I also disable IPv6 as long as possible. For me what matters is that it is still not unclear what security/privacy impact IPv6 have or can have. There're already some reports and a bit of thing were solved like MAC, but still investigation is on going. I'll wait until either finally situation forces me to use IPv6 (won't come for a time) or discussions matured.
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Right. Just to be clear, IPv6 is not NAT routed. That is the whole point of being globally unique. So if some device has an IPv6 address, that address will be seen everywhere, regardless of how many VPNs, Tor circuits, JonDonym mixes, and whatever else are between the device and whatever it connects to. Right?

    If that's so, compartmentalization across multiple devices will become absolutely essential for protecting privacy. Careless using the same gateway router VM in unrelated circuits will be fatal to anonymity.
     
  11. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    Agree with all above. IPV6 = scary for anonymity.
     
  12. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    MAC isn't poking through IPv4, the problem is - IPv6 is a pretty big privacy hit, and at times, a security vulnerability. FYI: I'm a certified IPv6 Ninja through HHE.

    The way to address this is simple;

    1) Disable IPv6 on your Router.
    2) Go into Network, Adapters, and turn off IPv6 on your network adapters. (uncheck it)
    3) Disable IPHelper service in Windows.

    Done? No. You need to kill the background IPv6, and Tunneling Protocols.

    Hit Start, then run CMD with CTRL-SHIFT-ENTER (Admin Escalation). Type the following;

    netsh int ipv6 isatap set state disabled
    netsh int ipv6 6to4 set state disabled
    netsh interface teredo set state disabled

    Now you are secured from IPv6 vulnerabilities, background tunnels, and snooping.
     
  13. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    I want to be clear on this. If I'm running a modem that has IPv4 and IPv6 gateway firewall settings I should
    then disable the IPv6 firewall completely?
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I'm not sure what "disable the IPv6 firewall completely" means. It's not that you want to disable the firewall. You want the router to block all IPv6 traffic.

    In pfSense, at the top of System: Advanced: Networking, there is this:
    I uncheck the box.
     
  15. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    I re-enabled the IPv6 firewall and checked all boxes to block traffic.
     
  16. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    318
    Thanks for that, ipv6-test.com now shows my pc has no ipv6 address.
     
  17. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    If you do not have IPv6 FW enabled, then theoretically all IPv6 traffic will be rejected. However it's best to ensure it is disabled on all devices, and to be sure apply a firewall rule to block IPv6 traffic (which depends on appliance).

    Also if you take my steps illustrated above then you guarantee no IPv6 traffic, tunneled or otherwise.

    When some servers on the internet enabled IPv6 back when nobody was supposed to be using IPv6 they discovered something remarkable.. Millions of people were sending IPv6 traffic. It turns out it was related to the Sudo-IPv6 tunneling in Windows. Now we know, privacy wise, it's wise to disable this via command line, and let people not concerned with privacy be migrated to IPv6. Some of us will be staying with IPv4 for as long as possible. (myself included) For now, we can take steps to avoid it.
     
  18. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Then as originally done I disabled the IPv6 firewall as I thought that would stop IPv6 traffic. My software firewall
    handles all IPv4 . The modem also handles IPv4. Should I keep IPv6 firewall enabled and block traffic or disable
    it entirely?
     
  19. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I'd block all IPv6 traversal. If you do not, some devices MAY decide to use IPv6, such as a TIVO or something. (as an example)
     
  20. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    I use both Linux and Windows. On Windows IPv6 is installed on newer OS.
     
    Last edited: Jan 23, 2015
  21. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    I went further. Edited "HKLM\CurrentControlSet\Services\Tcpip6\Parameters\", disabled all IPv6 related driver and network driver's function via device manager, and disabled all IPv6 and tunnel related communications in Norton's firewall setting.
    Just as a paranoid anti-IPv6 settings.:D
     
  22. Uitlander

    Uitlander Registered Member

    Joined:
    May 16, 2010
    Posts:
    71
    Location:
    Albany, CA
    You answered a question I had yet to ask - thanks!. As for the MAC address, is this a non issue for me? I had heard that Internet Nazis were using it to track down P2P file sharers (not a concern of mine), and that advertisers were now using it to add another layer of tracking to their privacy-invading techniques (that does concern me).
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    MAC address isn't an issue for devices that connect via NAT routers, as long as the router blocks IPv6 (which can include MAC). However, wireless APs do capture MACs, and may share (or sell) data. For those using wireless via ISP-supplied routers, the ISP can perhaps see device MACs. That's why it's good to interpose your own router/firewall, and use just the modem function of the ISP box. That way, the ISP sees only your router/firewall MAC, and not any of your device MACs.
     
  24. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    108
    About IPv6:
    http://www.networkworld.com/article...will-allow-them-to-track-you-down---not-.html

    So in IPv4, thanks to Nat, you have many machines behind single IP.
    In IPv6 you have many IP's behind single machine.

    Funny thing: Today I just asked about getting "few" IPv6 addresses from my VPS provider because they have this "unlimited" IPv6 handling.
    I asked the whole /64 block.:D
    They said that was only possible with their dedicate servers.
    So I decided to be less greedy and asked only two free IPv6 addresses for now.

    But next time that I contact them Im going to ask /32 block ......haha

    But: There might come IPv6 Nat. Please see this: https://tools.ietf.org/html/rfc5902

    So better get your free IPv6 addresses folks (and lot's of them), while their still free.
     
  25. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    They miss a key point. For anonymity, it doesn't matter how many IPv6 addresses a particular device has. Let's say that the device normally reaches the Internet though some VPN service, or through Tor, or through some combination of anonymity systems. What matters is the possibility that an adversary will see one of the device's IPv6 addresses directly, perhaps through some accident or misconfiguration, and will associate it with the user's true identity, geolocation, etc. If the device subsequently uses that same IPv6 address while reaching the Internet through an anonymity system, the adversary will recognize the user.