Milan Airport WiFi sends your MAC address to advertisers and trackers (opens in new tab)

(twitter.com)

185 pointsvjvj6y ago61 comments

61 comments

Based on the screenshots it looks like the mac address is leaking out because its in the referer. I would guess this isn't intentional and shouldn't be hard to fix.

I've worked with a number of captive portal systems and they all basically work the same way. The AP/controller intercepts http requests and redirects to the captive portal page with identifying information about the device (ip,mac,ssid,ap_mac,etc.). The captive portal http server shows the user a splash page to accept terms or enter a username/password or a credit card. Once the captive portal server decides the user should be allowed onto the network it needs to communicate that back to the wireless hardware which is done with the user's mac address.

Based on the requests it looks like they have some ads/trackers on the splash page that are getting requests with a referer set to the original splash page url (which includes the client mac address). A no-referrer meta tag or an intermediate redirect would prevent this from happening.

pimterry6y ago

While the mac address is a particularly egregious note, really they shouldn't be sending any data to ad firms whatsoever without consent, and fixing the referrer alone won't help much.

Aside from the data they're explicitly sending in those requests, they're running the response as JS, thereby exposing a bunch of data about your machine & browser, and the response itself is setting a long-term 3rd party cookie too, so that ads on every other site you ever visit can tie all this (and the fact you've used the wifi in this airport) to a long-term profile.

In Milan airport you can make a reasonable bet that most people are EU citizens, so sharing any of their identifiable user data at all for marketing purposes without consent is a huge and expensive no no.

It's not a good look. Referrer aside, I suspect there's no legal option other than dropping this ad script from their wifi login page entirely.

james_in_the_uk6y ago

Consent is not needed for quite a bit of electronic marketing. It is for setting cookies, which is probably going on here to facilitate the marketing, so your point stands, but it's a breach of the ePrivacy Directive not GDPR so fines are lower. No excuse though.

1 more reply

pow_ext6y ago

Milan Airports answered that they have submitted the issue to the "Information technology staff"

source: https://twitter.com/pimterry/status/1192038174408753152?s=20

pimterry6y ago

Update - apparently they've now fixed this: https://twitter.com/MiAirports/status/1192433053743927296

o_____________o6y ago

On my Mac, I leave this running all the time:

https://github.com/halo/LinkLiar

mrgreenfur6y ago

Thanks for sharing this! I know it's included in Win10 and in iOS, surprised it's not in OSX yet!

elyrly6y ago

thanks!

tomcooks6y ago

In the title I suggest substituting Milan Airport with Milan Malpensa MXP Airport (for there are multiple Milan airports)

ComputerGuru6y ago

iPhones randomize the MAC address when connecting to hotspots (on a per-ssid basis, I think?). Other platforms do too (Windows 10 now has an option to do that automatically as well, but I can’t recall if it is enabled by default).

stefan_6y ago

The MAC randomization only applies to probes it sends for known networks when not connected. Once you are connected, it uses the real MAC.

iPhone also still sends the device name to the DHCP server when requesting an IP, so if you haven't changed it, it is broadcasting "<Your first name>'s iPhone" to the network.

tzs6y ago

> iPhone also still sends the device name to the DHCP server when requesting an IP, so if you haven't changed it, it is broadcasting "<Your first name>'s iPhone" to the network.

Awareness of this is probably going up. Comcast is actually running TV ads that point it out [1].

https://www.youtube.com/watch?v=H45-5Rga1B8

rsync6y ago

"iPhone also still sends the device name to the DHCP server when requesting an IP, so if you haven't changed it, it is broadcasting "<Your first name>'s iPhone" to the network."

My iphone has no idea what my first (or last) name is, but I still find it irksome that I cannot change my SSID nor can I hide it.

There is no reason I should be advertising the existence of my phone to everyone in (radio) earshot ...

Gaelan6y ago

IIRC (this is old and might have been wrong in the first place) iOS randomizes when it’s searching for networks but not when it’s connected to one.

angott6y ago

It’s not a bad idea. A randomized IP address at each connection would break many things on quite a few networks (IP-MAC static assignments, for instance).

2 more replies

lbeltrame6y ago

Recent NetworkManager versions on Linux do the same (I don't remember if it's on by default or not, though).

commotionfever6y ago

Yeah it's by default. Learned this the hard way when setting up port forwarding by MAC address on home network. Was wondering why the forward would only last a couple hours

ac296y ago

Android 10 also randomizes MAC addresses when probing, as a client, and as a AP/Hotspot: https://source.android.com/devices/tech/connect/wifi-mac-ran...

hoistbypetard6y ago

Does anyone have a theory on what the "advertisers and trackers" want a MAC address for? If they're using it for anything load bearing, it seems like there is an interesting CCC talk lurking here for anyone who wants to visit that airport with a few hundred dollars worth of devices and stuff a few tens of million spoofed MAC addresses into the system.

s5ma6n6y ago

Since MAC address ranges are allocated to certain manufacturers, it is a simple way to track your device type. Additionally, all MAC addresses are unique so it is the easiest way to match/combine your data from different trackers.

RKearney6y ago

> Additionally, all MAC addresses are unique so it is the easiest way to match/combine your data from different trackers.

This is not true. While it's intended for MAC addresses to be unique, there are plenty of instances where manufacturers re-use MACs when they run out instead of registering more.

Additionally, there is no issue with multiple devices having the same MAC address as long as they're never on the same Layer 2 domain.

2 more replies

hoistbypetard6y ago

Right. I understand what MAC addresses are. In addition to the characteristics you named, they are also entirely at the discretion of the client and therefore are trivially spoofable so long as no one else on the same media currently has the address you're spoofing. And because the advertisers and the trackers are a step removed from the LAN, they have no way to detect an attack where someone just shits tens of millions of nonsense addresses at them.

So I'm suggesting that if we know what they are using those for, there could be something fun (like a CCC talk) to be gained from tainting their data in a creative, easy way. Like a few hundred dollars worth of junk devices in a suitcase sending a bunch of carefully crafted MACs :-)

2 more replies

morpheuskafka6y ago

Knowing whether someone has a Qualcomm, Broadcomm, Intel, or Foxconn WiFi card doesn't seem that useful for profiling.

Of course, the location tracking based on your device's network discovery packets is a whole bigger issue.

2 more replies

fnord776y ago

https://github.com/feross/SpoofMAC

oil256y ago

On OpenBSD:

    # echo "lladdr random" >> /etc/hostname.athn0

Exuma6y ago

Does this work with OSX? Its 5 years since the last update...

heavyset_go6y ago

Had this alias for years and it still works:

    alias random-mac='openssl rand -hex 6 | sed '\''s/\(..\)/\1:/g; s/.$//'\'' | xargs sudo ifconfig en0 ether'

1 more reply

feross6y ago

Yes it still works.

imglorp6y ago

Linux lets you reassign your own MAC. There's no reason to use the same one twice in public! :)

1 more reply

cproctor6y ago

The problem with constantly shuffling MAC addresses is that they are used for device authentication on corporate/school/university networks. Does anyone know of a utility that generates MAC addresses as a hash of the SSID?

buzzkillington6y ago

A bash script?

You can scan for the networks in the area, select the one you want, run the name through, say sha256, select the first 8 characters and reset the mac address to that.

cproctor6y ago

Yeah, not that hard to do manually--I have a nice script for that. But I haven't looked into the logistics of hooking into the wifi connection process and doing this automatically :)

1 more reply

dan12346y ago

Won’t that cause problems if 2 people do this in the same session (and generate duplicate MAC addresses)?

I guess you could get around it by hashing the ssid + a personal salt.

jayalpha6y ago

macchanger

Also extends time limites wifi.

Or use my gypsy code

import random

import os

mac=''

os.system('/etc/init.d/networking stop')

os.system('ifconfig wlan1 down')

os.system('ifconfig eth1 down')

os.system('ifconfig wlp8s0 down')

os.system('ifconfig wlp7s0 down')

for i in range(0,3):

__r=random.randint(16, 256)

__mac=mac+":"+str(hex(r))[2:]

mac="00:07:E9"+mac

print mac

os.system('/etc/init.d/networking stop')

os.system('ifconfig wlan1 hw ether '+mac)

os.system('ifconfig wlp8s0 hw ether '+mac)

os.system('ifconfig wlp7s0 hw ether '+mac)

os.system('ifconfig eth1 hw ether '+mac)

os.system('ifconfig wlan1 up')

os.system('ifconfig eth1 up')

os.system('ifconfig wlp8s0 up')

os.system('ifconfig wlp7s0 up')

os.system('/etc/init.d/networking start')

os.system('ifconfig')

print "echo 'MAC changed..."

print "new random MAC "+mac

jolmg6y ago

You need to indent the code by at least 2 spaces so it doesn't collapse into a paragraph like that. Also, that script isn't really portable. Not everyone has those interface names nor /etc/init.d/networking.

jayalpha6y ago

It is gypsy code and works for me. Use macchanger instead of adopt the script for your purposes.

1 more reply

chupasaurus6y ago

ifconfig is a part of net-tools package, last release of which was in 2001 hence it's deprecated in any major distro since 2013. Unless you're running RHEL6 or something that old, you shouldn't use it.

dreamcompiler6y ago

Great. Guess they have the MAC address of my laptop from when I was there last week then. Fortunately it was a burner Chromebook running Gallium Linux so that makes me care a little less.

rnhmjoj6y ago

What I'm more worried about are probe requests, because sometimes I forget to turn off the wifi. Do you know whether the MAC address, or other identifying data, is sent in this case?

oil256y ago

MAC address of your radio, plus the BSSID of every wireless network you've ever connected to and saved.

anontechworker6y ago

Oof! Does anyone recommend any tools for protecting against this sort of stuff? I feel like a VPN wouldn’t even be enough here since the MAC address is coming through the headers.

Edit: typo

mrgreenfur6y ago

I think the full answer is to never trust anything on a page that isn't from the host domain: achievable via the uMatrix plugin. I dont understand why anyone would trust random scripts from a random company (and sometimes just an unnamed cloudfront endpoint).

A less intense version is to use a PiHole or otherwise block bad domains at the DNS level via a regular ad blocker.

oil256y ago

Can someone post a TLDR? Twitter blocks Tor exit nodes, so the content is unavailable:

> 403 Forbidden: The server understood the request, but is refusing to fulfill it.

pow_ext6y ago

We can't be sure about this, maybe the airport mask the data to a relay

steve_gh6y ago

This looks like a fairly significant GDPR breach

j / k navigate · click thread line to collapse

61 comments

helper6y ago

Based on the screenshots it looks like the mac address is leaking out because its in the referer. I would guess this isn't intentional and shouldn't be hard to fix.

pimterry6y ago

While the mac address is a particularly egregious note, really they shouldn't be sending any data to ad firms whatsoever without consent, and fixing the referrer alone won't help much.

It's not a good look. Referrer aside, I suspect there's no legal option other than dropping this ad script from their wifi login page entirely.

james_in_the_uk6y ago

1 more reply

pow_ext6y ago

Milan Airports answered that they have submitted the issue to the "Information technology staff"

source: https://twitter.com/pimterry/status/1192038174408753152?s=20

pimterry6y ago

Update - apparently they've now fixed this: https://twitter.com/MiAirports/status/1192433053743927296

o_____________o6y ago

On my Mac, I leave this running all the time:

https://github.com/halo/LinkLiar

mrgreenfur6y ago

Thanks for sharing this! I know it's included in Win10 and in iOS, surprised it's not in OSX yet!

elyrly6y ago

thanks!

tomcooks6y ago

In the title I suggest substituting Milan Airport with Milan Malpensa MXP Airport (for there are multiple Milan airports)

ComputerGuru6y ago

stefan_6y ago

The MAC randomization only applies to probes it sends for known networks when not connected. Once you are connected, it uses the real MAC.

iPhone also still sends the device name to the DHCP server when requesting an IP, so if you haven't changed it, it is broadcasting "<Your first name>'s iPhone" to the network.

tzs6y ago

> iPhone also still sends the device name to the DHCP server when requesting an IP, so if you haven't changed it, it is broadcasting "<Your first name>'s iPhone" to the network.

Awareness of this is probably going up. Comcast is actually running TV ads that point it out [1].

https://www.youtube.com/watch?v=H45-5Rga1B8

rsync6y ago

"iPhone also still sends the device name to the DHCP server when requesting an IP, so if you haven't changed it, it is broadcasting "<Your first name>'s iPhone" to the network."

My iphone has no idea what my first (or last) name is, but I still find it irksome that I cannot change my SSID nor can I hide it.

There is no reason I should be advertising the existence of my phone to everyone in (radio) earshot ...

Gaelan6y ago

IIRC (this is old and might have been wrong in the first place) iOS randomizes when it’s searching for networks but not when it’s connected to one.

angott6y ago

It’s not a bad idea. A randomized IP address at each connection would break many things on quite a few networks (IP-MAC static assignments, for instance).

2 more replies

lbeltrame6y ago

Recent NetworkManager versions on Linux do the same (I don't remember if it's on by default or not, though).

commotionfever6y ago

Yeah it's by default. Learned this the hard way when setting up port forwarding by MAC address on home network. Was wondering why the forward would only last a couple hours

ac296y ago

Android 10 also randomizes MAC addresses when probing, as a client, and as a AP/Hotspot: https://source.android.com/devices/tech/connect/wifi-mac-ran...

hoistbypetard6y ago

s5ma6n6y ago

RKearney6y ago

> Additionally, all MAC addresses are unique so it is the easiest way to match/combine your data from different trackers.

This is not true. While it's intended for MAC addresses to be unique, there are plenty of instances where manufacturers re-use MACs when they run out instead of registering more.

Additionally, there is no issue with multiple devices having the same MAC address as long as they're never on the same Layer 2 domain.

2 more replies

hoistbypetard6y ago

2 more replies

morpheuskafka6y ago

Knowing whether someone has a Qualcomm, Broadcomm, Intel, or Foxconn WiFi card doesn't seem that useful for profiling.

Of course, the location tracking based on your device's network discovery packets is a whole bigger issue.

2 more replies

fnord776y ago

https://github.com/feross/SpoofMAC

oil256y ago

On OpenBSD:

    # echo "lladdr random" >> /etc/hostname.athn0

Exuma6y ago

Does this work with OSX? Its 5 years since the last update...

heavyset_go6y ago

Had this alias for years and it still works:

    alias random-mac='openssl rand -hex 6 | sed '\''s/\(..\)/\1:/g; s/.$//'\'' | xargs sudo ifconfig en0 ether'

1 more reply

feross6y ago

Yes it still works.

imglorp6y ago

Linux lets you reassign your own MAC. There's no reason to use the same one twice in public! :)

1 more reply

cproctor6y ago

buzzkillington6y ago

A bash script?

You can scan for the networks in the area, select the one you want, run the name through, say sha256, select the first 8 characters and reset the mac address to that.

cproctor6y ago

Yeah, not that hard to do manually--I have a nice script for that. But I haven't looked into the logistics of hooking into the wifi connection process and doing this automatically :)

1 more reply

dan12346y ago

Won’t that cause problems if 2 people do this in the same session (and generate duplicate MAC addresses)?

I guess you could get around it by hashing the ssid + a personal salt.

jayalpha6y ago

macchanger

Also extends time limites wifi.

Or use my gypsy code

import random

import os

mac=''

os.system('/etc/init.d/networking stop')

os.system('ifconfig wlan1 down')

os.system('ifconfig eth1 down')

os.system('ifconfig wlp8s0 down')

os.system('ifconfig wlp7s0 down')

for i in range(0,3):

__r=random.randint(16, 256)

__mac=mac+":"+str(hex(r))[2:]

mac="00:07:E9"+mac

print mac

os.system('/etc/init.d/networking stop')

os.system('ifconfig wlan1 hw ether '+mac)

os.system('ifconfig wlp8s0 hw ether '+mac)

os.system('ifconfig wlp7s0 hw ether '+mac)

os.system('ifconfig eth1 hw ether '+mac)

os.system('ifconfig wlan1 up')

os.system('ifconfig eth1 up')

os.system('ifconfig wlp8s0 up')

os.system('ifconfig wlp7s0 up')

os.system('/etc/init.d/networking start')

os.system('ifconfig')

print "echo 'MAC changed..."

print "new random MAC "+mac

jolmg6y ago

jayalpha6y ago

It is gypsy code and works for me. Use macchanger instead of adopt the script for your purposes.

1 more reply

chupasaurus6y ago

dreamcompiler6y ago

Great. Guess they have the MAC address of my laptop from when I was there last week then. Fortunately it was a burner Chromebook running Gallium Linux so that makes me care a little less.

rnhmjoj6y ago

What I'm more worried about are probe requests, because sometimes I forget to turn off the wifi. Do you know whether the MAC address, or other identifying data, is sent in this case?

oil256y ago

MAC address of your radio, plus the BSSID of every wireless network you've ever connected to and saved.

anontechworker6y ago

Oof! Does anyone recommend any tools for protecting against this sort of stuff? I feel like a VPN wouldn’t even be enough here since the MAC address is coming through the headers.

Edit: typo

mrgreenfur6y ago

A less intense version is to use a PiHole or otherwise block bad domains at the DNS level via a regular ad blocker.

oil256y ago

Can someone post a TLDR? Twitter blocks Tor exit nodes, so the content is unavailable:

> 403 Forbidden: The server understood the request, but is refusing to fulfill it.

pow_ext6y ago

We can't be sure about this, maybe the airport mask the data to a relay

steve_gh6y ago

This looks like a fairly significant GDPR breach

j / k navigate · click thread line to collapse