MAC addresses: the privacy Achilles' Heel of the Internet of Things

For a device worn or carried by a person the MAC address is effectively a unique ID for that individual; this is a problem now and it will get much worse

This article is one in a series of pieces about Privacy by Design and privacy engineering. More will follow over the coming weeks.

American designer, innovator and anti-surveillance specialist Adam Harvey believes that the media access control (MAC) address, by which devices are commonly identified on a network, represent a significant privacy weak point that will get more serious as the Internet of Things (IoT) takes off.

"We are about to manufacture and deploy billions of devices and we don't even know what the problems are yet," he told a technical audience at a talk hosted by Digital Catapult, the London-based innovation centre.

"If we do this wrong we're really screwed. The MAC address is such a big thing because so many devices use it. Anything with a networking card has a MAC address."

Harvey continued: "When you're walking around with your phone or your health device with Bluetooth or Wi-Fi turned on, some of these are broadcasting your MAC address. It's a number that's burned into the device."

A MAC address is a unique identifier for a device, he explained, and for something regularly worn or carried by a person, it is effectively a unique identifier for that person. To illustrate what sort of information can be deduced from a MAC address, Harvey demonstrated a program created by his colleague the engineer Surya Mattu, using which they had secretly obtained the MAC addresses of smartphones present at an IT security event in Brussels.

"We collected information about everybody in the room just based on what was leaking from their phone," he said. "We were able to do this even with security specialists at a security symposium."

Using this program he was able to find the Wi-Fi networks that each phone had connected to and thus trace the owners' movements around the world.

"It's not perfect because I had to use reverse lookup to get the data points, so it's probabilistic, but I think it's pretty accurate," he explained.

Harvey spoke of how such information could be used: "If I were malicious I could construct a highly targeted phishing attack by saying 'I see you've been to the Grand Hotel, did you enjoy your stay there?'"

Ironically, at the security conference where he harvested the information the delegates were discussing worst-case scenarios that could occur through the hacking of personal devices. Even more serious than phishing, the MAC address could be used by malicious actors to trigger a bomb when a certain person enters a room, Harvey said, or by a workplace to secretly track employees' movements.

"The uses are endless, and when you don't have a way of controlling the MAC address then you're forced to reveal yourself. It's not much different to walking around electronically naked, as Edward Snowden said."

While there are ways to cloak or spoof a MAC address on a smartphone, as the IoT develops and connected devices - many lacking a user interface - proliferate, this will be increasingly difficult.

Entrepreneur Geoff Revill, who has created an app called Krowd that allows users to create an "ad hoc social network" when connected to the same Wi-Fi access point, said that people consider information about their location as very sensitive.

"Of all the metadata consumers are aware of, location is the one that touches intuitively on their privacy sensitivities," he told Computing.

"It's why they avoid downloading apps with location permissions, or turn off that service for apps that seek access to location. Consumers are right to be concerned, location is the most insightful of data. Hence we focused on unlocking location value without knowing location for our Krowd Personal Network."

A 2012 survey by the Pew Research Centre (PDF) found that 54 per cent of smartphone users had decided not to install an app after learning how much personal information they would need to share to use it, while 30 per cent disabled location on their phone.

A later survey by Trust-e found that after contacts, location data was the information that users are most reluctant to share.

Join us in London for our Enterprise Security & Risk Management Summit on 26 November. Registration is free for most delegates.