Have you seen f8:e0:79:af:57:eb?

Wi-Fi and Ethernet adapters contain a unique MAC address that they use when exchanging frames in the LAN. These addresses are assigned by the IEEE to each manufacturer, which is supposed to configure each adapter with a unique address. Every time you use a laptop, smartphone, tablet or other Wi-Fi equipped device, it sends frames with its unique MAC address. These MAC addresses do not leave the LAN where they are used, but they are used by services such as DHCP to allocate addresses. Some of these services log the MAC addresses that they have seen for security reasons.

In a recent press release, the German police asked network engineers to help them find usage of MAC address f8:e0:79:af:57:eb in their logs to help identify a terrorist. As far as I know, this is the first time that the police have sought help to locate a MAC address.


As explained in a ZDNet article, one problem with this MAC address search is that many devices can be configured to use a MAC address different from their assigned one. Recent versions of Android and iOS go one step further by automatically randomising their MAC address. Windows 10 also uses MAC address randomization. A detailed study of these MAC address randomization techniques may be found in "Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms", written by M. Vanhoef and his colleagues.
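The log search described above, and the limit that randomization puts on it, can be sketched as follows. This is an added example, not code from the original post; the function names and the sample log lines are constructed for illustration.

```python
import re

# 48-bit MAC in colon, hyphen, dotted (f8e0.79af.57eb) or bare hex notation.
MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}"
    r"|[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2}|[0-9A-Fa-f]{12})(?![0-9A-Fa-f])"
)

def normalize(mac):
    """Return the lowercase, colon-separated form of any supported notation."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set. Randomized addresses set
    it; addresses taken from an IEEE-assigned block leave it clear."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def find_mac(lines, wanted):
    """Return (line_number, line) for each line that mentions `wanted`,
    whatever notation the logging device used."""
    target = normalize(wanted)
    return [(n, line) for n, line in enumerate(lines, 1)
            if any(normalize(m) == target for m in MAC_RE.findall(line))]

def locally_administered_seen(lines):
    """Logged addresses with the locally administered bit set, i.e. likely
    randomized or manually configured rather than factory-assigned."""
    seen = {normalize(m) for line in lines for m in MAC_RE.findall(line)}
    return {m for m in seen if is_locally_administered(m)}

# Constructed sample lines, not the output of any real product.
SAMPLE_LOG = [
    "Jan  8 10:12:01 gw dhcp: lease 192.0.2.23 to f8:e0:79:af:57:eb",
    "Jan  8 10:12:07 sw1 l2: learned F8E0.79AF.57EB on port 4 vlan 10",
    "Jan  8 10:13:44 ap3 wifi: station DA-A1-19-3C-5B-0E associated",
    "Jan  8 10:14:02 gw dhcp: lease 192.0.2.40 to 00:00:5e:00:53:2a",
]

if __name__ == "__main__":
    for n, line in find_mac(SAMPLE_LOG, "f8:e0:79:af:57:eb"):
        print(f"line {n}: {line}")
    print("locally administered:", sorted(locally_administered_seen(SAMPLE_LOG)))
```

The address in the police request has the locally administered bit clear, so it looks like a factory-assigned address; a device that randomizes or overrides its address shows up in the same logs under a different value, which is why such a search can miss it.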

Written on January 10, 2019