
It's worse than that: on iOS devices the MAC address is easy to predict. For instance, my phone and my wife's phone have the same first four bytes.

Example:

F0:AB:C7:11:xx:yy

So you can easily crack this by brute force without sniffing the device address at all.




This is by design[1]. The first 3 bytes are the same for the same manufacturer. The last 3 bytes can be assigned as they wish. Apple probably assigns the 4th byte as a product identifier, so it would be consistent across iPhones. I wonder what the 4th byte is for other iOS devices, or if it's the same?

[1]http://en.wikipedia.org/wiki/Organizationally_Unique_Identif...


That's very unlikely: an address space of just 65K numbers would be left, which is orders of magnitude less than the number of iPhones produced.

Considering that each phone has at least two MACs (Wi-Fi and Bluetooth), even the 16 million addresses that would be given by using the full 3 bytes look scarce.

I think that Apple has several OUIs. In fact, my iPhone's MAC doesn't have a single byte in common with the parent's.


You're right, I didn't do the maths. This list[1] from 2010 shows that Apple has dozens of OUIs and I imagine the list is much, much longer now.

[1]http://www.scribd.com/doc/42074577/Apple-OUI-List


But maybe given products use a small subset of their available addresses...

Ok, there is a simple way, let's collectively compile a list of the HN users reading this thread having an iPhone. I'll start with:

   4s - F0:CB:A1:xx:yy:zz (me)
   4s - F0:CB:A1:xx:yy:zz (wife)
   4s - F0:CB:A1:xx:yy:zz (friend)
Please reply with your first three bytes.


Another friend of mine:

4s - 0C:77:1A:xx:yy:zz


My address was modified completely just to remove information about my actual address. Likely your first three bytes are: F0:CB:A1.


No, it starts with D0:23


Yes, I know, but given that, of the three bytes reserved for Apple, a specific device type like the 4s, 4, 5, or the like happens to use a subset of the fourth-byte combinations, the space is reduced to a bit more than 16 bits, making the brute force attack absolutely feasible.

P.S. I've verified that other 4s have a different (but numerically very "near") fourth byte. It seems to be in the range 20-24 or the like.
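To make the size of the reduced search space concrete, here is an added example that is not part of the thread or any poster's code. It takes the two full OUIs posted above (F0:CB:A1 and 0C:77:1A) and the reported fourth-byte range 0x20-0x24, counts the candidate addresses, and then enumerates them against a target. The thread never says what derived value is being brute-forced, so the example assumes it is a SHA-256 digest of the colon-separated, upper-case MAC string; the target digest is constructed from a made-up address purely for the demonstration.

```python
import hashlib
import itertools

# Constructed inputs, taken from the posts above: the two complete OUIs
# reported for the iPhone 4s and the fourth-byte range one poster observed.
OUIS = ["F0:CB:A1", "0C:77:1A"]
FOURTH_BYTE_RANGE = range(0x20, 0x25)  # 0x20..0x24 inclusive


def parse_oui(oui):
    """Turn 'F0:CB:A1' into the 3-byte manufacturer prefix."""
    parts = oui.split(":")
    if len(parts) != 3:
        raise ValueError(f"not a 3-byte OUI: {oui!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(mac):
    """6 raw bytes -> 'F0:CB:A1:20:00:01' (upper-case, colon separated)."""
    return ":".join(f"{b:02X}" for b in mac)


def search_space_size(ouis, fourth_bytes):
    """Candidates = OUIs x observed fourth bytes x the free last two bytes."""
    return len(ouis) * len(fourth_bytes) * 256 * 256


def full_space_size(ouis):
    """What the attacker would face if the whole 24-bit suffix were in play."""
    return len(ouis) * 256 ** 3


def candidate_macs(ouis, fourth_bytes):
    """Yield every 6-byte address in the reduced space, in a fixed order."""
    for oui in ouis:
        prefix = parse_oui(oui)
        for b4 in fourth_bytes:
            for b5, b6 in itertools.product(range(256), repeat=2):
                yield prefix + bytes((b4, b5, b6))


def mac_digest(mac):
    """Assumed target format: SHA-256 over the textual MAC (not from the thread)."""
    return hashlib.sha256(format_mac(mac).encode("ascii")).digest()


def brute_force(target_digest, ouis=OUIS, fourth_bytes=FOURTH_BYTE_RANGE):
    """Walk the reduced space until a candidate hashes to target_digest.

    Returns the matching MAC as a string, or None if the target lies
    outside the assumed OUIs / fourth-byte range.
    """
    for mac in candidate_macs(ouis, fourth_bytes):
        if mac_digest(mac) == target_digest:
            return format_mac(mac)
    return None


# Constructed target: a made-up 4s address inside the assumed space.
CONSTRUCTED_MAC = "0C:77:1A:21:03:7F"
CONSTRUCTED_TARGET = mac_digest(parse_oui("0C:77:1A") + bytes((0x21, 0x03, 0x7F)))


if __name__ == "__main__":
    reduced = search_space_size(OUIS, FOURTH_BYTE_RANGE)
    full = full_space_size(OUIS)
    print(f"reduced space: {reduced:,} candidates (~2^{reduced.bit_length() - 1})")
    print(f"full 24-bit space for the same OUIs: {full:,} (x{full // reduced} larger)")
    print("recovered:", brute_force(CONSTRUCTED_TARGET))
```

With two OUIs and five fourth-byte values the reduced space is 655,360 addresses, a little over 2^19, versus 33,554,432 for the same OUIs with a free 24-bit suffix; walking all of it with SHA-256 takes well under a second on a laptop, which is the feasibility point the comment makes. If the target is outside the assumed OUIs or fourth-byte range, `brute_force` returns `None` rather than a wrong address, so the only way to widen coverage is to widen the candidate lists.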



