Can third parties obtain my MAC address?

APRIL 01, 2023 | FINGERPRINTS

MAC address. No, not the kind you eat, but the type embedded in your device's hardware. In this article, we'll explain what a MAC address is, how it differs from an IP address, and what you can do to protect your privacy.

What is a MAC Address?

MAC addresses are like the secret code that helps your device communicate with the rest of the internet. It's like having a secret handshake that only cool people (i.e., devices) know.

Think of it like this - every device on the internet has a unique identifier, like a digital name tag. The MAC address makes your device's name tag stand out from all the others. It's like your device's unique superpower that helps it connect to all the internet services out there

And get this - while your IP address (another internet identifier) can change, your MAC address is with you for life! It's like a loyal companion always by your device's side. And because it's unique to your device, it can help track what your device is doing on the network.

IP Address vs. MAC Address

An IP address is another way to ID devices on the internet. You've got internal ones used for devices on a local network and external ones that internet service providers (ISPs) hand out for internet communication.

But a MAC address is different - it's like a name tag for your device's network connection. Every type of network interface, from your Wi-Fi card to your Ethernet port to your Bluetooth adapter, has its unique MAC address.

The chances of having the same MAC address as someone else are like winning the lottery. No wonder, then, that we are asked this question so frequently – if websites can obtain your MAC address, then it is a big risk.

Is your MAC address private?

Let's turn back to our original question: are MAC addresses obtainable by sites you visit? The short answer is no, it largely isn't, Previously, technologies like Java and Flash made it possible, but, with these now deprecated or obsolete, the main remaining methods are somewhat more roundabout.

This does not, however, mean this isn't an important point for businesses that are reliant on browser privacy. As we explain, it provides a clear path to where your priorities should lie.

First, however, a brief overview of how a MAC address could be obtained.

The TikTok case

While there is now no longer a one-stop solution to get a MAC address, it is possible by combining information from different channels. You may have seen the case of the Chinese app TikTok/Douyin, where news reports show that it collected users' MAC addresses for 15 months. If you have launched the application then, then TikTok knows at least your MAC address and, through this information, the brand of mobile phone you used.

Captive portals

Internet-connected devices, in shopping malls, coffee shops, stations and more surround us. However, connecting to a public WiFi network has its risks. Connecting means you share your network adapter's MAC address. So far, so innocuous – until you see research from Concordia University, showing some hotspots leak MAC addresses to numerous other parties. Pizza Hut leaks your MAC address to 11 domains, H&M Place Montreal Trust and Discount Car Rental to six. And the receiving domains? Top names include Alphabet (Google), Facebook and Amazon.

Some hotspots, such as Pizza Hut and H&M, leak MAC addresses to numerous third parties.

Some of these third parties set persistent cookies that can sometimes last even as long as 20 years! While your mobile may hide or give a randomized MAC address, our PC or laptop won't. While connecting, most computers will use the OS's default browser, helping the persistent cookie to establish a relationship between our identity and MAC address.

DNS rebinding

DNS or domain name system is what gives us friendly website names – like google.com – instead of complicated strings of IP numbers like 142.250.180.110.

When we connect to that domain, under the cover, our devices ask the domain name server which IP address is assigned to what we browsed (eg google.com). To avoid repeatedly doing this, your device keeps the info for a period of time specified by the domain, called 'time to live' or TTL.

In our case, TTL is set deliberately short so that your device keeps making requests. Meanwhile, your browser executes a malicious script from that website. When the TTL quickly expires, your device makes another request – and the response returns a local IP, such as 192.168.1.1, belonging to your home router.

Eventually, the attacking website can access sensitive information, including the name of devices connected to the router and those devices' associated MAC addresses.

Is this a concern for my business?

The examples above go to show that, yes, there is an element of roundabout risk that your MAC address can be obtained.

However, the key lesson is one of the priorities for businesses that are dependent on preserving their privacy. MAC address is still one of our most frequently asked questions – and yet the direct methods are defunct. In other words, people are focusing on an area of diminishing importance while letting slide some of the key concerns in keeping browser profiles watertight when running multiple accounts.

It is these areas of browser fingerprinting, mainly directly obtainable, that can pose an important risk to your business, so you need to make sure you keep yourself and the technologies you use up-to-date.