Can third parties obtain my MAC address?

One of the most frequently asked questions we get about fingerprinting is whether you can hide your MAC address or not, and what this means for privacy-conscious businesses. Sometimes this is more direct: “can a website or third party obtain my MAC address?” We investigate.

What is a MAC address?

First up, let’s look at the big picture. What actually is a MAC address?

A MAC address is a unique address that is assigned to our Bluetooth, WiFi and Ethernet cards, buried directly in our devices. It’s used in local networks by devices to communicate with each other.

The MAC address is also called the device’s ‘physical’ address, indicating which device it is, whereas the IP address says where the device is connected in a network of millions.

Take an analogy. You call your colleague by his name at work: this is his ‘MAC address’ which indicates it is him. But to reach him, say to send a card, you need his phone number or postal address, which is his ‘IP address’ connecting him to a wider network.

A MAC address is a unique address assigned to our Bluetooth, WiFi and Ethernet cards.

The chances of having the same MAC address as someone else are like winning the lottery. No wonder, then, that we are asked this question so frequently – if websites can obtain your MAC address, then it is a big risk.

Is your MAC address private?

Let’s turn back to our original question: are MAC addresses obtainable by sites you visit? The short answer is no, it largely isn’t, Previously, technologies like Java and Flash made it possible, but, with these now deprecated or obsolete, the main remaining methods are somewhat more roundabout.

This does not however mean this isn’t an important point for businesses who are reliant on browser privacy. As we explain, it provides a clear path to where your priorities should lie.

First, however, a brief overview of how a MAC address could be obtained.

The TikTok case

While there is now no longer a one-stop solution to get a MAC address, it is possible by combining information from different channels. You may have seen the case of Chinese app TikTok/Douyin, where news reports show that it collected users’ MAC addresses for 15 months. If you had launched the application then, then TikTok knows at least your MAC address and, through this information, the brand of mobile phone you used.

Captive portals

We’re surrounded by internet-connected devices, in shopping malls, coffee shops, stations and more. However, connecting to a public WiFi network has its risks. Connecting means you share your network adapter’s MAC address. So far, so innocuous – until you see research from Concordia University, showing some hotspots leak MAC addresses to numerous other parties. Pizza Hut leaks your MAC address to 11 domains, H&M Place Montreal Trust and Discount Car Rental to six. And the receiving domains? Top names including Alphabet (Google), Facebook and Amazon.

Some hotspots, such as Pizza Hut and H&M, leak MAC addresses to numerous third parties.

Some of these third parties set persistent cookies that can last even as long as 20 years in some cases! While your mobile may hide or give a randomized MAC address, our PC or laptop won’t. While connecting, most computers will use the OS’s default browser, helping the persistent cookie to establish a relationship between our identity and MAC address.

DNS rebinding

DNS or domain name system is what gives us friendly website names – like google.com – instead of complicated strings of IP numbers like 142.250.180.110.

When we connect to that domain, under the cover, our devices ask the domain name server which IP address is assigned to what we browsed to (eg google.com). To avoid repeatedly doing this, your device keeps the info for a period of time specified by the domain, called ‘time to live’ or TTL.

In our case, TTL is set deliberately short so that your device keeps making requests. Meanwhile, your browser executes malicious script from that website. When the TTL quickly expires, your device makes another request – and the response returns a local IP, such as 192.168.1.1, belonging to your home router.

Eventually, the attacking website can access sensitive information, including the name of devices connected to the router and those devices’ associated MAC addresses.

Is this a concern for my business?

The examples above go to show that, yes, there is an element of roundabout risk that your MAC address can be obtained.

However, the key lesson is actually one of priorities for businesses who are dependent on preserving their privacy. MAC address is still one of our most frequently asked questions – and yet the direct methods are defunct. In other words, people are focusing on an area of diminishing importance while letting slide some of the key concerns in keeping browser profiles watertight when running multiple accounts.

It is these areas of browser fingerprinting, mainly directly obtainable, that can pose an important risk to your business, so you need to make sure you keep yourself and the technologies you use up-to-date. To do so, sign up for Multilogin’s free email updates below.