German police ask router owners for help in identifying a bomber's MAC address

In a first, German police ask router owners to comb logs for f8:e0:79:af:57:eb and report any sightings to authorities.
Written by Catalin Cimpanu, Contributor

German authorities have asked the public for help in surfacing more details and potentially identifying the owner of a MAC address known to have been used by a bomber in late 2017.

A media access control address, more commonly known as a MAC address, is a unique code assigned to network interfaces embedded in all types of devices, such as smartphones, computers, IoT devices, and any WiFi-capable device.

MAC addresses are an intrinsic part of how the modern internet works, and when devices interact with each other online, they are tracked by several identifiers, such as their IP and MAC address. Local networking devices, such as routers and some firewalls, track MAC addresses in logs.

In a press release published yesterday, police from the German state of Brandenburg, where the city of Berlin is located, are now asking router owners to comb through their logs for a specific MAC address.

The MAC address is f8:e0:79:af:57:eb. Brandenburg police say it belongs to a suspect who tried to blackmail German courier service DHL between November 2017 and April 2018.

The suspect demanded large sums of money from DHL and threatened to detonate bombs across Germany, at DHL courier stations, private companies, and in public spaces.

The bomb threats were real. A first bomb, sent to a company near Berlin, caught fire instead of exploding. A second bomb, sent to a pharmacy in Potsdam, a city near Berlin, also failed to detonate, but the package did contain an actual bomb.

Investigators called in to negotiate with the bomber managed to exchange emails with the attacker on three occasions, on April 6, 2018, April 13, 2018, and April 14, 2018.

One of the details obtained during these conversations was the bomber's MAC address, which, based on the hardware industry's MAC address allocation tables, should theoretically belong to a Motorola phone.

However, it is widely known that users can change the MAC address a device broadcasts to other devices, meaning the attacker could have used that MAC only for the short time it took to send those emails.

Nonetheless, German authorities are hoping to find new evidence, or that the attacker was careless enough not to have changed his MAC address at all.

Now, they're asking router owners to check router access logs for this address and report any sightings to authorities. Investigators want to know which routers and networks the bomber connected to before and after the attacks, in order to track his movements and maybe gain insight into his identity.
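One way a router owner could run this check, added here as an example and not taken from the police release or the original article: it matches the published address in colon, hyphen, dotted or unseparated notation and in any letter case, since devices do not log MAC addresses uniformly. The function names and the sample log lines are constructed for illustration.

```python
import re

# MAC address published by Brandenburg police, as given in the article.
TARGET_MAC = "f8:e0:79:af:57:eb"

def mac_digits(mac):
    """Reduce any MAC notation to its 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def mac_pattern(mac):
    """Regex matching the MAC with ':', '-', '.' or no separators, any case."""
    return re.compile(r"[:.\-]?".join(mac_digits(mac)), re.IGNORECASE)

def find_sightings(lines, mac=TARGET_MAC):
    """Return (line_number, line) for every log line that mentions the MAC."""
    pattern = mac_pattern(mac)
    return [(n, line.rstrip("\n"))
            for n, line in enumerate(lines, 1) if pattern.search(line)]

def is_locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set, as on randomized
    addresses. A clear bit does not prove the address is genuine: a spoofed
    address can copy a vendor-assigned prefix."""
    return bool(int(mac_digits(mac)[:2], 16) & 0x02)

# Constructed sample log lines (illustrative, not real router output).
SAMPLE_LOG = [
    "Apr 13 21:04:11 ap hostapd: wlan0: STA F8:E0:79:AF:57:EB IEEE 802.11: associated",
    "Apr 13 21:04:12 gw dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.23 f8-e0-79-af-57-eb",
    "Apr 13 21:05:40 gw dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.24 a4:5e:60:12:34:56",
    "Apr 13 21:06:02 sw1 port 3: learned host f8e0.79af.57eb",
    # Source MAC embedded in a longer dst:src:ethertype header field.
    "Apr 13 21:07:19 gw kernel: IN=br0 MAC=00:11:22:33:44:55:f8:e0:79:af:57:eb:08:00 SRC=192.168.1.23",
    # Near miss: last octet differs, must not be reported.
    "Apr 13 21:08:30 ap hostapd: wlan0: STA f8:e0:79:af:57:ec IEEE 802.11: associated",
]

if __name__ == "__main__":
    for n, line in find_sightings(SAMPLE_LOG):
        print(f"line {n}: {line}")
    print("locally administered:", is_locally_administered(TARGET_MAC))
```

The matcher deliberately favours over-matching: a hit inside a longer hex string should be reviewed by eye before it is reported.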

Anyone who can help with the investigation can tip German police via the contact details listed here.
