10 Jan 2019

German police are seeking the help of the public in order to find the details and identify the owner of a MAC address which is known to have been used by a bomber in late 2017.

A MAC (Media Access Control) address is a unique code that is assigned to network interfaces embedded in all types of devices, such as smartphones, computers, IoT devices, and any WiFi-enabled device.

MAC addresses are an inseparable part of how an Internet operates and when a device interact with another device online, they are tracked by several identifiers, such as their IP and MAC address. Local networking devices, such as routers and some firewalls, track MAC addresses in logs.

According to a press release published yesterday, police from the German state of Brandenburg are asking router owners to search through their logs for a specific MAC address.

The MAC address is f8:e0:79:af:57:eb. Which the police believe is that of a suspect who tried to blackmail German courier service DHL between November 2017 and April 2018.

The suspect demanded huge money from DHL and threatened to detonate bombs across Germany, at DHL courier stations, private companies, and in public spaces.

However, the bomb threats were real. The first bomb, sent to a company near Berlin, caught fire instead of exploding. A second bomb, sent to a pharmacy in Potsdam also failed to detonate, but the package contained a real bomb.

The investigators tried to negotiate with the bomber by exchanging emails with the attacker on three occasions, on April 6, 2018, April 13, 2018, and April 14, 2018.

It was during these conversations that the investigators managed to get the bomber’s MAC address, which is believed to be of a Motorola phone.

It is possible for a user to change a device’s MAC address that is broadcasted to other devices which indicates that the attacker might have used that MAC only for the short period while sending those emails.

Nevertheless, German authorities hope to get new evidence. That is why they are asking the router owners to check router access logs for this address, and report if they know any details. Investigators want to know to what routers/networks the bomber has connected before and after the attacks, in order to track his movements and to find a clue to his identity.

Leave your thought