Skip to content
Naked Security Naked Security

US cop goes wardriving to sniff out stolen gadgets by MAC address

He rigged up a thumb drive sized-antenna that plugs into a squad car laptop’s USB port to sniff out known stolen devices.

shutterstock_117901750When it comes to sniffing out unsecure Wi-Fi networks, you can take your pick of vehicle to drive around: we’ve had warbiking, feline warprowling (with bonus mouse catching!), and warstrolling (with high heels packing Wi-Fi hacking tools, no less!).

Now, a US cop has reverted to the plain old vanilla mode of wardriving in a car, but he’s not looking for hotspots or routers that lack passwords.

Nor is he sniffing out routers using the creaky, old, easily cracked WEP encryption protocol.

Rather, Iowa City police officer David Schwindt is stalking stolen gadgets.

Specifically, he’s cooked up some software and rigged up a thumb drive sized-antenna that plugs into the USB port of his squad car laptop to sniff out the media access control (MAC) addresses from a database of known stolen items.

MAC addresses are unique identification numbers that act like a device’s digital fingerprint.

Researchers have confirmed they also link to your real identity, and, according to Edward Snowden, the National Security Agency (NSA) has a system that tracks the movements of everyone in a city by monitoring the MAC addresses of their electronic devices.

Schwindt says his software product, which he’s calling L8NT – that’s a leet-speak/acronym hybrid that stands for latent analysis of 802.11 network traffic – won’t be used to find the occasional stolen iPod or laptop.

Neither will the tool give police access to personal or private information included in MAC packets, he told The Gazette.

Rather, he has his eye on bigger cases:

If your cellphone is stolen from a bar ... that’s not necessarily what L8NT is intended for. But, if your home is burglarized and your cellphone is stolen, now, as a police chief, I’m interested [in that technology.]

The device – which has a range of about 300 feet – scans for MAC addresses, looking for matches to known stolen items.

The L8NT can also be attached to a directional antenna to allow police to determine where the signal is coming from and to obtain a warrant.

However, the device does not work in all circumstances.

If you walk around with Wi-Fi enabled on your phone, it will broadcast its MAC address indiscriminately and, unlike an IP address which changes over time or when you switch networks, a MAC address is constant (though it can be spoofed, either for legitimate purposes or by a thief who wants to hide it).

But if a device is powered down, or if Wi-Fi has been disabled, the L8NT won’t be able to sniff it out.

Nor will it do much good if legitimate device owners haven’t bothered to record the MAC addresses of their devices.

Then again, it might also prove useless in the case of Apple’s iOS 8 devices.

Apple introduced a random MAC address generator in iOS 8 last year, in an effort to help users fend off marketers’ ability to recognize their devices and thereby ID them at will.

That randomisation isn’t constant, mind you: As Paul Ducklin noted at the time, randomisation only happens before you connect, when your Wi-Fi card is scanning for networks.

When your iGadget finds an access point with a name that matches one of your known networks, it tries to connect by using your real, rather than your random, MAC address.

So the coffee shop you visit regularly won’t have any trouble recognising you, though a shopping mall you merely walk through won’t be able to ID you.

But while there are cases where the officer’s L8NT won’t work, Schwindt still has big plans, he’s developed a proof of concept, has a provisional patent on the device, and plans to apply for a full patent this fall.

In the meantime, he’s sent out surveys to law enforcement agencies to test the waters and see if they might be interested.

Image of police car with full array of lights courtesy of


This is something I wish they were doing years ago. If anyone has had anything stolen from their houses or cars they will agree too. Hopefully they get to arrest a bunch of these thieves.


LE should be able to give a list of MAC addresses of stolen equipment to Telco companies and they can detect them when connected by any method as the hardware of the item is used to identify if it is allowed on their network (can’t use an AT&T phone on Verizon).


Not sure where you’re coming up with your information from, but a MAC address is configurable on just about every piece of equipment. it’s not ‘stamped in’, as you might assert, a MAC address is volatile, and can and quite often is cloned to spoof others who think it’s actually burned in.

Take a look at Technitium’s MAC Address changer for a PC based utility of how quickly and easily it can be changed. Most PCs (Mac computers too) have the ability to modify TCP properties.

In any case. i call bullshit on this story. No, there’s no database of MAC addresses. Snowden (my former classmate) hasn’t suggested there’s anything of the sort. Damn do you people know how to put words in people’s mouths.


Hi, thanks for your comment. We’ve removed any implication that MAC addresses can’t be changed. The “database” Lisa refers to is one that lists the MAC addresses of stolen items recorded by police.


Man: Man didn’t have the right form.
Clerk: What man?
Man: The man from the cat detector van.
Clerk: The loony detector van, you mean.
Man: Look, it’s people like you what cause unrest.
Clerk: What cat detector van?
Man: The cat detector van from the Ministry of Housinge.
Clerk: Housinge?
Man: It was spelt like that on the van. I’m very observant. I never seen so many bleedin’ aerials. The man said their equipment could pinpoint a purr at four hundred yards, and Eric being such a happy cat was a piece of cake.


And do police know that MAC addresses can be spoofed? I

But the thing that REALLY worries me about this kind of crime fighting is that — once again — it’s not officers going after criminals with a warrant and probable cause — it’s cops running pseudo-vigilante operations, spying on EVERYONE in order to catch a SOMEONE they don’t even know committed a crime.


Looking for MAC addresses that are publicly broadcast by a device is hardly “spying,” let alone “spying on EVERYONE,” now, is it?

And if all you’re doing with those MACs is comparing them against a list of reported-stolen devices…that’s not much more intrusive than a cop keeping a look out from his squad car for faces that match mugshots, or bicycles that match theft reports. (Which is also a form of electromagnetic surveillance, eh?)


Paul, when you go out LOOKING for MAC addresses without a warrant — THAT makes it spying. In the United States we still haven’t repealed the 4th Amendment, though one would hardly realize it with such things as this going on. You are looking at the issue from strictly a technical point of view, that is, with blinders on.


The Fourth Amendment is the freedom from unreasonable search and seizure, is that the one? I’m struggling to see how matching openly transmitted MACs against a list of known bad ones is either search or seizure, let alone “spying.”

As an aside, I don’t think you need a warrant to monitor MAC addresses – and for that reason, I am not sure you could actually get one.


Joe, you’re completely off-base with this assertion. The legal hurdle which changes something from normal investigative action to “spying”, as you call it, is “expectation of privacy”. If the cop was walking up to your window, peering into your house, and somehow reading the MAC address from somewhere an average citizen considers private, that’s illegal. If the cop simply picks up a transmission through the air, outside the premises of your house where you have no expectation of privacy, he’s absolutely fine. One doesn’t need a warrant to observe something out in the open.


A couples of days ago this story was posted on that other UK site that reports security news (the one that uses the silly alliterative slang), and it got me thinking about MAC addresses. I asked the non-techs where I work if they knew what a MAC address is; a few had a vague knowledge of MAC addresses, A crook would have to be pretty tech savvy to know how to change or hide the MAC of a stolen device, and the victim would have to know enough to record or find the MAC address for a stolen device. Part of my job is to count the number of users on our publicly available Wi-Fi and I use the MAC addresses along with the device name to count use. I can usually tell staff devices from public by both the MAC address and the device name (e.g. Alice’s iphone). I do have one question about MAC addresses: are MAC addresses included in the packets sent over the Internet? Thanks.


No, MAC address of an device is transmitted in its local areas network only.
When the packet reach the router and transmitted to Internet, the MAC address of the packet is changed to the router’s MAC instead


Thank you. I surmised that port forwarding took over after passing through the router but was not sure if the MAC address was included.


of course, the Monitors are MONITORING the REPLIES…everything has to be MONITORED…and caged.,if a human reads this.,sophos is GREAT STUFF.,…always has been.,this article is pretty stupid.,but the guy is smart.,hes obviously in the wrong INDUSTRY.


. I asked the non-techs where I work if they knew what a MAC address is; a few had a vague knowledge of MAC addresses, A crook would have to be pretty tech savvy to know how to change or hide the MAC of a stolen device, and the victim would have to know enough to record or find the MAC address for a stolen device. Part of my job is to count the number of users on our publicly available Wi-Fi and I use the MAC addresses along with the device name to count use.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!