
I still don't understand it. TCP/IP doesn't transmit MAC addresses. Your knowledge of it ends at the next router... Therefore you definitely can't authenticate/authorize by MAC address.


> Therefore you definitely can't authenticate/authorize by MAC address.

I would be entirely unsurprised to see that the device is calling out to the API with its MAC address as some kind of authenticator.

e.g.: http://foo.example.com/api/prizes?id=xx:xx:xx:xx:xx


I've used quite a few systems where the MAC address is used as a secondary password to verify that someone didn't just steal the hard drive out of a kiosk.


I thought of this. But the OP stated that the traffic is unprotected, making this security measure moot.


Exactly, and then the stored MAC is exposed in its un- or poorly-authenticated API.
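Added example, not part of any comment in this thread and not code from the system being discussed: a server-side check that treats the MAC in the query string as the credential, next to one where the MAC only selects a per-device key and an HMAC over the request proves possession of it. The registry, key, function names and `ts`/`sig` parameters are hypothetical; only the `/api/prizes?id=` shape comes from the thread.

```python
import hashlib
import hmac

# Constructed sample data: hypothetical device registry keyed by MAC address.
DEVICE_KEYS = {"02:00:00:aa:bb:01": b"per-device-secret-provisioned-at-install"}
MAX_SKEW = 300  # seconds a signed request stays valid

def authorize_by_mac(query: dict) -> bool:
    """Weak: the MAC is the only credential, so anyone who has seen it passes."""
    return query.get("id") in DEVICE_KEYS

def sign(mac: str, path: str, ts: int, key: bytes) -> str:
    """HMAC-SHA256 over the fields the server will check."""
    return hmac.new(key, f"{mac}|{path}|{ts}".encode(), hashlib.sha256).hexdigest()

def authorize_by_hmac(query: dict, path: str, now: int, seen: set) -> bool:
    """Hardened: the MAC is an identifier; the signature is the authenticator."""
    mac, sig = query.get("id"), str(query.get("sig", ""))
    key = DEVICE_KEYS.get(mac)
    try:
        ts = int(query.get("ts", ""))
    except (TypeError, ValueError):
        return False
    if key is None or abs(now - ts) > MAX_SKEW:
        return False
    if not hmac.compare_digest(sign(mac, path, ts, key).encode(), sig.encode()):
        return False
    if (mac, ts) in seen:  # same signed request presented twice: replay
        return False
    seen.add((mac, ts))
    return True

def demo() -> dict:
    path, now, seen = "/api/prizes", 1_700_000_000, set()
    mac = "02:00:00:aa:bb:01"
    observed = {"id": mac}  # what a passive observer of the weak scheme learns
    signed = {"id": mac, "ts": str(now), "sig": sign(mac, path, now, DEVICE_KEYS[mac])}
    return {
        "weak_mac_only": authorize_by_mac(observed),
        "hmac_mac_only": authorize_by_hmac(observed, path, now, seen),
        "hmac_signed": authorize_by_hmac(signed, path, now, seen),
        "hmac_replayed": authorize_by_hmac(signed, path, now, seen),
    }

if __name__ == "__main__":
    print(demo())
```

The signature authenticates the request but does not hide it; on unprotected traffic the request and response contents are still readable.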



