[unisog] Using IP and Hardware Address Pairing to Identify a Machine...

Mark Cather mark.cather at umbc.edu
Mon Aug 9 20:44:16 GMT 2004

FYI... For anyone who is using some of the latest (or not so latest) web 
based authentication products, please check to see if the vendor you are 
using tracks user's machines by pairing up IP addresses and hardware 
address in a table.  We have now come across two vendors that use this 
pairing to determine if a logged in user leaves the network.  After a 
user logs in, they periodically poll the IP to see if the IP is still in 
use.  If the IP is still in use and the IP address / hardware address 
pairing has not changed, the system assumes that the user on the end of 
that authenticated session has not changed.

The problem to be aware of is that it is very easy, with this method of 
tracking down users, to hijack another user's authenticated session.  We 
have tested and verified that on a Mac OSX laptop, you can change the 
hardware address and the ip address with two commands.  If a hacker 
wanted to steal another user's identity, it would be pretty easy to 
sniff the network for a victim's hardware address and IP, write a script 
that monitors the victim's connection, and then reprograms the hacker's 
NIC and IP as soon as the victim drops off the network.  As long as the 
authentication server gets an answer each time it polls the IP, a hacker 
can take the addresses from a victim's machine and hijack another users 
authenticated session.

Just a friendly warning.  We are testing web-based authentication 
solutions and have found two vendors who both have this problem.  One 
has a work around, the other one does not.  Both have acknowledged the 
problem.  If you want further information, feel free to contact me directly.

Mark Cather
Assistant Director of Communications and Security
Office of Information Technology / UMBC

More information about the unisog mailing list