Ubuntu
apport package

apport's log collecting leaks MAC addresses maybe helping WiFi attacks?

Bug #1904082 reported by Brian Foster
264
This bug affects 2 people
Affects Status Importance Assigned to Milestone
apport (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

Some people configure their Internet WiFi modems such that
only certain devices, defined by their MAC addresses, can
(try to?) connect. I am aware this is VERY WEAK "security"
since MAC addresses are easily spoofed.

It occurs to me that the logs collected by apport-cli(1)
and friends, when reporting a bug, contain the system's
MAC addresses. Those logs are normally publicly readable
by anyone browsing Launchpad. That means villains could
reap (collect) MAC addresses to spoof and try to obtain an
unintended WiFi connection. (Isn't necessarily easy since
the attacker would have(?) to be within range of the modem
to try?)

I am NOT saying this has happened — I have no idea.

I just wanted to bring this hypothetical(?) problem/attack
to your attention.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: apport 2.20.11-0ubuntu27.12
ProcVersionSignature: Ubuntu 5.4.0-53.59-generic 5.4.65
Uname: Linux 5.4.0-53-generic x86_64
ApportLog:

ApportVersion: 2.20.11-0ubuntu27.12
Architecture: amd64
CasperMD5CheckResult: skip
CrashReports:
 664:1000:125:0:2020-11-13 03:00:18.498740147 +0100:2020-11-13 03:00:18.498740147 +0100:/var/crash/_usr_bin_kglobalaccel5.1000.upload
 600:118:125:37:2020-11-13 03:00:19.490721528 +0100:2020-11-13 03:00:19.490721528 +0100:/var/crash/_usr_bin_kglobalaccel5.1000.uploaded
 640:1000:125:798567:2020-11-13 03:00:16.626756668 +0100:2020-11-13 03:00:17.626756668 +0100:/var/crash/_usr_bin_kglobalaccel5.1000.crash
Date: Fri Nov 13 03:03:36 2020
InstallationDate: Installed on 2020-10-19 (24 days ago)
InstallationMedia: Kubuntu 20.04 LTS "Focal Fossa" - Release amd64 (20200423)
PackageArchitecture: all
SourcePackage: apport
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Brian Foster (blfoster) wrote :
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Hi,

Thanks for reporting this issue. I'm not sure logs would be as helpful once we remove MAC addresses though, and the user is prompted when Apport pops up whether the information can be sent or not.

Can I make this bug public so that the Apport developers can see it?

It may also be a dupe of bug #1440818.

Revision history for this message
Brian Foster (blfoster) wrote :

1. YES, this report may be made public.

2. Bug #1440818 is certainly very similar.

3. Asking the user whether or not to send the information
would perhaps rarely help for the concern/Risk described in
this bug, as most users perhaps never think of the issue?
 E.g., whilst I myself have also been concerned about "leaking"
partition UUIDs (as mentioned in bug #1440818), I've not been
able to devise a situation where that poses an obvious Risk
(with the exception of people suffering from a hostile regime
(e.g., being spied on by their own government)). That prior
report, unlike this report, does not suggest what any specific
Risk is, albeit it does hint at the hostile regime Risk.

4. I'm a bit puzzled why MAC addresses (or partition UUIDs)
are so useful for *most* bug reports? Certainly for some,
yes, but is it really critical for the vast(?) majority of
bug reports?

Steve Beattie (sbeattie)
information type: Private Security → Public Security
Marc Deslauriers (mdeslaur)
Changed in apport (Ubuntu):
status: New → Confirmed
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.