Can an attacker exploit my /etc/machine-id?

I originally asked this question on Stack Overflow, but people suggested that I ask here instead.

I am writing software that needs to uniquely identify multiple different machines. I was planning on using /etc/machine-id to do this.

While reading the docs for machine-id, I stumbled upon this passage:

This ID uniquely identifies the host. It should be considered "confidential", and must not be exposed in untrusted environments, in particular on the network. If a stable unique identifier that is tied to the machine is needed for some application, the machine ID or any part of it must not be used directly. Instead the machine ID should be hashed with a cryptographic, keyed hash function, using a fixed, application-specific key.

I don't know much about dbus, but I was under the impression that it's only for IPC. If that's the case, I'm not sure why it would really matter if a remote attacker knew the machine-id. Other than the obvious privacy issues, are there any (known) legitimate security reasons not to share one's machine-id? Or is this just a case of some strongly-worded documentation?


Solution 1:

No, this text was added for privacy reasons rather than security.

The machine-id is similar to an iOS UDID or a MAC address; unnecessarily exposing it (over the network or to sandboxed apps) might allow someone to track the program's users across networks, or to link the same person's usage of different apps.

See discussion:

  • GitHub issue: #4667 "[RFE] Public API for requesting unique values derived from machine-id"
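
The keyed hashing that the quoted documentation recommends, as an added example that is not part of the original question or answer. It assumes HMAC-SHA256 as the keyed hash; `APP_KEY`, the function names and the sample machine ID are hypothetical values constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumption: a fixed key chosen once per application and shipped with it.
# Constructed sample value; generate your own with secrets.token_bytes(16).
APP_KEY = bytes.fromhex("6f1d0c9a4b7e4e2f9a3c5d8e1b2a7c40")

_MACHINE_ID_RE = re.compile(r"[0-9a-f]{32}")


def parse_machine_id(text: str) -> bytes:
    """Validate the contents of /etc/machine-id and return the 16 raw bytes."""
    value = text.strip()
    # fullmatch rejects empty files, uppercase hex and non-hex placeholders.
    if not _MACHINE_ID_RE.fullmatch(value):
        raise ValueError("machine-id is not 32 lowercase hex characters")
    raw = bytes.fromhex(value)
    if raw == bytes(16):
        raise ValueError("machine-id must not be all zeros")
    return raw


def app_specific_id(machine_id_text: str, app_key: bytes = APP_KEY) -> str:
    """Return HMAC-SHA256(app_key, machine_id) truncated to 128 bits, as hex."""
    raw = parse_machine_id(machine_id_text)
    digest = hmac.new(app_key, raw, hashlib.sha256).digest()
    return digest[:16].hex()


def read_app_specific_id(path: str = "/etc/machine-id") -> str:
    """Derive this application's identifier for the local host."""
    with open(path, encoding="ascii") as fh:
        return app_specific_id(fh.read())


if __name__ == "__main__":
    sample = "0123456789abcdef0123456789abcdef\n"  # constructed, not a real host
    other_key = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    # Same host, two applications: stable per app, not linkable across apps.
    print("app A:", app_specific_id(sample))
    print("app B:", app_specific_id(sample, other_key))
```

systemd also provides `sd_id128_get_machine_app_specific()` for the same purpose; the example above does not reproduce that function's exact output.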