Using XSS & Google To Find Physical Location

wiredmikey sends along a brief (and quite poorly written) report from Security Week on Samy Kamkar's talk at Black Hat last week. In the video, which is amusing, he demonstrates how to obtain location information (within 30 feet, in the example he shows) of a user who does no more than visit a malicious website. The technique involves sniffing out the local router, breaking into it to obtain its MAC address, and sending that to Google to extract the router's location from Google's Street View database.

Question:

What is a MAC accress?

Re:Question:

[Tubal-Cain]

They're using XXS to access the MAC address.

Way too many S sounds there.

Didn't Google remove that "feature"?

ah, nevermind...

HAR XXXS

Aren't we clever, that joke is sure to woo the ladies.

Location is the least of your problems

[AndrewStephens]

What scares me the most is that to get the location they demonstrate a plausible way to access the settings on your router (if you use the default credentials.) If I was evil (or more evil) I wouldn't care about the location, I would just changed the router's DNS settings and redirect all the traffic through a server of my choice.

Re:Location is the least of your problems

Why would that scare you unless you're stupid enough to leave your routers with the default credentials? Darwin's law applies to the Net, too.

Re:Location is the least of your problems

[AndrewStephens]

Based on my experience, at least 80% of the home routers in use still have the default credentials unchanged since they were unpacked. That's a lot of the population vulnerable.

Re:Location is the least of your problems

[Crudely_Indecent]

In my experience, 100% of routers with default credentials are factory configured to allow access only to addresses within the private subnet used by the router.

Defeating that requires either:
1. Physically going to the location and connecting via wifi to obtain one of the private addresses needed to access the router. While this isn't so hard in a crowded neighborhood, it becomes very dangerous in rural areas where it's harder to remain unnoticed.
2. Compromising one of the machines within the private subnet.
3. Or you could just leave other peoples stuff alone.

I like #3.

Re:Location is the least of your problems

[Crudely_Indecent]

INCORRECT:

Kamkar, by convincing the victim to visit his malicious Web site, used remote JavaScript and AJAX to acquire a routers MAC address. When the unsuspecting user visited his malicious Web site, JavaScript remotely scanned for the type of router used, accessed the routers MAC address and sent it directly to him. From there, he was able to utilize Google Street View data to determine the location of a router – in his case, accurate within 30 feet.

Of course the request comes from inside of the subnet. That request, however, is modified by the router before it is sent to the public internet. Certainly, the router knows the MAC address of the original request, but that MAC isn't sent with the request, it's associated with the request by the router.

This attack only targets a verizon fios router using default credentials! Additionally, it utilizes a data source which relates mac addresses to physical locations - which is hardly complete.

Basically, this guy can identify the geolocation of your mac address if someone else has already identified it.

Wow, he can query a data source.

Re:Location is the least of your problems

[RulerOf]

Based on my experience, at least 80% of the home routers in use still have the default credentials unchanged since they were unpacked. That's a lot of the population vulnerable.

I've got that problem too, but I left mine at default settings because A) I'm silly enough to assume my internal home network is "secure enough" from unauthorized access, and B) it's painfully hard to forget default passwords. That is, of course, unless you're in the majority population of router owners who use stock firmware (because then, of course, you can't remember "admin" to save your f*cking life).

All this talk and proof of concept though has me concerned enough though that I'll go change the creds.

Re:Location is the least of your problems

[interiot]

Wrong, wrong. A default password means you ARE vulnerable. It's such a problem that ISPs are willing to do questionable things to fix it.

(it's a slight variant of your #2, though "compromising" in this case doesn't mean a full compromise, it means mildly abusing the DNS spec to work around XSS restrictions)

Stay classy kdawson

[OverlordQ]

The technique involves sniffing out the local router, breaking into it to obtain its MAC accress, and sending that to Google to extract the router's location from Google's Street View database.

Re:Stay classy kdawson

[Samulus+Maximus]

wiredmikey sends along a brief (and quite poorly written)... ...breaking into it to obtain its MAC accress

Don't be a hypocrite now :P

It's this:

Apple Computer Inc
1 Infinite Loop
Cupertino, CA 95014

Not completely accurate

[Netshroud]

Inputting my friend's router's MAC address on his site (here) results in a location circle about 3km wide and about 10km away from his house. Close, but not close enough.

Re:Not completely accurate

[darkpixel2k]

Inputting my friend's router's MAC address on his site (here) results in a location circle about 3km wide and about 10km away from his house. Close, but not close enough.

Should I be worried that Google knows the correct location for a new WAP which I just turned on about a month ago in a small po-dunk town in the middle of nowhere?

I mean seriously--the town has a population of approximately 10,000. It's hardly Austin or New York. Maybe I just timed it correctly.

Re:Not completely accurate

Too close for comfort.

Re:Not completely accurate

[Barny]

Wow, I let my browser share my details to him, and it was accurate to within 500kM of my current location, scary stuff.

Although it took a good guess as to which of the 7 areas of mainland Australia I was on, it only narrowed it down to 3.

Re:Not completely accurate

Yeah, it found me pretty easily too, even though I don't see any street view data for the area. Not in the largest city's outlying suburbs, but still.

Re:Not completely accurate

[cybereal]

I suspect that the location information for many routers is not found via wardriving by google but instead by unwitting submission of the address from the computer by some software (perhaps one of the various google products, or maybe Flash or something) with the permission of the user. Of course, the user probably never read the EULA because nobody ever does.

There may be other ways, perhaps involving GPS-enabled cell devices using various third party software products, or even first party depending on the party.

Re:Not completely accurate

[AndrewStephens]

I am pretty sure it is cell phones - I believe [citation needed] that the iPhone (for one) does this as part of the anonymized data sent back to Apple. Google's database is probably kept up to date in a similar fashion.

Re:Not completely accurate

[amorsen]

There may be other ways, perhaps involving GPS-enabled cell devices using various third party software products, or even first party depending on the party.

Google Maps on cell phones does that, AFAIK.

Re:Not completely accurate

within 24 metres here. It has guessed the street number, and its right.

Re:Not completely accurate

[Hi_2k]

Holy crap. I just gave it the mac of my parent's router, on a private road in the forests ~30 minutes outside Seattle, and it gave back the correct street address. Then again, what use does this have? Maybe a disoriented traveller could use it to find his way, but other than that I see no reason anyone would be able to abuse mapping MAC address to location. It's a new form of phone book; nothing more.

Re:Not completely accurate

[adolf]

Worried? Why would you worry about that?

It's public spectrum.

If you want to use it, you gotta play by the rules, just like everyone else -- including Google*.

If you don't want to, then don't. Nobody's holding a gun to your head and telling you that you must make WiFi available to yourself.

Just turn it off.

Alternatively, take the tinfoil hat off and get over it. This data is useful to folks, and it's all fair game.

For years, now, my first-gen iPod Touch has done a great job of finding where I am using nothing but Wifi signals, even in my own podunk town -- which was useful when I carried it everywhere to complement my (then) lousy cell phone. But by the time I visited Chicago a few months ago, my GPS-capable Droid did a fine job of figuring out where I was with startling accuracy, within a downtown hotel and without a GPS fix.

Meanwhile, I myself have uploaded a few tens-of-thousands of APs with GPS coordinates to Wigle during my daily wardriving escapades. I have no idea what gets done with that data, but I do enjoy collecting it, and I like looking at the maps it produces.

But, again. If you don't like the game, then don't play it. The price of copper is down right now, so Cat5e is cheap. So just cable your gear up, and nobody will be able to drive by and map it.

*: IIRC, Google got themselves in trouble recently for accidentally recording Wifi traffic when they thought they were only recording location data. Nobody accused them of this; they admitted it all on their own in a very altruist fashion. You've got far more devious organizations than Google to worry about, if you're still insistent on wearing that stupid tin foil hat.

Re:Not completely accurate

[adolf]

Ugh. It seems that I missed a /i in there someplace. Please moderate accordingly.

Re:Not completely accurate

Did you use location services ?
That uses both the one your logged in to and the others around you

Re:Not completely accurate

[Pollardito]

How about when they post "I'm going on vacation" on Facebook?

Re:Not completely accurate

[Woy]

Well my router was located to within about 10 meters. On the country where I lived until around May 2009. I'm impressed.

Re:Not completely accurate

[AndrewNeo]

How on Earth are you going to get their IP address from a Facebook post?

Re:Not completely accurate

[RichiH]

Google Latitude (or Skyhook).

The MAC for my neighbor is still half of Germany away, but then, Latitude is almost non-existant in Germany.

Re:Not completely accurate

[Pollardito]

You don't do it after the fact, you do it via an XSS attack on Facebook (or similar site) users and then watch for those kinds of updates. The point is that people use their PCs to send notifications to friends that they won't be home, which is very valuable information when combined with your address

Re:Not completely accurate

The technology is broken, then. A VHF TV could get cell phone conversations... it's not the TV's fault, it's the brain-dead cell tech. It's not 'fair game'... it's exploiting an expectation of privacy by users who could not reasonably know better. Your 'fair game' got the scanner law. So now a receiver that can get channels a tube TV could get is no longer 'fair game'. Congratulations on your pyrrhic victory over the simpletons. May they have no grater confusion over wireless ethernet.

I should be able to wirelessly connect 6 feet without someone in the street snooping. I'm not lazy, I just expect that whatever I say is between me, the router, and a decent encryption algorithm. If that isn't possible, something is broken. The tin foil hat muffles the siren's call: IT IS INTENTIONALLY BROKEN. So I dare not take it off. Let's just focus on fixing it so that the public domain is no longer a 10m fix on any wireless router.

Re:Not completely accurate

[adolf]

I'm hesitant to reply to this, AC, because I suspect you'll never read it at this point.

That being what it is, let me just say three things:

First, I'm really not sure what you're incoherently rambling on about.

Second, cellular telephones were never covered under part 15 of the FCC rules.

Third, *shrug*

Good news for the anti-fraud workers.

[drHirudo]

So nobody is Anonymous on the Internet? This is know fact since ages, but now with revealing geo-location it us much easier to find people who commit crimes over the Internet. Cyberstalkers, scammers and crooks - watch out, if they can so easily locate you, so can the police. Of course revealing this information now, means the crooks will take precaution actions to hide their traces even more deeply.

Re:Good news for the anti-fraud workers.

[amorsen]

The police just send a warrant to the ISP and get the last 6+ months of activity as well as billing information. No need to bother with breaking into any routers.

Or more likely, the police just files the report of the crime and never investigates.

Re:Good news for the anti-fraud workers.

Or, you vote Pirate Party and get/have laws that prohibits ISPs from saving such confidential data. When the police sends a warrant for wiretapping to the ISP, with a valid court order of course, THEN the ISP might start logging your info.

Your vote. Even in the US.

Re:Good news for the anti-fraud workers.

[JasterBobaMereel]

Solution : Don't use WiFi ... There will be a physical connection to your router, use it and turn off WiFi

There is a huge amount of people using WiFi on their home router to a fixed PC 2 feet away ...and it's those that get hacked, hijacked, and complain about the connection failing ...

Get a cable plug it in and you are invisible to Google's WiFi snooping ...the nearest they can usually get then is your ISP (Mine is 100 miles away from me)

Re:Good news for the anti-fraud workers.

[drHirudo]

I use only physical connection to my desktop computer (micro AmigaOne). But in the other room my wife is with her laptop and she was very annoyed with the long cable, so we installed the WiFi router. Now she is happy, I am still physically connected, but I am happy as well. We also have printer and another laptop physically connected to the network and the live happily on the network. If I did not have router, only one machine is allowed for connection by the ISP.

Re:Good news for the anti-fraud workers.

[amorsen]

Sure, I do that, but the reality is that right now Danish ISP's are FORCED to keep the data. The ISP's have tried to convince the politicians that this is a bad idea, but so far no luck. The same is the case for many other countries, unfortunately.

Not reliable

[Improv]

Any technology that requires the local router to be easily and mechanically hackable is not a reliable one. The title on this post is thus terribly chosen.

Re:Not reliable

Well, while I'm skeptical about my router (which doesn't even HAVE a web interface), and your router (on which you probably set a strong enough password), I'm pretty sure that it would work relatively well with Joe Average's home router, which he unpacked and plugged in several years ago, and that was the end of it.

Re:Not reliable

Then its not actually a security hole neither an exploit.Its just sheer retarded users.Besides who the fuck cares about getting the mac address when you can fucking get ANY setting changed? Any freaking hacker would fucking orgasm if he could just toy with your DNS at his will.

Even considering that XSS would need exploiting , the point is you still need a complete retard to be completely oblivious of the technology they ae using.And in that case they thoroughly deserve it.

On the internet...

[flyingfsck]

Damn, so on the internet, everybody does know that you are a dog?

Bad news for the anti-content naysayers.

And people who download copyrighted content illegally.

Better Explanation

[Manip]

Google has been driving around and scanning WiFi networks in order to use it as a location service (Read: cheap GPS). Thus Google now have a cross referenced list of Wireless networks ("mac addresses") with GPS location data on that network's source (based on triangulation).

We've already seen attacks that allow web-sites to break into routers when the default password isn't change, and for example change their DNS servers to servers operated by the attacker. This is an attack that is also assuming the default router password (and address) and retrieving the WiFi mac address, which is then sent back using postback.

You then create a web-site, when someone visits it, it logs into their router, sends the mac address back to the site, which the owner can then search for on Google Maps for that WiFi network giving you a rough location of that person (without about two street blocks).

Re:Better Explanation

[bgt421]

How often do the scans come through a given place? Would a cron job that changes my MAC addresses to a random value every $AMOUNT_OF_TIME make this ineffective and effectively protect my privacy?

Awesome!

It was off by only a few houses! Privacy be ignored, this here be progress! To Google! Our future overlord!

noscript saves the day, again.

[SpzToid]

Kamkar, by getting a user to visit his malicious Web site, used remote JavaScript and AJAX to acquire a routers MAC address. When the unsuspecting user visits the malicious Web site, JavaScript remotely scans for the type of router used, accesses the routers MAC address and sends it directly to the attacker.

So yeah, if you have noscript installed, this is not a threat to you.

Don't be evil?

[Invisible+Now]

The fundamental question is: Should Google be snooping and publishing MAC locations at all?

Do I have the right to opt out of their system - albeit at the cost of not automatically getting the shortest rout to my nearest pizza place on my iPad without manually entering my address?

What happens when the first battered wife is tracked down and murdered by her husband at a woman's shelter because her hacker smart husband crafts an exploit?

Re:Don't be evil?

[pslam]

The fundamental question is: Should Google be snooping and publishing MAC locations at all?

Did you know there's at least a dozen companies that do this? Did you know Skyhook did this for years before Google?

But I think you're biasing the question by starting out calling it 'snooping'.

Re:Don't be evil?

If you want to keep your MAC address secret, why are you broadcasting it for anyone to hear?

Protip: broadcasting the MAC address is a fundamental principle underlying wireless internet communication.

Re:Don't be evil?

[Xarius]

Can't you just stop your router broadcasting its SSID?

That would prevent Google from picking your router up at all.

Re:Don't be evil?

> Can't you just stop your router broadcasting its SSID?
>
> That would prevent Google from picking your router up at all.

No it wouldn't.

There are TWO different things called a "SSID": the ESSID (the textual "name" of the router you can hide) and the BSSID (basically, the MAC of the access point; you cannot hide this or else the protocol would break, and it is also sent with all packets sent by either the router or its clients).

Google is only interested on the BSSID.

Re:Don't be evil?

You can still detect routers that aren't broadcasting their SSID, and they may even be uniquely identifiable still (not sure on that though).

Re:Don't be evil?

Opt out? Stop broadcasting your mac address across your neighbourhood.

Re:Don't be evil?

Ummmm... what? The wife is going to take a WiFi router with her!? Even then, the location data would be outdated. This isn't looking up MAC addresses of hosts on any WiFi or regular networking, just unprotected routers.

Back up in your ass just like the resurrection

I mean seriously .. can we get CRAPPIER fscking audio in that clip or not? God, wtf was this thing shot with? That device that needs to be sacrificed for the good of the interwebs

Let look at this in more detail...

[maxwells_deamon]

Ok a standard home router has 2 interfaces, one to the WAN (the ISP) the other to the LAN. Each of these has a unique MAC address.

The WAN is known by the ISP and hopefully is not used in this example as it would mean he has no clue. (Google would not know it I hope as it should only be know if you actually connect). It could be used for location services to some extent, but the wireless angle would be a red herring

The other MAC address is for the LAN. You do not need to crack the router to get it as the local machine must have it. Just do an arp -a at a command prompt.

Unless Java script is blocked from getting this info. (I do not do Java script coding at that level in Windows)

I also thought Google tossed encrypted packet, so only people who did not care would be vulnerable.

Re:Let look at this in more detail...

1. Javascript does not have any API function to access the ARP table, nor can it (in theory) execute arbitrary commands on the machine as that would be a huge security hole. That's why - even though it's not really neccessary for legitimate code to access your router to get its IP address - it does it because it's the easiest way to get it in that environment.

2. The MAC address of the sending and receiving stations is transmitted in the clear, even in encrypted packets, and especially in the beacon frames. Google did gather location information about the location of encrypted access points as well.

Re:Let look at this in more detail...

[ledow]

3. Often the MAC address of the internal interfaces and external ones are either a) identical (yes, I've seen it happen) or b) directly related (i.e. add two to the last byte).

Google didn't directly scan your SSID

I doubt Google happened to scan your SSID directly.
Now that they can triangulate users using the SSID they picked up with their cars, they can now also triangulate any new SSIDs reported by users by using the existing location of those users and the strength of the new SSID. After they have a few reports of the new SSID signal strength from various users (and because they know those users location), they can triangulate the new APs position and add it to their location service.

The same goes for people who move house and keep the same router SSID/MAC. Users will start to report the 'moved' SSID from the new location, and Google probably flag the SSID in their database so it's marked as 'moved' (so not used for positioning at the old location), then then later re-position it to the new location once they have enough triangulation data to accurately work out its new location.

They certainly aren't going to keep driving around the globe to update their database to account for people moving house or buying new wireless APs.

I am moving house soon so will be testing this out.
 

Re:Google didn't directly scan your SSID

[fatmatt_oz]

I'm not sure what sort of checks google does on the MAC addresses, but in my case not much. For about 12 months depending on where I stood in my house google maps reported my location as either within 30m of my house in Melbourne (Australia) or downtown London England. When I eventually bothered to try and figure out why I realised they'd scanned by SSID when they drove by for streetmap and either it or my wireless MAC address matched the one in England. I am running a version of DDWRT and I think in the flashing process the MAC was changed. Short story is that it looks like it was taking the MAC address/SSID from the strongest signal only and not the surrounding AP's or the cell phone towers nearby. I stumbled across a form where I could register my MAC address (or SSID, I forget which but I think it was the MAC) with google to correct my location and now "oh my god, they've found me" , I'm thinking that was not such a good idea now...

Some routers even give out their MAC w/o password

Some routers even give out their MAC address without requiring the user to log in with credentials, on an unprivileged status page. That would trivialise this exploit even further.

It's interesting, because as the man said, the router's MAC address is traditionally not thought of as a sensitive piece of information. That is, before companies started mapping MAC addresses.

1mm friends?

Kamkar, author of an XSS worm that spread across MySpace and generated over 1mm friends for him in less than 24 hours

That's nothing! What's so great about having those really tall friends anyway?

you sent a doc to Wikileaks? we send a Drone!

[kubitus]

bye bye freedome!

so this is the real reason for WLAN sniffing of Google!

only NOW possible

[hesaigo999ca]

This is only now possible as before google did not cache all the router info , of which they are also now in hot water for....many of the states in the US are joining together to review how google seemed to overlook some sort of privacy law to cultivate this data.

IPv6 killer app

[mr.gson]

If you use IPv6, the attacker may not even have to break into the access point to find your MAC address, because the IPv6 stateless autoconfiguration mechanism will helpfully embed your complete MAC address in your IPv6 address. Such is progress...

No more than visit a malicious website?

[arose]

So leaving your router wide open is nothing more then visiting a website?

I propose a non-XSS version of this "no frills" attack: obtaining the location of a user who set chrome to tell everyone by default. Run for the hills.

know what i think?

that you fuck sergy brin's anus while gagging on larry page's cock.

Even wireless non-router APs.

[antdude]

Even wireless non-router APs are listed. It's not just wireless routers.

Correct me if I'm wrong, but ...

[RockDoctor]

... this is only going to apply to people who have one of those routers that deliberately broadcast their MAC addresses over radio waves?

Or does the Google car also stop at your front door, open the letter box, feed a "snake camera" and a network jack in, hunt around, plug into a convenient socket, and then read the MAC address.
Silly Google - there's a port in the garden shed, and it's easy to lift the hinge pins!

Concerned about privacy? Don't use a wireless network. It's not rocket science.

Poor Google - foiled by evil householder who put their network sockets at waist height along with the power sockets and light switches!

or you can do it the easy way

http://iwtf.net/2010/08/04/accurate-geolocation-of-your-users/