Using XSS & Google To Find Physical Location
wiredmikey sends along a brief (and quite poorly written) report from Security Week on Samy Kamkar's talk at Black Hat last week. In the video, which is amusing, he demonstrates how to obtain location information (within 30 feet, in the example he shows) of a user who does no more than visit a malicious website. The technique involves sniffing out the local router, breaking into it to obtain its MAC address, and sending that to Google to extract the router's location from Google's Street View database.
Inputting my friend's router's MAC address on his site (here) results in a location circle about 3km wide and about 10km away from his house. Close, but not close enough.
Should I be worried that Google knows the correct location for a new WAP which I just turned on about a month ago in a small podunk town in the middle of nowhere?
I mean seriously--the town has a population of approximately 10,000. It's hardly Austin or New York. Maybe I just timed it correctly.
There's no place like
Worried? Why would you worry about that?
It's public spectrum.
If you want to use it, you gotta play by the rules, just like everyone else -- including Google*.
If you don't want to, then don't. Nobody's holding a gun to your head and telling you that you must make WiFi available to yourself.
Just turn it off.
Alternatively, take the tinfoil hat off and get over it. This data is useful to folks, and it's all fair game.
For years, now, my first-gen iPod Touch has done a great job of finding where I am using nothing but Wifi signals, even in my own podunk town -- which was useful when I carried it everywhere to complement my (then) lousy cell phone. But by the time I visited Chicago a few months ago, my GPS-capable Droid did a fine job of figuring out where I was with startling accuracy, within a downtown hotel and without a GPS fix.
Meanwhile, I myself have uploaded a few tens-of-thousands of APs with GPS coordinates to Wigle during my daily wardriving escapades. I have no idea what gets done with that data, but I do enjoy collecting it, and I like looking at the maps it produces.
But, again. If you don't like the game, then don't play it. The price of copper is down right now, so Cat5e is cheap. So just cable your gear up, and nobody will be able to drive by and map it.
*: IIRC, Google got themselves in trouble recently for accidentally recording Wifi traffic when they thought they were only recording location data. Nobody accused them of this; they admitted it all on their own in a very altruistic fashion. You've got far more devious organizations than Google to worry about, if you're still insistent on wearing that stupid tin foil hat.