Slashdot Mirror


Using XSS & Google To Find Physical Location

wiredmikey sends along a brief (and quite poorly written) report from Security Week on Samy Kamkar's talk at Black Hat last week. In the video, which is amusing, he demonstrates how to obtain location information (within 30 feet, in the example he shows) of a user who does no more than visit a malicious website. The technique involves sniffing out the local router, breaking into it to obtain its MAC address, and sending that to Google to extract the router's location from Google's Street View database.

18 of 77 comments

  1. Location is the least of your problems by AndrewStephens · Score: 3, Insightful

    What scares me the most is that to get the location they demonstrate a plausible way to access the settings on your router (if you use the default credentials.) If I was evil (or more evil) I wouldn't care about the location, I would just change the router's DNS settings and redirect all the traffic through a server of my choice.

    --
    sheep.horse - does not contain information on sheep or horses.
    1. Re:Location is the least of your problems by AndrewStephens · Score: 2, Insightful

      Based on my experience, at least 80% of the home routers in use still have the default credentials unchanged since they were unpacked. That's a lot of the population vulnerable.

      --
      sheep.horse - does not contain information on sheep or horses.
    2. Re:Location is the least of your problems by interiot · Score: 3, Informative

      Wrong, wrong. A default password means you ARE vulnerable. It's such a problem that ISPs are willing to do questionable things to fix it.

      (it's a slight variant of your #2, though "compromising" in this case doesn't mean a full compromise, it means mildly abusing the DNS spec to work around XSS restrictions)

  2. It's this: by Anonymous Coward · Score: 4, Funny

    Apple Computer Inc
    1 Infinite Loop
    Cupertino, CA 95014

  3. Not completely accurate by Netshroud · Score: 4, Informative

    Inputting my friend's router's MAC address on his site (here) results in a location circle about 3km wide and about 10km away from his house. Close, but not close enough.

    1. Re:Not completely accurate by darkpixel2k · Score: 5, Interesting

      Inputting my friend's router's MAC address on his site (here) results in a location circle about 3km wide and about 10km away from his house. Close, but not close enough.

      Should I be worried that Google knows the correct location for a new WAP which I just turned on about a month ago in a small po-dunk town in the middle of nowhere?

      I mean seriously--the town has a population of approximately 10,000. It's hardly Austin or New York. Maybe I just timed it correctly.

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    2. Re:Not completely accurate by AndrewStephens · Score: 3, Interesting

      I am pretty sure it is cell phones - I believe [citation needed] that the iPhone (for one) does this as part of the anonymized data sent back to Apple. Google's database is probably kept up to date in a similar fashion.

      --
      sheep.horse - does not contain information on sheep or horses.
    3. Re:Not completely accurate by amorsen · Score: 2, Informative

      There may be other ways, perhaps involving GPS-enabled cell devices using various third party software products, or even first party depending on the party.

      Google Maps on cell phones does that, AFAIK.

      --
      Finally! A year of moderation! Ready for 2019?
    4. Re:Not completely accurate by adolf · Score: 4, Interesting

      Worried? Why would you worry about that?

      It's public spectrum.

      If you want to use it, you gotta play by the rules, just like everyone else -- including Google*.

      If you don't want to, then don't. Nobody's holding a gun to your head and telling you that you must make WiFi available to yourself.

      Just turn it off.

      Alternatively, take the tinfoil hat off and get over it. This data is useful to folks, and it's all fair game.

      For years, now, my first-gen iPod Touch has done a great job of finding where I am using nothing but Wifi signals, even in my own podunk town -- which was useful when I carried it everywhere to complement my (then) lousy cell phone. But by the time I visited Chicago a few months ago, my GPS-capable Droid did a fine job of figuring out where I was with startling accuracy, within a downtown hotel and without a GPS fix.

      Meanwhile, I myself have uploaded a few tens-of-thousands of APs with GPS coordinates to Wigle during my daily wardriving escapades. I have no idea what gets done with that data, but I do enjoy collecting it, and I like looking at the maps it produces.

      But, again. If you don't like the game, then don't play it. The price of copper is down right now, so Cat5e is cheap. So just cable your gear up, and nobody will be able to drive by and map it.

      *: IIRC, Google got themselves in trouble recently for accidentally recording Wifi traffic when they thought they were only recording location data. Nobody accused them of this; they admitted it all on their own in a very altruist fashion. You've got far more devious organizations than Google to worry about, if you're still insistent on wearing that stupid tin foil hat.

  4. Good news for the anti-fraud workers. by drHirudo · Score: 2, Interesting

    So nobody is Anonymous on the Internet? This is a known fact since ages, but now with revealing geo-location it is much easier to find people who commit crimes over the Internet. Cyberstalkers, scammers and crooks - watch out, if they can so easily locate you, so can the police. Of course revealing this information now means the crooks will take precautionary actions to hide their traces even more deeply.

  5. Not reliable by Improv · Score: 2, Insightful

    Any technology that requires the local router to be easily and mechanically hackable is not a reliable one. The title on this post is thus terribly chosen.

    --
    For every problem, there is at least one solution that is simple, neat, and wrong.
  6. Better Explanation by Manip · Score: 4, Informative

    Google has been driving around and scanning WiFi networks in order to use it as a location service (Read: cheap GPS). Thus Google now have a cross referenced list of Wireless networks ("mac addresses") with GPS location data on that network's source (based on triangulation).

    We've already seen attacks that allow web-sites to break into routers when the default password isn't changed, and for example change their DNS servers to servers operated by the attacker. This is an attack that is also assuming the default router password (and address) and retrieving the WiFi mac address, which is then sent back using postback.

    You then create a web-site; when someone visits it, it logs into their router, sends the mac address back to the site, which the owner can then search for on Google Maps for that WiFi network, giving you a rough location of that person (within about two street blocks).
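An added example (not code from the thread or from Samy Kamkar's talk) modelling the router side of the attack Manip describes: a toy admin endpoint that returns the LAN MAC, first with factory credentials and no cross-site check, then with a changed password and an origin check. All addresses, credentials and the MAC are constructed placeholders.

```python
# Added example: toy model of a home router's admin endpoint. Shows why a
# cross-site request from a malicious page succeeds against default settings and
# which router-side checks make the same request fail. All values are constructed.
import base64

DEFAULT_CREDS = ("admin", "admin")      # constructed factory default; vendors differ
ROUTER_ORIGIN = "http://192.168.1.1"    # the "default address" the comment mentions
LAN_MAC = "00:11:22:33:44:55"           # constructed sample value

def parse_basic_auth(header):
    """Return (user, password) from an HTTP Basic header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:            # covers binascii.Error and UnicodeDecodeError
        return None
    return (user, pw)

def handle_status_request(headers, creds=DEFAULT_CREDS, check_origin=False):
    """Model of GET /status on the router: (200, body) or (status, reason)."""
    if parse_basic_auth(headers.get("Authorization")) != creds:
        return (401, "bad credentials")
    # A browser-initiated cross-site request carries the embedding page's Origin
    # (or Referer); the router's own UI is only ever loaded from ROUTER_ORIGIN.
    if check_origin:
        origin = headers.get("Origin") or headers.get("Referer", "")
        if not origin.startswith(ROUTER_ORIGIN):
            return (403, "cross-site request refused")
    return (200, {"lan_mac": LAN_MAC})

def basic(user, pw):
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

# Request as it would arrive from a script on a third-party page: the browser adds
# that page's Origin and the script supplies the guessed factory credentials.
CROSS_SITE = {"Authorization": basic("admin", "admin"),
              "Origin": "http://third-party.example"}

def weak_router():
    """Factory password and no origin check: the MAC is returned to the page."""
    return handle_status_request(CROSS_SITE)

def hardened_router():
    """Changed password alone already makes the guessed credentials fail."""
    return handle_status_request(CROSS_SITE, creds=("admin", "changed-on-setup"))

def hardened_router_known_password():
    """Even with the right password, the origin check refuses cross-site reads."""
    ok_auth = {**CROSS_SITE, "Authorization": basic("admin", "changed-on-setup")}
    return handle_status_request(ok_auth, creds=("admin", "changed-on-setup"),
                                 check_origin=True)
```

The model only reflects what the comment states (default password, default address, a page-driven login); real routers also need CSRF protection on state-changing requests such as the DNS change mentioned above.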

  7. Don't be evil? by Invisible+Now · Score: 3, Insightful

    The fundamental question is: Should Google be snooping and publishing MAC locations at all?

    Do I have the right to opt out of their system - albeit at the cost of not automatically getting the shortest route to my nearest pizza place on my iPad without manually entering my address?

    What happens when the first battered wife is tracked down and murdered by her husband at a woman's shelter because her hacker smart husband crafts an exploit?

    --
    "Knowing everything doesn't help..."

    1. Re:Don't be evil? by pslam · Score: 2, Informative

      The fundamental question is: Should Google be snooping and publishing MAC locations at all?

      Did you know there's at least a dozen companies that do this? Did you know Skyhook did this for years before Google?

      But I think you're biasing the question by starting out calling it 'snooping'.

  8. Let look at this in more detail... by maxwells_deamon · Score: 3, Interesting

    Ok, a standard home router has 2 interfaces, one to the WAN (the ISP) the other to the LAN. Each of these has a unique MAC address.

    The WAN is known by the ISP and hopefully is not used in this example as it would mean he has no clue. (Google would not know it, I hope, as it should only be known if you actually connect.) It could be used for location services to some extent, but the wireless angle would be a red herring.

    The other MAC address is for the LAN. You do not need to crack the router to get it as the local machine must have it. Just do an arp -a at a command prompt.

    Unless JavaScript is blocked from getting this info. (I do not do JavaScript coding at that level in Windows)

    I also thought Google tossed encrypted packets, so only people who did not care would be vulnerable.

    1. Re:Let look at this in more detail... by ledow · Score: 2, Interesting

      3. Often the MAC addresses of the internal and external interfaces are either a) identical (yes, I've seen it happen) or b) directly related (i.e. add two to the last byte).

  9. Re:Google didn't directly scan your SSID by fatmatt_oz · Score: 3, Informative

    I'm not sure what sort of checks google does on the MAC addresses, but in my case not much. For about 12 months, depending on where I stood in my house, google maps reported my location as either within 30m of my house in Melbourne (Australia) or downtown London, England. When I eventually bothered to try and figure out why, I realised they'd scanned my SSID when they drove by for streetmap and either it or my wireless MAC address matched the one in England. I am running a version of DDWRT and I think in the flashing process the MAC was changed. Short story is that it looks like it was taking the MAC address/SSID from the strongest signal only and not the surrounding AP's or the cell phone towers nearby. I stumbled across a form where I could register my MAC address (or SSID, I forget which, but I think it was the MAC) with google to correct my location, and now "oh my god, they've found me", I'm thinking that was not such a good idea now...

  10. you sent a doc to Wikileaks? we send a Drone! by kubitus · Score: 3, Insightful

    bye bye freedom!

    so this is the real reason for WLAN sniffing of Google!