Slashdot Mirror


Using XSS & Google To Find Physical Location

wiredmikey sends along a brief (and quite poorly written) report from Security Week on Samy Kamkar's talk at Black Hat last week. In the video, which is amusing, he demonstrates how to obtain location information (within 30 feet, in the example he shows) of a user who does no more than visit a malicious website. The technique involves sniffing out the local router, breaking into it to obtain its MAC address, and sending that to Google to extract the router's location from Google's Street View database.

5 of 77 comments

  1. It's this: by Anonymous Coward · · Score: 4, Funny

    Apple Computer Inc
    1 Infinite Loop
    Cupertino, CA 95014

  2. Not completely accurate by Netshroud · · Score: 4, Informative

    Inputting my friend's router's MAC address on his site (here) results in a location circle about 3km wide and about 10km away from his house. Close, but not close enough.

    1. Re:Not completely accurate by darkpixel2k · · Score: 5, Interesting

      Inputting my friend's router's MAC address on his site (here) results in a location circle about 3km wide and about 10km away from his house. Close, but not close enough.

      Should I be worried that Google knows the correct location for a new WAP which I just turned on about a month ago in a small podunk town in the middle of nowhere?

      I mean seriously--the town has a population of approximately 10,000. It's hardly Austin or New York. Maybe I just timed it correctly.

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    2. Re:Not completely accurate by adolf · · Score: 4, Interesting

      Worried? Why would you worry about that?

      It's public spectrum.

      If you want to use it, you gotta play by the rules, just like everyone else -- including Google*.

      If you don't want to, then don't. Nobody's holding a gun to your head and telling you that you must make WiFi available to yourself.

      Just turn it off.

      Alternatively, take the tinfoil hat off and get over it. This data is useful to folks, and it's all fair game.

      For years, now, my first-gen iPod Touch has done a great job of finding where I am using nothing but Wifi signals, even in my own podunk town -- which was useful when I carried it everywhere to complement my (then) lousy cell phone. But by the time I visited Chicago a few months ago, my GPS-capable Droid did a fine job of figuring out where I was with startling accuracy, within a downtown hotel and without a GPS fix.

      Meanwhile, I myself have uploaded a few tens-of-thousands of APs with GPS coordinates to Wigle during my daily wardriving escapades. I have no idea what gets done with that data, but I do enjoy collecting it, and I like looking at the maps it produces.

      But, again. If you don't like the game, then don't play it. The price of copper is down right now, so Cat5e is cheap. So just cable your gear up, and nobody will be able to drive by and map it.

      *: IIRC, Google got themselves in trouble recently for accidentally recording WiFi traffic when they thought they were only recording location data. Nobody accused them of this; they admitted it all on their own in a very altruistic fashion. You've got far more devious organizations than Google to worry about, if you're still insistent on wearing that stupid tin foil hat.

  3. Better Explanation by Manip · · Score: 4, Informative

    Google has been driving around and scanning WiFi networks in order to use them as a location service (read: cheap GPS). Thus Google now has a cross-referenced list of wireless networks ("MAC addresses") with GPS location data on each network's source (based on triangulation).

    We've already seen attacks that allow web-sites to break into routers when the default password isn't changed, and, for example, change their DNS servers to servers operated by the attacker. This is an attack that also assumes the default router password (and address), retrieving the WiFi MAC address, which is then sent back using a postback.

    You then create a web-site; when someone visits it, it logs into their router and sends the MAC address back to the site, which the owner can then search for on Google Maps for that WiFi network, giving you a rough location of that person (within about two street blocks).
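The mechanism Manip describes depends on the victim's own browser being steered at the router's admin interface by a remote page. One defensive consequence is that such requests look different from a person driving the admin UI by hand: the browser stamps them with an Origin or Referer header naming the remote site. The following Python is an added example, not code from Slashdot, Security Week or the talk. It assumes a constructed router at 192.168.1.1 writing a combined-format access log, with constructed admin paths and constructed log lines, and shows two things: a log scan that flags admin requests arriving from a foreign origin, and the same check used as a request gate the way a router's firmware could apply it.

```python
"""
Flag browser-driven (cross-site) requests to a home router's admin interface.

Constructed scenario: the router's admin UI is served from 192.168.1.1. When a
remote web page makes the victim's browser talk to the router, the browser adds
an Origin or Referer header naming that remote page. Requests typed in by the
owner carry the router's own address (or no referer at all for non-browser tools).
"""
import re
from urllib.parse import urlsplit

# Constructed: names the device is legitimately reached under on the LAN.
ROUTER_HOSTS = {"192.168.1.1", "router.local"}
# Constructed: URL prefixes that expose status or configuration.
ADMIN_PREFIXES = ("/cgi-bin/", "/admin", "/status", "/setup")

# Combined log format: client ident user [time] "METHOD PATH PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log: lines 2 and 3 are the pattern of interest, a browser
# already on the LAN fetching the wireless status page and then posting to a
# config endpoint while its referer points at an unrelated remote site.
SAMPLE_LOG = """\
192.168.1.23 - - [02/Aug/2010:21:14:07 -0500] "GET /status/wireless.asp HTTP/1.1" 200 1842 "http://192.168.1.1/index.asp" "Mozilla/5.0"
192.168.1.23 - - [02/Aug/2010:21:16:31 -0500] "GET /status/wireless.asp HTTP/1.1" 200 1842 "http://example-attacker.test/talk/" "Mozilla/5.0"
192.168.1.23 - - [02/Aug/2010:21:16:32 -0500] "POST /cgi-bin/apply.cgi HTTP/1.1" 401 0 "http://example-attacker.test/talk/" "Mozilla/5.0"
192.168.1.23 - - [02/Aug/2010:21:18:00 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "http://192.168.1.1/index.asp" "Mozilla/5.0"
192.168.1.42 - - [02/Aug/2010:21:20:12 -0500] "GET /setup.cgi HTTP/1.1" 200 900 "-" "curl/7.19"
"""


def _host_of(url):
    """Lowercase hostname of a URL, or None if it has none (e.g. 'null', '-')."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def classify_request(method, path, headers):
    """
    Classify one request to the admin interface.

    Returns None for non-admin paths, otherwise 'same-site', 'cross-site' or
    'no-origin'. Origin is preferred over Referer because browsers send it on
    cross-site POSTs even when the referer is stripped; an unparsable origin
    is treated as cross-site rather than trusted.
    """
    if not path.startswith(ADMIN_PREFIXES):
        return None
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin or origin == "-":
        return "no-origin"
    return "same-site" if _host_of(origin) in ROUTER_HOSTS else "cross-site"


def should_allow(method, path, headers):
    """
    Gate a request the way router firmware could: cross-site admin requests are
    refused outright, and state-changing requests with no origin at all are
    refused too, since a legitimate browser session always carries one.
    """
    verdict = classify_request(method, path, headers)
    if verdict is None or verdict == "same-site":
        return True
    if verdict == "no-origin":
        return method in ("GET", "HEAD")
    return False


def scan_log(text):
    """Parse access-log lines and return one dict per request with its verdict."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        d = m.groupdict()
        headers = {"Referer": d["referer"]} if d["referer"] != "-" else {}
        d["verdict"] = classify_request(d["method"], d["path"], headers)
        d["origin_host"] = _host_of(d["referer"]) if d["referer"] != "-" else None
        entries.append(d)
    return entries


def cross_site_alerts(text):
    """Return only the entries that indicate a remote page drove the browser at the router."""
    return [e for e in scan_log(text) if e["verdict"] == "cross-site"]


if __name__ == "__main__":
    for e in cross_site_alerts(SAMPLE_LOG):
        print(f"{e['time']} {e['client']} {e['method']} {e['path']} "
              f"from origin {e['origin_host']} -> status {e['status']}")
```

The referer check is a detection and a speed bump, not the fix: a page can suppress its referer, and the gate then falls back to allowing origin-less GETs so that non-browser tools keep working. What actually closes the hole Manip describes is the obvious pair of changes on the router side: no default password, and a per-session token on every configuration request so that a browser steered by someone else's page cannot complete one.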