Geolocation XSS Tracker Proof of Concept
Jamie found a bit of a scary link this morning that demonstrates a router XSS getting your MAC address and using it to map your current location. Which I'm sure is totally no big deal for anyone.
http://www.securityweek.com/hacker-uses-xss-and-google-streetview-data-determine-physical-location
this is old and has already been posted here.
It's not a bug, it's a feature.
I'm in chilly Minneapolis, but the l33t hax says I'm located just near Santa Monica Blvd.
Even worse, with some clever XSS you can make Slashdot post the same story twice!
Oh wait, that's just shitty editing. Sorry.
In addition, did you know that websites you visit can find out your IP ADDRESS? Not only that, but your OPERATING SYSTEM and BROWSER VERSION? OMG OMG OMG!
Look, just because it's October is no reason to start inundating us with tech horror stories. Save up some of the scary stuff for the end of the month!
Very nice. I'm terrified if law enforcement agents, mafia goons, terrorists, or my ex-wife ever get a hold of this kind of technology. It was so accurate it was scary. I had to zoom out several steps to see what it had identified, then I saw it was a 200 mile wide circle that didn't even remotely contain me.
Dear god, if the Russians get a hold of this, they'll know exactly where NOT to aim a nuke to hit me.
Oh and no I wasn't dumb enough to log into the router and click the link that calls "fiospwn.js" from my own router. {sigh}
> 5. I then take the MAC address and send it along to Google Location Services. This is an HTTP-based service where router MAC addresses are mapped to approximate GPS coordinates from other data sources. There are NO special browser requirements, nor does a user need to be prompted. I determined this protocol by using Firefox's Location-Aware Browsing.
It's not supposed to be a geolocation IP lookup, but he fails to describe how it ISN'T. Sure looks like it to me.
Often wrong but never in doubt.
I am Jack9.
Everyone knows me.
Apparently my router is currently sitting in the former main office of the major telco for my area. Which is across town from me.
And here I was thinking it was on my desk.
So, fail
This story is a bit of a meh. I can go to those sites that tell you everything about your IP, and what the software on your machine tells about you. Got me narrowed down to the closest city.
No location given when I entered my MAC on the test site. Pah.
I'm in southern Indiana. It says I'm in Chicago.
So close...
Gone!
I'm in Moscow, but my coordinates seem to be
"latitude":34.0919483
"longitude":-118.3462152
"country":"United States"
"country_code":"US"
"region":"California"
"county":"Los Angeles"
"city":"Los Angeles"
"street":"N Formosa Ave"
"street_number":"1140"
"postal_code":"90046"
"accuracy":36.0
It has no data on my MAC, but here I am posting away. I wonder what sort of app I'm using to post without a computer.
Apparently 00-de-ad-be-ef-00 is in downtown Toronto.
They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
I'm apparently in Hollywood, according to this.
I'm physically in Phoenix, AZ.
This would make for an awesome geek comedy plot in the vein of The Big Lebowski or so, where some stupid script kiddies think this is a reliable hack to rob somebody's house, and when they show up the people are still there, but it's not who they thought it was, it's somebody far more nefarious who thinks that the script kiddies are somebody else who perhaps owes them something and then the nefarious people force the script kiddies to do awful things anyway since they are now wrapped up in the whole thing.
The XSS FAQ
http://www.cgisecurity.com/xss-faq.html
Believe me, if I started murdering people, there would be none of you left.
NoScript will protect you from this (XSS) - even if you have it set to globally allow javascript.
Mine says not found. Probably because I don't have broadcast SSID on my wireless, judging by the procedure he's using (google locator). If this is the case, why does anyone broadcast their SSID to begin with? I never really understood that. There's no benefit for home users, since chances are 99% of the devices you use on a daily basis are not new, and so you only have to take the extra 5 seconds to manually enter the SSID once.
It gets to my general area when I use my desktop, but, when I tried it on my iPod Touch (Safari), it asked twice that "Safari wants to use your current location", and then pinpointed me at my exact house.
Since when has my router been over 200 miles away from me when I was messing with it a few hours ago lol
FAIL
Typed in the MAC (00-23-97-20-EA-9B) and got this: Sorry, didn't find anything for 00-23-97-20-ea-9b.
Also tried the other two links.. one just brings up my router page (192.168.1.1:80) which asks for a login & password, and the firefox one (I'm using Chrome) doesn't work either. Well kind of. If I enable location services in Chrome, it will load a map, but it won't place a mark anywhere, and it's centered on a town about a 35 minute drive away.
Allowed his page temporarily but still doesn't work.
Other than google analytics, everything else is permitted.
no script,
flashblock,
adblock,
web of trust
better privacy
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
The XSS posted works only on a small class of SOHO routers, e.g. Westell UltraLine Series3 Routers.
If you have anything more sophisticated than a Westell UltraLine Series3 router, you are not affected.
The XSS uses the factory default router IP 192.168.1.1 to send HTTP requests to your router.
Well, I entered my router's MAC just for giggles, and it said "Sorry, didn't find anything". This router has been continuously connected with a fixed public IP address for over a year.
Then I entered my previous router's MAC, and got the same result. The previous router is in storage in the attic, but was in use with very few brief breaks for about 6 years. Also with a fixed public IP address.
Clearly, their MAC geolocation database has a teeny hole - or more likely loads of vast gaping chasms.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
This could be fun to abuse with Black Alchemy's "Fake AP" application...
So it sounds like my house is immune for many obscure reasons, which is to say, I apparently have been practicing "obscurity in depth" as my security strategy.
Firstly, for slightly complicated historical reasons, I have my internal home network on 192.168.N.0/24, where N is not zero or one.
Secondly, my desktop machines are not on the wireless, they're wired to the router, and the wired port has a different MAC than the wireless, invisible to Google.
Thirdly, I don't broadcast my SSID, which might mean it's not in the Google database.
And fourthly, my router has a nondefault password. I think this is the only obstacle to the hack that is an actual, real security measure.
2*3*3*3*3*11*251
He didn't get my address, but he did my neighbor, Mike's house across the street. Which means anyone trying to rob me will go there, instead. Which means I guess it's perfectly safe for me to leave this on, since I don't much like Mike, anyway.
God invented whiskey so the Irish would not rule the world.
Isn't this just looking at wardriving data that was submitted to various wardriving geolocation databases?
1) You broadcast your wireless MAC to the universe via wireless.
2) Dude picks it up on a wardrive scan.
3) Dude uploads his logs to http://wigle.net/ or some other database.
4) Google gets data from these databases (how?) and puts it into their geolocation database
I know I've uploaded my own wireless MAC to wigle before, so no help there. Then again, I have an android phone that connects to my wireless router. Perhaps when your android device has a GPS lock and is connected to a wireless router, it uploads the wireless MAC and current lat/lon values to the Great Google Database in the Sky? That wouldn't surprise me at all.
I tried putting in my WIRED and LAN MAC addresses into the proof of concept website and it put them in locations a thousand miles away (Maryland and New York).
With the first link, the chain is forged.
Works just fine for most IPs in the US and doesn't require router exploits.
I fed it my MAC address. It gave me a reply (in red at the top of the page): Sorry nothing found for (then my MAC address). My Internet anonymity is thus, once again assured!
Yours Sincerely,
Anonymous Coward esq.
I have the same router, but apparently the script is broken if you have your internal DHCP server dishing out any other IP range BESIDES 192.168.1.x
Mine is set to 192.168.25.1 and the script failed on an unprotected browser.
Could this be another win for non-standard setups... Or would this be easy enough to code around?
This signature is lame.
I find broadcasting the SSID helps greatly in troubleshooting wireless issues for other people, if nothing else.
If I get called out to the typical home user's place to help them "fix their problems getting on the Internet", they often don't have any clue what their SSID is set to. All they know is that "It worked ever since the Geeksquad guys came out and set it all up for us!" or what-have-you.
On more than one occasion, I discovered the reason someone had issues had to do with neighbors buying new Linksys routers that had default SSIDs of "linksys", matching the default of THEIR Linksys router they'd been using for months/years. Sometimes they were actually connecting to a neighbor's unsecured router for quite some time, before that neighbor made changes that booted them out -- and only THEN did they think they had things misconfigured.
None of this worked on my home PC.
Then again ... I don't have javascript enabled by default either.
00-23-CD-C5-0D-0C, Hong Kong to be precise COOL! but so very wrong seeing as I'm in Europe and looking at my router right now.
I cannot count the number of ISPs that I've had to deal with where if you do a reverse-DNS lookup of a user's IP address, their MAC address shows up in the DNS name given by the ISP's DNS server. More so from this, virtually every wireless router I've worked on to date has the WAN, LAN, and WiFi MAC address in sequential order.
So, who needs XSS for this? Simply pull a reverse-DNS of the IP address, and odds are that the MAC address will be +- 1 or 2 away from the WAN MAC that the ISP just handed over to you.
On a side note, I looked up my MAC address using that tool, and they have me pegged down EXACTLY to my house. That almost makes me want to switch my MAC address on my wireless now (which thankfully is quite easy on Tomato firmware)
I have two Wireless APs -- one of which is only active occasionally for guests. Here's what I got when I entered my MACs:
Everyday (always on) router: It found my city, but the address was about two miles away.
Guest router: It pinpointed my father-in-law's address. This is strange, because my router has never been located at his house. But, HE HAS CONNECTED TO MY ROUTER. Interesting.
I checked the first address again, and this would be a friend's house, who I once connected his laptop to my network when I was fixing it.
I'm not completely familiar with 802.11, but it would appear that computers that had previously connected to my MAC are regularly pinging this MAC in such a way as to be received by the Google drive-by's and recorded as actual MACs of actual APs. Is there another explanation?
sig: sauer
It's worth noting that the presentation titled "Bad Memories", presented at the BlackHat conference, is very similar to this. PDF available: http://media.blackhat.com/bh-us-10/whitepapers/Bursztein_Gourdin_Rydstedt/BlackHat-USA-2010-Bursztein-Bad-Memories-wp.pdf
Is it possible this is based on Google Street View data? We know they sniffed WiFi data. What if they put together the MAC addresses with their positions?
I am amazed that this actually is tracked by the Google van or whatever. It found my old address based on the MAC address of the wireless adapter in that particular router. The WAN and LAN addresses were not found. So it appears that Google has a list of many MAC addresses and their locations. Quite scary, and obviously impossible to opt out of.
I really hope some North American government looks into this. What possible non-abusive use could this possibly serve? At least the router I am using allows me to change the MAC addresses, which is what I am doing now.
As a potential lottery winner, I totally support tax cuts for the wealthy
Phew! good thing I use a PC
With Apple devices only using WiFi/telcos, maps grabbing MACs, apps grabbing GPS/MAC/serial numbers. Ads tracking deep in Flash/HTML5 databases.
Modems/WiFi units selling with bar code MACs on the side of the box with online extra warranty forms.
This is all a lot of internal work to track a few ads to message you about 'free' coffee as you walk past a cafe.
Is the MAC one of the few stats of value now in any device?
Why are so many dumb devices leaking so much unique info out of the box?
Domestic spying is now "Benign Information Gathering"
If you use your smartphone on your encrypted WiFi and are using location finder then Google will grab the MAC.
IPv6 may use the MAC in the IP address, depending on your OS, so I'm not sure I'm happy about this.
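The IPv6 worry in the comment above and the reverse-DNS observation earlier in the thread both come down to the same audit question: does an identifier my network hands out embed my MAC? The following is an added example, not code from the thread or from the proof of concept; it checks a host's own IPv6 addresses for a modified EUI-64 identifier and an ISP PTR name for an embedded MAC. All sample addresses and hostnames are constructed (the de:ad:be:ef MAC is the thread's own joke value).

```python
import ipaddress
import re

# Constructed sample values for the audit; none of these are real hosts or addresses.
SAMPLE_ADDRS = [
    "fe80::2de:adff:febe:ef00",       # SLAAC address built from 00:de:ad:be:ef:00
    "2001:db8::1a2b:3c4d:5e6f:7081",  # no ff:fe marker, e.g. a privacy-extension address
]
SAMPLE_PTR_NAMES = [
    "00-de-ad-be-ef-00.dyn.example-isp.invalid",  # MAC embedded in the rDNS name
    "cpe-203-0-113-7.example-isp.invalid",        # only the IP is embedded
]

# Six pairs of hex digits, optionally separated by '-' or ':', not inside a longer hex run.
_MAC_RE = re.compile(r"(?<![0-9a-f])(?:[0-9a-f]{2}[-:]?){5}[0-9a-f]{2}(?![0-9a-f])", re.I)


def mac_from_eui64(addr):
    """Return the MAC embedded in a modified EUI-64 interface identifier, or None.

    SLAAC (RFC 4291) forms the low 64 bits by inserting 0xFFFE between the OUI and
    the NIC-specific bytes and flipping the universal/local bit of the first byte.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # random or opaque IID (RFC 4941 / RFC 7217): nothing to recover
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def mac_in_hostname(name):
    """Return a MAC-looking token found in a PTR name, normalised to aa:bb:..., or None."""
    m = _MAC_RE.search(name)
    if not m:
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", m.group(0)).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit(addrs, ptr_names):
    """List (source, value, leaked_mac) for every input that exposes a MAC."""
    findings = [("ipv6", a, mac_from_eui64(a)) for a in addrs]
    findings += [("ptr", n, mac_in_hostname(n)) for n in ptr_names]
    return [f for f in findings if f[2] is not None]


if __name__ == "__main__":
    for source, value, mac in audit(SAMPLE_ADDRS, SAMPLE_PTR_NAMES):
        print(f"{source}: {value} leaks MAC {mac}")
```

On a real host, feed `audit` the output of `ip -6 addr` and the PTR record for your public IP; a hit on the IPv6 side is fixed by enabling privacy extensions (RFC 4941) or stable opaque identifiers (RFC 7217), while a hit on the PTR side is something only the ISP can change.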
Just manually entered my WLAN router's MAC (the page didn't work, not in Firefox (got NoScript), not in Konqueror and not in Opera - maybe Ubuntu is helping me a little bit?) and it got my address 100% accurate. The point on the map is also correct. This is scary, first because I have had my SSID broadcast disabled since day one, and second, because Google Maps usually can't show my address correctly (always hits our neighbors 3 streets away). This is really scary. Why is Google allowed to collect MACs?
need to get this to track my gf when she is out of country, so i know when she is getting back....lol