Geolocation XSS Tracker Proof of Concept
Jamie found a bit of a scary link this morning that demonstrates a router XSS getting your MAC address and using it to map your current location. Which I'm sure is totally no big deal for anyone.
Even worse, with some clever XSS you can make Slashdot post the same story twice!
Oh wait, that's just shitty editing. Sorry.
TFA isn't very long. Author explains that the address it shows initially is:
"(Example: MAC of my previous router, 00-11-24-ec-72-cf, actually located at 7070 Flight Ave, Culver City CA for comparison)"
Which has nothing to do with this article.
Apparently my router is currently sitting in the former main office of the major telco for my area. Which is across town from me.
And here I was thinking it was on my desk.
So, fail
Good job, dumbass. Now you are uniquely identifiable.
MAC based geolocation of wireless routers is far more accurate than geolocation using ip alone.
Candy Browser (Graham Cracker OS 4_1) Version/2.7
Hell, it can't be any worse at rendering standard HTML/CSS than IE.
If libertarians are so opposed to effective government, why don't they all move to Somalia?
No location given when I entered my MAC on the test site. Pah.
I'm in southern Indiana. It says I'm in Chicago.
So close...
Gone!
It's not geolocation in the traditional sense, because it's not mapping an IP address to a location. It's combining an XSS attack which gets your mac address from your router (from the inside of your network) with google's MAC to location lookup from their massive drive-by wifi sniffing done when the streetview car drives past your house. Typically a server can determine your IP address, and use that to map your approximate location. This can determine your MAC address and (in some cases) use that to determine your EXACT location.
Of course, you need to have:
a) not changed the default password on your router
b) have a wireless network google has sniffed
What I'm not sure about is if google's sniffing gathers the mac address of encrypted wireless, so possibly this only works on unencrypted wireless connections. I don't know if a wireless router reveals its mac before or after encryption is established. Anyone?
Either way, standard security such as changing the default password on your router is sufficient to render this ineffective.
Of course, it also doesn't work if you move your router somewhere else after google sniffs it.
I'm in Moscow, but my coordinates seem to be
"latitude":34.0919483
"longitude":-118.3462152
"country":"United States"
"country_code":"US"
"region":"California"
"county":"Los Angeles"
"city":"Los Angeles"
"street":"N Formosa Ave"
"street_number":"1140"
"postal_code":"90046"
"accuracy":36.0
It has no data on my MAC, but here I am posting away. I wonder what sort of app I'm using to post without a computer.
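The record posted above is a one-field-per-line dump of the lookup's JSON, with a latitude/longitude pair and an "accuracy" figure in metres. The following is an added example, not code from the thread or from the proof-of-concept site: it reassembles such a dump into a dict and measures how far the returned point actually is from where the poster says they are, so the claimed accuracy can be compared with the real error (the 5-mile / 50-mile / 120 km figures other posters report). The Moscow coordinates are assumed city-centre values, and the sample record is the one pasted above.

```python
import json
import math

# Constructed sample: the geolocation record exactly as posted above,
# one "key":value fragment per line, no braces or commas.
POSTED_RECORD = """
"latitude":34.0919483
"longitude":-118.3462152
"country":"United States"
"country_code":"US"
"region":"California"
"county":"Los Angeles"
"city":"Los Angeles"
"street":"N Formosa Ave"
"street_number":"1140"
"postal_code":"90046"
"accuracy":36.0
"""

# Assumed approximate coordinates for central Moscow, where the poster says they are.
MOSCOW_LAT, MOSCOW_LON = 55.7558, 37.6173

EARTH_RADIUS_M = 6_371_000.0


def parse_record(text: str) -> dict:
    """Rebuild the line-per-field dump into a JSON object and parse it."""
    fields = [line.strip() for line in text.splitlines() if line.strip()]
    return json.loads("{" + ",".join(fields) + "}")


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS-84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def assess(record: dict, true_lat: float, true_lon: float) -> dict:
    """Compare the lookup's own accuracy claim with the measured error."""
    error_m = haversine_m(record["latitude"], record["longitude"], true_lat, true_lon)
    return {
        "returned_point": (record["latitude"], record["longitude"]),
        "claimed_accuracy_m": float(record["accuracy"]),
        "measured_error_m": error_m,
        "within_claimed_accuracy": error_m <= float(record["accuracy"]),
    }


if __name__ == "__main__":
    rec = parse_record(POSTED_RECORD)
    result = assess(rec, MOSCOW_LAT, MOSCOW_LON)
    print(f"lookup says {rec['street_number']} {rec['street']}, {rec['city']} "
          f"(claimed accuracy {result['claimed_accuracy_m']:.0f} m)")
    print(f"measured error: {result['measured_error_m'] / 1000:.0f} km, "
          f"within claimed accuracy: {result['within_claimed_accuracy']}")
```

The point of separating the claimed accuracy from the measured error is that a 36 m "accuracy" field looks like a house-level fix, but it only describes the database's confidence in its own record for that MAC; if the record is stale or belongs to a different device (a moved router, a laptop that once associated with the AP), the fix is precise and wrong at the same time.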
Apparently 00-de-ad-be-ef-00 is in downtown Toronto.
They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
This would make for an awesome geek comedy plot in the vein of The Big Lebowski or so, where some stupid script kiddies think this is a reliable hack to rob somebody's house, and when they show up the people are still there, but it's not who they thought it was, it's somebody far more nefarious who thinks that the script kiddies are somebody else who perhaps owes them something and then the nefarious people force the script kiddies to do awful things anyway since they are now wrapped up in the whole thing.
Google will certainly grab the MAC address of any broadcasting base station whether or not encryption is in use -- the SSID and MAC are not encrypted. I think the only question is whether they will grab the SSID of a non-broadcasting station that is in use.
SIG: HUP
The XSS FAQ
http://www.cgisecurity.com/xss-faq.html
Believe me, if I started murdering people, there would be none of you left.
NoScript will protect you from this (XSS) - even if you have it set to globally allow javascript.
Mine says not found. Probably because I don't have broadcast SSID on my wireless, judging by the procedure he's using (google locator). If this is the case, why does anyone broadcast their SSID to begin with? I never really understood that. There's no benefit for home users, since chances are 99% of the devices you use on a daily basis are not new, and so you only have to take the extra 5 seconds to manually enter the SSID once.
Well, in my case the IP-based location is accurate to 5 miles, while this guy's thingy placed me 50 miles away...
Typed in the MAC (00-23-97-20-EA-9B) and got this: Sorry, didn't find anything for 00-23-97-20-ea-9b.
Also tried the other two links... one just brings up my router page (192.168.1.1:80) which asks for a login & password, and the firefox one (I'm using Chrome) doesn't work either. Well, kind of. If I enable location services in Chrome, it will load a map, but it won't place a mark anywhere, and it's centered on a town about a 35 minute drive away.
Allowed his page temporarily but still doesn't work.
Other than google analytics, everything else is permitted.
no script,
flashblock,
adblock,
web of trust
better privacy
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
You forgot
c) Not moved the router since google came by
---- One button is the power button, the other is the Bender voice button: "Bite My Shiny Metal Ass"
The XSS posted works only on a small class of SOHO routers, e.g. Westell UltraLine Series3 Routers.
If you have anything more sophisticated than a Westell UltraLine Series3 router, you are not affected.
The XSS uses the factory default router IP 192.168.1.1 to send HTTP requests to your router.
Well, I entered my router's MAC just for giggles, and it said "Sorry, didn't find anything". This router has been continuously connected with a fixed public IP address for over a year.
Then I entered my previous router's MAC, and got the same result. The previous router is in storage in the attic, but was in use with very few brief breaks for about 6 years. Also with a fixed public IP address.
Clearly, their MAC geolocation database has a teeny hole - or more likely loads of vast gaping chasms.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
His XSS only works against the verizon FiOS router.
So it sounds like my house is immune for many obscure reasons, which is to say, I apparently have been practicing "obscurity in depth" as my security strategy.
Firstly, for slightly complicated historical reasons, I have my internal home network on 192.168.N.0/24, where N is not zero or one.
Secondly, my desktop machines are not on the wireless, they're wired to the router, and the wired port has a different MAC than the wireless, invisible to Google.
Thirdly, I don't broadcast my SSID, which might mean it's not in the Google database.
And fourthly, my router has a nondefault password. I think this is the only obstacle to the hack that is an actual, real security measure.
2*3*3*3*3*11*251
He didn't get my address, but he did my neighbor, Mike's house across the street. Which means anyone trying to rob me will go there, instead. Which means I guess it's perfectly safe for me to leave this on, since I don't much like Mike, anyway.
God invented whiskey so the Irish would not rule the world.
Isn't this just looking at wardriving data that was submitted to various wardriving geolocation databases?
1) You broadcast your wireless MAC to the universe via wireless.
2) Dude picks it up on a wardrive scan.
3) Dude uploads his logs to http://wigle.net/ or some other database.
4) Google gets data from these databases (how?) and puts it into their geolocation database
I know I've uploaded my own wireless MAC to wigle before, so no help there. Then again, I have an android phone that connects to my wireless router. Perhaps when your android device has a GPS lock and is connected to a wireless router, it uploads the wireless MAC and current lat/lon values to the Great Google Database in the Sky? That wouldn't surprise me at all.
I tried putting in my WIRED and LAN MAC addresses into the proof of concept website and it put them in locations a thousand miles away (Maryland and New York).
With the first link, the chain is forged.
I have the same router, but apparently the script is broken if you have your internal DHCP server dishing out any other IP range BESIDES 192.168.1.x
Mine is set to 192.168.25.1 and the script failed on an unprotected browser.
Could this be another win for non-standard setups... Or would this be easy enough to code around?
This signature is lame.
I find broadcasting the SSID helps greatly in troubleshooting wireless issues for other people, if nothing else.
If I get called out to the typical home user's place to help them "fix their problems getting on the Internet", they often don't have any clue what their SSID is set to. All they know is that "It worked ever since the Geeksquad guys came out and set it all up for us!" or what-have-you.
On more than one occasion, I discovered the reason someone had issues had to do with neighbors buying new Linksys routers that had default SSIDs of "linksys", matching the default of THEIR Linksys router they'd been using for months/years. Sometimes they were actually connecting to a neighbor's unsecured router for quite some time, before that neighbor made changes that booted them out -- and only THEN did they think they had things mis-configured.
Which standard ?
The one that is already 10 years out of date, or the new one that will be 10 years out of date before it's finalized ?
I have two Wireless APs -- one of which is only active occasionally for guests. Here's what I got when I entered my MACs:
Everyday (always on) router: It found my city, but the address was about two miles away.
Guest router: It pinpointed my father-in-law's address. This is strange, because my router has never been located at his house. But, HE HAS CONNECTED TO MY ROUTER. Interesting.
I checked the first address again, and this would be a friend's house, who I once connected his laptop to my network when I was fixing it.
I'm not completely familiar with 802.11, but it would appear that computers that had previously connected to my MAC are regularly pinging this MAC in such a way as to be received by the Google drive-by's and recorded as actual MACs of actual APs. Is there another explanation?
sig: sauer
It's worth noting that the presentation titled "Bad Memories", presented at the BlackHat conference, is very similar to this. PDF available at http://media.blackhat.com/bh-us-10/whitepapers/Bursztein_Gourdin_Rydstedt/BlackHat-USA-2010-Bursztein-Bad-Memories-wp.pdf
Of course, it also doesn't work if you move your router somewhere else after google sniffs it.
It could always be randomly generated.
I am amazed that this actually is tracked by the google van or whatever. It found my old address based on the mac address of my wireless adapter in that particular router. The wan and lan addresses were not found. So it appears that google has a list of many MAC addresses and their locations. Quite scary, and obviously impossible to opt out of.
I really hope some North American government looks into this. What possible non-abusive use could this possibly serve? At least the router I am using allows me to change the MAC addresses, which is what I am doing now.
As a potential lottery winner, I totally support tax cuts for the wealthy
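Several posts above turn on what a MAC address actually carries: the first three octets are the vendor OUI, and two bits of the first octet say whether the address is locally administered (set by the owner rather than burned in at the factory) and whether it is multicast. A router that lets you change its MAC, as the post above describes, can be given a locally administered address that no wardriving or streetview record has ever seen. The code below is an added example, not anything from the thread or the proof-of-concept site: it normalises the MAC formats people pasted in the thread, decodes those two bits, and generates a fresh locally administered unicast MAC. The sample addresses are the ones quoted in the thread plus one constructed locally administered address for contrast.

```python
import re
import secrets

# Constructed samples: three MACs quoted in the thread (two separator styles)
# plus one locally administered address (first octet 0x02) for comparison.
SAMPLE_MACS = [
    "00-11-24-ec-72-cf",
    "00:23:97:20:EA:9B",
    "00-de-ad-be-ef-00",
    "02-00-5e-10-00-01",
]


def normalize_mac(mac: str) -> str:
    """Accept aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff or aabbccddeeff; return lower-case colon form."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def describe_mac(mac: str) -> dict:
    """Split out the OUI and decode the U/L (bit 1) and I/G (bit 0) flags of the first octet."""
    norm = normalize_mac(mac)
    first_octet = int(norm[:2], 16)
    return {
        "mac": norm,
        "oui": norm[:8],                                   # vendor prefix, meaningless if locally administered
        "locally_administered": bool(first_octet & 0x02),  # U/L bit: 1 = set by the owner, not the vendor
        "multicast": bool(first_octet & 0x01),             # I/G bit: 1 = group address, never a station
    }


def random_local_mac() -> str:
    """Generate a random locally administered, unicast MAC (U/L set, I/G clear)."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{o:02x}" for o in octets)


if __name__ == "__main__":
    for sample in SAMPLE_MACS:
        info = describe_mac(sample)
        print(f"{info['mac']}  oui={info['oui']}  "
              f"local={info['locally_administered']}  multicast={info['multicast']}")
    print("fresh locally administered MAC:", random_local_mac())
```

Changing the address only breaks the link to old records; the moment the new MAC is observed and uploaded alongside a GPS fix, the same lookup works again, which is the same caveat the thread raises about moving a router after the car has been past. Note also that a router has separate WAN, LAN and wireless MACs, and the wireless one is the only one ever seen over the air.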
On his website he states that the google car got my wifi MAC address, but the google car drove past 2 years ago and I wasn't living there, so it must be mapping MAC to IP, as I also changed my wifi router about 3 months ago. Unless the google car has come by again (which I doubt), and if it has, then where are my updated streetview pics, google!
Phew! good thing I use a PC
Using XSS & Google To Find Physical Location
http://it.slashdot.org/article.pl?sid=10/08/03/0117215
With Apple devices only using wifi/telcos, maps grabbing MACS, apps grabbing gps/MAC/serial numbers. Ads tracking deep in flash/html5 databases.
Modems/wifi units selling with bar code MACS on the side of the box with online extra warranty forms.
This is all a lot of internal work to track a few ads to message you about 'free' coffee as you walk past a cafe.
Is the MAC one of the few stats of value now in any device?
Why are so many dumb devices leaking so much unique info out of the box?
Domestic spying is now "Benign Information Gathering"
need to get this to track my gf when she is out of country, so i know when she is getting back....lol
Not very impressive.
1) (as others have pointed out) I don't see how it's any different than IP lookup.
2) First attempted - nothing worked (need to temporarily allow scripts on samy.pl).
3) Then I get prompt "samy.pl wants you to share information about your location. Share (y/n) [ ] - remember this decision?"... (ok, no, don't remember)
4) It returned my location accurate within 120km (75miles). Not very impressive.