Punters using Wi-Fi based positioning systems on their mobile devices would do well to look before they leap. Security researchers have discovered location spoofing flaws in the Skyhook positioning system that might be used to lead users astray. Devices using Skyhook's Wi-Fi Positioning System (WPS), including the iPod touch …
Theory is nice
But it's hardly going to have any impact on old Blighty. We can't even get proper 3G coverage, let alone good enough public wi-fi to use a service like this.
Mine's the one with the AA 2008 road map in the pocket...
Disciples off the true path... in the absence of a GSM signal.
Unlike all the Windows Mobile and Symbian disciples...
Reading the paper, the iPhone actually overrules the spoofed WPS system if it has a GSM signal, where the Nokia, Windows Mobile and computers running the plugin just report the false location.
Also, the Loki plugin runs on Macs as well as PCs, Windows Mobile not just Symbian and Skyhook's website is http://www.skyhookwireless.com/
Skyhook also do a scary plugin that updates your location to your blog, website, RSS feed, etc. I wish they wouldn't do things like that, it'll give people ideas...
Waiting for Webster, as clearly this news means iPhone users are all idiots and fanbois, right?
All very well and good, but...
Firstly you have to actually block the other signals. Also for the Jesus phone you would have to block out the cell phone tower signal since it uses that as well. So assuming that the user doesn't notice that they don't have any mobile coverage then yes it could be done. However in practice this sounds like scaremongering with a hint of possibility.
Not a problem for most people
Skyhook's coverage map. Sketchy, outside of London...
Maybe it's just me...
But I can't see why anyone cares. I mean Oh Noes say the wrong location comes up on the map, if anyone has even half a clue they'd realise the map is wrong pretty quickly, especially if the street they are currently on is not currently on screen, that'd be a pretty big giveaway. So I can't see why anyone would even care enough to waste people's time spoofing their location.
@AC "Maybe it's just me"
I'd agree and take it further - why would anyone want to do this anyway?
Arse backwards - the attack only works if the phone isn't within range of a Skyhook-tracked Wifi network. Which is less of a problem.
So it's a good attack against Skyhook users that don't have any GSM coverage, and are outside urban areas, but also don't know where they are.
But you can really only try to fool them into thinking they're in a skyhook covered area (which are all urban with good GSM signal).
Those idiot Jesus Phone disciples will fall for anything, huh?
Asus EEE PC
Is there nothing it can't do? =]
>"the attack only works if the phone isn't within range of a Skyhook-tracked Wifi network."
No, it doesn't. Read TFA. Look at the many examples of skyhook being spoofed in the center of Zurich. Get the facts before you ignorantly spout off.
When I saw the phrase Skyhook I thought El Reg was going to go into technical details of Maserati's adaptive damping system as used on the 3200GT.
None of this wifi location crap - why would you want that anyway, if you have wifi/GPRS/3G, just find the street name [available on most good street corners] and wang it into GMaps or Streetmap, and bang, there is your location to a useful degree.
And if you haven't got GSM coverage, it's a fair bet there won't be a wifi point nearby methinks.
Paris, because she is also a waste of resources and only fun for about ten minutes before you realise that there is no depth to her.
@AC "Maybe it's just me"
> "Oh Noes say the wrong location comes up on the map, if anyone has even half a clue they'd realise the map is wrong pretty quickly"
The prosecution refers m'learned friend to every "sat nav caused me to run over my own testicles" story ever run to date...
If my Jesus phone tells me I'm in the middle of Kansas while standing on Oxford Street who am I to argue?
Asus EEE PC
We assume that the person using the Asus EEE PC in this nefarious way was the young lady on the beach?
Thank you. I've just had a most amusing mental image of Judy Garland as Dorothy standing in Oxford Street with an iPhone and saying "I don't think we're in Kansas any more."
It's a computer.
If I had a Wi-Fi based mapping system I'd be amazed if it worked at all...giving the wrong location would get the response "Oh at least it's doing something". Sat-Nav phones aren't expensive anymore, if you need accurate mapping they're still an option and if you don't it's a bit of a gimmick.
The odds of someone setting up a jamming and spoofing setup telling you to walk through the dark alley with your expensive looking mobile are still very slim, and even slimmer that people wouldn't question its validity.
Damn you beat me to it....
"The team used an Asus eeePC configured to impersonate access points and software radios to jam legitimate networks."
I for one am shocked and appalled at the lack of eeePC lady on beach pictures. Surely this story constitutes at least a flimsy argument to display one, it's never stopped El REG before!
Paris 'cos it looks like she's just lost her eeePC.
One word... GEEKS.
How sad are the people that firstly thought this project up and then spend the time and effort to do it?? Why exactly? Because they could??
I can't think of a single reason anyone would exploit this "hack"?
Are Securicor vans iPhone mapping to find their way around with vans full of money?
Ignorantly spouting off
Er, I did read the TFA, it says:
"If a device is not in range of any wireless networks known to Skyhook, we can easily spoof its location by access point impersonation and thus can completely control the result of the device localization process"
"In these examples, the device located at ETH Zurich was showing locations in downtown Zurich (1 km away) and New York (6,300 km away)."
If you check the coverage map, ETH is outside the coverage area, which is why the screen shots only show the spoofed networks. They spoofed network in Central Zurich *and* NY ones, on devices on the outskirts of Zurich without WPS coverage.
Suggestion - read and understand TFA before being so damn rude, next time? Also, it was my post I was correcting as arse-backwards.