Hack uses Google Street View data to stalk its victims

A security researcher has devised an attack suitable for stalking and similarly creepy endeavors that uses JavaScript and geo location data from Google to pinpoint a victim's precise location. In a talk titled “How I Met Your Girlfriend,” at the Black Hat conference last week, hacker Samy Kamkar demoed the technique, which he …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    How I LOLLED

    Bad jokes aside, I've been telling people for years that this could be possible via a large WarChalking exercise.

    Vindication at last. EXCELSIOR!

    PS I also predicted Melissa in 1995 :)

    1. Anonymous Coward
      Anonymous Coward

      How I LOLled myself

      So you predicted something that doesn't actually work? That's clever of you.

  2. Drew Green

    Sumfin not quite right....

    Wait a minute....

    “How I Met Your Girlfriend,” at the Black Hat conference...

    ...a conference of geeks...

    1. Anonymous Coward
      FAIL

      Yup spot on

      "How I met YOUR girlfriend....got excited, took a blurry photo and made a mess of it", not How I met MY girlfriend...

      1. Wize

        But the 'your' in question...

        ...is the other geeks in the room.

  3. Tom 15

    Your privacy was never safe...

    If your router is set to the default password then you never had any privacy...

  4. An_Old_Dog Silver badge
    Unhappy

    countermeasures

    Countermeasures: a script which randomly changes one's MAC address, a script which does a frequent DHCP release/renew, and locking IPv6 OFF.

    Though, this isn't helpful for the average, non-tech Sam- or Sally-in-the-street.

    1. King Edward I
      Stop

      Or...

      Countermeasure: Change your router password?

  5. I didn't do IT.
    Pirate

    Privacy is dead?

    “Privacy is dead, people.”

    Privacy has always been there for those that want it. Those that assume they have privacy have never had it.

  6. Ned Ludd
    Coat

    Ha!

    Let's see how smug all those MAC users are now!

    1. prathlev
      Happy

      @MAC users

      Yeah, screw MAC users, let's start using X.25 again!

    2. This post has been deleted by its author

      1. Martin 71 Silver badge
        Pint

        Failure to spot joke icon.. penalty

        One pint of beer plz :-)

        1. Anonymous Coward
          Anonymous Coward

          Fail yourself

          That post doesn't have the joke icon, it has the one next to it. DTs affecting your mouse control?

          1. Anonymous Coward
            Thumb Up

            Double fail yourself!

            The coat is an alternative joke icon. As in "I'll get my coat". I love a cascade of fools.

      2. Shakje
        FAIL

        @Dino

        Everyone who uses a computer is (capable of sarcasm) - (sarcasm is a form of irony that attacks a person or belief through harsh and bitter remarks that often mean the opposite of what they say). I guess anything to put it to (intelligent people) though eigh?? !!

  7. Jacqui

    wireless router

    NTHell are coming with my noo 50M services later this month :-)

    Evidently this means a new box with built in wireless, replacing the current box RJ45'd into my linux firewall. But unless *they* can disable the wireless during the install, the service will be getting cancelled within the week.

    Wireless on the net gateway has always just felt wrong to me.

    my dedicated WAP has its own zone and IP range - and has limited access to both the net and local systems.

    Jacqui

    1. tony trolle

      @wireless router

      tin foil ?

      yet to meet a router that cannot turn off wireless side but who knows virgin (insert joke)

    2. ElNumbre
      WTF?

      Meh.

      Even if you can't disable the wireless, what's the massive risk when it's on the dirty side of your firewall anyway? Even if someone penetrates the security on the AP, all they can do is get out to the internet provided you've set up your untrust-trust firewall properly.

    3. Paul 129

      MAC of wireless is the issue

      Each wireless device has its own MAC, which is communicated in the clear. Google and others have compiled a geographic database of wireless MACs. All it takes is an exploit that leaks that internal MAC address, of your home network, and they have a good idea of your address.

      Hacking the router seems excessive, lots of people use laptops via wireless at home, you just need some way to look at the ARP table and the job is done. The MAC address also gives you the brand of the device, and if you had a big enough sample size, I would think it gives you the model too.

      Solution is to regularly randomize the wireless mac address. I think techno stalkers will have fun for a while.
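Added example, not part of the original thread: the comment above notes that a MAC address reveals the device brand and proposes randomizing it. This Python sketch shows which bits carry the vendor prefix (OUI), how a randomized locally administered address is formed, and how to flag interfaces still using a burned-in address. The interface names and addresses are constructed sample data, and all function names are illustrative.

```python
import secrets

def parse_mac(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' (or '-' separated) into 6 raw bytes."""
    parts = mac.strip().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex("".join(parts))

def describe(mac):
    """Report the properties encoded in the first octet of a MAC."""
    raw = parse_mac(mac)
    local = bool(raw[0] & 0x02)      # bit 1: locally administered
    multicast = bool(raw[0] & 0x01)  # bit 0: group/multicast
    return {
        # The first three octets are a vendor-assigned OUI only when
        # the address is universally administered (local bit clear).
        "oui": None if local else ":".join(f"{b:02X}" for b in raw[:3]),
        "locally_administered": local,
        "multicast": multicast,
    }

def random_private_mac(rng=secrets.token_bytes):
    """Build a random unicast, locally administered MAC address."""
    raw = bytearray(rng(6))
    raw[0] = (raw[0] | 0x02) & 0xFE  # set local bit, clear multicast bit
    return ":".join(f"{b:02x}" for b in raw)

def burned_in_interfaces(interfaces):
    """Return names of interfaces whose MAC still carries a vendor OUI."""
    return sorted(
        name for name, mac in interfaces.items()
        if describe(mac)["oui"] is not None
    )

# Constructed sample data (not taken from any real network).
SAMPLE_INTERFACES = {
    "wlan0": "00:1A:2B:3C:4D:5E",  # universally administered, exposes an OUI
    "wlan1": "06:9f:12:aa:01:7c",  # local bit set, no vendor prefix
}

if __name__ == "__main__":
    for name, mac in SAMPLE_INTERFACES.items():
        print(name, mac, describe(mac))
    print("still burned-in:", burned_in_interfaces(SAMPLE_INTERFACES))
    print("replacement candidate:", random_private_mac())
```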

    4. Anonymous Coward
      Happy

      Virgin

      If by NTL: you mean Virgin, the 50mb modem is a stand alone box and they give you a D-Link DIR615 router with Virgin firmware to go with it.

      Certainly was when they did my install last month.

  8. David Eddleman
    FAIL

    Not compelling

    The two requirements for this are major 'if's. For starters, it would require someone to be on a network that is completely open (either with default credentials, which is the more likely scenario, or on a router that doesn't require authentication to get to the admin page (of which I've seen none)). Given how I'm seeing fewer and fewer open wifi networks out there there's very little chance for this to take root. It also requires Google Maps to have cached the area. That means only someone with a wifi signal strong enough to be broadcasted to a Googlecar or more likely, living in proximity to a street where a Googlecar would be bothered going through, is at risk.

    Sorry, buddy. Not very likely.

    1. ArmanX

      Re: Not compelling

      I think you underestimate and/or misunderstand Google's geolocation... while you can get a good position using Wifi, Google can also use your IP address with some success; if you are using this to track someone's location, it would be fairly accurate, especially if averaged over some amount of time. This isn't a "difficult" hack; it uses a very simple web page, a tiny amount of Javascript, and Google Location Services. You might not get accuracy to millimeters, but you get close enough to tell if someone is home or away.

      As I said - this isn't a difficult hack. This barely qualifies as script kiddy. Now, maybe if you use something more sophisticated to set up some sort of automatic position ping, that might be more interesting/useful, but as it is... this information is easy to find.

      Then again, how is this considered stalking? It's less stalking than FaceBook...

      1. Anonymous Coward
        Anonymous Coward

        Laugh?!

        "Google can also use your IP address with some success;"

        Whenever anybody mentions the use of IP addresses for geolocation I have to try not to laugh. OK so with some ISPs it's possible to get somewhere near but most ISPs don't tie an IP to even a vague geographic area. I've looked at some of this geolocation nonsense in the past and the nearest any of these services has got is at least a county away (note for Merkin readers: a county in the UK will generally contain several large towns or cities). Some of them even put me in London.

        As for Google's sinister WiFi database, sorry but again it's a big fat FAIL. From the day it was collected it's been out of date and it's getting worse and worse. Google are not updating the data in any serious way, but the world is changing. People are buying new routers, people are moving house. Things are changing.

        So this particular "scare" is yet another case of unfounded headline grabbing or maybe just looking for peer approval (it's a geek thing). OK so it might work, but only for a very, very small subset of people. People who fit into all these groups.

        People who can be lured to the malicious website.

        Who have a wireless router (not everybody has them you know).

        People whose router has no password or default password.

        People who don't have any wireless encryption on their home router.

        People who have the same router they did when the Google car went past.

        People who still live where they did when the Google car went past.

        People whose router was switched on when the Google car went past.

        People whose wireless can be picked up from the street (mine doesn't reach).

        Some venn diagram isn't it? And the thing is that the number of people who fall into all those groups is falling all the time.

        Oh and even then it relies on their visiting the website from home. What if they decide to visit it from their phone or maybe an internet cafe or somebody else's home?

    2. JohnG

      More compelling than you think

      Whilst many people will have changed the default router password, many people also allow their browser to store the router password, which achieves the same result.

      The network does not need to be completely open, all that is required is for the victim to visit a web site which includes the malicious code.

      The WiFi network also does not need to be open to be geolocated - Google just needs to have captured some packets - all of which will include the MAC address of the router, regardless of any payload encryption.

      Lastly, Google's geolocation is not the only game in town - there is also Skyhook. Whilst country folk may have their houses far enough from public roads for their WiFi not to be geolocated, this is less likely for city dwellers.

    3. stizzleswick
      Go

      Re: Not compelling

      The hotel across the river from where I do some of my work has a completely open network -- router password is factory standard, and you can look it up on the 'net. I have tried it (though I have not done anything to their network except notifying their manager that their network is seriously asking for abuse due to a complete lack of both common sense and security. That was two months ago. Nothing has since happened.)

      Unfortunately, in the real world, there is an abundance of completely unsecured and set-to-factory-standard routers out there. That is my bitter experience from several years of working as an IT consultant.

      Try to hack mine, though. See if you can get at the message for those who think they are successful... and yes, I know that even the best practices can be circumvented. So, if you get as far as the message, it includes one of my email addresses. Drop me a line telling me how you did it, so I can fix it...

      1. Tim Bates

        Re: stizzleswick's Re: Not compelling

        Same sort of thing here at a local function centre. We noticed that they had open wireless while we definitely weren't cheating during a trivia night, and then found the router was default password.

        When we told the guy who does their tech stuff, he was quite OK with that because the open wireless was actually NATed into their LAN, not direct connected. Didn't seem to worry him that the real router's IP address was obtainable via the open wireless router's status page... Nor that said real router's password also wasn't changed from the default...

        Oh, as for this exploit - easier to just ask people where they are. The stupid ones will tell you anyway.

  9. heyrick Silver badge

    Too damn new-agey for me...

    Call me old-fashioned, but I believe you need to have some sort of "connection" to the person you're stalking. You know, you buy her stuff, send her parcels, and generally know a load of things about her routine and location from simple observation. Any idiot can clicky-clicky on a website. You might end up hassling Auntie Vera. Yuck. Where's the fun in that? Or have we been so conditioned by our pitiful excuse of television programming and the equally pitiful "celebrity culture" that it's now the done thing to fall in love with a so-called celebrity that wouldn't look at you twice, lure her to a website to snarf her location, to send Interflora across the world to somebody you'll probably never meet? WTF?

    I think this is a geek with a solution that's desperately looking for a problem...

    1. Anonymous Coward
      Unhappy

      @HeyRick

      Girl / Guy (yes it happens) you are perving over is stupid enough to publish her email address, maybe on facebook, or forget to hide it on a mailto: for on their website. If they have done that, chances are they haven't secured their router too well.

      Next send them an email. You have enough info from their website / facebook to target them. Send them to website to run code.

      Back you have the local area they live in.

      Drive (or catch bus).

      Bingo, there is target.

      See not that hard to stalk the person of your (twisted) dreams.

      1. heyrick Silver badge
        Happy

        @ AC

        Yes, I can understand the mechanics behind it working - I just think "cute girl in the flower shop" would be a more worthy target than "random person on Facebook" or whatever. At least you get to see the flower shop girl, how she dresses, how she interacts, what sort of person she is. With an Internet location, well... Is the picture of the person a real picture of that person? Mine is an animé girl which is obviously not a real person, but some of the girls at work have pictures of OTHER girls as their photo, which is bizarre IMHO. If you were to obsess over that, you'd get a shock if you meet the real person. That isn't to say they're bad looking, just that they look nothing like the published photo.

        Yeah. I see the potential application of this, but give me a real live person any day...

  10. Anonymous Coward
    Grenade

    Google Geo-location Not All That Good Yet

    Judging by streetview, we've had the Google vans up and down most streets around us in the past few years (after deploying the present wifi router in use w/o any MAC change since then) and while they claim the location is within hiking distance it is hardly close enough to begin to guess which of many thousands of buildings or towers it might be coming from.

    Some geolocations may be better, others may be worse, but the remaining problem is that if you live in a high density area it is not as likely as some imply that you can get a location fix to any reasonable degree of certainty.

  11. petur

    What's the point?

    If you can manage to get somebody to run some dodgy javascript, you can just use that to ask the browser for your location. FF and chrome can provide a site with your location.

    So this all seems a bit complicated when there are far easier ways. And how the hell are you going to get the MAC of my wireless anyway? You'd need to login to my router, unless you assume the PC I am using is on wireless too (which is not always the case) - good luck hunting the MAC of my wired network in the Google database :P

  12. Graham Bartlett

    @Jacqui

    On the plus side, NTHell, for all their failings in customer support if anything goes wrong, are the only ISP in the country whose bandwidth approaches (i.e. better than 80% of) the quoted bandwidth. All the rest of those surveyed were at 50%+/-10%.

  13. Anonymous Coward
    Anonymous Coward

    I can do one better...

    Find a random house, sit across the road in a coffee shop, see which car the occupant gets into - I've just hacked your numberplate to your house location! Except with my attack I also know what you look like... be afraid, be very afraid!!!!

  14. JaitcH
    Pint

    More and more I become ....

    convinced that wiring my homes and office with Ethernet and banning WiFi was the right decision!

    Of course Google could disallow MAC searching and the whole thing would be castrated.

  15. Anonymous Coward
    Happy

    why go through all that trouble

    Most APs MACs are sequential, and sequential in the same order. so if you can communicate with the users' browser, simply have some code run there that can extract the contents of the ARP cache....you might be overjoyed at what you find

    Unless you hack mine, and you'll think you just connected to a network from 1990... All of my MACs are old Proteon and BBN addresses.....sometimes I just love being old.

  16. david 12 Silver badge

    Samy Worm ... knocked the site out of commission

    Samy Worm knocked MySpace out of commission? I think not.

    MySpace took their site down because they didn't know what was going on, and wanted to roll-back to a safe state.

    Which is fair enough.

    But that's not the same as saying that their site collapsed because Samy had a million friends. Saying so is a little unfair, both to Samy and to MySpace.

  17. xyz Silver badge
    Black Helicopters

    So that's why Google was doing "it"

    What better way for <insert security service of your choice> to find a "person of interest" in an internet cafe someplace. Large latte and a tinfoil hat please.

  18. Anonymous Coward
    Happy

    Hold on!

    Is this the same Kamkar geezer who did some bird time for some naughtiness involving ripping people off over security claims?

  19. Anonymous Coward
    FAIL

    So street view got the mac address from my phone?

    .. and then i lost it etc etc.

    Yes, there are other means to find someone on a mobile network, so let's conveniently forget about that.... instead we find YOUR girlfriend's HOUSE where her router is, not the same as that person.

    This kind of story is very alarmist but the STALKING bit is missing as you would need to do lots more to ensure only your intended victim gave up their router. Instead you can STALK a load of random people who came to your website..... lucky you!!

  20. Gav
    FAIL

    Meh

    “Privacy is dead, people.”

    Utter wiffle. Privacy is dead for those who are foolish enough to run a router without setting a unique password. These people have never had any hope of privacy as they have been leaving the key in their front door.

    For everyone else this is a big "Meh!"

  21. SpaceQ
    Alert

    my experience

    bias warning: I am developing and testing exooc.com

    Actual Comment: new HTML5 geolocation can get your location pretty close even without GPS I saw 36m precision quite common.... of course browser asks you if you want to allow it but... there are cases/places with proxy where somebody else clicked to share this information with specific web server-> therefore coz u r using same public IP your address could be already known to same web server without you knowing.

    anyhow if you wish to check how precise your location might be known to others go to exooc.com

  22. Tim Almond

    Can Someone Explain

    Precisely how this hack works? As far as I can tell, you can't get a MAC address via Javascript. Does it basically rely on people having default router passwords? Some form of human idiocy?

    I'm confused.

  23. andy gibson
    FAIL

    Google Location Services FAIL

    I gave the link a try. First of all Firefox asked me if I wanted to share my location. When I clicked "Share" the Google Map brought up Coventry!

    1. Anonymous Coward
      Anonymous Coward

      its based on html5 geolocation draft from feb. 2010

      good .. so your IP and other details are not in the database... however there are more databases which differ...

      Article discusses a different method where the attacker uses XSS to get the MAC address of your router via the administration page of your router... and you must have the default login name and password...

      connection with geolocation comes to picture when he used geolocation's database to check where is MAC address of your router located.

    2. Anonymous Coward
      Anonymous Coward

      Coventry?

      So even Google want to send you to Coventry?

      Actually it did pretty well for you, at least it found the continent. I hit the share button and it brought up a world map with a little clock whizzing round and several hours later it was still going. What a great service.

  24. Robert Hill

    If you have a smartphone and Google Maps....

    Then it appears that your Google-reported "position" happens to be the last place that you used Google Maps to actually get a position for your smartphone. Irrespective of your actual home router location.

    All I can think of is checking my location on my iPhone from Wrigley ballpark now...just in case the neo-Nazis come after me!

  25. Anonymous Coward
    Anonymous Coward

    How?

    BTW how do you search for a mac address on google?

  26. This post has been deleted by its author

  27. simon newton

    Easier way of doing it

    Forge the shady XSS

    http://iwtf.net/2010/08/04/accurate-geolocation-of-your-users/

  28. Anonymous Coward
    Anonymous Coward

    Geolocation By Router MACs?

    As far as I understand the principle of Google's geolocation by router MACs it's a pretty shite service.

    From what I've read it looks at all the wireless networks your PC can see (so if you're on a wired network this hack is right out). It then compares the MAC addresses of the unencrypted ones with its database. As a service this has so many flaws it's untrue.

    Flaw #1 it only works if your PC has wireless enabled.

    Flaw #2 it only works if your PC can see at least one unencrypted network.

    Flaw #3 It only works if that network is in Google's database.

    If you have firefox it's pretty easy to try. Give it a go and see if you get a location at all (from a quick straw poll at work it's very unlikely that you will) and if you do how accurate it is (of the two people who got a location one was in the wrong town, the other was in the wrong country). Now consider how likely this evil stalking hack is to work.

    We already know traditional Geolocation by IP is a non-starter. Geolocation by wireless MAC is also pretty useless ATM. So this nasty evil stalking tool is so unlikely to work that even the most desperate virgin dweeb is likely to get bored long before he finds a cute girl for whom it actually works.
