Web Attack Uses Google Geolocation Database to Identify Address of Routers
August 4th, 2010First of all, as usual with stories like this, I have to refer back to my old essay that deals with the Ugly Truth About Online Anonymity.
Second, this hack isn’t new. See the Skyhook Wireless antics, circa 2008.
Third, the article below doesn’t make it clear, but this will only reveal your exact location if you’re using a wi-fi router that is in Google’s location services database.
So, yes, “Privacy is dead, people,” like the man says, but it’s not because of this. This is just another blunt blow of the rubber hose on the lifeless body of privacy.
Via: BBC:
One visit to a booby-trapped website could direct attackers to a person’s home, a security expert has shown.
The attack, thought up by hacker Samy Kamkar, exploits shortcomings in many routers to find out a key identification number.
It uses this number and widely available net tools to find out where a router is located.
Demonstrating the attack, Mr Kamkar located one router to within nine metres of its real world position.
‘Creepy’ attack
Many people go online via a router and typically only the computer directly connected to the device can interrogate it for ID information.
However, Mr Kamkar found a way to booby-trap a webpage via a browser so the request for the ID information looks like it is coming from the PC on which that page is being viewed.
He then coupled the ID information, known as a MAC address, with a geo-location feature of the Firefox web browser. This interrogates a Google database created when its cars were carrying out surveys for its Street View service.
This database links Mac addresses of routers with GPS co-ordinates to help locate them. During the demonstration, Mr Kamkar showed how straightforward it was to use the attack to identify someone’s location to within a few metres.
“This is geo-location gone terrible,” said Mr Kamkar during his presentation. “Privacy is dead, people. I’m sorry.”
Research Credit: GP
