August 19, 2010

Hack Uses Geolocation to Pinpoint Your Location

In one of the simpler yet more clever attacks I’ve seen this year, at BlackHat and Defcon, Samy Kamkar (author of the 2005 Samy MySpace worm) showed how JavaScript and geolocation could be used to more or less pinpoint a user’s location, an attack Samy dubbed ‘XXXSS’.

The attack works by using JavaScript to obtain the MAC address (a unique hardware identifier) of the victim’s network router or gateway, and then submitting it to Google’s Geolocation service to obtain the coordinates.

Google’s Geolocation service is based on wireless data sniffed by its mindless drone army fleet of Street View cars. As well as taking pictures of your house, the cars record the MAC addresses of local broadcasting Wi-Fi routers. Samy uses JavaScript to log in to the victim’s local wireless router, using the default credentials (if these are still set), in order to extract the device’s MAC address.

One example of Samy’s initial JavaScript, which detects the local router make/model, is as follows:

<iframe style="visibility:hidden" onload="alert('detected Belkin')" src=""></iframe>

If the local network IP and path load successfully, the script has detected the router (in this instance, a Belkin) and can move on to the next part of the attack. It essentially uses JavaScript as a boolean check by attempting to load known local-network addresses. After this, another script attempts to log in to the router’s administrative console using the default credentials (e.g. admin/admin). The purpose of this is to get access to the page which lists the MAC address of the router. In one example Samy shows how he uses an XSS in Verizon’s FiOS router to perform an Ajax request.

Moral of the story:

  1. Routers and other embedded devices are worthy of software updates too
  2. Always change default credentials
  3. Consider changing the IP address of your router to something other than the default
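
A defender-side check for the probing step described above, as an added example that is not from the original post or from Samy’s talk: it scans a page’s markup and reports URL attributes that point a publicly served page at private-network addresses. The function names, the sample markup and the addresses in it are constructed for illustration.

```javascript
// Added example: function names and sample data are constructed, not from the post.

// Return true if host is an IPv4 literal in a private, loopback or link-local range.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const [a, b, c, d] = m.slice(1).map(Number);
  if ([a, b, c, d].some((n) => n > 255)) return false;
  return (
    a === 10 ||
    a === 127 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254)
  );
}

// Scan HTML for the first src/href/action attribute of each tag and report those
// that resolve to a private address while the page itself is on a public host.
function findPrivateNetworkLoads(pageUrl, html) {
  const page = new URL(pageUrl);
  if (isPrivateIPv4(page.hostname) || page.hostname === "localhost") return [];
  const findings = [];
  const attr = /<(\w+)\b[^>]*?\b(src|href|action)\s*=\s*["']([^"']+)["']/gi;
  for (const [, tag, name, value] of html.matchAll(attr)) {
    let target;
    try {
      target = new URL(value, page); // resolves relative URLs against the page
    } catch {
      continue; // unparsable URL, nothing to classify
    }
    if (!/^https?:$/.test(target.protocol)) continue;
    if (isPrivateIPv4(target.hostname) || target.hostname === "localhost") {
      findings.push({ tag: tag.toLowerCase(), attribute: name, url: target.href });
    }
  }
  return findings;
}

// Constructed sample page: the addresses and paths are placeholders.
const samplePage = `
  <img src="/logo.png">
  <iframe style="visibility:hidden" src="http://192.168.0.1/placeholder.gif"></iframe>
  <script src="https://cdn.example.com/app.js"></script>
  <form action="http://10.0.0.1/login" method="post"></form>
  <a href="http://172.32.0.1/">public address, outside 172.16.0.0/12</a>
`;
console.log(findPrivateNetworkLoads("https://blog.example.com/post", samplePage));
```

The same classification can be applied to proxy or browser telemetry by feeding it the page URL and each subresource URL instead of raw markup.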

Here are the slides, and video of Samy’s talk below. Worth a watch.

[Updated] Attack Vector has a good post (including Perl script) on BSSID Geolocation.
