NEWS : Web attack knows where you live

BBC News - Web attack knows where you live

 

So right after the Google car comes down your street, everyone needs to run out and get a new router

 

No, just a baseball bat. For the Google Car.

 

To a point, yes, it's true.

Not many routers have GPS in them, the closest you can get to me is 10-20 miles, which is where my ISP's offices are located. Also, this assumes your wireless mac address is the same as your internet mac address, which is rarely true.

Is it a threat, yes, but a very remote one at the moment.

 

I think it's not about a GPS being inside the router but rather about your MAC address' coordinates being recorded by Google Spy Car (or whatever it's called) hence its GPS coordinates being available for wireless MAC address.
But I've never seen wireless MAC address being the same as Ethernet MAC address. The worst I saw (by that I mean "worst") is when USB has the same MAC as Ethernet- which is pretty obvious.
So it's not a real threat in my opinion but still thanks Tinderbox (UK) for bringing that up- it's interesting and possibly dangerous.

 

Exactly, I was going to explain it more, but it got ridiculously long so I tried to leave it kind of layman.

I totally agree, the whole MAC vs IP is a major issue with this whole idea. I get the idea, but it's just not realistic.

 

The MAC address in question is your wireless access point's BSSID, not your computer's MAC or the MAC address of your router's Internet facing interface.
BSSID's are very similar to MAC addresses in that they are both almost globally unique. If you had multiple access points with the same SSID, the BSSID would identify each individual device.
You can use inSSIDer, netsh, or other tools to see the BSSID of your access point. i.e. netsh wlan show networks mode=bssid in an administrative command prompt in Win7.

Assuming a wireless access point never moves very far, once Google finds the BSSID and it's approximate GPS coordinates, anyone with an API or application that can access Google's database can simply query that BSSID and get the associated GPS location.

All the attacker has to do is retrieve the BSSID of the access point you're associated to. With the BSSID, the attacker queries Google's database, gets the GPS coordinates, and punches it into Google maps or something to see where it's at.

Seems more than realistic to me, assuming this database of Google's is really open to the public. I did a quick search just now and didn't see how to get access to it. Apparently Google got a lot of heat when people found out they were mapping location of wireless access points. If you can, changing to BSSID of your access point might be a good idea.

 

It's not about that. Their idea is that a special "planted" website can make a request for your MAC (making it look like your PC did it) to your router.
Having gained your MAC address is crosschecks it with google database and that way knows your location. This way someone can know your exact location even if you just visit this special website.
And my and leslieann’s point was that BSSID MAC and Ethernet MAC are two different ones so if you visit this "special" website what they get is your Ethernet MAC which doesn't help at all while crosschecking it with BSSIDs from google database unless both are the same which is at least unlikely.

 

Didn't Google say they're purging the router data they "inadvertently" collected? Whether they do it or not is another story, but "do no evil" right?

IN OTHER NEWS: Yellow Pages knows where you live.
PAGE 2: You also posted it in your Facebook and MySpace accounts.

 

Perhaps I'm misunderstanding the article, but why would the attacker want the MAC of any interface on your computer when all that is needed to approximate your location is the location of the wireless access point (via BSSID and Google db)?

The computer associated to the AP is most likely going to be very close to the AP.

 

That's how I understand it. You can't get someone’s BSSID from anywhere in the world and if you do get a Google database of BSSIDs (coupled with MAC addresses and GPS data) you still don't know who is your target.
So in order to find your target you obtain its MAC address (routers MAC to be exact) and crosscheck it with Google database- hence you got the location. And again the problem I pointed out- Google records wireless MAC while the bogus website the Ethernet one- it's not the same in any router I know.

EDIT: Look here for a proof of concept.

EDIT 2: The script used to obtain your MAC gets filtered by NoSript even if you allow (in NoScript settings) scripts to be run on a given site. This type of XSS is so suspect that it gets filtered anyway (tested on FF 3.6.8 and NoScript 2.0 and my own router)

 

Wow good link. I just punched in the BSSID of one of the APs here at work and it took me straight to the building I'm in.
@ Lithus I guess Google isn't purging the data after all.

 

My wireless MAC got me to within 100m from my actual location too.
I wonder if this XSS query can actually gets wireless MAC instead of cable MAC. If it can you really need to get used to NoScript (even though it's annoying)

 

It got me too, though i had to give it my mac address , right on the outside edge of the circle though, I am not a happy bunny.

 

Does it know if you've been naughty or nice?

it didn't find me. Sorry, didn't find anything for..................

 

When I put in my routers external port mac address, it found nothing. When I put in my desktops mac address, it again found nothing.

My wireless mac was found, AFTER I manually entered it, but...
It placed it within, oh, 100meters, but the map is wrong (the town changed the plan without informing anyone) and even has me on the wrong street, granted my wireless probably reaches there.

The problem still though is that how do you get my wireless mac?
My desktop never touches the wireless mac, so it never sends it. In fact my wireless mac should not be getting broadcasted anywhere except over wireless. I assume this is where the poison page comes in.

It sounds to me like the test has to be performed on a target connecting through wireless and through a router that contains a hole. While it can work, I guess, what are the odds that the person you are after is on a wireless connection, is listed in Google, and on a router with a hole? That is a lot of prerequisites that need to be there.

 

I'm not sure if there's a whole in router's software needed. Wireless MAC shouldn't be broadcasted to computers not on your LAN so while it doesn't get send over the net it does get send to your computer, which coincidentally is on the net- one XSS script and your wireless MAC is known to whoever operates the bogus site.
So no whole in firmware needed. Wireless is very popular and as for the odds of being recorded by Google- so far 4 out of 5 of us in this thread have been found. It looks more plausible than it did at first glance if you ask me.

 

Maybe.

There is still an issue though.
If you just put up a page to get these, what use is it to you just having someone's mac address. You know nothing about these people other than the fact that they have wireless and live at such and such address. If you are targeting a specific person, you have to get that specific person and then sort through everyone who also visits.

It just seems a bit silly, worrisome, but also silly.

 

I admit it's not the most practical thing in the world but I'm afraid someone will make us of that. But as a concept it sounds really bad for ones privacy