14 DAY TRIAL // A computer hacker revealed how Google's Street View data can be abused to pinpoint someone's physical location without relying on IP address information. The attack exploits a variety of security issues and loopholes in otherwise legitimate services and systems.
The new technique was demoed last week at the Black Hat technical conference in Las Vegas by computer hacker and Web security researcher Samy Kamkar. Dubbed “How I Met Your Girlfriend,” Kamkar's presentation revealed how someone's location can be determined by searching their router's MAC address against data gathered by Google's Street View program.
In order to initiate the attack, the target needs to be tricked into visiting a specially crafted Web page set up by the attacker. The malicious site loads JavaScript code which tries to determine the type of wireless router used by the victim. This is done by iterating through a series of default router Web interface addresses corresponding to different models and checking if they were visited by their browser.
Once the model has been determined, another piece of JavaScript attempts to login with default credentials and access a router status page which lists the MAC address of the wireless controller. However, according to the hacker, in many cases logging in is not even necessary.
Once the MAC address has been grabbed, the attacker uses it to formulate a request to the Google Geolocation API. Data on wireless access points, called wifi_towers in the API, is gathered from all across US and other countries by the Google Street View cars. The location of these towers, which include wireless home routers, can be retrieved by searching for their corresponding MAC address (unique identifiers for networking equipment).
Kamkar's demo focused on finding the location of american actress Anna Faris. “This is how accurate this is […]. I took Anna Faris' location [determined via the exploitation] and I compared it to the actual address. Driving directions to Casa de Faris [...]. I looked over at the router. It was 30 feet away,” the hacker told his audience.
Most people probably know Samy Kamkar for his brush with the law. In 2007, without realizing its full potential, Kamkar released an XSS worm on MySpace. Technically known as JS.Spacehero, but regularly referred to as Samy, the worm became one of the fastest spreading threats in history and earned the hacker 90 days of community service and three years of probation.
You can follow the editor on Twitter @lconstantin