Oct 6, 2010
Where in the world are you?
I was tipped off about this interesting little ‘utility’ today.
Now, I don’t know much about the author (other than being able to see something of his social graph) and anything you do, or any information you provide, via that link is at your own risk.
But two things made me sit up and take notice. One being that it pinpointed my current position exactly, working on a laptop, via Wi-Fi, in my kitchen. No IP address, GPS or mobile mast triangulation involved. Simply by (taking Samy’s explanation at face value) accessing my router and looking up its address on a database of routers and their physical locations. My router is password-protected, in case you were wondering. Secondly, because a number of people I rate as being well informed about this sort of identification issue also seemed surprised by its capability.
And what, I hear you cry, is that database of routers and where they are? I don’t know, but one suggestion has come in from @exmosis who offers these suggestions on how this positioning function works. Read past the bit on mobile phones – it’s the bit at the end that might be relevant. Is this Skyhook outfit something to do with it? Have they been driving round East Surrey sniffing for router locations and addresses? Seems hard to comprehend that something could have happened on this scale without a word of it coming to my attention until now.
Regardless of whatever method is being used, the implication is clear. A malevolent site could covertly hold such code: one click, and your precise location could be transmitted without you knowing.
It rather makes location self-disclosure via Foursquare, Gowalla, Places etc. pale into insignificance, in my book.
Wham: pinpointed
Yes – Skyhook did wardrive surrey – and most of the rest of the country! Also iPhone (& iPod – no GPS) use Skyhook for Wifi and celltower position, and help self heal their database as they spot out of place routers.
Yes, Skyhook did wardrive Surrey, the rest of the UK and other countries, they do provide non-GPS location enhancing services for iPhone and iPod (no GPS) and developers who want to work with their API. Oh and the iOS devices help self heal the database, passing back info on out-of-place routers…consider yourself located!
Says i’m off the coast of africa, at 0,0. Only seems to work in the first world.
“one click, and your precise location could be transmitted without you knowing.” … only if your router a) has a great big gaping security hole, in the form of a publicly known XSS vulnerability, and b) the malicious site correctly guesses which vulnerable router you have, and c) the malicious site correctly guesses the IP of your router. It also has to get the right combination of b and c of course.
Considering it says “I then take the MAC address and send it along to Google Location Services.” I think we can safely presume most of that database was cooked up when Street View was going around saving wifi mac addresses.
Also, I don’t think this has anything to do with Skyhook – the database of WiFi router’s mac addresses used here is the one Google collected while doing streetview stuff.
Paul – for what it’s worth, it looks to me as if this utility is doing nothing more than a reverse IP lookup – innocuous technology that has been publicly available since the creation of the Internet. Details below (*).
All the stuff on samy’s page about XSS exploits, router databases etc. is – as far as I can make out – a load of codswallop (technical term).
Reverse IP lookup is a widely used tool that enables a web site to know where the visitor is geographically located. The information can be used in good ways or in bad ways, depending on the intentions of the web site owner. Examples of good: Amazon switches to French when you connect from Paris (annoying though if you don’t speak French); Google Analytics tells you where in the world your web site visitors are located.
I actually use reverse IP lookup on my clients’ ecommerce sites, because it can help them detect fraudulent transactions – for example, a buyer enters their credit card address as Miami, but reverse IP lookup puts them in St Petersburg!
Accuracy of the service depends on the requester’s location. For built-up areas it is generally poor (1 to 5 miles depending on the service), due to the high density of local network addresses, but for rural areas it can definitely be pin-point accurate down to tens of yards.
So there is really nothing to be worried about – or if you ARE worried about samy’s page, then you should also be worried about the thousands of mainstream web sites that are also tracking your geographical location. Ebay, Google, Amazon, Flickr, Facebook, Twittr… They all do it, all the time, whether or not you know it, even if you switch off the geolocation “feature” on your profile.
The only surefire way to keep your location confidential is to do all your browsing through anonymous proxy servers, which of course is technically difficult for most “normal” Internet users. It can also have legal ramifications in certain countries.
Bottom line – you should assume that your IP address is to all intents and purposes public whenever you are browsing, and that any web site you visit can determine your geolocation to within a couple of miles. Whether or not this information is used “malevolently” is another question entirely – and with that in mind it is essential to password protect your router and to use a good firewall on each computer on your network (e.g. Zone Alarm).
(*) How does reverse IP lookup work? Any time someone requests a web page, the IP address of their computer (or router if they are on a firewalled network) is sent to the web site, as an integral part of the request. Without this IP address, the web server would not know where to send the requested page.
Based on the IP address, there are many readily available “reverse lookup” scripts that convert an IP address to a more or less accurate latitude/longitude pair. These scripts work using publicly available information about Internet structure, i.e. databases that enable internet traffic (data packets) to be routed correctly.
OK….so is the MAC address personally identifiable data? It sure feels as if it is. So can we do a subject access request? Not if its Skyhook, because they’re US-based with no apparent UK subsidiary. But yes if it’s Google. (No idea what happens if you do a SAR on Google BTW. If they send it on paper like Orange do they’ll need a large lorry). And, either way (Google or Skyhook) is this legal?
Possibly not. I suspect it turns on what other reference sources might link the address to the person. @nevali suggested the useful comparison of a postal address visible from the street. Clearly you have to make it visible so that visitors can find you (and likewise so that your laptop can detect the network), but the look-up table (e.g. the electoral roll) is where we build some safeguards. I say ‘some’ safeguards, as the protective wall here is leaky – to those with time to spare (rooting through hard copy books at the library) or money (via any number of resellers who will sell you the lookup) it can be found. But we have got some friction in this system, as an offset to the speed and reach that the internet would otherwise bring. AFAIK there is no publicly available free internet search available that will tell me who lives at a particular address or vice versa. If anyone knows of one, I’d love to hear.
So the question perhaps becomes “if triangulation of a person’s physical location is becoming ever more prevalent, should we be putting yet greater protection around the sources that link the location to the person?”
OK well I asked my serious geek mates at FIPR what they thought. So far it hasnt even nearly worked for four out of four of them. Has it been disabled do you think?
As someone who works in data protection, I find this quite alarming. The address of someone’s router is (in my opinion at least) personal data, because it probably wouldn’t be difficult to match it up with other data, such as the electoral roll, and identify an individual.
It’d be interesting to know more about this company. If they’re ‘processing’ data in the UK, which they clearly are, they should be on the Information Commissioner’s public register…I will have a look and report back later.
The exploit implies that there’s a database of geocoded routers. That’s not strictly correct. There’s a database of geocoded public wifi access points, some of which also routers. In the exploit it looks like they’re utilising Google’s location API, some of which was collected during war-driving for Street View, some of which (if I recall correctly) is backed up with other WPS sources for where Street View coverage is incomplete or missing.
The fact that there’s a database of geocoded wifi access points isn’t alarming at all. It’s part of the A-GPS system which uses GPS, WPS and cell tower triangulation. It’s what drove Google Maps on the iPhone before the iPhone 3 added GPS and what still drives Google Maps on the iPad, which doesn’t have GPS. It’s also what drives the W3C geolocation API.
What is alarming is that all the safe-guards and opt-ins (either implied or explicit) can be circumvented without the user’s knowledge and permission.
But this is still a proof of concept .. it needs a very specific set of circumstances to be utilised … a vulnerable wifi access point, being logged into the access point’s administration console.
For now, this isn’t usable on a wide scale. Yet. But it does show that as any technology becomes mainstream, it comes under the scrutiny of those who would subvert and abuse it.
Shameless plug: thanks to Paul noticing this and writing about it, I’ve just posted another take on the issue of geolocation abuse, including this XSS vulnerability – http://vtny.org/C9
I don’t think so. I guess they just have better protection and/or unmapped routers!
Louise … the “address” of your wifi router isn’t your street address and it can’t be considered personal data. The address of your (wifi enabled) router is merely a number which identifies that piece of hardware. What’s being stored in WPS systems isn’t the geocoded address of your house, it’s the geocoded location at which the signal from your wifi access point was recorded, together with the signal strength. This is very different from a postal address.
If you were to take the stance that this (hardware MAC) address were to be personal information you’d probably have to turn off anything that broadcasts over the radio spectrum … your wifi access point, your mobile phone, your CB radio, your walkie-talkie, your HAM radio … the list goes on an on.
While the “address” of a wifi router sounds alarming, it isn’t. It’s just a case of conflicting terminology. Wifi address doesn’t equal hardware MAC address doesn’t equal street address … it’s just that address in this context is being used for multiple (conflicting) purposes in this case.
Rob — reverse IP lookups aren’t that accurate. In a previous work life we used reverse IP for geolocation. In the US it’s relatively accurate to around the district level due to the way in which IP addresses are allocated. In the UK it’s pretty much useless below country level with any usable degree of accuracy.
Reverse IP for country level web blocking? Yes. For the level of accuracy that the XSS exploit uses? No.
Paul — Even if you “hide” your access point by removing the SSID, it still broadcasts the MAC address. This is fundamentally part of how wifi works. You’d need to know your SSID to connect but the broadcast still takes place and is still capable of being detected and added to a WPS database, SkyHook or Google or whoever.