Attacks/Breaches
1/6/2010
03:38 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Hack Pinpoints Victim's Physical Location

'Samy worm' writer publishes proof-of-concept that gleans home router GPS coordinates

Samy might know where you live: Samy Kamkar, the hacker who spread the massive MySpace worm in 2005, has published a proof-of-concept attack that identifies a victim's geographic location via his home router.

Kamkar says it all started when he found a cross-site scripting (XSS) bug in a Verizon FiOS wireless router, which allowed him to grab the browser's MAC address and then map it to the GPS coordinates via Google Location Services. The attack works on any browser and doesn't rely on browser-based geolocation features.

"The interesting bit is I'm not piggybacking off of the browser's geolocation feature. I simply reimplemented the feature as a server-side tool," Kamkar says. "This way if I can obtain the user's router's MAC address in any way, regardless of browser, nationality, or age, I can typically determine their location and show up at their place with pizza and beer later that night."

His PoC is based on an XSS flaw in the Verizon FiOS router, but Kamkar says the same method would work with any other router with a XSS vulnerability. For the attack to work, the victim must be logged into her router and have visited a malicious or infected Website loaded with the XSS exploit. The attacker then gleans the victim's router's MAC address via Ajax and maps it to her GPS coordinates via Google Location Services.

"Samy has proved that [by] utilizing bad programming practices within routers, he can utilize that information through indirect means, like identifying your physical location," says Robert "RSnake" Hansen, CEO of SecTheory. "The browsers themselves are being used against the user, which is a known technique, but he has certainly put a creative spin on how that can be used by an attacker."

Hansen says exploiting an XSS on a home router can allow some other invasive attacks, as well, including altering the firmware and rerouting the traffic to a malicious router.

Kamkar -- best known for the Samy worm he unleashed six years ago on MySpace, which made him more than 1 million "friends" in less than 24 hours and disrupted service on the site -- says the underlying weakness he's demonstrating in this latest hack is the XSS vulnerabilities in the router: "Privacy zealots may also think the Google Location Services is a bit too extreme, but someone's going to have a database like this one way or another," he says.

The XSS could also be used to reroute DNS settings on the victim's end, he says, to divert traffic from the victim to his bank's site, for instance. "I can then divert any host name-based traffic to locations of my choice -- for example, sending DNS requests for 'bankofamerica.com' to my own IP address/Website, which we'll just call 'Bank of Samy' or simply proxy all traffic, becoming a man-in-the-middle [and] reading their email and chatting in place of them with their significant others," Kamkar says.

He says the crux of the problem is that security isn't part of the equation in router software. "It's probably assumed that because the router sits on your local network and isn't accessible from the outside world, it's safer," he says. "However, the fact is we can easily trick a user's Web browser to launch the attack for us."

Kamkar, who is also a co-founder of a VoIP company, says he alerted Verizon about the vulnerability. He says users should change default passwords when they configure their home routers and shouldn't remain logged into their router administrative interface unless they need to be.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7407
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2014-3675
Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

CVE-2014-3676
Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

CVE-2014-3677
Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

CVE-2014-4448
Published: 2014-10-22
House Arrest in Apple iOS before 8.1 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information from a Documents directory by obtaining this UID.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.