03:38 PM
Connect Directly

Hack Pinpoints Victim's Physical Location

'Samy worm' writer publishes proof-of-concept that gleans home router GPS coordinates

Samy might know where you live: Samy Kamkar, the hacker who spread the massive MySpace worm in 2005, has published a proof-of-concept attack that identifies a victim's geographic location via his home router.

Kamkar says it all started when he found a cross-site scripting (XSS) bug in a Verizon FiOS wireless router, which allowed him to grab the browser's MAC address and then map it to the GPS coordinates via Google Location Services. The attack works on any browser and doesn't rely on browser-based geolocation features.

"The interesting bit is I'm not piggybacking off of the browser's geolocation feature. I simply reimplemented the feature as a server-side tool," Kamkar says. "This way if I can obtain the user's router's MAC address in any way, regardless of browser, nationality, or age, I can typically determine their location and show up at their place with pizza and beer later that night."

His PoC is based on an XSS flaw in the Verizon FiOS router, but Kamkar says the same method would work with any other router with a XSS vulnerability. For the attack to work, the victim must be logged into her router and have visited a malicious or infected Website loaded with the XSS exploit. The attacker then gleans the victim's router's MAC address via Ajax and maps it to her GPS coordinates via Google Location Services.

"Samy has proved that [by] utilizing bad programming practices within routers, he can utilize that information through indirect means, like identifying your physical location," says Robert "RSnake" Hansen, CEO of SecTheory. "The browsers themselves are being used against the user, which is a known technique, but he has certainly put a creative spin on how that can be used by an attacker."

Hansen says exploiting an XSS on a home router can allow some other invasive attacks, as well, including altering the firmware and rerouting the traffic to a malicious router.

Kamkar -- best known for the Samy worm he unleashed six years ago on MySpace, which made him more than 1 million "friends" in less than 24 hours and disrupted service on the site -- says the underlying weakness he's demonstrating in this latest hack is the XSS vulnerabilities in the router: "Privacy zealots may also think the Google Location Services is a bit too extreme, but someone's going to have a database like this one way or another," he says.

The XSS could also be used to reroute DNS settings on the victim's end, he says, to divert traffic from the victim to his bank's site, for instance. "I can then divert any host name-based traffic to locations of my choice -- for example, sending DNS requests for '' to my own IP address/Website, which we'll just call 'Bank of Samy' or simply proxy all traffic, becoming a man-in-the-middle [and] reading their email and chatting in place of them with their significant others," Kamkar says.

He says the crux of the problem is that security isn't part of the equation in router software. "It's probably assumed that because the router sits on your local network and isn't accessible from the outside world, it's safer," he says. "However, the fact is we can easily trick a user's Web browser to launch the attack for us."

Kamkar, who is also a co-founder of a VoIP company, says he alerted Verizon about the vulnerability. He says users should change default passwords when they configure their home routers and shouldn't remain logged into their router administrative interface unless they need to be.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
According to industry estimates, about a million new IT security jobs will be created in the next two years but there aren't enough skilled professionals to fill them. On top of that, there isn't necessarily a clear path to a career in security. Dark Reading Executive Editor Kelly Jackson Higgins hosts guests Carson Sweet, co-founder and CTO of CloudPassage, which published a shocking study of the security gap in top US undergrad computer science programs, and Rodney Petersen, head of NIST's new National Initiative for Cybersecurity Education.