Attacks/Breaches
1/6/2010
03:38 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Hack Pinpoints Victim's Physical Location

'Samy worm' writer publishes proof-of-concept that gleans home router GPS coordinates

Samy might know where you live: Samy Kamkar, the hacker who spread the massive MySpace worm in 2005, has published a proof-of-concept attack that identifies a victim's geographic location via his home router.

Kamkar says it all started when he found a cross-site scripting (XSS) bug in a Verizon FiOS wireless router, which allowed him to grab the browser's MAC address and then map it to the GPS coordinates via Google Location Services. The attack works on any browser and doesn't rely on browser-based geolocation features.

"The interesting bit is I'm not piggybacking off of the browser's geolocation feature. I simply reimplemented the feature as a server-side tool," Kamkar says. "This way if I can obtain the user's router's MAC address in any way, regardless of browser, nationality, or age, I can typically determine their location and show up at their place with pizza and beer later that night."

His PoC is based on an XSS flaw in the Verizon FiOS router, but Kamkar says the same method would work with any other router with a XSS vulnerability. For the attack to work, the victim must be logged into her router and have visited a malicious or infected Website loaded with the XSS exploit. The attacker then gleans the victim's router's MAC address via Ajax and maps it to her GPS coordinates via Google Location Services.

"Samy has proved that [by] utilizing bad programming practices within routers, he can utilize that information through indirect means, like identifying your physical location," says Robert "RSnake" Hansen, CEO of SecTheory. "The browsers themselves are being used against the user, which is a known technique, but he has certainly put a creative spin on how that can be used by an attacker."

Hansen says exploiting an XSS on a home router can allow some other invasive attacks, as well, including altering the firmware and rerouting the traffic to a malicious router.

Kamkar -- best known for the Samy worm he unleashed six years ago on MySpace, which made him more than 1 million "friends" in less than 24 hours and disrupted service on the site -- says the underlying weakness he's demonstrating in this latest hack is the XSS vulnerabilities in the router: "Privacy zealots may also think the Google Location Services is a bit too extreme, but someone's going to have a database like this one way or another," he says.

The XSS could also be used to reroute DNS settings on the victim's end, he says, to divert traffic from the victim to his bank's site, for instance. "I can then divert any host name-based traffic to locations of my choice -- for example, sending DNS requests for 'bankofamerica.com' to my own IP address/Website, which we'll just call 'Bank of Samy' or simply proxy all traffic, becoming a man-in-the-middle [and] reading their email and chatting in place of them with their significant others," Kamkar says.

He says the crux of the problem is that security isn't part of the equation in router software. "It's probably assumed that because the router sits on your local network and isn't accessible from the outside world, it's safer," he says. "However, the fact is we can easily trick a user's Web browser to launch the attack for us."

Kamkar, who is also a co-founder of a VoIP company, says he alerted Verizon about the vulnerability. He says users should change default passwords when they configure their home routers and shouldn't remain logged into their router administrative interface unless they need to be.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-0460
Published: 2014-04-16
The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map.

CVE-2011-0993
Published: 2014-04-16
SUSE Lifecycle Management Server before 1.1 uses world readable postgres credentials, which allows local users to obtain sensitive information via unspecified vectors.

CVE-2011-3180
Published: 2014-04-16
kiwi before 4.98.08, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands via shell metacharacters in the path of an overlay file, related to chown.

CVE-2011-4089
Published: 2014-04-16
The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.

CVE-2011-4192
Published: 2014-04-16
kiwi before 4.85.1, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands as demonstrated by "double quotes in kiwi_oemtitle of .profile."

Best of the Web