Kamkar says it all started when he found a cross-site scripting (XSS) bug in a Verizon FiOS wireless router, which allowed him to grab the browser's MAC address and then map it to the GPS coordinates via Google Location Services. The attack works on any browser and doesn't rely on browser-based geolocation features.
"The interesting bit is I'm not piggybacking off of the browser's geolocation feature. I simply reimplemented the feature as a server-side tool," Kamkar says. "This way if I can obtain the user's router's MAC address in any way, regardless of browser, nationality, or age, I can typically determine their location and show up at their place with pizza and beer later that night."
His PoC is based on an XSS flaw in the Verizon FiOS router, but Kamkar says the same method would work with any other router with a XSS vulnerability. For the attack to work, the victim must be logged into her router and have visited a malicious or infected Website loaded with the XSS exploit. The attacker then gleans the victim's router's MAC address via Ajax and maps it to her GPS coordinates via Google Location Services.
"Samy has proved that [by] utilizing bad programming practices within routers, he can utilize that information through indirect means, like identifying your physical location," says Robert "RSnake" Hansen, CEO of SecTheory. "The browsers themselves are being used against the user, which is a known technique, but he has certainly put a creative spin on how that can be used by an attacker."
Hansen says exploiting an XSS on a home router can allow some other invasive attacks, as well, including altering the firmware and rerouting the traffic to a malicious router.
Kamkar -- best known for the Samy worm he unleashed six years ago on MySpace, which made him more than 1 million "friends" in less than 24 hours and disrupted service on the site -- says the underlying weakness he's demonstrating in this latest hack is the XSS vulnerabilities in the router: "Privacy zealots may also think the Google Location Services is a bit too extreme, but someone's going to have a database like this one way or another," he says.
The XSS could also be used to reroute DNS settings on the victim's end, he says, to divert traffic from the victim to his bank's site, for instance. "I can then divert any host name-based traffic to locations of my choice -- for example, sending DNS requests for 'bankofamerica.com' to my own IP address/Website, which we'll just call 'Bank of Samy' or simply proxy all traffic, becoming a man-in-the-middle [and] reading their email and chatting in place of them with their significant others," Kamkar says.
He says the crux of the problem is that security isn't part of the equation in router software. "It's probably assumed that because the router sits on your local network and isn't accessible from the outside world, it's safer," he says. "However, the fact is we can easily trick a user's Web browser to launch the attack for us."
Kamkar, who is also a co-founder of a VoIP company, says he alerted Verizon about the vulnerability. He says users should change default passwords when they configure their home routers and shouldn't remain logged into their router administrative interface unless they need to be.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.