
Spoofing WiFi Positioning (and the Boss)

The boss wants it both ways. On one hand, she doesn't like me hanging around the office, disrupting a normal, pleasant working environment. On the other hand, she wants to know where I am at all times -- right, like I'm going to tell.

Which is why she was delighted to learn a couple of months ago that Apple (she's a Mac kind of person) would be using a WiFi Positioning System (WPS) from Skyhook Wireless for Apple's mapping applications. The WPS database contains information on access points throughout the world, which means that I could run but not hide. But the boss apparently hasn't had the last word in all this, thanks to a team of researchers at ETH Zurich, the Swiss Federal Institute of Technology, who have pointed out security vulnerabilities in the Skyhook positioning system.

According to Srdjan Capkun and his team in their paper "iPhone and iPod Location Spoofing Attacks," when an Apple iPod or iPhone wants to find its position, it detects its neighboring access points and sends this information to Skyhook servers. The servers then return the access point locations to the device. Based on this data, the device computes its location. To attack this localization process, Capkun's team decided to use a dual approach.


  • First, access points from a known remote location were impersonated.
  • Second, signals sent by access points in the vicinity were eliminated by jamming.

These actions created the illusion in localized devices that their locations were different from their actual physical locations.

Skyhook's WPS works by requiring a device to report the Media Access Control (MAC) addresses that it detects. However, a rogue access point can forge its MAC address, so legitimate access points are easy to impersonate. Furthermore, access point signals can be jammed, which eliminates the signals from access points in the vicinity of the device. These two actions make location spoofing attacks possible.
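A client-side plausibility check for the lookup flow described above, as an added example that is not from the article or the ETH Zurich paper. The coordinates, thresholds, function names and the centroid estimate are assumptions made for illustration; the check only flags two symptoms of a spoofed fix and does not authenticate access points.

```python
import math

EARTH_RADIUS_M = 6_371_000
MAX_AP_SPREAD_M = 500   # assumed: APs heard in one scan sit within WiFi range of each other
MAX_SPEED_MPS = 70      # assumed ceiling (~250 km/h) for movement between two fixes


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def check_fix(ap_positions, last_fix=None, elapsed_s=None):
    """Estimate a position from returned AP locations and list reasons to distrust it."""
    if not ap_positions:
        return None, ["no_access_points"]
    reasons = []
    # Symptom 1: impersonated remote APs mixed with genuine local ones.
    spread = max(haversine_m(p, q) for p in ap_positions for q in ap_positions)
    if spread > MAX_AP_SPREAD_M:
        reasons.append("ap_spread")
    # Stand-in estimate: plain centroid (the article does not say how the device computes it).
    lats, lons = zip(*ap_positions)
    estimate = (sum(lats) / len(lats), sum(lons) / len(lons))
    # Symptom 2: local APs jammed, so only remote ones are heard and the fix "teleports".
    if last_fix is not None and elapsed_s:
        if haversine_m(last_fix, estimate) / elapsed_s > MAX_SPEED_MPS:
            reasons.append("implied_speed")
    return estimate, reasons


# Constructed sample data: coordinates near Zurich and New York, not real AP records.
LOCAL_APS = [(47.3769, 8.5417), (47.3772, 8.5421), (47.3766, 8.5413)]
REMOTE_APS = [(40.7128, -74.0060), (40.7130, -74.0063), (40.7126, -74.0057)]
LAST_FIX = (47.3770, 8.5418)

if __name__ == "__main__":
    print(check_fix(LOCAL_APS, LAST_FIX, 60))          # consistent scan, no reasons
    print(check_fix(LOCAL_APS[:2] + REMOTE_APS[:1]))   # mixed scan
    print(check_fix(REMOTE_APS, LAST_FIX, 60))         # remote-only scan after a local fix
```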

In demonstrating these attacks, Capkun and his team hoped to point out the limitations, despite guarantees, of public WLAN-based localization services as well as of applications for such services. He adds that "Given the relative simplicity of the performed attacks, it is clear that the use of WLAN-based public localization systems, such as Skyhook's WPS, should be restricted in security and safety-critical applications."

As for the boss, for the time being she will just have to take my word that I really am at that press conference and not hanging out at the Java Dive.