August 3, 2010
Booby Trap Can Show Your Router Location
A security expert has shown that one visit to a booby-trapped website could direct attackers to a person's home.
The attack exploits shortcomings in many routers to try to find out a key identification number. It uses this number along with Internet applications to determine where a router is located.
Hacker Samy Kamkar demonstrated the attack by locating one router to within roughly 21 feet of its real-world position.
Many people go online through a router and only the computer directly connected to the device can interrogate it for ID information.
However, Kamkar, who created the attack, found a way to booby-trap a webpage through a browser so the request for the ID information looks like it is coming from the computer connected to the device.
He then coupled the MAC address with a geo-location feature of the Firefox web browser. This queries a Google database created when its cars were carrying out surveys for its Street View service.
This database links MAC addresses of routers with GPS co-ordinates to help locate them.
Kamkar showed how straightforward it was to use the attack to find someone's location within a few feet.
"This is geo-location gone terrible," said Mr Kamkar during his presentation. "Privacy is dead, people. I'm sorry."
Mikko Hypponen, senior researcher at security firm F-Secure, attended the presentation and told BBC News that it was "very interesting research."
"The thought that someone, somewhere on the net can find where you are is pretty creepy," he said.
"Scenarios where an attack like this would be used would be stalking or targeted attacks against an individual," he added.
"The fact that databases like Google Streetview's MAC-to-Location database or the Skyhook database can be used in these attacks just underlines how much responsibility companies that collect such data have to safeguard it correctly," said Hypponen.
Kamkar showed off the attack during a presentation at the Black Hat hacker conference. In 2005, Kamkar created a worm that exploited security failings in web browsers to help gather over one million "friends" on the MySpace social network in a day.
Kamkar was prosecuted for the hack and given three years' probation. He also was banned from using the Internet for personal purposes for an undisclosed amount of time.