Thursday hacking adventures: XXXSS and Creepy Geolocation

Is it possible to geolocate someone without their permission? I enjoy not having a 7th period so I can sit in front of my computer and reinforce my perpetual virginity by answering these kinds of questions.

A couple of years back, Samy Kamkar gave an excellent talk at DEFCON 18 about using triple-XSS to trick a user into hacking into their own router, and then using the acquired router BSSID to fetch its location via Google Maps' Geolocation API (thanks, Street View!).

He didn’t release his code, but lots of people put together a bunch of scripts to achieve BSSID-based geolocation. Unfortunately those scripts no longer work, as Google and Skyhook have updated their APIs to use different GET requests.

At least geolocation still works legitimately in Firefox…

Thankfully, Firefox makes its low-level HTTPS processing code available, which means we can tamper with it!

We see that the decrypted GET request is formatted like this:

URL=https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true&wifi=mac:00-14-bf-28-80-69%7Cssid:10160%7Css:-26&wifi=mac:00-26-50-38-ca-11%7Cssid:2WIRE084%7Css:-69&wifi=mac:34-ef-44-7c-0e-b1%7Cssid:2WIRE202%7Css:-70&wifi=mac:00-1f-b3-64-b3-f1%7Cssid:2WIRE605%7Css:-74&wifi=mac:00-26-50-e3-1f-81%7Cssid:2WIRE137%7Css:-79&wifi=mac:00-1d-5a-ef-4d-b9%7Cssid:2WIRE495%7Css:-81&wifi=mac:c0-83-0a-69-c4-b9%7Cssid:2WIRE431%7Css:-81&wifi=mac:30-46-9a-43-3d-71%7Cssid:MacAdamN%7Css:-84&wifi=mac:64-0f-28-bf-e2-91%7Cssid:2WIRE552%7Css:-86&wifi=mac:00-14-d1-cd-a4-88%7Cssid:TRENDnet637%7Css:-86&wifi=mac:00-23-5e-b0-70-90%7Cssid:AppleWiFi%7Css:-86&wifi=mac:00-23-5e-af-39-a0%7Cssid:AppleWiFi%7Css:-86&wifi=mac:00-1d-d1-55-0d-90%7Cssid:HOME-0D92%7Css:-88

Evidently, this works by scanning for nearby wireless networks and sending their MAC addresses (BSSIDs), along with SSID and signal strength, to the API.

The request returns a JSON object.

Plugging these coordinates into Google Maps, we see some pretty scary shit indeed.

I did some tinkering with the URL, and it turns out that we don’t need too much information about the router SSID or signal strength, but we need to have at least one other MAC address before we can get a good location (providing just 1 MAC gives us a terrible estimate, about as good as regular IP address geolocation). Here is a much more concise request that gives pretty much the same result:

URL=https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true&wifi=mac:00-14-bf-28-80-69&wifi=mac:00-26-50-38-ca-11
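As an added illustration (my code, not anything from the original post), here is a small Python parser for the wifi= parameters in both requests above. It makes plain what one legitimate geolocation request discloses about the client: each nearby access point's BSSID, SSID and signal strength, or only the BSSIDs in the concise form. The sample inputs are an excerpt of the full request and the concise request exactly as shown; the strongest-first ordering is my addition.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Six hex octets separated by '-', the MAC form seen in the Firefox request.
MAC_RE = re.compile(r"^[0-9a-f]{2}(-[0-9a-f]{2}){5}$", re.IGNORECASE)

# Excerpt of the decrypted request shown above: its first 3 of 13 wifi= entries.
FULL_EXCERPT = (
    "https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true"
    "&wifi=mac:00-14-bf-28-80-69%7Cssid:10160%7Css:-26"
    "&wifi=mac:00-26-50-38-ca-11%7Cssid:2WIRE084%7Css:-69"
    "&wifi=mac:34-ef-44-7c-0e-b1%7Cssid:2WIRE202%7Css:-70"
)
# The concise request from the post: BSSIDs only, no SSID or signal strength.
CONCISE = (
    "https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true"
    "&wifi=mac:00-14-bf-28-80-69&wifi=mac:00-26-50-38-ca-11"
)

def parse_wifi_params(url):
    """Return one {'mac', 'ssid', 'ss'} dict per wifi= parameter, in request order.

    A wifi= value is 'key:value' fields joined by '|' (sent percent-encoded as
    %7C); parse_qs decodes that for us. Fields the request omits stay None.
    Limitation: an SSID containing '|' would be split, since the format itself
    does not escape it.
    """
    aps = []
    for raw in parse_qs(urlsplit(url).query).get("wifi", []):
        ap = {"mac": None, "ssid": None, "ss": None}
        for field in raw.split("|"):
            key, sep, value = field.partition(":")
            if not sep or key not in ap:
                continue  # unknown or malformed field: skip rather than fail
            ap[key] = int(value) if key == "ss" else value
        if ap["mac"] is None or not MAC_RE.match(ap["mac"]):
            raise ValueError(f"wifi entry without a valid MAC: {raw!r}")
        aps.append(ap)
    return aps

def strongest_first(aps):
    """Order access points by signal strength (ss, in dBm), strongest first.
    Entries with no ss (as in the concise request) sort last. The request does
    not say which entry is the client's own router; this only shows how much
    the full request reveals beyond the bare BSSIDs."""
    return sorted(aps, key=lambda ap: (ap["ss"] is not None, ap["ss"] or 0), reverse=True)

if __name__ == "__main__":
    for ap in strongest_first(parse_wifi_params(FULL_EXCERPT)):
        print(f"{ap['mac']}  ssid={ap['ssid']!r:<12} ss={ap['ss']}")
    print(len(parse_wifi_params(CONCISE)), "entries in the concise request")
```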

I suspect the order of MAC addresses provided matters in terms of how Google determines the precise location. If so, we could treat the returned point as the midpoint between the actual location of my house and the location of the other network. The estimate could probably be improved by scaling according to the accuracy value or by using some combinatorial reverse-intersection algorithm.

So I guess the problem now is getting the user to send us their own BSSID, along with the BSSID of a nearby router. Typically people don’t bother changing the password to their router admin panel (after all, it is unlikely that we will get physical access to the device or crack the WEP/WPA code - well, WPA at least).

It used to be possible to use the following bit of JavaScript to router-jack (provided that the user is foolish enough not to change their default password). The following works for Verizon FIOS routers (each model has different login procedures and default passwords).

Scan for router access panel:

Log in to the router:

Now that we’ve iframed the router access panel, we can just run a script to fetch the MAC address.

Unfortunately, we still need to somehow obtain 2 MAC addresses for accuracy. It’s pretty much impossible to get this information using JavaScript (Firefox gives JavaScript some extra privileges, but we would still need to be granted permission), and the router admin panel doesn’t usually store info on other routers. We could use a signed Java applet (people have a tendency to grant access to all applets they see) without telling them that it is getting their MAC addresses. Although it’s inherently fishy, there are a lot of clever ways to get suckers to fall for that kind of trick.

If we were in the vicinity, perhaps we could build up a cache of some sort of all the different locations. I suspect that Google could theoretically require only 1 address by fetching locations from a big cache of theirs (people usually don’t move their routers around a lot), but I suppose it’s for security reasons, to thwart this kind of thing.

BUT WAIT A SECOND! What if we didn’t use Google, and instead simply queried a wardriving database with the single MAC address we fetch from the user? We could fetch additional MAC addresses from there, and still call the Google Geolocation API to fetch a more accurate result.

Ta-da! We have found the location of the person who clicked the link, down to the nearest 30 ft.

This shit is so cray.

On a side note, it’s a grand shame that Mozilla prompts the user for permission for geolocation data. Otherwise we could potentially create a JavaScript page that auto-fetches nearby MAC addresses of visiting clients, and creates a self-assembling network topology based on contributed MAC addresses and Google Street View.
