Don't "Locate Me"

by Terry Stenvold

General Information

As you may know, there is a new feature included in the Google Maps 1.1.3 update for the Apple iPhone and iPod Touch: the "Locate Me" feature.  The new feature is provided by another company called Skyhook Wireless.

Skyhook's system is named Wireless Positioning System (WPS), and locates users by knowing the location of their wireless access point.  In another context, "WPS" is also a term coined by the Wi-Fi Alliance to mean "Wi-Fi Protected Setup."  Skyhook's approach is unusual because its WPS requires knowing the specific geographic location of individual access points.

The Skyhook website states that information is obtained by deploying hundreds of data specialists who scan and locate access points using proprietary scanning vehicles.  Skyhook deploys approximately two hundred wardrivers to scan and locate access points, and they then append this information to a large reference database.

The problem with the system, other than knowing someone has driven by your house or business and added your AP's information to a large database, is that a third party can then locate you with only your MAC address.

I recently emailed Skyhook and asked if there is a way for people to locate me through their service.  They responded, "No, in no way can anyone track your location."  The second question I asked was if it is possible to have someone's AP address removed from their database.  They responded, saying that they "Cannot remove individual access points... every access point by definition broadcasts a radio beacon...  The only way to stop an access point from broadcasting its presence is to unplug it...  We don't actually identify the location of access points, just the signals that they create."

This information is particularly unsettling since Skyhook claims no other way to remove an AP's address from the database besides unplugging the access point.

This article will provide evidence contradicting both answers provided by Skyhook.  It will also explain how someone with malicious intent could possibly discover your location.

Requirements

Scripts

There are two scripts in this system.

skyhack.sh will create a bridge between the Ethernet and wireless card to create an AP environment.  You can also use two wireless cards, but the card broadcasting as the AP must be one Skyhook has not already mapped, which would require editing the scripts.

delbr0.sh destroys the bridge, which returns your computer to normal.

Step 1: Gaining the MAC Address of a Victim

The process of acquiring a MAC address is beyond the scope of this article, but I will provide some general ideas on how to do it.  Wireless router packaging usually displays the MAC address on the outside of the box, so sales personnel at an electronics store could easily write down the MAC address and keep that information until the product is sold.

This is fairly useless, because the MAC address can be cloned during the setup of a wireless router, which would then change the address, rendering the original information obsolete.  Another way to acquire a MAC address is via social engineering.  This is accomplished by conning an individual into divulging their MAC address.

Google is another source that can be used to obtain MAC addresses.  Some people post their MAC addresses while seeking help in a forum to solve a problem.  Gaining access to a computer through a Trojan horse and running the command arp -a will also allow someone to obtain a MAC address on a Windows machine.

Step 2: Setting Up Your Computer

The basic idea is to make your computer into an AP that spoofs the victim's MAC.  The way we do this is to bridge the Ethernet cable and wireless card.  The wireless card will then act as the access point of the spoofed victim.  To run the bridging script, run this command from the console:

# ./skyhack.sh 00:00:00:00:00:00

You need to change the MAC to the victim's MAC address, written as twelve hex digits in the colon-separated form shown.  Your connection is now bridged and the router's DHCP will hand out an IP address to your mobile device when connected.

Step 3: Finding the Approximate Location

When you go to your mobile device, you should see the SSID skyhack.  Connect to this skyhack network.

To ensure that your connection is working properly, check that your IP address is not in the 169.254.0.0/16 link-local address block, which would mean DHCP did not answer.  Your web browser should then be used to load a website to guarantee that you are receiving Internet traffic.  If the above has worked, you are now ready to connect to Google Maps and use the "Locate Me" feature.

Make certain there are no other APs around; if there are, be sure that they are not in Skyhook's database, as they can affect your results.  By using the "Locate Me" feature, you should now be able to see the victim's approximate location within a 100-200 meter diameter.

Step 4: Locating the Victim's Exact Location

Use Google Maps to give you driving directions to the approximate location given.  To return your computer to normal function, run:

# ./delbr0.sh

This removes the bridge between your Ethernet and wireless card.  It also returns your wireless card to managed or default mode.  Now, drive to the approximate location, and scan the local area with your laptop or mobile device for the specific MAC address in question until the location is pinpointed.

Prevention

To prevent these types of security breaches, keep your software patches up to date and use virus and malware scanners to prevent intrusion by others who may then acquire the MAC of your router.  Also be wary of technical helpers over the phone or over the Internet who ask for your MAC address.

A more definite way to prevent intrusion is to use the "Clone MAC" feature found on most router configuration pages.  It exists mainly for ISPs that tie Internet access to the MAC address of the first device they saw (typically your PC), so that newly acquired hardware is not blocked.  The same tool can be used to change the router's MAC address so that it points intruders nowhere, or somewhere completely different.  Always check that the newly changed MAC address is not similar to a neighbor's.

With Skyhook claiming it is not possible to remove single APs from their database, this is the best method, as long as you change the MAC often.
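As an added example (not part of the original article or its scripts), the check the two paragraphs above call for: pull the BSSIDs of nearby access points out of iwlist-style scan output, draw a random locally administered MAC for the router's "Clone MAC" page, and reject any candidate that repeats a neighbor's address or vendor prefix.  The scan text and neighbor addresses are constructed samples, and the function names are this example's own.

```python
import re
import secrets

# Constructed iwlist-style scan output (not captured from a real network);
# only the "Address:" lines matter to the check below.
SAMPLE_SCAN = """\
ath0      Scan completed :
          Cell 01 - Address: 00:1B:2F:AA:BB:CC
                    ESSID:"neighbor-one"
          Cell 02 - Address: 00:18:39:11:22:33
                    ESSID:"neighbor-two"
"""

BSSID_RE = re.compile(r"Address:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")

def parse_bssids(scan_text):
    """Set of BSSIDs (upper-case) seen in iwlist-style scan output."""
    return {m.group(1).upper() for m in BSSID_RE.finditer(scan_text)}

def oui(mac):
    """First three octets: the vendor prefix that makes two MACs look alike."""
    return mac.upper()[:8]

def random_local_mac(rng=secrets.token_bytes):
    """Random locally administered unicast MAC: bit 1 of the first octet set,
    bit 0 clear, so it cannot collide with a factory-burned router address."""
    raw = bytearray(rng(6))
    raw[0] = (raw[0] | 0x02) & 0xFE
    return ":".join(f"{b:02X}" for b in raw)

def is_safe_mac(candidate, seen_bssids):
    """True when the candidate is locally administered and matches neither the
    address nor the vendor prefix of any access point in the scan."""
    cand = candidate.upper()
    first = int(cand[:2], 16)
    if not (first & 0x02) or (first & 0x01):
        return False                      # factory MAC or multicast bit set
    if cand in seen_bssids:
        return False                      # exact collision with a neighbor
    return oui(cand) not in {oui(b) for b in seen_bssids}

def pick_safe_mac(seen_bssids, attempts=100, rng=secrets.token_bytes):
    """Draw random locally administered MACs until one passes is_safe_mac."""
    for _ in range(attempts):
        cand = random_local_mac(rng)
        if is_safe_mac(cand, seen_bssids):
            return cand
    raise RuntimeError("no safe MAC found")   # practically unreachable
```

`pick_safe_mac(parse_bssids(SAMPLE_SCAN))` returns an address you can enter on the router's Clone MAC page; rerun it with a fresh scan each time you rotate the address.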

This method of locating has been tested with access points around my local area and also with a friend who lives almost 8000 km away.  Please note that this "attack" is only as accurate as Skyhook's database.

As a side note, these types of attacks could be used to inform friends about your home address.  Instead of telling them the address is "2600 Robert Street," you could say, "I am living at 00:00:00:00:00:00."

Notes

The scripts provided in this article will not work out of the box with any wireless card or Ethernet card unless the interfaces are named ath0, wifi0 and eth0.  In most other cases, a simple change from ath0 to eth1 or wlan0 is all that is needed.

Using different routers will also require different IP ranges.  For example, D-Link would use 192.168.0.5 instead of 192.168.1.5.

Code: skyhack.sh

#!/bin/sh
# skyhack.sh 2008
# Usage: ./skyhack.sh <MAC>   (madwifi naming: wifi0 = physical device, ath0 = virtual interface)
wlanconfig ath0 destroy                   # remove the existing virtual interface
ifconfig wifi0 down
macchanger wifi0 -m "$1"                  # set the physical device to the MAC given
wlanconfig ath0 create wlandev wifi0 wlanmode Master -bssid   # recreate ath0 in AP mode
iwconfig ath0 essid skyhack
iwconfig ath0 channel 6
ifconfig ath0 inet 192.168.1.5 netmask 255.255.255.0 broadcast 192.168.1.255
route add default gw 192.168.1.1
ifconfig eth0 0.0.0.0 down                # clear addresses before bridging
ifconfig ath0 0.0.0.0 down
brctl addbr br0                           # bridge the wired uplink and the AP interface
brctl addif br0 eth0
brctl addif br0 ath0
brctl stp br0 off
ifconfig br0 192.168.1.5
ifconfig eth0 up
ifconfig ath0 up

Code: delbr0.sh

#!/bin/sh
# delbr0.sh part of skyhack 2008
ifconfig br0 down                         # tear down the bridge
brctl delif br0 eth0
brctl delif br0 ath0
brctl delbr br0
wlanconfig ath0 destroy                   # remove the AP interface
ifconfig wifi0 up
ifconfig wifi0 down
wlanconfig ath0 create wlandev wifi0 wlanmode Managed -bssid   # back to managed (client) mode
