In a Black Hat security talk entitled "How I Met Your Girlfriend," security researcher Samy Kamkar demonstrated a creepy hack that uses Google Street View data for stalking victims. In a few clicks, he showed how an attacker can track down and find a person's physical location with alarming accuracy. He doesn't need IP address information, thanks to Google's achievement of sending cars through neighborhoods, capturing photos and data, and collecting information on Wi-Fi networks such as MAC addresses.
Best known as the Samy Worm author that struck MySpace in 2005, adding more than 1 million friends to his MySpace account which consequently took down the site, Samy Kamkar has quite a talent for coming up with uber creepy attacks pinpointing a person's location.
When Kamkar originally published this hack as a proof-of-concept attack, he told DarkReading, "The interesting bit is I'm not piggybacking off of the browser's geolocation feature. I simply reimplemented the feature as a server-side tool. This way if I can obtain the user's router's MAC address in any way, regardless of browser, nationality, or age, I can typically determine their location and show up at their place with pizza and beer later that night."
Then Kamkar moved on to finding and meeting your girlfriend. In a demonstration of the attack which he called XXXSS, Kamkar showed just how simple stalking can be. The first step is to lure the victim to click the attacker's link. Once the victim lands on the baited website, Kamkar showed how to trick and manipulate Google into revealing her location.
This hack might be used for stalking or for targeting and attacking specific individuals. From proof-of-concept to his 'How I Met Your Girlfriend' presentation, Kamkar shows how easily a person could meet a guy, find out about his girlfriend, social engineer her to click a link, track her down, knock on her door, deliver pizza and beer. Discovering, meeting, and then stealing your girlfriend out from under you might be one of the less harmful scenarios.
"This is geo-location gone terrible," Samy Kamkar said during his presentation. "Privacy is dead, people. I'm sorry."
I contacted Samy and asked him what he advised for people who are concerned about privacy and security. In other words, what does he do to protect his privacy? Samy replied via email, "To better protect yourself, make sure you're using up to date firmware on your router, that you've changed any default passwords on your router or firewall, and if possible, use additional software such as NoScript to protect your browser from malicious code."
Here's a video of Samy's How I Met Your Girlfriend presentation. He also has slides.