Hack pinpoints where you live: How I met your girlfriend


In a Black Hat security talk entitled "How I Met Your Girlfriend," security researcher Samy Kamkar demonstrated a creepy hack that uses Google Street View data for stalking victims. In a few clicks, he showed how an attacker can track down and find a person's physical location with alarming accuracy. He doesn't need IP address information, thanks to Google's achievement of sending cars through neighborhoods, capturing photos and data, and collecting information on Wi-Fi networks such as MAC addresses.

Best known as the Samy Worm author that struck MySpace in 2005, adding more than 1 million friends to his MySpace account which consequently took down the site, Samy Kamkar has quite a talent for coming up with uber creepy attacks pinpointing a person's location.

When Kamkar originally published this hack as a proof-of-concept attack, he told DarkReading, "The interesting bit is I'm not piggybacking off of the browser's geolocation feature. I simply reimplemented the feature as a server-side tool. This way if I can obtain the user's router's MAC address in any way, regardless of browser, nationality, or age, I can typically determine their location and show up at their place with pizza and beer later that night."

Then Kamkar moved on to finding and meeting your girlfriend. In a demonstration of the attack which he called XXXSS, Kamkar showed just how simple stalking can be. The first step is to lure the victim to click the attacker's link. Once the victim lands on the baited website, Kamkar showed how to trick and manipulate Google into revealing her location.

After she visited the malicious site, he could impersonate her by making his PC seem like her PC requesting the information. Using JavaScript to remotely scan for her router type and her MAC address, he then utilized Google Street View data to discover the location of her router. He was accurate within 30 feet.

According the Dan Goodin, "If JavaScript is unpalatable for some reason, there are other ways to do this. A few things have to happen for the attack to work. First, the router needs to be set to use the default administrative password, or it needs to be a model that doesn't require credentials to access its system information page. And the router's MAC address must already have been recorded by Google's ubiquitous fleet of Street View cars, which roam the earth snapping pictures and sniffing select Wi-Fi data."

This hack might be used for stalking or for targeting and attacking specific individuals. From proof-of-concept to his 'How I Met Your Girlfriend' presentation, Kamkar shows how easily a person could meet a guy, find out about his girlfriend, social engineer her to click a link, track her down, knock on her door, deliver pizza and beer. Discovering, meeting, and then stealing your girlfriend out from under you might be one of the less harmful scenarios.

"This is geo-location gone terrible," Samy Kamkar said during his presentation. "Privacy is dead, people. I'm sorry."

I contacted Samy and asked him what he advised for people who are concerned about privacy and security. In other words, what does he do to protect his privacy? Samy replied via email, "To better protect yourself, make sure you're using up to date firmware on your router, that you've changed any default passwords on your router or firewall, and if possible, use additional software such as NoScript to protect your browser from malicious code."

Here's  a video of Samy's How I Met Your Girlfriend presentation. He also has slides.

Copyright © 2010 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon