33 comments

[ 3.2 ms ] story [ 84.3 ms ] thread
How does google know where MAC addresses are? I thought that they were non-routable, so they are limited to the extremely local connection. Presumably the range from your computer to the termination of the cable modem on the other end.
It's the MAC or your wireless router. They collected them with their street view cars.

There was a big, overblown privacy scare some months ago because it was discovered that the cars also accidentally saved some stray unencrypted packets of traffic as they cruised around.

Actually, there are third-party services that have made a business of collecting locations of Wi-Fi routers and I believe Google subscribes to them.
I didn't know you could (legally) earn money for wardriving.
It's just 21st century map-making. Instead of plotting the location of physical landmarks, you'd be plotting electromagnetic landmarks.

I'm sure pioneer map-makers got in trouble for plotting perfectly visible stuff that was located on private property.

Yes, it's significant to note that Google (à la Street View scanning) is not the only party that's made a concerted effort to collect them. Whether Google's purchased (or absorbed) such data from others, I don't know.

I speculate that further routes for collection may be available. E.g. a user uses a wi-fi connection with a device that has geo-location turned on, and "Bob's your uncle".

I think that the google street view cars also log the wifi networks they find.
It relies on the fact that the router web admin page is unsecured and someone hasn't changed the default password. I'm pretty certain this could also work on linksys:linksys or admin:password default login routers.

So if you don't want to be hacked, change your password.

you don't even need the password. Some routers display it on the admin page before login in (dd-wrt does this).
That behavior can easily be toggled on/off in the Administration->Management section for your DD-WRT router. Take a look at "Info Site Password Protection" and "Info Site MAC Masking" on that page.
At least for me, dd-wrt only displays it for connections coming from "inside".

For connections coming from outside it forwards it to the DMZ computer, or blocks it.

If someone is able to determine the MAC address of your router by you simply visiting a page, you've got bigger problems.
What kind of bigger problems?
Typically this means there's either a serious XSS flaw or a default password on your router. Someone could, for example, change your DNS settings and start intercepting your traffic.
One word... JavaScript
In Java, getHardwareAddress() returns your MAC.
If your browser runs Java code without a warning you have a lot more problems than someone knowing your MAC... Also that would still not be your router's MAC.
By default, my AT&T home router doesn't ask for credentials until I ask to change something. Our office router is completely authenticated with HTTP Basic. Different routers, different results, but there are an awful lot of routers that assume that if you can hit the router's internal address, it must be safe for you to get information about the router.
Where "anyone" == "anyone who didn't change the password of their touter"
Or anyone who is authenticated and cookied.
Does anyone stay logged into their router when they're not using it? And don't most sessions expire fairly quickly, anyways?

Besides that, this appears to only work with wireless routers, based on how google is locating them.

No, he uses an example XSS exploit to view Verizon FIOS router pages, but there are lots of ways to get MAC addresses.
My Belkin router spews both of its MAC addresses onto the screen to anybody who hits the admin website, before authentication.

Getting to my router with an attack is a little less trivial since it is no longer on 192.168.1.1. Also I'm not sure if there's an XSS attack that an unauthenticated user can fire, as any attempt to do anything is just giving me a login box which itself doesn't have an XSS. But this is my 90 second security analysis, if I tried harder I'm sure there's something nasty somewhere.

Hasn't picked up on any of the router MAC addresses I gave it. Guess it's not reached Ireland yet…
Seems to think I'm on Santa Monica Blvd, but I'm in Boston and this computer has never been to California.
Looks like is the way it says "I have no clue of where are you". Santa Monica Boulevard is like... 10.000 kilometers from here.
After a quick read of the page it sounds like it only works for browsers authenticated to a specific Verizon FIOS router.
His particular demo only works with a specific Verizon router, but the notional attack works against any wireless router that has any XSS flaw --- ie, any wireless router.

There are really just two simple ideas here (taking a couple simple ideas and plugging them together in some totally unexpected way being a Samy Kamkar trademark):

* Any website can usually use reflected XSS to interact with a browser's upstream wireless router, because wireless routers suck, and because they assume that the "inside" network is safe.

* There are databases that translate wireless MAC into location (like Skyhook).

Tomato firmware (and DD-WRT I think) allows you to randomize your MAC address, which I do weekly.
Didn't find anything for my MAC address :(
Most of the comcast cable modems I've had in the past years let you see the mac address if you navigate to 192.168.100.1 without any password, so xss that loaded that page would work.