Geolocation threats rise following demonstration of router hacking that can pinpoint a person's home

Personal privacy could now be considered as dead following the demonstration of extraction of geolocation information from a web browser without using IP geolocation data.

Presenting last week at the Black Hat Conference in Las Vegas, Nevada, Samy Kamkar demonstrated how he is able to convince a target to visit a malicious website which uses JavaScript to extract the router's Media Access Control (MAC) address and report the unique identifier. This address is then used with Google location services and the hacker has a map showing the victim's location within a few hundred feet.

He commented that people do not change their router credentials, and if a user visits a malicious website that creates a form and you can now login to someone's router. “Their browser is compelling this exploit for you, but this is not a geolocation XXXSS attack. Depending on the router you may not need to login at all,” he said.

Kamkar has previously served three years' probation, ending in January this year, for developing the Samy cross-site scripting worm that propagated across the social networking site MySpace.

Mac security firm Intego said that since Google's photo cars recorded MAC addresses, and this information is publicly available, the MAC address can be correlated with the location where it was detected. In many cases, this can be very precise, especially if you 'are in a sparsely populated area.

Graham Cluley, senior technology consultant at Sophos told SC Magazine that social networking is now becoming more geographically specific, with Four Square tipped to be the next website to rise in popularity. He said: “It is now about the ‘World Where Web' and about location, we have seen documented cases where people have posted a status update and been robbed and also been the victim of physical violence. It is one of the growth areas and it is beginning to gain in momentum.”

Sign up to our newsletters