Samy Kamkar, a security expert who has been hunting for shortcomings in routers, has demonstrated how online attackers can find out someone’s physical address through the net. According to Kamkar, all it takes is a single visit to a website that has been tampered with, and hackers can find out the unique identification number of the visitor’s router.
From there, it is relatively straightforward for the hacker to do a quick search and find out exactly where the router is situated. Kamkar, who developed the attack himself, explained how shortcomings in most routers allow a hacker to exploit them. In a demonstration, the security expert hunted down a router and found its location with an accuracy of nine metres.
Most people use the internet through a router, and the average router only has one computer connected to it. This means that in normal circumstances, only the connected machine can interrogate the router for ID information. Kamkar, however, has found a way of emulating the connected machine and obtaining the ID under false pretences.
The MAC address that he obtains from the router is then used to look up the location of the PC that is viewing pages online, by interrogating a Google database. The technique exploits Google’s Street View service, piggybacking on the information which is available to support GPS co-ordinates.
A senior researcher at F-Secure commented: “This is very interesting research. The thought that someone, somewhere on the net can find where you are is pretty creepy. Scenarios where an attack like this would be used would be stalking or targeted attacks against an individual. The fact that databases like Google Streetview’s MAC-to-Location database or the Skyhook database can be used in these attacks just underlines how much responsibility companies that collect such data have to safeguard it correctly.”