IPV6 + MAC addresses + Geolocation = Privacy fail

admin — Fri, 29 Oct 2010 20:08:02 +0000

Update: You can probably scratch this whole idea – see the comments for details.

First, a little background on geolocation for those who haven’t heard of this before:

Google has been collecting wifi data while doing streetview. One of the things they collect is MAC addresses of wireless networks.
Google, using the above MAC addresses and GPS data, is now offering a geolocation service. You just send in the MAC addresses of any wireless networks in range, and Google will helpfully tell you where you are.
While a browser is supposed to prompt a user before sending the MAC addresses off to Google, it is certainly possible for anyone to submit any MAC address they know of to Google. Sam Kamkar has a proof of concept for this.

The summary of the above is this: If you have a MAC address, google will tell you where it has seen that MAC address.

Now for the kicker. IPV6 autoconfig, by default, loads the mac address into the last 64 bits of the IP address. (Not directly – technically the bytes FFFE are added to the middle, and 1 bit is flipped, but this is all easily reversed. Suffice it to say obtaining a MAC address from this sort of IP address is trivial). See where this is going yet? If you want to know where an IPv6 address is located in the real world, just traceroute to the device, pull the MAC address from the device immediately prior to your target, and see if Google has a record of it. If your target is behind NAT, you can skip even this simple step. This attack is probably mostly theoretical right now since the vast majority of wireless networks are still IPv4, but if IPv6 ever does take off, this will become a real worry.

Credit where credit is due: I got this idea while watching the video of Samy Kamkar’s presentation entitled “How I met your girlfriend“. Samy goes from end to end, showing how to get a person’s real life location. He only talks about IPv4, so for the last steps he convinces the target to click a link, exploits their home router, and pulls the MAC address from there using the default credentials. I basically take this attack and consider it in the IPv6 world, where none of the technical wizardry is necessary and the attack difficulty is significantly lower.

new web app scanner

admin — Mon, 22 Mar 2010 16:30:48 +0000

A friend of mine dropped me a note to point out that Google has released an open source web application security scanner called skipfish. I haven’t used it yet (installing as I type), and will hopefully have some thought on it soon.

captcha on demand

admin — Mon, 29 Jun 2009 18:42:08 +0000

With the death of Michael Jackson last week, Google saw an unprecedented level of Michael Jackson related searches. The most impressive thing about Google’s response is that they apparently deploy captcha tests on demand only when they think there is an automated attack going on. As someone who hates having to type in those letters printing in the most unreadable manner possible, I think this is a great step up.

Angels of security » google

IPV6 + MAC addresses + Geolocation = Privacy fail

new web app scanner

captcha on demand