Social Zombies Gone Wild: Totally Exposed and Uncensored


DESCRIPTION

Social networks have jumped onto the geolocation bandwagon with location-based tweets, status updates, check-ins, mayorships, and more. That is before counting EXIF data, QR codes, and advances in HTML5 geolocation, which are being built into these location-based services, often implemented and enabled without the user even knowing it. In fact, geolocation is one of the hottest technologies in use, in everything from web browsers to mobile devices. As social networks throw our location coordinates around like candy, it's only natural that bad things will happen and abuse will become more common. This presentation will cover how social networks and other websites currently use location-based services, what they plan to do with them, and the current privacy and security issues. We will also discuss the latest geolocation hacking techniques and will release custom code that can abuse all of the features discussed.

Tom Eston is a Senior Security Consultant for SecureState. Tom focuses his research on the security of social media. Tom is also the founder of SocialMediaSecurity.com and co-host of the Security Justice and Social Media Security podcasts. Kevin Johnson is a security researcher with Secure Ideas. He has many years of experience performing security services for Fortune 100 companies, and leads a large number of open source security projects including BASE and SamuraiWTF. Kevin is also an instructor for SANS.

Presented at Notacon 8 in Cleveland, Ohio.



•  Senior Security Consultant, SecureState
•  Founder of SocialMediaSecurity.com
•  Facebook Privacy & Security Guide
•  Blogger
•  Co-host of Security Justice, Social Media Security Podcasts

•  Security Consultant, Secure Ideas
•  Author of SANS Sec542
•  Instructor of the SamuraiWTF class
•  SANS Internet Storm Center Handler
•  Project lead for:
   –  SamuraiWTF
   –  Yokoso!
   –  Laudanum
   –  WeaponizedFlash

•  Location Based Services are exactly that
•  Services that provide your location to others
   –  Be they friends or companies that want to know

•  These services can be built into our devices and software, or programs we sign up for
   –  Can tell where we are or where we aren't

Chart: Gigaom.com

"The market for location-based services on mobile phones will be worth about $3 billion in 2013…"

- Frost and Sullivan (Market Research Firm)

•  The original way of performing geo-location checks

•  Determined through ISP lookups and whois records

•  Prone to misleading results – Due to ISP location being reported

•  Popular with Banners/Adult Advertising

•  Researchers have found new ways to get closer results via IP address

•  Typical results used to get you within 200 kilometers (time based)

•  Now within a few hundred meters!
•  Creates new ways for advertisers and the government to track you :)

•  Using proxies seems to help…but who controls these?

•  GPS in the mobile device was "revolutionary"
   –  Users have embraced it

•  We have our phone with us everywhere
•  Ability to use web based tech with the mobile
•  GPS has changed the way we use phones!
   –  Mash-ups for the win!

•  GPS
•  WiFi
•  Bluetooth
•  RFID
•  3G/EDGE, CDMA, GSM

•  We pack our phones with the latest wireless tech…

•  IP address
•  RFID
•  WiFi and Bluetooth MAC addresses
•  GSM/CDMA cell IDs
•  Manual user input

•  Service Examples:
   –  Google Location Services
      •  Cell Tower
      •  Wifi based
   –  Skyhook/Loki
      •  Wifi based

•  Many new providers of Geolocation data
   •  Skyhook
   •  SimpleGeo (working on Geofences)

•  Yes, it's scary and has been around for a few years

•  Your phone determines if you are in a location or not

•  iOS4 already supports background geo
•  SimpleGeo can do this in 6 lines of code
•  30 lines to support background geo tracking on iOS4

"So you basically just say, 'Track User' and we handle that in our API along with record history." "I can then come back and say, 'Show me the last 10 places the user was'," Stump continues... "Creepy? Sort of. Powerful and easy? Yes."

- TechCrunch interview with SimpleGeo co-founder Joe Stump

•  Firefox (> 3.5 uses Google)
•  Opera (nightly build uses Skyhook)
•  Safari (uses Skyhook in iPhone/iPad)
•  Chrome (uses Google)
•  Internet Explorer 9 (HTML5-based)

Geolocation is not standardized…yet.

•  Follow the Geolocation developer mailing list...it’s fun!

– http://www.w3.org/2008/geolocation/

•  How will developers use this?
•  W3C Geolocation API
•  Code is easy to manipulate for evil things

•  Now available in Safari, Opera and Chrome

•  The "Evercookie" (Samy Kamkar)
•  Store and track your locations as well

FourSquare/Gowalla

•  These games are supposed to be fun, right?

•  Opt in by default
•  Built into the API
•  Forgotten by many users…

•  We <3 Google
•  Tracks your location history
•  How many use the same password for all sites?

•  600 Million Users all sharing locations…

•  Kevin loves this

•  Barcode Hero? Yeah, seriously…

QR Codes

Rebecca  Rolled?  

•  Geolocation DoS
•  Randomly generate SSIDs
•  Fake SSID flood
•  Hardware jamming

•  2008 Research by Students from ETH Zurich

•  AP Impersonation
•  WLAN Jamming

•  SkyHook DoS

•  [Disclaimer] These are illegal!

•  Easy to buy overseas

•  http://ilektrojohn.github.com/creepy/
•  Geolocation stalking tool!
•  Works on Windows and Linux

•  Sniff and Spoof (Man-in-the-Middle Attacks)
•  Or…just use FireSheep and hijack the account for location data
•  Fun at conferences and hotels ;-)

•  Proxies
•  Tor (still slow)
•  Moxie Marlinspike's GoogleSharing creates interesting possibilities

•  Blackberry
•  iPhone
•  Android

•  Fake Location App (iPhone/Android)
•  Geolocater Firefox Plugin
•  Manually manipulate Firefox, use touch.facebook.com

•  FourSquare “gaming the system”

•  Lots of scripts, programs to do this…even a Metasploit module! (thanks to CG)

•  Pulls location information without the user knowing

•  Hooked through Skyhook
•  Developer gets your location
•  Great for stalking app users…

•  Plug-ins for BeEF to retrieve HTML5 Geolocation
   –  Designed for PHP version of BeEF

•  Allows the attacker to track the victims
•  Scope testing for pen-testers

•  Enhances upon the BeEF framework
   –  Part of the HTML5 plug-ins

•  Determines if the payload is supported

•  Retrieves the location for the controller

•  Geolocation can be problematic
   –  Current browsers respond erratically
      •  Often just the first time it's called
   –  Support is getting better every day

Ruby BeEF

•  Geolocation plug-in is part of the Ruby version of BeEF

•  Supports most browsers
   –  IE is still problematic
   –  Kevin and Frank are working on an update

•  Displays coordinates in the results

•  Inadvertent Location Sharing
   –  Many mobile apps enable this by default!

•  Cyberstalking

•  Physical Security

•  You automatically allow your location to be shared with applications you use!

•  Apple's 159+ page Terms of Service state…

"By using any location-based services on your iPhone, you agree and consent to Apple's and its partners' and licensees' transmission, collection, maintenance, processing, and use of your location data to provide such products and services."

•  What does your phone or browser leave behind?

•  Can you be tracked?
•  How many of us sell our phones on eBay/Craigslist?

•  Anonymize your location
•  Allow access to delete/remove location data
•  Ability to turn off location based services
•  What are the W3C devs doing?
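The W3C Geolocation API slide above and this list of fixes ("anonymize your location", "turn off location based services") both come down to how a page asks the browser for a position and what it does with the answer. Below is an added example, not code from the talk or from any of the projects it names: a defensive wrapper around `navigator.geolocation` that feature-detects support, requests a position with a timeout (the deck notes that browsers respond erratically, especially on the first call), and snaps the result to a grid cell before it reaches anything that shares it, so a check-in reveals a neighbourhood rather than a house. The 111 km-per-degree figure is an assumed approximation, the `geo` parameter is a hypothetical injection point for testing, and every coordinate is a constructed sample.

```javascript
// Added example (not the talk's code): a coarsening wrapper around the W3C
// Geolocation API. Assumes ~111 km per degree of latitude; all coordinates
// below are constructed samples.

const DEG_PER_KM = 1 / 111.0;

// Snap a coordinate pair to a grid of `cellKm` kilometres and return the
// centre of the cell plus the radius of uncertainty that implies. Every
// position inside one cell produces identical output, which is the point.
function coarsenPosition(latitude, longitude, cellKm) {
  if (!Number.isFinite(latitude) || !Number.isFinite(longitude)) {
    throw new TypeError('latitude and longitude must be finite numbers');
  }
  if (!(cellKm > 0)) {
    throw new RangeError('cellKm must be a positive number');
  }
  const snap = (value, step) => (Math.floor(value / step) + 0.5) * step;
  const latStep = cellKm * DEG_PER_KM;
  const latCentre = snap(latitude, latStep);
  // A degree of longitude shrinks toward the poles, so widen the step by
  // 1/cos(latitude). The cell centre is used so that all points in the same
  // latitude band share one longitude grid.
  const lonStep = latStep / Math.max(Math.cos((latCentre * Math.PI) / 180), 1e-6);
  return {
    latitude: latCentre,
    longitude: snap(longitude, lonStep),
    radiusKm: cellKm / 2,
  };
}

// Ask the browser for a coarse position. `geo` defaults to the real
// navigator.geolocation and can be injected (hypothetical test hook) because
// Node has no geolocation object. Resolves to null when the API is absent,
// permission is denied, the position is unavailable, or the call times out,
// so callers never see raw coordinates and never hang on a silent browser.
function getCoarsePosition(cellKm, options = {}, geo = globalThis.navigator && globalThis.navigator.geolocation) {
  return new Promise((resolve) => {
    if (!geo || typeof geo.getCurrentPosition !== 'function') {
      resolve(null);
      return;
    }
    geo.getCurrentPosition(
      (pos) => resolve(coarsenPosition(pos.coords.latitude, pos.coords.longitude, cellKm)),
      () => resolve(null), // PERMISSION_DENIED, POSITION_UNAVAILABLE or TIMEOUT
      { enableHighAccuracy: false, timeout: 5000, maximumAge: 600000, ...options }
    );
  });
}

// Stand-alone demo: a constructed stub plays the browser and reports a
// sample position near downtown Cleveland.
const demoGeo = {
  getCurrentPosition: (onSuccess) =>
    onSuccess({ coords: { latitude: 41.4993, longitude: -81.6944 } }),
};
getCoarsePosition(10, {}, demoGeo).then((coarse) => console.log(coarse));
```

In a real page the third argument is left out so the browser's own `navigator.geolocation` is used; `enableHighAccuracy: false` and a generous `maximumAge` also keep the browser from spinning up GPS for a fix the page is going to blur anyway.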

- Image from Broadstuff.com

•  Getting more popular for promotions/prizes (Starbucks)

•  How do you verify check-in?
•  Lots of *fun* ways to abuse the system
•  Two-factor geo check-ins?
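One server-side answer to "how do you verify check-in?" is a plausibility check: reject a check-in the user could not physically have reached since their last accepted one. The code below is an added example and is not Foursquare's, Gowalla's or the presenters' logic; the 900 km/h ceiling (roughly airliner speed) and the 0.5 km slack for GPS scatter are assumed values, and the Cleveland and Las Vegas check-ins are constructed samples.

```javascript
// Added example (not any service's real logic): speed-of-travel check for
// venue check-ins. Distances use the haversine formula on a 6371 km sphere.

const EARTH_RADIUS_KM = 6371;

// Great-circle distance in kilometres between two lat/lon pairs in degrees.
function haversineKm(lat1, lon1, lat2, lon2) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(lat2 - lat1);
  const dLon = toRad(lon2 - lon1);
  const a =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(lat1)) * Math.cos(toRad(lat2)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(a));
}

// previous: the last accepted check-in {lat, lon, time}, or null for a new user.
// candidate: the check-in being submitted, same shape. Times are Unix seconds.
// maxKmh: assumed ceiling on how fast a person can move between venues.
// Returns {ok, reason} so rejections can be logged and the account reviewed.
function checkInPlausible(previous, candidate, maxKmh = 900) {
  if (!previous) {
    return { ok: true, reason: 'no previous check-in to compare against' };
  }
  const dtSeconds = candidate.time - previous.time;
  if (dtSeconds < 0) {
    return { ok: false, reason: 'timestamp earlier than previous check-in' };
  }
  const km = haversineKm(previous.lat, previous.lon, candidate.lat, candidate.lon);
  // Distance reachable in the elapsed time, plus 0.5 km of slack so two
  // check-ins at the same venue a minute apart survive GPS scatter.
  const reachableKm = (dtSeconds / 3600) * maxKmh + 0.5;
  if (km > reachableKm) {
    return {
      ok: false,
      reason: `${km.toFixed(0)} km in ${dtSeconds} s exceeds the ${maxKmh} km/h limit`,
    };
  }
  return { ok: true, reason: `${km.toFixed(0)} km in ${dtSeconds} s is reachable` };
}

// Stand-alone demo with constructed check-ins: Cleveland at t=0, then a
// claimed Las Vegas check-in one hour later, then the same claim six hours later.
const cleveland = { lat: 41.4993, lon: -81.6944, time: 0 };
const vegasSoon = { lat: 36.1699, lon: -115.1398, time: 3600 };
const vegasLater = { lat: 36.1699, lon: -115.1398, time: 6 * 3600 };
console.log(checkInPlausible(cleveland, vegasSoon));  // rejected
console.log(checkInPlausible(cleveland, vegasLater)); // accepted
```

A check like this only raises the bar: a spoofed location that moves at walking pace is still accepted, which is why the slide's suggestion of a second factor (something tied to the venue itself) matters for promotions with real prizes attached.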

•  Ensure “full disclosure” of how you use location based data

•  Implement PETs
•  Demand more/get involved with W3C

•  To share or not to share?
•  Share with only a select group? Example: create a list in Facebook, share only with them

•  Think before sharing your location

•  Read the TOS, privacy policy of apps and services

•  SocialMediaSecurity.com
•  Kevin will be submitting BeEF patches
•  Follow us: @agent0x0 @secureideas
•  Friend Kevin on Facebook. Really.