• Senior Security Consultant, SecureState
• Founder of SocialMediaSecurity.com
• Facebook Privacy & Security Guide
• Blogger
• Co-host of Security Justice, Social Media Security Podcasts

• Security Consultant, Secure Ideas
• Author Sec542 from SANS
• Instructor of the SamuraiWTF class
• SANS Internet Storm Center Handler
• Project lead for:
  – SamuraiWTF
  – Yokoso!
  – Laudanum
  – WeaponizedFlash
• Location Based Services are exactly that
• Services that provide your location to others
  – Be they friends or companies that want to know
• These services can be built into our devices and software or programs we sign up for
  – Can tell where we are or where we aren’t
Chart: Gigaom.com
“The market for location-based services on mobile phones will be worth about $3 billion in 2013…”
- Frost and Sullivan (Market Research Firm)
• The original way of performing geo-location checks
• Determined through ISP lookups and whois records
• Prone to misleading results
  – Due to ISP location being reported
• Popular with Banners/Adult Advertising
• Researchers have found new ways to get closer results via IP address
• Typical results used to get you within 200 kilometers (time based)
• Now within a few hundred meters!
• Creates new ways for advertisers and the government to track you
• Using proxies seems to help…but who controls these?
• GPS in the mobile device was revolutionary
  – Users have embraced it
• We have our phone with us everywhere
• Ability to use web based tech with the mobile
• GPS has changed the way we use phones!
  – Mash-ups for the win!
• GPS
• WiFi
• Bluetooth
• RFID
• 3G/EDGE, CDMA, GSM
• We pack our phones with the latest wireless tech…

• IP address
• RFID
• WiFi and Bluetooth MAC addresses
• GSM/CDMA cell IDs
• Manual user input
• Service Examples:
  – Google Location Services
    • Cell Tower
    • Wifi based
  – Skyhook/Loki
    • Wifi based
• Many new providers of Geolocation data
  – Skyhook
  – SimpleGeo (working on Geofences)
• Yes, it’s scary and has been around for a few years
• Your phone determines if you are in a location or not
• iOS4 already supports background geo
• SimpleGeo can do this in 6 lines of code
• 30 lines to support background geo tracking on iOS4
“So you basically just say, ‘Track User’ and we handle that in our API along with record history.” “I can then come back and say, ‘Show me the last 10 places the user was’,” Stump continues... “Creepy? Sort of. Powerful and easy? Yes.”
- TechCrunch Interview w/SimpleGeo co-founder Joe Stump
• Firefox (> 3.5 uses Google)
• Opera (nightly build uses Skyhook)
• Safari (uses Skyhook in iPhone/iPad)
• Chrome (uses Google)
• Internet Explorer 9 (HTML5-based)
Geolocation is not standardized…yet.
• Follow the Geolocation developer mailing list...it’s fun!
– http://www.w3.org/2008/geolocation/
• How will developers use this?
• W3C Geolocation API
• Code is easy to manipulate for evil things
• Now available in Safari, Opera and Chrome
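What a page actually runs when it uses the W3C Geolocation API, shown here as an added example (not code from the slides, from BeEF or from any browser vendor): feature detection for browsers that lack navigator.geolocation, the options object, and the three PositionError codes the specification defines. The only gate between a site and the user's coordinates is the browser's permission prompt, which is why denial and timeout have to be handled as normal outcomes. The geolocation object is passed in rather than read from window so the same function runs in a browser or against the constructed stand-ins below; the requestLocation/probe names, the sample coordinates and the timestamp are made up for illustration.

```javascript
// Added example, not code from the original talk: the W3C Geolocation API
// as a web page calls it, wrapped with feature detection, a timeout and
// readable error names. The geolocation object is passed in so the same
// function runs against window.navigator.geolocation in a browser or
// against the constructed stand-ins below under Node.

// Error codes defined by the W3C Geolocation API (PositionError.code).
const GEO_ERROR_NAMES = {
  1: "PERMISSION_DENIED",    // user declined the browser's prompt
  2: "POSITION_UNAVAILABLE", // no GPS/WiFi/cell fix could be obtained
  3: "TIMEOUT",              // no answer within options.timeout
};

// Ask for one position fix. onResult receives a plain object either way,
// so callers never have to tell "unsupported" from "denied" by catching
// exceptions or inspecting undefined callbacks.
function requestLocation(geolocation, onResult, options) {
  if (!geolocation || typeof geolocation.getCurrentPosition !== "function") {
    onResult({ ok: false, error: "UNSUPPORTED" });
    return;
  }
  // Conservative defaults: no high-accuracy (GPS) fix, give up after 10 s,
  // and accept a cached fix up to a minute old.
  const opts = Object.assign(
    { enableHighAccuracy: false, timeout: 10000, maximumAge: 60000 },
    options
  );
  geolocation.getCurrentPosition(
    (pos) =>
      onResult({
        ok: true,
        lat: pos.coords.latitude,
        lon: pos.coords.longitude,
        accuracy: pos.coords.accuracy, // radius in metres, as the browser reports it
        timestamp: pos.timestamp,
      }),
    (err) =>
      onResult({ ok: false, error: GEO_ERROR_NAMES[err.code] || "UNKNOWN", message: err.message }),
    opts
  );
}

// Constructed stand-ins for navigator.geolocation. A real browser shows the
// user a permission prompt before either callback fires; here the outcome is
// chosen up front. The coordinates and timestamp are made-up sample values.
function fakeGeolocation(outcome) {
  return {
    getCurrentPosition(success, error, options) {
      if (outcome === "grant") {
        success({
          coords: { latitude: 41.4993, longitude: -81.6944, accuracy: 65 },
          timestamp: 1288000000000,
        });
      } else if (outcome === "deny") {
        error({ code: 1, message: "User denied Geolocation" });
      } else {
        error({ code: 3, message: "Timeout expired" });
      }
    },
  };
}

// Run one request against a stand-in and return what the page would see.
// "unsupported" models a browser with no navigator.geolocation at all.
function probe(outcome) {
  let result;
  const geo = outcome === "unsupported" ? undefined : fakeGeolocation(outcome);
  requestLocation(geo, (r) => { result = r; });
  return result;
}

for (const outcome of ["grant", "deny", "timeout", "unsupported"]) {
  console.log(outcome, JSON.stringify(probe(outcome)));
}
```

In a real page the first argument would be `navigator.geolocation`; the stand-ins only exist so the four outcomes can be exercised without a browser.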
• The “Evercookie” (Samy Kamkar)
• Store and track your locations as well
FourSquare/Gowalla
• These games are supposed to be fun, right?
• Opt in by default
• Built into the API
• Forgotten by many users…
• We <3 Google
• Tracks your location history
• How many use the same password for all sites?
• 600 Million Users all sharing locations…
• Kevin loves this
• Barcode Hero? Yeah seriously…
QR Codes
Rebecca Rolled?
• Geolocation DoS
• Randomly generate SSIDs
• Fake SSID flood
• Hardware jamming
• 2008 Research by Students from ETH Zurich
• AP Impersonation
• WLAN Jamming
• SkyHook DoS
• [Disclaimer] These are illegal!
• Easy to buy overseas
• http://ilektrojohn.github.com/creepy/
• Geolocation stalking tool!
• Works on Windows and Linux
• Sniff and Spoof (Man-in-the-Middle Attacks)
• Or…just use FireSheep and hijack the account for location data
• Fun at conferences and hotels ;-)
• Proxies
• Tor (still slow)
• Moxie Marlinspike’s GoogleSharing creates interesting possibilities
• Blackberry • iPhone • Android
• Fake Location App (iPhone/Android)
• Geolocater Firefox Plugin
• Manually manipulate Firefox, use touch.facebook.com
• FourSquare “gaming the system”
• Lots of scripts and programs to do this…even a Metasploit module! (thanks to CG)
• Pulls location information without the user knowing
• Hooked through Skyhook
• Developer gets your location
• Great for stalking app users…
• Plug-ins for BeEF to retrieve HTML5 Geolocation
  – Designed for PHP version of BeEF
• Allows the attacker to track the victims
• Scope testing for pen-testers
• Enhances upon the BeEF framework
  – Part of the HTML5 plug-ins
• Determines if the payload is supported
• Retrieves the location for the controller
• Geolocation can be problematic
  – Current browsers respond erratically
    • Often just the first time it’s called
  – Support is getting better every day
Ruby BeEF
• Geolocation plug-in is part of the Ruby version of BeEF
• Supports most browsers
  – IE is still problematic
  – Kevin and Frank are working on an update
• Displays coordinates in the results
• Inadvertent Location Sharing
  – Many mobile apps enable this by default!
• Cyberstalking
• Physical Security
• You automatically allow your location to be shared with applications you use!
• Apple’s 159+ page Terms of Service state…
“By using any location-based services on your iPhone, you agree and consent to Apple’s and its partners’ and licensees' transmission, collection, maintenance, processing, and use of your location data to provide such products and services.”
• What does your phone or browser leave behind?
• Can you be tracked?
• How many of us sell our phones on eBay/Craigslist?
• Anonymize your location
• Allow access to delete/remove location data
• Ability to turn off location based services
• What are the W3C devs doing?
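One concrete way to “anonymize your location” is to coarsen the coordinates on the device before they are sent to a service that only needs to know roughly where you are. The added example below (not code from the slides or from any of the services named in them) snaps a position to the centre of a grid cell and measures how much the reported point moved, so you can pick a cell size deliberately: a 0.01° cell gives the “few hundred metres” precision the IP-geolocation slides describe, a 1° cell is closer to the old tens-of-kilometres range. Snapping is deterministic, so repeated reports from the same place cannot be averaged back to the true point the way random noise could. The sample coordinates (downtown Cleveland) and the function names are constructed for illustration.

```javascript
// Added example, not code from the original talk: a privacy-enhancing
// step a page or app can apply before sending a position anywhere. The
// coordinates are snapped to the centre of a grid cell, so the receiving
// service learns only the cell, never the exact point inside it.

const EARTH_RADIUS_M = 6371000; // mean Earth radius, metres
const toRad = (deg) => (deg * Math.PI) / 180;

// Great-circle (haversine) distance between two points, in metres.
function haversineMetres(lat1, lon1, lat2, lon2) {
  const dLat = toRad(lat2 - lat1);
  const dLon = toRad(lon2 - lon1);
  const a =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(lat1)) * Math.cos(toRad(lat2)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_M * Math.asin(Math.sqrt(a));
}

// Snap lat/lon to the centre of the enclosing cell of `cellDegrees` a side.
// Deterministic: repeated reports from the same cell give the same value,
// which avoids leaking the true point through averaging of random noise.
function coarsen(lat, lon, cellDegrees) {
  const snap = (v) => (Math.floor(v / cellDegrees) + 0.5) * cellDegrees;
  return { lat: snap(lat), lon: snap(lon) };
}

// Largest distance any point in a cell can be from that cell's centre
// (half the cell diagonal), in metres, at the given latitude. Longitude
// degrees shrink with cos(latitude), so the radius depends on where you are.
function cellRadiusMetres(lat, cellDegrees) {
  const halfLat = toRad(cellDegrees / 2) * EARTH_RADIUS_M;
  const halfLon = halfLat * Math.cos(toRad(lat));
  return Math.sqrt(halfLat ** 2 + halfLon ** 2);
}

// How far the coarsened point moved from the real one, in metres.
function displacementMetres(lat, lon, cellDegrees) {
  const c = coarsen(lat, lon, cellDegrees);
  return haversineMetres(lat, lon, c.lat, c.lon);
}

// Constructed sample position (downtown Cleveland, Ohio) at two cell sizes.
const SAMPLE = { lat: 41.4993, lon: -81.6944 };
for (const cell of [0.01, 1.0]) {
  const c = coarsen(SAMPLE.lat, SAMPLE.lon, cell);
  console.log(
    `cell ${cell} deg: report ${c.lat.toFixed(3)}, ${c.lon.toFixed(3)} ` +
      `(moved ${displacementMetres(SAMPLE.lat, SAMPLE.lon, cell).toFixed(0)} m, ` +
      `cell radius ${cellRadiusMetres(SAMPLE.lat, cell).toFixed(0)} m)`
  );
}
```

The displacement is always at most the cell radius, which is the guarantee a service gets: whatever it stores, it cannot place the user more precisely than that radius. Pair this with the other items on the slide (deletion, an off switch) rather than relying on coarsening alone, since a service that also receives exact timestamps or a stable device identifier can still correlate visits.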
- Image from Broadstuff.com
• Getting more popular for promotions/prizes (Starbucks)
• How do you verify check-in?
• Lots of *fun* ways to abuse the system
• Two-factor geo check-ins?
• Ensure “full disclosure” of how you use location based data
• Implement PETs
• Demand more/get involved with W3C
• To share or not to share?
• Share with only a select group? Example: create a list in Facebook, share only with them
• Think before sharing your location
• Read the TOS, privacy policy of apps and services
• SocialMediaSecurity.com
• Kevin will be submitting BeEF patches
• Follow us: @agent0x0 @secureideas
• Friend Kevin on Facebook. Really.