mrtopf's page two

Raw scribbling for posts on http://mrtopf.de/blog

« Back to blog

Viewed
times
About Me

Podcaster, Python programmer, Open Source and Open Standards advocate, Data Portability Board Member, co-founder of http://comlounge.net

 

26C3: Location tracking does scale up

Dsc05715

Speaker: L. Aaron Kaplan (kaplan@cert.at)

Announcement: http://events.ccc.de/congress/2009/Fahrplan/events/3600.en.html

This is not about:

  • RFID hacking
  • GSM hacking
  • GIS tricks
  • sputnik
  • not about paranoia

It's not about hacking but social tricks.

This is about:

  • Navigation & Triangulation - it works very well
  • Pointing out where there new dragons might hide
He wants to start a discussion if we want to accept this dragon.

Radio Waves


Radio waves don't stop at the window (except in Microwaves).

  • If we were able to see not just visible lights we would also understand the surrounding Wi-Fi networks implicitly. But as we don't see it it's not natural to us, e.g. to understand that they don't stop at the door.
  • We would not be afraid of living below GSM towers (but rather of living opposite of them)
  • We would implicitly understand triangulation and distance measurement

Distance Calculations


(compare Radar "ping")
  • distance = delay * speed of light
  • current 33Ghz CPU -> 1 tick == 0.3ms
  • 1ns = 30 cm
triangulation
  • 3+ stations. Result: area
  • delay. SNR (power (r) = 1/r^2)

Apple's locationd


Tip: Use LittleSnitch on Mac
Reported locationd which is a new service from Apple used to set the timezones.
The problem: It uses lat/long for that and the database is very accurate (based on SSIDs). The data comes from an external (third party) data source.
You can turn it off in the Security Pane on the mac. On by default.

Android, too!

It's not just Apple, it's also used on devices with Android. It also includes GSM information in the information to Google. That way Google also knows which SSID is where in the world with which signal strengths. This is a smart way of crowdsourcing. We are acting as a distributed sensor device.

Skyhook Wireless


The company behind that. Founded in 2003.. Services the Loaction Based Services market

They believe that soon all mobile applications will be tied to locations. This market is about to explode.

63 million mobile phone users upgraded to smartphones from feature phones in 2008, from approx. 15 million upgrades in 2005.

Skyhook is in

  • iPhone
  • iPod Touch
  • G1 Android
  • Mac OS X Snow Leopard
  • Undercover iPhone (for stolen iPhones)
  • Loki (can be integrated into web page and makes your web server location aware)
  • Layar (augmented reality
  • CyberAngel Wi-Trac (practical service in case it gets stolen.)
  • Eye-Fi camera (uses this service to locate the picture you just took)
Skyhook uses many sources:

SSID databases
GPS signals
Cellular networks

client collects all that data with XPS client and asks the server where the device is located. (demo video on http://skyhookwireless.com)

The database was bootstrapped by people driving around in major metro areas scanning for SSIDs etc. All major cities are very well covered, in the US it's mainly the east and west coast.

Maxmind


A GeoIP database where you can ask for the geo location of an IP address. They manage to have a decent database with 83% accuracy. at least precise to city level. Used e.g. for fraud detection in online shops. Use is for free. You can download a CSV file. The free version is nearly as accurate as the for-pay version. They have 4.9 million network prefixes stored.

To his knowledge Skyhook used Maxmind to bootstrap their database.

Do we have a privacy problem?

This question should not be answered in a simple answer in "Yes, it's very bad!". We have to look a little deeper.

  • How does it work correctly?
  • USPN 7,493,127
  • API is documented. MITM SSL possible
  • Server does not know who you are. Skyhook tries to respect privacy
  • But you can still track one single ID where it's travelling.
  • Is this personal data? Remember that  a public IP address in Germany is personal data
  • But mobile me has a privacy problem because there it's tied to a username and password (means on iPhones)
  • easily installed on your GF/BF iPhone. There can be privacy attacks that way

API

structures: IPLocation, ILocation, StreetAddress

fucntions: Location request, Periodic Loaction Request and Authentication function based on realm and username

So? Who cares?

People in Alexa do not care about it. At the 26C3 people do. But there are good services around it.

join authentication cookie with other personal data is too easy
What is if Skyhook loses their data?
Or what if there is some inside job
It's also about exporting data from the EU to the US
Shouldn't we be asked before? It's massive crowdsourcing based on "our" data.

What is that data good for in the evil case?

  • Selling traffic streams => geo marketing
  • Send cruise missiles to that location
  • Can be used for terrorist attacks
Is it ok that this data can be sold without us being asked? Because it is sold already.

Where is this all leading to?

  • picture "milky (real world) data space"
  • zigbee/sensors/more ISM stuff, internet of things -> more precision

Countermeasures


  • Is using the same BSSIDs good?
  • One could somehow confuse DBs
  • But there are also useful things you can do with it
  • Thus what is needed is a political/society debate about it
  • Should it be forbidden completely?
  • modify it? (0-knowledge proof)
  • public data -> openstreetmap for geolocation? As they are broadcasted anyway aren't BSSIDs not public information anyway and shouldn't they be then exposed to everybody.
Democracy needs transparency!

Discussion

  • Firefox has a location based services inside
  • web pages can use it
  • A Google database is used. Who sees where you go? Go figure?
  • Interesting how quick this got through W3C.
  • Revoking your permission to use geo location is far too complicated in Firefox

  • Did you ask the openstreemap guys?
  • Might be great to have a layer for that in openstreetmap
  • There is some proposal about this but nobody is working on it
  • Somebody is also working on collecting the ids of GSM base stations
Public databases also have problems like it might be too easy to get to that data. The question really is how this is modelled.

Example is also Iran where the network carries know exactly where the demonstrators are based on their GSM phones. Comment from audience: Revolutionary Guard in Iran just bought the biggest telco there.

This live report might not be correct, please comment in case you have some modifications to add!

Posted