Social networks have jumped onto the geolocation bandwagon with location-based tweets, status updates, check-ins, mayorships, and more. This doesn’t take into account EXIF, QR codes, and advancements in HTML 5 geo implementations, which are being built into these location-based services. This is often implemented and enabled without the user even knowing it. In fact, geolocation is one of the hottest technologies being used in everything from web browsers to mobile devices. As social networks throw our location coordinates around like candy, its only natural that bad things will happen and abuse will become more popular. This presentation will cover how social networks and other websites are currently using location-based services, what they plan on doing with it, and a discussion on the current privacy and security issues. We will also discuss the latest geolocation hacking techniques and will release custom code that can abuse all of the features being discussed. Tom Eston is a Senior Security Consultant for SecureState. Tom focuses his research on the security of social media. Tom is also the founder of SocialMediaSecurity.com and co-host of the Security Justice and Social Media Security podcasts. Kevin Johnson is a security researcher with Secure Ideas. He has many years of experience performing security services for Fortune 100 companies, and leads a large number of open source security projects including BASE and SamuraiWTF. Kevin is also an instructor for SANS. Presented at Notacon 8 in Cleveland Ohio.

1. GONE

2. • Senior Security Consultant, SecureState
• Founder of SocialMediaSecurity.com
• Facebook Privacy & Security Guide
• Blogger
• Co-host of Security Justice, Social Media
Security Podcasts

3. • Security Consultant, Secure Ideas
• Author Sec542 from SANS
• Instructor of the SamuraiWTF class
• SANS Internet Storm Center Handler
• Project lead for:
– SamuraiWTF
– Yokoso!
– Laudanum
– WeaponizedFlash

4. • Location Based Services are exactly that
• Services that provide your location to others
– Be them friends or companies that want to know
• These services can be built into our devices
and software or programs we sign up for
– Can tell where we are or where we aren’t

5. Chart: Gigaom.com

6. The market for location-based
services on mobile phones will
be worth about
$3 billion in 2013…
-Frost and Sullivan (Market Research Firm)

8. • The original way of performing geo-location
checks
• Determined through ISP lookups and whois
records
• Prone to misleading results
– Due to ISP location being reported
• Popular with Banners/Adult Advertising

10. • Researchers
have
found
new
ways
to
get
closer
results
via
IP
address
• Typical
results
used
to
get
you
within
200
kilometers
(me
based)
• Now
within
a
few
hundred
meters!
• Creates
new
ways
for
adversers
and
the
government
to
track
you
J
• Using
proxy’s
seem
to
help…but
who
controls
these?

11. • GPS in the mobile device was
revolutionary
– Users have embraced it
• We have our phone with us everywhere
• Ability to use web based tech with the mobile
GPS has changed the way we use phones!
– Mash-ups for the win!

12. • GPS
• WiFi
• Bluetooth
• RFID
• 3G/EDGE, CDMA, GSM
• We pack our phones with
latest wireless tech…

15. • IP address
• RFID
• WiFi and Bluetooth MAC addresses
• GSM/CDMA cell IDs
• Manual user input

16. • Service Examples:
– Google Location Services
• Cell Tower
• Wifi based
– Skyhook/Loki
• Wifi based

17. • Many new providers of Geolocation data
• Skyhook
• SimpleGeo (working on Geofences)

18. • Yes, its scary and has been around for a few
years
• Your phone determines if you are in a location
or not
• iOS4 already supports background geo
• SimpleGeo can do this in 6 lines of code
• 30 lines to support background geo tracking on
iOS4

19. “So you basically just say, Track User and we handle
that in our API along with record history.
I can then come back and say, Show me the last 10
places the user was , Stump continues...
Creepy? Sort of. Powerful and easy? Yes.
- TechCrunch Interview w/SocialGeo co-founder Joe Stump

21. • Firefox ( 3.5 uses Google)
• Opera (nightly build uses
Skyhook)
• Safari (uses Skyhook in
iPhone/iPad)
• Chrome (uses Google)
• Internet Explorer 9
(HTML5-based)

22. Geolocation is not standardized…yet.
• Follow the Geolocation developer mailing
list...it s fun!
– http://www.w3.org/2008/geolocation/

23. • How will developers use this?
• W3C Geolocation API
• Code is easy to manipulate for evil
things

24. • Now available in Safari, Opera and
Chrome
• The Evercookie (Samy Kamkar)
• Store and track your locations as well

26. FourSquare/Gowalla
• These games are supposed to be fun,
right?

27. • Opt in by default
• Built into the API
• Forgotten by
many users…

28. • We 3 Google
• Tracks your location history
• How many use the same password for all sites?

30. • 600 Million Users all
sharing locations…
• Kevin loves this

32. • Barcode Hero?
Yeah seriously…

33. QR Codes

34. Rebecca
Rolled?

36. • Geolocation DoS
• Randomly generate SSIDs
• Fake SSID flood
• Hardware jamming

37. • 2008 Research by
Students from ETH
Zurich
• AP Impersonation
• WLAN Jamming
• SkyHook DoS

38. • [Disclaimer] These are
illegal!
• Easy to buy overseas

42. • hIp://ilektrojohn.github.com/creepy/
• Geolocation stalking tool!
• Works on Windows and Linux

43. • Sniff and Spoof (Man-in-the-Middle Attacks)
• Or…just use FireSheep and hijack the
account for location data
• Fun at conferences and hotels ;-)

45. • Proxies
• Tor (still slow)
• Moxie Marlinspike s GoogleSharing
creates interesting possibilities

48. • Blackberry
• iPhone
• Android

49. • Fake Location App (iPhone/Android)
• Geolocater Firefox Plugin
• Manually manipulate Firefox, use
touch.facebook.com

51. • FourSquare gaming
the system
• Lots of scripts,
programs to do
this…even a
Metasploit module!
(thanks to CG)

53. • Pulls location information without the user
knowing
• Hooked through Skyhook
• Developer gets your location
• Great for stalking app users…

55. • Plug-ins for BeEF to retrieve HTML5
Geolocation
– Designed for PHP version of BeEF
• Allows the attacker to track the victims
• Scope testing for pen-testers

56. • Enhances upon the
BeEF framework
– Part of the HTML5
plug-ins
• Determines if the
payload is supported
• Retrieves the location
for the controller

57. • Geolocation can be problematic
– Current browsers respond erratically
• Often just the first time its called
– Support is getting better everyday

58. Ruby BeEF
• Geolocaon
plug
in
is
part
of
the
Ruby
version
of
BeEF
• Supports
most
browsers
– IE
is
sll
problemac
– Kevin
and
Frank
are
working
on
an
update
• Displays
coordinates
in
the
results

60. • Inadvertent Location Sharing
– Many mobile apps enable this by default!
• Cyberstalking
• Physical Security

61. • You automatically allow your location shared with
applications you use!
• Apple s 159+ page Terms of Service state…
By
using
any
loca-on-­‐based
services
on
your
iPhone,
you
agree
and
consent
to
Apple s
and
its
partners
and
licensees'
transmission,
collec-on,
maintenance,
processing,
and
use
of
your
loca-on
data
to
provide
such
products
and
services.

62. • What does your phone or browser leave
behind?
• Can you be tracked?
• How many of us sell our phones on eBay/
Craigslist?

64. • Anonymize your location
• Allow access to delete/remove location
data
• Ability to turn off location based services
• What are the W3C devs doing?

66. - Image from Broadstuff.com

67. • Getting more popular for promotions/
prizes (Starbucks)
• How do you verify check-in?
• Lot s of *fun* ways to abuse the system
• Two-factor geo check-in s?

68. • Ensure full disclosure of how you use
location based data
• Implement PETs
• Demand more/get involved with W3C

69. • To share or not to share?
• Share with only a select group? Example:
create a list in Facebook, share only with
them
• Think before sharing your location
• Read the TOS, privacy policy of apps and
services

70. • SocialMediaSecurity.com
• Kevin will be submitting BeEF patches
• Follow us: @agent0x0 @secureideas
• Friend Kevin on Facebook. Really.

71. GONE