Google Gears WiFi Geolocation API query

EDB-ID:

15881

CVE:

N/A


Platform:

CGI

Published:

2010-12-31

Have you ever wondered if you could do house-by-house geolocation with
google gears geolocation API? Yes you (and advertisers) can!

Google is unlikely to fix this, since this is the same API mobile
handsets use to locate themselves w/o GPS. Throttling is unlikely
since handsets are usually NATted, so it *always* looks to google like
there's several hundred requests a second from a single IP for this
API. Currently google doesn't require authentication to use this API,
but with the support of logging in to google accounts in google maps
mobile(think google latitude), that may change.

I've tested this on kismet output, and it works beautifully. In fact I
don't see a reason to drain my battery with GPS anymore. There are a
few caveats, though:

1) The location is only updated when a google streetview car goes by,
so people who move frequently won't be located properly.
2) If google doesn't know where you are, they tell you you're in the
wrong place - like Iran, or Romania. This might be a MAC collision,
with the transaction getting raced on the various backend db servers
at google.
2a) Except sometimes they return the last known address for an IP. EG,
if you make two queries to this API and the first one is successfully
located, but the second query isn't, the second query can respond with
the information from the first query. This behavior is inconsistent.
3) Sometimes google doesn't return the address information, responding
only with long/lat. This isn't such a big deal since the address is
only approximate, anyways, but it's worth mentioning. This behavior is
inconsistent.
4) The GPS coordinates should only be considered ballpark, as the
streetview car may not enter subdivisions. Accuracy should still be
considerably better than current GeoIP geolocation until mitigation
efforts take off.


Mitigations include:

1) Wrapping your home in Mylar and grounding it.
2) Moving frequently
3) Changing your BSSID frequently, or spoofing your AP's BSSID. For
example, 00-DE-AD-BE-EF-42. Creativity is bad here, since if you're
unique it's likely google will find you. If you google a bit, it's
trivial to find people posting their own BSSIDs on support forums.



#!/bin/bash

if [ $# != 1 ]; then
echo "# Google Gears WiFi Geolocation API query by ShadowHat=esYou"
echo "# Shadow@SquatThis.net"
echo "#"
echo "# Use: $0 MAC "
echo "# $0 00-C0-26-A9-42-F7"
echo "#"
exit;
fi;

curl http://www.google.com/loc/json -H "Pragma: no-cache" -H "Cache-control: no-cache" -d "{ \"version\": \"1.1.0\", \"host\":
\"maps.google.com\", \"request_address\": true, \"address_language\":
\"en_GB\", \"wifi_towers\": [ { \"mac_address\": \"$1\",
\"signal_strength\": 8, \"age\": 0 } ] }"
echo ""