Transcript
Page 1: Social Zombies Gone Wild: Totally Exposed and Uncensored


Page 2

• Senior Security Consultant, SecureState
• Founder of SocialMediaSecurity.com
• Facebook Privacy & Security Guide
• Blogger
• Co-host of Security Justice, Social Media Security Podcasts

Page 3

• Security Consultant, Secure Ideas
• Author of SEC542 from SANS
• Instructor of the SamuraiWTF class
• SANS Internet Storm Center Handler
• Project lead for:
  – SamuraiWTF
  – Yokoso!
  – Laudanum
  – WeaponizedFlash

Page 4

• Location Based Services are exactly that
• Services that provide your location to others
  – Be they friends or companies that want to know
• These services can be built into our devices and software, or programs we sign up for
  – Can tell where we are or where we aren’t

Page 5

Chart: Gigaom.com

Page 6

“The market for location-based services on mobile phones will be worth about $3 billion in 2013…”

- Frost and Sullivan (Market Research Firm)

Page 7
Page 8

• The original way of performing geo-location checks
• Determined through ISP lookups and whois records
• Prone to misleading results
  – Due to ISP location being reported
• Popular with Banners/Adult Advertising

Page 9
Page 10

• Researchers have found new ways to get closer results via IP address
• Typical results used to get you within 200 kilometers (time based)
• Now within a few hundred meters!
• Creates new ways for advertisers and the government to track you :)
• Using proxies seems to help… but who controls these?

Page 11

• GPS in the mobile device was revolutionary
  – Users have embraced it
• We have our phone with us everywhere
• Ability to use web based tech with the mobile
• GPS has changed the way we use phones!
  – Mash-ups for the win!

Page 12

• GPS
• WiFi
• Bluetooth
• RFID
• 3G/EDGE, CDMA, GSM
• We pack our phones with the latest wireless tech…

Page 13
Page 14
Page 15

• IP address
• RFID
• WiFi and Bluetooth MAC addresses
• GSM/CDMA cell IDs
• Manual user input

Page 16

• Service Examples:
  – Google Location Services
    • Cell Tower
    • WiFi based
  – Skyhook/Loki
    • WiFi based

Page 17

• Many new providers of Geolocation data
  • Skyhook
  • SimpleGeo (working on Geofences)

Page 18

• Yes, it’s scary and has been around for a few years
• Your phone determines if you are in a location or not
• iOS4 already supports background geo
• SimpleGeo can do this in 6 lines of code
• 30 lines to support background geo tracking on iOS4

Page 19

“So you basically just say, ‘Track User’ and we handle that in our API along with record history.” “I can then come back and say, ‘Show me the last 10 places the user was’,” Stump continues... “Creepy? Sort of. Powerful and easy? Yes.”

- TechCrunch interview with SimpleGeo co-founder Joe Stump

Page 20
Page 21

• Firefox (> 3.5 uses Google)
• Opera (nightly build uses Skyhook)
• Safari (uses Skyhook in iPhone/iPad)
• Chrome (uses Google)
• Internet Explorer 9 (HTML5-based)

Page 22

Geolocation is not standardized… yet.

• Follow the Geolocation developer mailing list... it’s fun!
  – http://www.w3.org/2008/geolocation/

Page 23

• How will developers use this?
• W3C Geolocation API
• Code is easy to manipulate for evil things

Page 24

• Now available in Safari, Opera and Chrome
• The “Evercookie” (Samy Kamkar)
• Store and track your locations as well

Page 25
Page 26

FourSquare/Gowalla

• These games are supposed to be fun, right?

Page 27

• Opt in by default
• Built into the API
• Forgotten by many users…

Page 28

• We <3 Google
• Tracks your location history
• How many use the same password for all sites?

Page 29
Page 30

• 600 Million Users all sharing locations…
• Kevin loves this

Page 31
Page 32

• Barcode Hero? Yeah seriously…

Page 33

QR Codes

Page 34

Rebecca Rolled?

Page 35
Page 36

• Geolocation DoS
• Randomly generate SSIDs
• Fake SSID flood
• Hardware jamming

Page 37

• 2008 Research by Students from ETH Zurich
• AP Impersonation
• WLAN Jamming
• SkyHook DoS

Page 38

• [Disclaimer] These are illegal!
• Easy to buy overseas

Page 39
Page 40
Page 41
Page 42

• http://ilektrojohn.github.com/creepy/
• Geolocation stalking tool!
• Works on Windows and Linux

Page 43

• Sniff and Spoof (Man-in-the-Middle Attacks)
• Or… just use FireSheep and hijack the account for location data
• Fun at conferences and hotels ;-)

Page 44
Page 45

• Proxies
• Tor (still slow)
• Moxie Marlinspike’s GoogleSharing creates interesting possibilities

Page 46
Page 47
Page 48

• Blackberry
• iPhone
• Android

Page 49

• Fake Location App (iPhone/Android)
• Geolocater Firefox Plugin
• Manually manipulate Firefox, use touch.facebook.com

Page 50
Page 51

• FourSquare “gaming the system”
• Lots of scripts, programs to do this… even a Metasploit module! (thanks to CG)

Page 52
Page 53

• Pulls location information without the user knowing
• Hooked through Skyhook
• Developer gets your location
• Great for stalking app users…

Page 54
Page 55

• Plug-ins for BeEF to retrieve HTML5 Geolocation
  – Designed for PHP version of BeEF
• Allows the attacker to track the victims
• Scope testing for pen-testers

Page 56

• Enhances upon the BeEF framework
  – Part of the HTML5 plug-ins
• Determines if the payload is supported
• Retrieves the location for the controller

Page 57

• Geolocation can be problematic
  – Current browsers respond erratically
    • Often just the first time it’s called
  – Support is getting better every day
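An added example, not code from the slides or from BeEF: a small wrapper around the W3C Geolocation API introduced on page 23 that copes with the erratic first-call behaviour this slide describes. `geo` stands for `navigator.geolocation` in a browser; the error codes are the API's own `PositionError` codes, and the timeout and retry count are assumed defaults.

```javascript
// Added example (not from the slides): wrapper around the W3C Geolocation API.
// `geo` is navigator.geolocation in a browser; anything exposing the same
// getCurrentPosition(success, error, options) signature works, which is how the
// behaviour can be exercised outside a browser.
// PositionError codes defined by the W3C Geolocation API:
const GEO_ERRORS = { 1: "PERMISSION_DENIED", 2: "POSITION_UNAVAILABLE", 3: "TIMEOUT" };

function requestLocation(geo, onResult, { timeoutMs = 5000, retries = 1 } = {}) {
  if (!geo || typeof geo.getCurrentPosition !== "function") {
    onResult({ ok: false, error: "UNSUPPORTED" });
    return;
  }
  const attempt = (retriesLeft) => {
    geo.getCurrentPosition(
      (pos) => onResult({
        ok: true,
        lat: pos.coords.latitude,
        lon: pos.coords.longitude,
        accuracy: pos.coords.accuracy, // metres; very large values suggest an IP/cell fallback
      }),
      (err) => {
        const name = GEO_ERRORS[err.code] || "UNKNOWN";
        // A denied permission prompt is the user's decision: never re-prompt for it.
        // TIMEOUT and POSITION_UNAVAILABLE are the transient cases (the "erratic first
        // call" the slide describes), so retry those a bounded number of times.
        if (name !== "PERMISSION_DENIED" && retriesLeft > 0) {
          attempt(retriesLeft - 1);
          return;
        }
        onResult({ ok: false, error: name });
      },
      // maximumAge: 0 forces a fresh fix; the timeout keeps a hung provider from blocking.
      { enableHighAccuracy: false, timeout: timeoutMs, maximumAge: 0 }
    );
  };
  attempt(retries);
}
```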

Page 58: Social Zombies Gone Wild: Totally Exposed and Uncensored

Ruby BeEF •  Geoloca>on  plug  in  is  part  of  the  Ruby  version  of  BeEF  

•  Supports  most  browsers  –  IE  is  s>ll  problema>c  – Kevin  and  Frank  are  working  on  an  update  

•  Displays  coordinates  in  the  results  

Page 59
Page 60

• Inadvertent Location Sharing
  – Many mobile apps enable this by default!
• Cyberstalking
• Physical Security

Page 61

• You automatically allow your location to be shared with applications you use!
• Apple’s 159+ page Terms of Service state…

“By using any location-based services on your iPhone, you agree and consent to Apple’s and its partners’ and licensees' transmission, collection, maintenance, processing, and use of your location data to provide such products and services.”

Page 62

• What does your phone or browser leave behind?
• Can you be tracked?
• How many of us sell our phones on eBay/Craigslist?

Page 63
Page 64

• Anonymize your location
• Allow access to delete/remove location data
• Ability to turn off location based services
• What are the W3C devs doing?

Page 65
Page 66

- Image from Broadstuff.com

Page 67

• Getting more popular for promotions/prizes (Starbucks)
• How do you verify check-in?
• Lots of *fun* ways to abuse the system
• Two-factor geo check-ins?
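How a service could answer the verification question on this slide, as an added example that is not code from the slides or from FourSquare/Gowalla; it also covers the “gaming the system” point on page 51. The claimed fix must be tight enough to mean anything, must fall inside the venue radius, and must not imply impossible travel from the user's last accepted check-in. Venue coordinates, the accuracy ceiling and the speed limit are assumed values.

```javascript
// Added example (not from the slides): server-side sanity checks for a location
// check-in. All thresholds and coordinates are assumed, not taken from any service.
const EARTH_RADIUS_M = 6371000;

// Great-circle distance in metres between two lat/lon points (haversine formula).
function haversineMetres(lat1, lon1, lat2, lon2) {
  const toRad = (d) => (d * Math.PI) / 180;
  const dLat = toRad(lat2 - lat1);
  const dLon = toRad(lon2 - lon1);
  const a = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(lat1)) * Math.cos(toRad(lat2)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_M * Math.asin(Math.sqrt(a));
}

// checkIn:  { lat, lon, accuracy (metres), ts (ms since epoch) } as reported by the client
// venue:    { lat, lon, radius (metres) }
// previous: the user's last accepted check-in { lat, lon, ts }, or null
function verifyCheckIn(checkIn, venue, previous, opts = {}) {
  const { maxAccuracy = 500, maxSpeedMps = 250 } = opts; // 250 m/s is roughly airliner speed
  const reasons = [];
  // 1. A reported accuracy radius wider than maxAccuracy is typical of IP or cell-tower
  //    fallback rather than GPS; such a claim cannot place the user at a specific venue.
  if (checkIn.accuracy > maxAccuracy) reasons.push("accuracy_too_coarse");
  // 2. The claimed position, allowing for its reported accuracy, must overlap the venue.
  const d = haversineMetres(checkIn.lat, checkIn.lon, venue.lat, venue.lon);
  if (d - checkIn.accuracy > venue.radius) reasons.push("outside_venue");
  // 3. Impossible travel: distance from the last accepted check-in over the elapsed time.
  //    Spoofed coordinates tend to jump between cities faster than anyone can move.
  if (previous) {
    const seconds = (checkIn.ts - previous.ts) / 1000;
    const travelled = haversineMetres(previous.lat, previous.lon, checkIn.lat, checkIn.lon);
    if (seconds <= 0 || travelled / seconds > maxSpeedMps) reasons.push("impossible_travel");
  }
  return { accepted: reasons.length === 0, distanceToVenue: Math.round(d), reasons };
}
```

A "two-factor" check-in would add a second signal on top of these checks, such as a code shown only at the venue, but the distance and velocity tests are the cheap first filter.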

Page 68

• Ensure “full disclosure” of how you use location based data
• Implement PETs
• Demand more/get involved with W3C
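One concrete PET for the “anonymize your location” item on page 64 and the “Implement PETs” item here, as an added example rather than code from the slides: snap a fix to the centre of a fixed latitude/longitude grid cell before it leaves the device, and widen the reported accuracy so nobody downstream can treat the snapped point as exact. The cell size (0.01 degrees, about 1.1 km north-south) is an assumed policy value.

```javascript
// Added example (not from the slides): coordinate coarsening as a privacy-enhancing
// technique. cellsPerDeg = 100 gives 0.01-degree cells; this is an assumed policy value.
const METRES_PER_DEG = 111320; // length of one degree of latitude, roughly constant

function coarsenPosition(pos, cellsPerDeg = 100) {
  // Integer cell indices. Multiplying (rather than dividing by 0.01) keeps exactly
  // representable inputs such as 41.5 from landing on the wrong side of a boundary.
  const latCell = Math.floor(pos.lat * cellsPerDeg);
  const lonCell = Math.floor(pos.lon * cellsPerDeg);
  const lat = (latCell + 0.5) / cellsPerDeg; // cell centre, so every fix inside the
  const lon = (lonCell + 0.5) / cellsPerDeg; // cell is reported as the same point
  // Worst-case offset of the true point from the centre is the half-diagonal of the
  // cell; longitude cells shrink toward the poles, so scale that side by cos(latitude).
  const halfLatM = (0.5 / cellsPerDeg) * METRES_PER_DEG;
  const halfLonM = halfLatM * Math.cos((lat * Math.PI) / 180);
  const cellError = Math.ceil(Math.hypot(halfLatM, halfLonM));
  return {
    lat: Number(lat.toFixed(6)),
    lon: Number(lon.toFixed(6)),
    // Never claim better precision than the cell; keep a worse original accuracy as-is.
    accuracy: Math.max(pos.accuracy || 0, cellError),
  };
}

// True when two raw fixes coarsen to the same reported point, i.e. they are
// indistinguishable to whoever receives the coarsened data.
function indistinguishable(a, b, cellsPerDeg = 100) {
  const ca = coarsenPosition(a, cellsPerDeg);
  const cb = coarsenPosition(b, cellsPerDeg);
  return ca.lat === cb.lat && ca.lon === cb.lon;
}
```

The cell grid is fixed rather than centred on the user, otherwise repeated reports would reveal the true point as the centre; the same reason argues against simply adding random noise each time, which averages out over many reports.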

Page 69

• To share or not to share?
• Share with only a select group? Example: create a list in Facebook, share only with them
• Think before sharing your location
• Read the TOS, privacy policy of apps and services

Page 70

• SocialMediaSecurity.com
• Kevin will be submitting BeEF patches
• Follow us: @agent0x0 @secureideas
• Friend Kevin on Facebook. Really.

Page 71