Social Zombies Gone Wild: Totally Exposed and Uncensored

Tom Eston
Manager, Attack & Defense Team at SecureState
•    Senior Security Consultant, SecureState	

•    Founder of SocialMediaSecurity.com	

•    Facebook Privacy & Security Guide	

•    Blogger	

•    Co-host of Security Justice, Social Media
     Security Podcasts
•    Security Consultant, Secure Ideas	

•    Author Sec542 from SANS	

•    Instructor of the SamuraiWTF class	

•    SANS Internet Storm Center Handler	

•    Project lead for:	

     –  SamuraiWTF	

     –  Yokoso!	

     –  Laudanum	

     –  WeaponizedFlash
•  Location Based Services are exactly that	

•  Services that provide your location to others	

  –  Be them friends or companies that want to know	

•  These services can be built into our devices
   and software or programs we sign up for	

  –  Can tell where we are or where we aren’t
Chart: Gigaom.com

“The market for location-based services on mobile phones will be worth about $3 billion in 2013…”

- Frost and Sullivan (Market Research Firm)
•  The original way of performing geo-location
   checks	

•  Determined through ISP lookups and whois
   records	

•  Prone to misleading results	

  –  Due to ISP location being reported	

•  Popular with Banners/Adult Advertising
•  Researchers have found new ways to get closer results via IP address

•  Typical results used to get you within 200 kilometers (time based)

•  Now within a few hundred meters!

•  Creates new ways for adversaries and the government to track you :)

•  Using proxies seems to help…but who controls these?
•  GPS in the mobile device was 
   revolutionary	

  –  Users have embraced it	

•  We have our phone with us everywhere	

•  Ability to use web based tech with the mobile
   GPS has changed the way we use phones!	

  –  Mash-ups for the win!
•    GPS	

•    WiFi	

•    Bluetooth	

•    RFID	

•    3G/EDGE, CDMA, GSM	

•    We pack our phones with the latest wireless tech…
•    IP address	

•    RFID	

•    WiFi and Bluetooth MAC addresses	

•    GSM/CDMA cell IDs	

•    Manual user input
•  Service Examples:	

   –  Google Location Services	

      •  Cell Tower 	

      •  Wifi based	

   –  Skyhook/Loki	

      •  Wifi based
•  Many new providers of Geolocation data	

•  Skyhook	

•  SimpleGeo (working on Geofences)
•  Yes, it's scary and has been around for a few
   years	

•  Your phone determines if you are in a location
   or not	

•  iOS4 already supports background geo	

•  SimpleGeo can do this in 6 lines of code	

•  30 lines to support background geo tracking on
   iOS4
“So you basically just say, Track User and we handle that in our API along with record history. I can then come back and say, Show me the last 10 places the user was,” Stump continues...

Creepy? Sort of. Powerful and easy? Yes.

- TechCrunch Interview w/SocialGeo co-founder Joe Stump
•  Firefox ( 3.5 uses Google) 	

•  Opera (nightly build uses
   Skyhook)	

•  Safari (uses Skyhook in
   iPhone/iPad)	

•  Chrome (uses Google)	

•  Internet Explorer 9 
   (HTML5-based)
Geolocation is not standardized…yet.	

•  Follow the Geolocation developer mailing
   list...it's fun!	

  – http://www.w3.org/2008/geolocation/
•  How will developers use this?	

•  W3C Geolocation API	

•  Code is easy to manipulate for evil
   things
•  Now available in Safari, Opera and
   Chrome	

•  The Evercookie (Samy Kamkar)	

•  Store and track your locations as well
FourSquare/Gowalla

•  These games are supposed to be fun,
   right?
•  Opt in by default	

•  Built into the API	

•  Forgotten by many users…
•  We ♥ Google	

•  Tracks your location history	

•  How many use the same password for all sites?
•  600 Million Users all
   sharing locations…	

•  Kevin loves this
•  Barcode Hero? 
   Yeah seriously…
QR Codes

Rebecca Rolled?
•    Geolocation DoS	

•    Randomly generate SSIDs	

•    Fake SSID flood	

•    Hardware jamming
•  2008 Research by
   Students from ETH
   Zurich	

•  AP Impersonation	

•  WLAN Jamming	

•  SkyHook DoS
•  [Disclaimer] These are
   illegal!	

•  Easy to buy overseas
•  http://ilektrojohn.github.com/creepy/	
•  Geolocation stalking tool!	

•  Works on Windows and Linux
•  Sniff and Spoof (Man-in-the-Middle Attacks)	

•  Or…just use FireSheep and hijack the
   account for location data	

•  Fun at conferences and hotels ;-)
•  Proxies	

•  Tor (still slow)	

•  Moxie Marlinspike's GoogleSharing
    creates interesting possibilities
•  Blackberry	

•  iPhone	

•  Android
•  Fake Location App (iPhone/Android)	

•  Geolocater Firefox Plugin	

•  Manually manipulate Firefox, use
   touch.facebook.com
•  FourSquare gaming
   the system 	

•  Lots of scripts,
   programs to do
   this…even a
   Metasploit module!
   (thanks to CG)
•  Pulls location information without the user
   knowing	

•  Hooked through Skyhook	

•  Developer gets your location	

•  Great for stalking app users…
•  Plug-ins for BeEF to retrieve HTML5
   Geolocation	

  –  Designed for PHP version of BeEF	

•  Allows the attacker to track the victims	

•  Scope testing for pen-testers
•  Enhances upon the
   BeEF framework	

  –  Part of the HTML5
     plug-ins	

•  Determines if the
   payload is supported	

•  Retrieves the location
   for the controller
•  Geolocation can be problematic	

  –  Current browsers respond erratically	

     •  Often just the first time it's called	

  –  Support is getting better everyday
Ruby BeEF

•  Geolocation plug-in is part of the Ruby version of BeEF

•  Supports most browsers

  –  IE is still problematic

  –  Kevin and Frank are working on an update

•  Displays coordinates in the results
•  Inadvertent Location Sharing	

   –  Many mobile apps enable this by default!	

•  Cyberstalking	

•  Physical Security
•  You automatically allow your location to be shared with
   applications you use!	

•  Apple's 159+ page Terms of Service state…

   “By using any location-based services on your iPhone, you agree and consent to Apple's and its partners' and licensees' transmission, collection, maintenance, processing, and use of your location data to provide such products and services.”
•  What does your phone or browser leave
   behind?	

•  Can you be tracked?	

•  How many of us sell our phones on eBay/
   Craigslist?
•  Anonymize your location	

•  Allow access to delete/remove location
   data	

•  Ability to turn off location based services	

•  What are the W3C devs doing?
- Image from Broadstuff.com
•  Getting more popular for promotions/
    prizes (Starbucks)	

•  How do you verify check-in? 	

•  Lots of *fun* ways to abuse the system	

•  Two-factor geo check-ins?
•  Ensure full disclosure of how you use
   location based data	

•  Implement PETs	

•  Demand more/get involved with W3C
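The W3C Geolocation API slide, the "browsers respond erratically" caveat and the "anonymize your location / implement PETs" recommendations come together in the following added example (not from the slides, and not BeEF or any project's code): a JavaScript wrapper that bounds how long a position request may hang and coarsens the coordinates to a grid cell before application code sees them. `coarsen`, `requestCoarseLocation` and the three fake geolocation objects are constructed for this example; in a browser, `navigator.geolocation` would be passed as `geo`.

```javascript
// Added example (not from the slides or from BeEF): a defensive wrapper around the
// W3C Geolocation API. It bounds how long getCurrentPosition() may hang, since the
// slides note browsers often answer only the first time it is called, and coarsens
// the fix so application code receives a grid cell (~`metres` wide), not a point.
// `geo` is any object exposing getCurrentPosition(); in a browser, pass navigator.geolocation.

// Snap a coordinate to a grid roughly `metres` on a side. One degree of latitude is
// about 111,320 m; a degree of longitude shrinks by cos(latitude). The longitude
// step is derived from the snapped latitude so every point in a row shares one grid.
function coarsen(lat, lon, metres) {
  const latStep = metres / 111320;
  const snappedLat = Math.round(lat / latStep) * latStep;
  const lonStep = metres / (111320 * Math.cos(snappedLat * Math.PI / 180));
  return { lat: snappedLat, lon: Math.round(lon / lonStep) * lonStep };
}

// PositionError.code values defined by the W3C Geolocation API.
const ERROR_NAMES = { 1: 'PERMISSION_DENIED', 2: 'POSITION_UNAVAILABLE', 3: 'TIMEOUT' };

// done(err, fix): fix is an already-coarsened {lat, lon}; err.message is one of the
// names above, 'UNSUPPORTED' (no Geolocation API present) or 'UNKNOWN'.
function requestCoarseLocation(geo, options, done) {
  const { metres = 1000, timeoutMs = 5000 } = options || {};
  if (!geo || typeof geo.getCurrentPosition !== 'function') {
    done(new Error('UNSUPPORTED'));
    return;
  }
  let settled = false;
  let timer = null;
  const finish = (err, fix) => {
    if (settled) return;            // first answer wins; late callbacks are ignored
    settled = true;
    clearTimeout(timer);
    done(err, fix);
  };
  // Keep our own timer: the API's `timeout` option is honoured unevenly across browsers.
  timer = setTimeout(() => finish(new Error('TIMEOUT')), timeoutMs);
  geo.getCurrentPosition(
    (pos) => finish(null, coarsen(pos.coords.latitude, pos.coords.longitude, metres)),
    (err) => finish(new Error(ERROR_NAMES[err.code] || 'UNKNOWN')),
    { enableHighAccuracy: false, timeout: timeoutMs, maximumAge: 60000 }
  );
}

// Constructed stand-ins so the example runs outside a browser.
const fakeGeoOk = { getCurrentPosition(ok) {
  ok({ coords: { latitude: 41.4993, longitude: -81.6944, accuracy: 20 } }); } };
const fakeGeoDenied = { getCurrentPosition(_ok, fail) { fail({ code: 1 }); } };
const fakeGeoSilent = { getCurrentPosition() { /* never answers, like a stuck second call */ } };

if (typeof require !== 'undefined' && require.main === module) {
  requestCoarseLocation(fakeGeoOk, {}, (e, fix) => console.log('fix:', fix));
  requestCoarseLocation(fakeGeoDenied, {}, (e) => console.log('error:', e.message));
  requestCoarseLocation(fakeGeoSilent, { timeoutMs: 200 }, (e) => console.log('error:', e.message));
}
```

With a 1000 m grid the returned point is at most about 500 m from the real fix along either axis, which is enough for a neighbourhood check-in feature but not for tracking a person to a doorstep.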
•  To share or not to share?	

•  Share with only a select group? Example:
   create a list in Facebook, share only with
   them	

•  Think before sharing your location	

•  Read the TOS, privacy policy of apps and
   services
•    SocialMediaSecurity.com	

•    Kevin will be submitting BeEF patches	

•    Follow us: @agent0x0 @secureideas	

•    Friend Kevin on Facebook. Really.