There were similar privacy concerns when it was found that Microsoft were able to generate unique identifying fingerprints of PCs, which they used for license tracking.
This just proves that the debate then was moot, since MAC addresses would become universally unique identifiers. Now everything from phones, routers, computers and laptops all have unique IDs.
To make the situation worse, and unlike the Intel debate, the growth of WiFi means that these unique IDs are actually being broadcast for anybody to pick up and read.
RFID will only make this situation worse. There was so much of a fuss about the Intel IDs back in '99 that I can only think that people care less about their privacy today.
Samy is smart. Been friends with him for about 15 years. One of the smartest hackers I know. Built most of Fonality's backend, too. Also won "Caesars Challenge" in Vegas when he was like 14 years old.
Very clever. What if you used the same attack to modify the router's iptables and open a port to the outside world? Upload some patched firmware and you now have the world's largest botnet.
At the point you can make modifications to the user's local router, it's a much better malicious hack to just change the DNS of every bank's website to go to your data-capture, man-in-the-middle version.
Not clear how to do the equivalent in Chrome yet. What's alarming is, in my brief search, there does not seem to be an easy way to retroactively go back and delete permissions formerly/accidentally granted.
Same thing with html5 storage (offtopic but related). There is likewise no way I know of to browse what exactly is stored in html5 storage via the browser (preferences or otherwise).
Not to downplay a rather interesting vulnerability, but why does it matter if someone figures out where you are?
As much as I love my own real (not internet) privacy, I don't depend on people not knowing where I am. The success of sites such as Foursquare leads me to believe a large number of people feel the same way.
I don't think that he obtained control of the router; the article only states that he managed to get the router's MAC address and then cross-referenced this with Google's WiFi database (I assume). He can't modify the router, just get a routing table from the computer somehow. At least that's what I understand from this article, which is extremely sparse in detail.
He does have control of the router's settings (possibly even the ability to update the firmware with a malicious replacement?). Most routers let you set the DNS server addresses to be provided via DHCP. If you control DNS, you control which addresses domains resolve to. No need to control the routing table.
SSL helps mitigate the damage to some extent, but only if the site uses SSL.
Wait, where does it state he gained access to the router? You can get the MAC address of your router by sending an HTTP request to it. Mine states it on the homepage. Doesn't mean you can change anything on there. What I'd like to know is how he manages to send this request; the JavaScript origin policy should be blocking this.
EDIT: I was referring to the original article. Schneier has a point: if the user has the default password set then yes, he can log in, but how is that even possible on most browsers today, which prevent you from sending AJAX requests to anything but the original server?
EDIT2: Just tried it and got an error from Chrome:
400 Bad Request
Cross Site Action detected!
You need to watch the video again. Starting at 1:20 he mentions logging in using the default admin credentials.
He's using an XSS vulnerability in the router admin interface to execute JavaScript on the router's pages, so he can use JavaScript to do pretty much anything the user can do.
But even without an XSS exploit you can make cross-___domain POSTs using forms, and GETs using IMG or SCRIPT tags. You just can't get the response, so it's not suitable for this attack, where you need to get the MAC address out.
The "Drive-by Pharming" mentioned in the link I posted used the latter technique, because all it needs to do is POST some form that tells the router to update the DNS settings, it doesn't need the response.
He actually mentioned that technique in the video, but sort of glossed over it (right before "now, this isn't necessary in our geolocation XXXSS attack")
The hack relies on a specific XSS vulnerability in the Verizon FiOS router. It requires that you're already logged into your router or that you're using default username/password.
Yes, when the attacker has control of the router, the user is a helpless victim. The next step will probably be a man in the middle attack for online banking.
Maybe, even if the user changed the default password, he probably stored the new credentials in the browser.
Maybe I missed something, but is this really how Firefox's ___location services work? By phoning google with the MAC address? I understood google was logging them, but didn't know they were _using_ them...
The ___location services are pretty creepy actually. I gave a site access and it knew my exact address. I will not be giving another site access, until I can specify that it should only provide my city.
That doesn't necessarily solve the problem. The attack needs to login to some routers to extract the MAC address, but others provide it willingly without login (I believe DD-WRT does this on the default logged-out status page, for example, although I can't check at the moment).
Or even better, change the default IP address for the admin login. This attack relies on a bunch of hidden iframes loading IPs that are common default addresses of the admin login page.
Twice I've had routers notify me that 192.168.0.1 is in use by another network service and automatically remap its own services to 10.0.0.x. One of these times was due to a DSL modem's web administration being on 192.168.0.1.
The attack/code he showed cannot, but what you can do is write different iframes. Here is an example:
a+'.'+b+'.'+c+'.'+d
where a=192 b=168 c=0-255 d=0-255
Of course this could be any private network address range[1]. Next you would use document.write or .innerText to make these iframes. Personally I wouldn't stop at the first one. I would log all the frames that loaded into an array and from there test them further. I would also get the user's IP address and tack on :80, :8080, :21, etc. and see what I am presented with: web torrent frontends, FTP servers, etc.
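Added example, not code from this thread or from the talk it discusses: the enumeration the comment above sketches, generalized to all three RFC 1918 blocks, in JavaScript. Every name here is hypothetical; the choice of .1 and .254 as host octets, of 80/8080/21 as ports, and of walking only 10.x.0.* in 10/8 are assumptions to keep the frame count manageable. The generators run anywhere; the iframe probe needs a browser DOM, and because browsers fire an iframe's load event for error pages too, what it returns is a list of addresses that answered at all, to be tested further as the comment suggests.

```javascript
// Added example, not code from the thread or from the talk it discusses.
// Generalizes the "a+'.'+b+'.'+c+'.'+d" iframe idea above to every RFC 1918
// block. Host octets, ports and scan limits are assumptions, not facts about
// any particular router.

const GATEWAY_HOST_OCTETS = [1, 254];   // where consumer gateways usually sit (assumption)
const PROBE_PORTS = [80, 8080, 21];     // HTTP admin, alternate HTTP, FTP (assumption)

function range(lo, hi) {
  const out = [];
  for (let i = lo; i <= hi; i++) out.push(i);
  return out;
}

// Likely gateway addresses in 192.168/16, 172.16/12 and 10/8.
// 10/8 has 16M hosts, so only 10.x.0.{1,254} is walked (assumption).
function candidateGateways() {
  const addrs = [];
  for (const c of range(0, 255))
    for (const d of GATEWAY_HOST_OCTETS) addrs.push(`192.168.${c}.${d}`);
  for (const b of range(16, 31))
    for (const d of GATEWAY_HOST_OCTETS) addrs.push(`172.${b}.0.${d}`);
  for (const b of range(0, 255))
    for (const d of GATEWAY_HOST_OCTETS) addrs.push(`10.${b}.0.${d}`);
  return addrs;
}

// Cross-product of addresses and ports into URLs an iframe can load.
function probeUrls(addrs, ports = PROBE_PORTS) {
  const urls = [];
  for (const a of addrs) for (const p of ports) urls.push(`http://${a}:${p}/`);
  return urls;
}

// Markup for one hidden frame; the src is attribute-escaped so a crafted
// URL cannot break out of the attribute.
function hiddenIframeMarkup(url) {
  const safe = url.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return `<iframe src="${safe}" style="display:none" width="0" height="0"></iframe>`;
}

// Browser-only: load every URL in a hidden iframe and collect those whose
// load event fires before the deadline. Browsers also fire load for error
// pages, so the result is a candidate list to test further, not a list of
// confirmed admin pages.
function probeInBrowser(urls, deadlineMs, done) {
  if (typeof document === 'undefined') throw new Error('needs a browser DOM');
  const responded = [];
  for (const url of urls) {
    const f = document.createElement('iframe');
    f.style.display = 'none';
    f.addEventListener('load', () => responded.push(url));
    f.src = url;
    document.body.appendChild(f);
  }
  setTimeout(() => done(responded), deadlineMs);
}
```

In a page this would be `probeInBrowser(probeUrls(candidateGateways()), 5000, list => console.log(list))`; the defensive reading is the same as comment above about moving the admin interface off the default address, since a gateway outside the walked host octets never enters the candidate list.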
http://www.schneier.com/essay-187.html