Tuesday, 5 October 2010

Using a MAC address to find your physical location (via Google Location Services)

If you see Samy's presentation "How I meet your Girlfriend" you will be shown a very good example of what I think is a "perfect storm". Amongst the multiple examples he give, he shows how from a MAC address (which he gets via a router XSS) he is able to discover the girlfriend's address.

And how does Samy does it? He uses Google's Location Services REST API, which returns a nice populated JSON response, filled with location information (longitude, latitude, address, accuracy, etc...), when provided a valid/known-to-Google MAC address. Google knows about MAC addresses from the data feeds provided either by Google's Street View cars or by passing-by pedestrians using Android phones.

After seeing a couple times Samy's presentation I was curious to see if it really worked that way, and unfortunately (for privacy) it does.

For more details on how this works see the O2 Platform script that I wrote in a couple hours yesterday which will find your local router and show you your current location. This wiki page has more technical details and screeshoots: Tool_-_Find_Physical_Location_via_MAC_Address_(using_Google's_APIs).h2 

Here are a couple screenshots of the script in action: