The web attack that leads hackers straight to your home

Mike Halsey MVP
Aug 3, 2010
Updated • Dec 30, 2012

Is it possible, is there such a thing as an attack that can tell a hacker where you live?  The BBC has revealed that a specially booby-trapped website can tell a hacker where you are to only a few meters.

The attack was dreamt up by security expert Sam Kamkar who demonstrated at the Black Hat hackers conference a website exploiting common shortcomings in a router to reveal it's real-world location.

He tricked the router into believing the request for it's ID information was coming from the connected PC, not from the Internet.  He then used the revealed MAC address with a geo-location feature in Firefox to interrogate the database Google gathered when it made its Street View photographs.

The data, which was controversially gathered, linked the MAC addresses of routers to GPS co-ordinates.  "This is geo-location gone terrible," said Mr Kamkar during his presentation. "Privacy is dead people. I'm sorry."

Mikko Hyponnen, senior researcher at F-Secure called the demonstration "very interesting" adding that such a technique could be used for "stalking or targeted attacks against an individual".

"The fact that databases like Google Streetview's Mac-to-Location database or the Skyhook database can be used in these attacks just underlines how much responsibility companies that collect such data have to safeguard it correctly." said Mr Hypponen

In 2005, Mr Kamkar created a work that helped him gain more than 1 million MySpace friends in a single day.

To protect against this kind of attack, it is important to properly secure the wireless router and connection so that data can't just be retrieved and linked to the user. Users who do not make use of location-based features in their browsers may also want to consider turning them off as it makes no sense keeping them turned on if they are not used.

Firefox will display a notification to users when a website or service wants to retrieve the user's location. They then have options to allow or deny the request.



Previous Post: «
Next Post: «


  1. Turko said on August 5, 2010 at 1:03 am

    I disabled geo-lactation in Firefox a while back. It would be nice to know if this is in fact the way to defeat such an attack. Also, I’m sure Tomato and other open source router firmware are now aware of this and will be taking steps aswell.
    “Privacy is gone…” not entirely, it’s just an ogoing battle.

  2. mrburn said on August 4, 2010 at 7:49 am

    The developers atually is “HACKERS”..for business..

  3. BalaC said on August 4, 2010 at 6:07 am

    Its always the hackers who make the developers to think and act.

  4. P.K.ARUN said on August 3, 2010 at 9:36 pm

    Nothing is impossible, Now a days hackers are more talented compared to developers :)

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.