(The attack in question has been demo’ed only on Android handsets, but it’s not clear it’s limited to that platform.)
In order for phones to do their assisted-GPS/SkyHook/whatever magic, they have to ping a server for help. Those requests go out over a plain, unauthenticated Internet link, so if you’re on the same WiFi as a phone that sends one, you can hijack and redirect it. That means you can see where the phone is, and you can tell the phone to always use your server in the future. If that phone next finds itself in Timbuktu, it’ll still route all its “help me figure out where I am” requests through your server, which means you know where it is until it dies (which, hopefully, is as soon as the owner figures out that the best way to preserve privacy with a smartphone is by dropping it in a toilet). And this could apply to every Android phone that connects to your malicious WiFi network.
Of course, since the phones are routing a bunch of obscure requests over your server, you can probably exploit them in other ways too.
(I’m vaguely reminded of a certain antenna-studded shopping cart that showed up in various parts of the Boston area a while back… with a decent omnidirectional antenna, a malicious person could snag a lot of phones looking for WiFi.)
Chip killing: Success! At least in theory. Finished the HV probe for my ‘scope, so now I have real data instead of “did the LED die or not.” Overall the results fit the theoretical predictions nicely:
* The highest voltage areas were outside the stun-gun probe gap area, but in line with the probes.
* Changing the stun-gun arc length did indeed affect measured voltage.
* And, surprisingly, I got the best results by connecting one of the probes directly to the banana (a wire jabbed into it) with an alligator clip lead. This suggests that the voltage intensity around the one probe varies with the inverse of the probe-to-banana impedance of the other probe. If the second probe has a great connection, all the change-in-voltage-per-change-in-distance is concentrated at the first.
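Treating the two arc gaps as series impedances in the stun-gun circuit gives a one-line model for that last observation (added illustration, not one of the measurements above; $Z_1$ and $Z_2$ are the probe-to-banana impedances of the first and second probe, $V$ the stun-gun output voltage across both gaps):

$$V_1 = V \frac{Z_1}{Z_1 + Z_2}, \qquad V_1 \to V \text{ as } Z_2 \to 0$$

So with the second probe clipped straight to the banana ($Z_2 \approx 0$), essentially the whole output voltage drops across the first probe’s gap, which is where the steepest change-in-voltage-per-change-in-distance shows up.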
Also, it’s easy to reduce the arc-per-second rate of the stun gun (useful for making more repeatable measurements) by putting a 10 ohm resistor in series with one of the batteries.
“Smartphones do not use GPS satellites alone to determine their location, because doing so accurately requires complex calculations based on signals collected from four orbiting satellites, a process that takes as long as 12 minutes. Instead, they use assisted GPS (A-GPS), in which a cellular network supplies an approximate location to simplify and speed up the necessary GPS calculations. A-GPS also allows a device to ask the mobile network to do the work and send back the exact location fix once it’s finished.
Weimann discovered that the messages that pass between a phone and its network during this process aren’t exchanged over a secure connection, but rather over a non-secure Internet link. That makes it possible to trick a phone into swapping A-GPS messages with an attacker instead, Weimann realized, and to have that attacker know the result of every location fix wherever the phone goes.
Using this method, a malicious Wi-Fi network could instruct phones to relay back all future requests for A-GPS help and to report all location fixes, even after the phone goes out of range. “If you just turn it on once and connect to that one network, you can be tracked any time you try to do a GPS lock,” said Weimann. “This is rather nasty.”
Weimann demonstrated the vulnerability on a variety of Android handsets and said that handset manufacturers haven’t bothered to implement technologies that could prevent such attacks. The problem is solvable, though, and Weimann said it will likely be addressed in future versions of software from mobile-device manufacturers. “I wouldn’t count on it until you buy the next-gen device.””
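The following is a toy simulation of the exchange described above and in the quoted article, added here as an illustration; it is not code from this post, from Weimann, or the real A-GPS/SUPL wire format. The server names, cell hints, fake position fixes and the carrier key are all made up for the example. A phone sends a plaintext "help me locate" request to whatever assistance server it last learned; a hostile network answers every such request itself, returns a correct-looking fix, and tells the phone to use the attacker’s server from now on. A hardened variant only accepts a server change that carries a MAC under a key the carrier provisioned (standing in for signed provisioning or an authenticated channel).

```python
import hashlib
import hmac

# Placeholder names for this constructed example.
LEGIT_SERVER = "agps.carrier.example"
EVIL_SERVER = "agps.attacker.example"

# Key assumed to be provisioned into the phone by the carrier (made up).
CARRIER_KEY = b"constructed-demo-key"


def make_fix(cell_hint):
    """Stand-in for the server-side position calculation: one fake fix per cell."""
    return {"lat": 10.0 + cell_hint, "lon": 20.0 + cell_hint}


class LegitServer:
    def handle(self, request):
        return {"fix": make_fix(request["cell_hint"])}


class AttackerServer:
    def __init__(self):
        self.log = []  # every fix the attacker got to see

    def handle(self, request):
        # Answer correctly so the victim notices nothing, but point it at us for good.
        fix = make_fix(request["cell_hint"])
        self.log.append(fix)
        return {"fix": fix, "new_server": EVIL_SERVER}


class Network:
    """A link the phone is attached to. A hostile one hands every A-GPS request
    to the attacker no matter which server it was addressed to (the request is
    plaintext, so nothing stops the redirect)."""

    def __init__(self, servers, hijacker=None):
        self.servers = servers    # name -> server object
        self.hijacker = hijacker  # AttackerServer, or None for an honest link

    def deliver(self, request):
        if self.hijacker is not None:
            return self.hijacker.handle(request)
        return self.servers[request["to"]].handle(request)


class Phone:
    """Vulnerable phone: trusts any response, including a server change."""

    def __init__(self):
        self.agps_server = LEGIT_SERVER

    def locate(self, network, cell_hint):
        resp = network.deliver({"to": self.agps_server, "cell_hint": cell_hint})
        if "new_server" in resp:
            self.agps_server = resp["new_server"]
        return resp["fix"]


class HardenedPhone(Phone):
    """Same flow, but a server change must be authenticated under CARRIER_KEY."""

    def locate(self, network, cell_hint):
        resp = network.deliver({"to": self.agps_server, "cell_hint": cell_hint})
        if "new_server" in resp:
            expected = hmac.new(CARRIER_KEY, resp["new_server"].encode(),
                                hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, resp.get("new_server_mac", "")):
                self.agps_server = resp["new_server"]
            # otherwise: unauthenticated redirect, ignored
        return resp["fix"]


def run_scenario(phone_cls):
    """Home WiFi (honest), then the attacker's WiFi, then a far-away honest link.
    Returns (server the phone now trusts, number of fixes the attacker saw)."""
    attacker = AttackerServer()
    servers = {LEGIT_SERVER: LegitServer(), EVIL_SERVER: attacker}
    home_wifi = Network(servers)
    cafe_wifi = Network(servers, hijacker=attacker)
    far_away = Network(servers)

    phone = phone_cls()
    phone.locate(home_wifi, cell_hint=1)  # normal: attacker sees nothing
    phone.locate(cafe_wifi, cell_hint=2)  # hijacked once
    phone.locate(far_away, cell_hint=3)   # does the attacker still see this one?
    return phone.agps_server, len(attacker.log)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(Phone))
    print("hardened:  ", run_scenario(HardenedPhone))
```

The vulnerable phone ends up pointed at the attacker’s server and the attacker sees the fix made on the far-away network too; the hardened phone keeps its original server and the attacker only sees the one fix made while the phone was on the hostile WiFi. That residual leak is the point worth noticing: authenticating the server pointer stops the persistent tracking, but the request itself is still plaintext, so hiding even the one-off fix would need the request to go to an authenticated server over an encrypted channel (TLS with server authentication, say), which is my suggestion rather than anything the article specifies.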