Schneier on Security

A blog covering security and security technology.

« Me on Airport Security | Main | David Kahn Donates his Cryptography Collection to the National Cryptologic Museum »

November 23, 2010

Spoofing Geolocation

How to spoof your location on Facebook with your BlackBerry.

Posted on November 23, 2010 at 1:08 PM • 19 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

Davi Ottenheimer • November 23, 2010 1:34 PM

That's only one step removed from just typing your "spoof" location into the comment field.

Since this method is input a location into your phone's GPS simulator instead, I guess some people might see the output as more trusted.

But that begs the question why your "friends" need updates to be more trusted than if you type location in yourself.

Ping-Che Chen • November 23, 2010 1:58 PM

Of course, you can "spoof" your location long before this. Simply give your phone to another person to take it to the intended location. It's not very difficult.

I think the intention of these location services is never to "proof" the user's actual location since it's almost impossible. They are simply information services: which makes it easier for users to tell their friend where they are.

Dominik • November 23, 2010 2:11 PM

Why would you even consider uploading your location to facebook in the first place?

Nick P • November 23, 2010 2:35 PM

Its even easier than that...
1. Use Firefox
2. Install the Geolocator add-on
3. Pick anywhere in the world via the add-on
4. Go to a location aware site and check-in

marius • November 23, 2010 3:27 PM

Well, I believe the point of places in Facebook is pure entertainment. It is for all of them who loves telling everyone what they have for supper every night. Why not tell everyone they are at the mall?

And that's why the point of spoofing your location is equally "useless" in any real setting. Use it on april 1st to fool people into thinking you won the lottery and went to ****. As soon as a crime is committed there is more reliant ways of finding your location.

Chris • November 23, 2010 3:44 PM

Good god people, it's for giggles, not Serious Location Spoofing Business.

I look forward to checking in to FourSquare from Vostok Station tonight.

PaulM • November 23, 2010 4:36 PM

This capability is built into every android phone on the market. You can access it using the android dev tools, or on an unlocked developer phone, from the location settings menu.

Mark • November 23, 2010 11:00 PM

Not a really new thing. Sometime ago, I used to tweet from the NSA HQ...

Winter • November 24, 2010 1:00 AM

There are travel agencies for "business" people who will organize fake trips. I read about it in the newspapers (so it must be true ;-)

You go to them telling when you are to be at what place.

They deliver used travel documents, subway and museum tickets, sale slips, and souvenirs. They even take pictures with your camera. And they brief you on the weather and news. All to show your family you were actually there.

In the mean time, you are with your date somewhere else.

To be complete, your Geolocation must match. So this IS useful. In a way.

a. • November 24, 2010 1:28 AM

You can also check in anyone with you to any place in Facebook or they can check you in.

Clutch • November 24, 2010 1:35 AM

This is similar to APRS within the amateur radio community. Anyone can send an arbitrary GPS location to the database.

As long as you can control the passage of the (a)GPS to the application, this sort of thing will occur, from telematics to FaceSpace.

OTOH, as was previously noted, updating my FB status from McMurdo Station while pinging a tower in Camden, NJ is pretty easy to spot.

Clutch • November 24, 2010 1:47 AM

Check out FakeLocation for the iPhone.

Paeniteo • November 24, 2010 1:51 AM

@Nick P: "2. Install the Geolocator add-on"

Could you be a bit more precise, please?
I could only find one "Geolocation" add-on that however appears to be incompatible with Fx 3.6...

alfora • November 24, 2010 2:14 AM

"Update: I may have just killed Foursquare… whoops."

ROFL

Clutch • November 24, 2010 3:25 AM

Please, let's not turn this into a firmware war. It can be done with anything. From Mag-Lite battery packs to iPhone4, you can make it send whatever lat/lon you feel like.

"Thirty-four degrees, ten minutes, fifteen seconds North; one hundred eighteen degrees, nine minutes, three seconds West."

blue • November 24, 2010 5:04 AM

Secure the device as much as you like, if it uses GPS you can still spoof it.

(disclosure: I work for this company)
http://labsat.co.uk/

RH • November 24, 2010 4:11 PM

Cool idea but... what about leaving your phone at home? Or are we now impotent without google maps and live feeds of meaningless information?

ShadowHatesYou • November 24, 2010 6:29 PM

There's another way to do this on any phone: Abuse the use of google's
services. Pretty much all geolocation on phones is done either via
GPS(which can be disabled in security settings, or in the case of
verizon blackberries is unavailable to non-verizon approved
applications such as Google Maps), or failing that the use of the
google gears geolocation API. The google gears geolocation API uses
the MAC addresses of wifi access points to determine your location,
and pretty much every application I've looked at that does geolocation
falls back to this one single API, with documentation available at
http://code.google.com/apis/gears/...

The following bash script will look up the GPS coordinates for a given
AP, as detected by the google street view car:
http://squatthis.net/papers/whereisap.sh

This API presents 2 painfully obvious problems:

1) Anyone can spoof a MAC address with an access point, so the use of
MACs for geolocation provides an unreliable reference that can be
cheated easily, without purchasing any special equipment what-so-ever.
All you need to lie to a device is a wireless router, or failing that
a wifi card that supports traffic injection. Place your wifi card
right next to the phone and start injecting beacon frames(which can be
generated via packetforge-ng), and all of a sudden your phone thinks
it's somewhere it's not. My blackberry exhibits this behavior, and
doesn't care about the other wifi signals in the area.

2) When a computer system is compromised, or a java applet is allowed
to run(The MAC address can be obtained by doing either an arp -a, or
using the java equivilent to obtain the default gateway's MAC
address.), a computer can be geolocated to a *very* specific area,
with the nearest address provided like so:

shadow@tourian:~/www/papers> ./whereisap.sh 00-C0-26-A9-42-F7
{"location":{"latitude":36.1741596,"longitude":-86.7514764,"address":{"country":"United
States","country_code":"US","region":"Tennessee","county":"Davidson","city":"Nashville","street":"Fatherland
St","street_number":"1004","postal_code":"37206"},"accuracy":73.0},"access_token":"2:j6Ln5E70bAfWUr5w:2rS_7lt-3gWX-xY7"}

How long until we start seeing *incredibly* geolocation-assited
targetted ads? There's no throttling applied to these API queries(as
most mobile devices are NATed), so there's really no stopping
advertisers from embedding applets and sending the MAC back to the
server.

Steve • February 5, 2012 7:07 PM

What's Shakin does a nice job of geo location spoofing: http://whatshakin.net/

Post a comment

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

Subscribe via Kindle

Blog Menu

Search

Powered by DuckDuckGo

Blog Home Page
100 Latest Comments

Archives by Date

2013 J F M A M
2012 J F M A M J J A S O N D
2011 J F M A M J J A S O N D
2010 J F M A M J J A S O N D
2009 J F M A M J J A S O N D
2008 J F M A M J J A S O N D
2007 J F M A M J J A S O N D
2006 J F M A M J J A S O N D
2005 J F M A M J J A S O N D
2004 J F M A M J J A S O N D