Davi OttenheimerNovember 23, 2010 1:34 PM

That's only one step removed from just typing your "spoof" location into the comment field.

Since this method is input a location into your phone's GPS simulator instead, I guess some people might see the output as more trusted.

But that begs the question why your "friends" need updates to be more trusted than if you type location in yourself.

Ping-Che ChenNovember 23, 2010 1:58 PM

Of course, you can "spoof" your location long before this. Simply give your phone to another person to take it to the intended location. It's not very difficult.

I think the intention of these location services is never to "proof" the user's actual location since it's almost impossible. They are simply information services: which makes it easier for users to tell their friend where they are.

Nick PNovember 23, 2010 2:35 PM

Its even easier than that...
1. Use Firefox
2. Install the Geolocator add-on
3. Pick anywhere in the world via the add-on
4. Go to a location aware site and check-in

mariusNovember 23, 2010 3:27 PM

Well, I believe the point of places in Facebook is pure entertainment. It is for all of them who loves telling everyone what they have for supper every night. Why not tell everyone they are at the mall?

And that's why the point of spoofing your location is equally "useless" in any real setting. Use it on april 1st to fool people into thinking you won the lottery and went to ****. As soon as a crime is committed there is more reliant ways of finding your location.

ChrisNovember 23, 2010 3:44 PM

Good god people, it's for giggles, not Serious Location Spoofing Business.

I look forward to checking in to FourSquare from Vostok Station tonight.

PaulMNovember 23, 2010 4:36 PM

This capability is built into every android phone on the market. You can access it using the android dev tools, or on an unlocked developer phone, from the location settings menu.

WinterNovember 24, 2010 1:00 AM

There are travel agencies for "business" people who will organize fake trips. I read about it in the newspapers (so it must be true ;-)

You go to them telling when you are to be at what place.

They deliver used travel documents, subway and museum tickets, sale slips, and souvenirs. They even take pictures with your camera. And they brief you on the weather and news. All to show your family you were actually there.

In the mean time, you are with your date somewhere else.

To be complete, your Geolocation must match. So this IS useful. In a way.

ClutchNovember 24, 2010 1:35 AM

This is similar to APRS within the amateur radio community. Anyone can send an arbitrary GPS location to the database.

As long as you can control the passage of the (a)GPS to the application, this sort of thing will occur, from telematics to FaceSpace.

OTOH, as was previously noted, updating my FB status from McMurdo Station while pinging a tower in Camden, NJ is pretty easy to spot.

PaeniteoNovember 24, 2010 1:51 AM

@Nick P: "2. Install the Geolocator add-on"

Could you be a bit more precise, please?
I could only find one "Geolocation" add-on that however appears to be incompatible with Fx 3.6...

ClutchNovember 24, 2010 3:25 AM

Please, let's not turn this into a firmware war. It can be done with anything. From Mag-Lite battery packs to iPhone4, you can make it send whatever lat/lon you feel like.

"Thirty-four degrees, ten minutes, fifteen seconds North; one hundred eighteen degrees, nine minutes, three seconds West."

RHNovember 24, 2010 4:11 PM

Cool idea but... what about leaving your phone at home? Or are we now impotent without google maps and live feeds of meaningless information?

ShadowHatesYouNovember 24, 2010 6:29 PM

There's another way to do this on any phone: Abuse the use of google's
services. Pretty much all geolocation on phones is done either via
GPS(which can be disabled in security settings, or in the case of
verizon blackberries is unavailable to non-verizon approved
applications such as Google Maps), or failing that the use of the
google gears geolocation API. The google gears geolocation API uses
the MAC addresses of wifi access points to determine your location,
and pretty much every application I've looked at that does geolocation
falls back to this one single API, with documentation available at

The following bash script will look up the GPS coordinates for a given
AP, as detected by the google street view car:

This API presents 2 painfully obvious problems:

1) Anyone can spoof a MAC address with an access point, so the use of
MACs for geolocation provides an unreliable reference that can be
cheated easily, without purchasing any special equipment what-so-ever.
All you need to lie to a device is a wireless router, or failing that
a wifi card that supports traffic injection. Place your wifi card
right next to the phone and start injecting beacon frames(which can be
generated via packetforge-ng), and all of a sudden your phone thinks
it's somewhere it's not. My blackberry exhibits this behavior, and
doesn't care about the other wifi signals in the area.

2) When a computer system is compromised, or a java applet is allowed
to run(The MAC address can be obtained by doing either an arp -a, or
using the java equivilent to obtain the default gateway's MAC
address.), a computer can be geolocated to a *very* specific area,
with the nearest address provided like so:

shadow@tourian:~/www/papers> ./ 00-C0-26-A9-42-F7

How long until we start seeing *incredibly* geolocation-assited
targetted ads? There's no throttling applied to these API queries(as
most mobile devices are NATed), so there's really no stopping
advertisers from embedding applets and sending the MAC back to the

King ConerSeptember 23, 2016 10:07 AM

None of these things really hide geolocation - it's trivial to look up the associated IP address in a public (or private) geo database. It seems a better spoof is is to use a VPN, Tor, or a proxy prior to visiting any sites.

Somewhere like FaceBook will still be able to tell who you are if you log in to a real account connected to real identity. They even permanently store the IP address you registered from.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.