Here's a scenario: you go to a website and they have a signed Java applet in their page. This applet could be any signed applet, from a chat application to a speedtest app through to a game. By the simple act of running that applet, you could be giving the website you are visiting your exact location, all thanks to the Google location database and your Wifi router.
Google's Wifi-based location database is built up from two sources: Android handsets that report back their location and the MAC addresses of any nearby Wifi access points, and the Google Street View cars (though as I understand it the Street View cars no longer harvest Wifi data). So how difficult is it to leverage this information and circumvent your personal security? Shockingly easily, actually.
As many of you have likely experienced, when 'signed' Java applets run you get a pop-up from Java saying 'do you wish to run this signed applet' (or similar). How many people just click OK to this and get on with using the applet? Quite a few. What that click actually does is take the applet out of the Java sandbox, so it can run system commands and open network connections like any program you install. Even if the applet is self-signed, how many less tech-savvy users will know the difference between a self-signed certificate and one issued by a trusted CA?
Here's a rundown of how an unscrupulous site operator could harvest your location:
- Site has a 'signed' Java applet that asks your permission to run
- You run the applet as you are expecting the site to do something, and the applet appears to be signed by them or by a trusted CA
- The applet does what you think it's going to do and you carry on using it
- Without you knowing, the signed applet performs a system call to determine the IP address of your network's 'default gateway'
- The signed applet then performs another system call, this time checking your local 'ARP cache' for the MAC address of your default gateway
- Using that MAC address, the signed applet then makes a 'JSON' call to Google's location database
- If Google has that MAC address in its database, it returns very nearly your exact location. If it does not have your MAC address in its database, it returns an approximate location based on GeoIP
- The signed applet then sends those co-ordinates over AJAX, JSON (or similar) back to the site operators
- The site operators now have your location (or your GeoIP location if Google did not know your MAC)
Naturally, this is going to work better if you are on a Wifi network, though it also works on wired networks as long as your 'default gateway' is also your wireless router (techy note: this is because a lot of wireless router/gateway combos use the same MAC address on both Wifi and wired, as a 'bridge').
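The whole attack hinges on the 'do you wish to run' click, so here is an added example (my own, not the applet from this post) that shows which Java permissions the gateway/ARP system calls and the outbound JSON request above need, and that the default applet sandbox policy denies both while a trusted (accepted signed) applet gets them. Run it with no argument for the sandbox case and with `trusted` for the AllPermission case; the hostname `www.google.com` is only used as a placeholder for the location service.

```java
import java.security.AccessController;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

public class SandboxCheck {
    // Permission needed to spawn a process such as the route/ARP lookup commands.
    static final Permission EXEC = new java.io.FilePermission("<<ALL FILES>>", "execute");
    // Permission needed to open the outbound HTTPS connection for the JSON query
    // (hostname is a placeholder assumed for this example).
    static final Permission NET = new java.net.SocketPermission("www.google.com:443", "connect");

    /** True if the installed SecurityManager (and its Policy) would allow p. */
    static boolean allowed(Permission p) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) return true;          // no sandbox installed at all
        try {
            sm.checkPermission(p);            // throws AccessControlException when denied
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        boolean trusted = args.length > 0 && args[0].equals("trusted");
        if (trusted) {
            // This is what accepting a signed applet amounts to: a policy that
            // grants AllPermission, i.e. every check succeeds.
            Policy.setPolicy(new Policy() {
                @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
            });
        }
        // Note: Java 18+ refuses this unless started with -Djava.security.manager=allow.
        System.setSecurityManager(new SecurityManager());

        System.out.println(trusted ? "Trusted (signed, accepted) applet:" : "Default sandbox (unsigned applet):");
        System.out.println("  spawn route/ARP lookup process : " + allowed(EXEC));
        System.out.println("  connect out for the JSON query : " + allowed(NET));
    }
}
```

With the default sandbox both checks print `false`; with `trusted` both print `true`, which is the difference a single click on the signed-applet prompt makes.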
So you probably noticed the Java applet request when you visited this page. If you clicked 'yes' to run it, you should see a box below with 'show me on a map' (of course, I'm not a Java coder and the app can be temperamental!). If you did not click yes to the Java applet warning when you landed on this page, then you won't see anything where the applet should be. You may also need to enable Java if you did not get a security pop-up warning!
Assuming all went well and you clicked yes, you should see a button at the bottom of this post saying 'show me on a map'. Clicking it will open a popup window to Google Maps which will have the location it thinks you are at. Sadly, it still does not work on Macs, purely as I have not had a Mac to play with, though I would imagine the concept is sound on a Mac (as under the hood that's BSD), but who knows. Perhaps someone can enlighten me? I'd also like to clarify that I do nothing with the data the app gathers: it does not 'talk back' to my site, it does not record your location data, it just uses the data it gathers to show you a 'one time' map using Google Maps. Though my point is site operators or Java applet makers could very, very easily make a similar application talk back to them. This needn't be a Java applet; the concept works equally well in regular Java code that runs as a standalone package on your system.
While I know this app does not work on some platforms, I have tried the app on various platforms with 'default' OS, browser and Java security settings. Here are the results:
- Ubuntu 10.04 & Firefox 3.6.16 (openJDK and icedtea plugin) – works
- Ubuntu 10.04 & Seamonkey 2.0.11 (openJDK and icedtea plugin) – works
- Ubuntu 10.04 & Google chrome 11.0.696.50 (Sun Java 1.6.0_20 libnpjp2.so plugin) – works
- Win Vista Home SP2 & IE 8.0.6001.19048 – works
- Win Vista Home SP2 & 3.6.16 – works
- Win 7 Starter & Firefox 3.6.16 – works
- Win 7 Starter & IE 8.0.7600.16385ic – works
While the code may be clunky and isn't very useful on its own, what I'm trying to prove here is the concept of how your location can be harvested remotely by any site where you run a signed Java applet. Sometimes it's not going to get your exact location; this can be down to various factors, for example your 'default gateway' MAC not being in Google's database.
You should see the applet here. It may be grey for a bit until it performs its system calls and works out your router MAC. Again, this is likely going to work far better if you are on Wifi or your wired and wireless networks share the same default gateway MAC address.
Hopefully you see 'show me on a map' in the box above and it gives you an accurate location.
I hope you found this information useful and that it helps you better secure your privacy in future.