Following the recent article on El Reg by Dan Goodin, I have updated the location applet I wrote back in Feb 2010.

Here’s a scenario – you go to a website and they have a signed Java applet in their page. This applet could be any signed applet – from a chat application to a speedtest app through to a game. By the simple act of running that applet, you could be giving the website you are visiting your exact location – all thanks to the Google location database and your Wifi router.

Google’s Wifi-based location database is built up from two sources – Android handsets that report back their location & the MAC address of any nearby Wifi, and the Google Street View cars (though as I understand it the Street View cars no longer harvest Wifi data). So how difficult is it to leverage this information and circumvent your personal security? Shockingly easily actually.

As many of you have likely experienced, when ‘signed’ Java applets run you get a nice pop up page from Java saying ‘do you wish to run this signed applet’ (or similar). How many people just click OK to this and get on with using the applet? Quite a few. Even if the applet is self signed, how many users who are less tech savvy will know the difference between a self signed certificate and an official certificate?

The Concept
Here’s a rundown of how an unscrupulous site operator could harvest your location:

  • Site has ‘signed’ Java applet that asks your permission to run
  • You run the applet as you are expecting the site to do something and the applet appears to be signed by them or a trusted CA
  • The applet does what you think it’s going to do and you carry on using it
  • Without you knowing, the signed applet performs a system call to determine the IP address of your network’s ‘default gateway’
  • The signed applet then performs another system call, this time checking your local ‘ARP cache’ for the MAC address of your default gateway
  • Using that MAC address, the signed applet then makes a ‘JSON’ call to Google’s location database
  • If Google has that MAC address in its database, it returns near on your exact location. If it does not have your MAC address in its database, it returns an approximate location based on GeoIP
  • The signed applet then sends those co-ordinates over AJAX, JSON (or similar) back to the site operators
  • The site operators now have your location (or GeoIP location if Google did not know your MAC)

Naturally, this is going to work better if you are on a Wifi network, though it does also work on wired networks as long as your ‘default gateway’ is also your wireless router (techy note: this is because a lot of wireless router/gateway combos use the same MAC address on both Wifi and wired as a ‘bridge’).
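A defender’s view of the two lookup steps above, as an added example that is not part of the original post: it assumes the applet obtains the gateway IP and MAC by launching OS tools such as `arp`, and scans process-creation records for those tools started by a Java parent. The record format, the sample lines and the process-name lists are constructed for illustration.

```python
import ntpath

# Assumption: the gateway/ARP lookups show up as child processes of the Java
# runtime or browser plug-in host. Adjust both sets for your environment.
JAVA_PARENTS = {"java", "javaw", "jp2launcher", "plugin-container"}
NETWORK_TOOLS = {"arp", "route", "netstat", "ipconfig", "ip", "ifconfig"}

# Constructed process-creation records: time|parent image|child image|command line
SAMPLE_EVENTS = """\
2011-04-22T10:01:03|C:\\Program Files\\Java\\jre6\\bin\\jp2launcher.exe|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all
2011-04-22T10:01:04|C:\\Program Files\\Java\\jre6\\bin\\jp2launcher.exe|C:\\Windows\\System32\\ARP.EXE|arp -a
2011-04-22T10:02:10|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all
2011-04-22T10:03:55|/usr/lib/jvm/java-6-openjdk/jre/bin/java|/usr/sbin/arp|arp -n 192.168.1.1
2011-04-22T10:04:20|/usr/lib/jvm/java-6-openjdk/jre/bin/java|/usr/bin/xdg-open|xdg-open http://maps.google.com/
"""


def image_name(path):
    """Lower-cased executable name without directory or .exe suffix.

    ntpath.basename splits on both '\\' and '/', so it handles Windows
    and POSIX paths alike.
    """
    name = ntpath.basename(path).lower()
    return name[:-4] if name.endswith(".exe") else name


def find_suspicious(log_text):
    """Return (time, parent, command line) for network tools run by Java."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("|", 3)  # command line may itself contain '|'
        if len(parts) != 4:
            continue  # skip malformed records
        ts, parent, child, cmdline = parts
        parent_name = image_name(parent)
        if parent_name in JAVA_PARENTS and image_name(child) in NETWORK_TOOLS:
            hits.append((ts, parent_name, cmdline))
    return hits


if __name__ == "__main__":
    for ts, parent, cmdline in find_suspicious(SAMPLE_EVENTS):
        print(f"{ts}  {parent} -> {cmdline}")
```

The same ipconfig run started from explorer.exe is not flagged; only the Java-parented lookups are.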

So you probably noticed the Java applet request when you visited this page. If you clicked ‘yes’ to run it, you should see a box below with ‘show me on a map’ (of course, I’m not a Java coder and the app can be temperamental!). If you did not click yes to the Java applet warning when you landed on this page, then you won’t see anything where the applet should be. You may also need to enable Java if you did not get a security pop up warning!

Assuming all went well and you clicked yes, you should see a button at the bottom of this post saying ‘show me on a map’. Clicking it will open a popup window to Google Maps which will have the location it thinks you are at. Sadly, it still does not work on Macs, purely as I have not had a Mac to play with – though I would imagine the concept is sound on a Mac (as under the hood that’s BSD) but who knows. Perhaps someone can enlighten me? I’d also like to clarify that I do nothing with the data the app gathers – it does not ‘talk back’ to my site, it does not record your location data, it just uses the data it gathers to show you a ‘one time’ map using Google Maps. Though my point is site operators or Java applet makers could very very easily make a similar application talk back to them. This needn’t be a Java applet – the concept works equally as well in regular Java code that runs as a standalone package on your system.

Testing
While I know this app does not work on some platforms, I have tried the app on various platforms with ‘default’ OS, browser and Java security settings. Here are the results:

  • Ubuntu 10.04 & Firefox 3.6.16 (openJDK and icedtea plugin) – works
  • Ubuntu 10.04 & Seamonkey 2.0.11 (openJDK and icedtea plugin) – works
  • Ubuntu 10.04 & Google Chrome 11.0.696.50 (Sun Java 1.6.0_20 libnpjp2.so plugin) – works
  • Win Vista Home SP2 & IE 8.0.6001.19048 – works
  • Win Vista Home SP2 & 3.6.16 – works
  • Win 7 Starter & Firefox 3.6.16 – works
  • Win 7 Starter & IE 8.0.7600.16385ic – works

While the code may be clunky and isn’t very useful on its own, what I’m trying to prove here is the concept of how your location can be harvested remotely by any site where you run a signed Java applet. Sometimes it’s not going to get your exact location; this can be down to various factors – for example your ‘default gateway’ MAC not being in Google’s database.

The Applet
You should see the applet here. It may be grey for a bit until it performs its system calls and works out your router MAC. Again, this is likely going to work way way better if you are on Wifi or your wired and wireless networks share the same default gateway MAC address.

Hopefully you see ‘show me on a map’ in the box above and it gives you an accurate location.

I hope you found this information useful and that it helps you better secure your privacy in future.

Cheers,
Simon Plexus
