Can your Smart Switch disclose your physical location?
Vivek Ramachandran
Founder, SquareX (Browser Detection-Response) | Founder, Pentester Academy (Acquired) | DEFCON-BlackHat Speaker | Book Author | Angel Investor
I was having a chat with a group of friends who are technical but not from the security domain. We were talking about a variety of things including Internet of Things (IoT) security when an interesting question popped up:
"We understand our IoT devices could get hacked, but can the attacker ever get to our homes? After all, an IP address will not disclose the exact location? Maybe our city name, but not our street and address?"
Sadly, I had to be the bearer of bad news: your IoT Smart Switch can allow an attacker to physically locate you with the same accuracy as your Uber app or Google Maps does!
How is this possible, you ask? Because the same technology is available for purchase to just about anyone online: the Google Geolocation API.
The way this works is simple: the Attacker asks your Wi-Fi enabled Smart IoT device to send him the list of Wi-Fi Access Points around it. Your compromised IoT device obliges and sends the Attacker the list with MAC addresses and Signal Strength Info.
The Attacker would then query Google's GeoLocation API with the above data and get back the response: LONGITUDE and LATITUDE of your Home. You are welcome :)
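The request described above, assembled from a constructed scan list, as an added example that is not from the original article: it shows that BSSIDs and signal strengths alone form a complete location query, which is what to weigh when judging what a scan list from one of your own devices exposes. The field names (`considerIp`, `wifiAccessPoints`, `macAddress`, `signalStrength`) and the two-access-point minimum come from Google's public Geolocation API documentation; the scan text format, sample values and function names are assumptions, and nothing is sent over the network.

```python
import json
import re

# Constructed sample: rows a Wi-Fi scan on a device yields (BSSID, RSSI dBm, SSID).
SAMPLE_SCAN = """\
00:11:22:AA:BB:01  -48  HomeNet
00-11-22-aa-bb-02  -71  Neighbour-5G
02:11:22:AA:BB:03  -60  PhoneHotspot
00:11:22:AA:BB:04  -88  CoffeeShop
not-a-mac          -50  garbage
"""

# BSSID followed by RSSI; accepts ':' or '-' as the octet separator.
ROW_RE = re.compile(r"^((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})\s+(-?\d+)\b", re.I)


def parse_scan(text):
    """Return [(mac, rssi_dbm)], MACs normalised to lower-case colon form."""
    rows = (ROW_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1).lower().replace("-", ":"), int(m.group(2)))
            for m in rows if m]  # malformed rows are skipped


def is_locally_administered(mac):
    """Bit 0x02 of the first octet marks a software-assigned address,
    not a fixed infrastructure BSSID, so it carries no stable location."""
    return bool(int(mac[:2], 16) & 0x02)


def build_geolocate_body(aps):
    """Build the JSON body for a geolocate request (assembled only, not sent)."""
    usable = [(m, r) for m, r in aps if not is_locally_administered(m)]
    usable.sort(key=lambda ap: ap[1], reverse=True)  # strongest signal first
    if len(usable) < 2:
        raise ValueError("the API requires at least two access points")
    return {
        "considerIp": False,  # position derives from the APs, not the IP address
        "wifiAccessPoints": [
            {"macAddress": m, "signalStrength": r} for m, r in usable
        ],
    }


if __name__ == "__main__":
    print(json.dumps(build_geolocate_body(parse_scan(SAMPLE_SCAN)), indent=2))
```

The response to such a request carries a `location` object with `lat` and `lng` plus an `accuracy` radius in metres, which is the latitude and longitude the article refers to.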
But how did Google manage to gather all this information about you? They used their self-driving cars and your Android devices to build this massive database of Wi-Fi access points and cellular towers. You've given your consent when you agreed to one of their Terms of Service or agreed to be part of their "Participate and Make this Service Better" agreement.
Vel Velushomaz
IT Audit Manager at The Greenbrier Companies, Inc.
6 years ago
Vivek: Isn't the most common method to hack a WiFi-enabled IoT device to be within WiFi range, thus you would already roughly know where the location of the IoT device/home would be? Or are you saying that the IoT device was already compromised/backdoored before it was connected to the home WiFi, and thus be able to beacon back to the hacker? Once a network is penetrated, a hacker will normally go after assets of value like data, which may reveal the owner of that data. What additionally does the geographical location of the network or data asset get you, i.e. the house or address? I'm trying to understand a real-life scenario.