Linked by Howard Fosdick on Mon 21st Nov 2011 07:48 UTC
Last June, CNET disclosed that Google collects and publishes the estimated locations of millions of phones, laptops, and other Wi-Fi devices. All without their owner's knowledge or permission. Google has finally announced how to exclude your home network from this database. Simply append "_nomap" to its name. Details over at CNET. Left unsaid is why the burden is placed on millions of individuals to opt-out, instead of on perpetrator Google.
Google's Bad Behavior
by kateline on Mon 21st Nov 2011 08:26 UTC
kateline
Member since:
2011-05-19

Google's business model is based on using other people's information, whether it's intellectual property (like Youtube) or personal information (like in this article). The government really needs to step in and protect us against this corporation. But wait! It probably can't do that, because it wants to use all the data Google collects on us.

Reply Score: 0

UltraZelda64
Member since:
2006-12-05

The one that I've used for years, and add "_nomap" to the end of it, just so Google will not advertise my router? What the f--k, seriously? First of all, I didn't even know Google was advertising my router; and secondly, why the f--k is it doing it without my knowledge anyway? Does Google pay my Internet bill? The electricity to keep it running? Do they own my router? Come on, this is ridiculous. All of a sudden, I'm no longer quite so thrilled about my new phone. This is f--king bullshit.

Google, quit advertising networks that don't belong to you and forcing people to add nonsense to the name of the wireless network connection names. Stay out of my f--king business and my other personally-owned devices.

I've noticed Google has been doing some questionable things lately, but this is truly a new low for them.

Edited 2011-11-21 09:05 UTC

Reply Score: 6

Thom_Holwerda Member since:
2005-06-29

They're not advertising your router - at least, not more so than the phonebook is advertising your address. You broadcast your SSID in much the same way you broadcast your house number. Should people who walk by your house cover their eyes so they don't see your house number? Should people with wifi on their phones who walk by turn wifi off because otherwise they'll pick up your SSID?

I'm not saying you don't have a right to keep it from Google - because you do - but I don't think it is unreasonable to expect some action on your part to keep it as such, the same way it takes action on your part to get a secret phone number (my landline is level 3 or 4 secret). My SSID is not broadcast at all - an even better solution.

Reply Score: 5

benali72 Member since:
2008-05-03

Router defaults are always set to Broadcast SSID. You cannot expect the typical user to know that they have to set this OFF or rename their network to avoid Google's prying eyes.

And what about Google's tracking and publication of the location of Wi-Fi-enabled devices, including PCs, iPhones, iPads, and Android phones?

I think UZ64's outrage is justified.

Reply Score: 1

UltraZelda64 Member since:
2006-12-05

They're not advertising your router - at least, not more so than the phonebook is advertising your address. You broadcast your SSID in much the same way you broadcast your house number. Should people who walk by your house cover their eyes so they don't see your house number? Should people with wifi on their phones who walk by turn wifi off because otherwise they'll pick up your SSID?

I'm not saying you don't have a right to keep it from Google - because you do - but I don't think it is unreasonable to expect some action on your part to keep it as such, the same way it takes action on your part to get a secret phone number (my landline is level 3 or 4 secret). My SSID is not broadcast at all - an even better solution.

I don't mind if people in close proximity to where I live can see my wireless connection; it's locked with a long WPA passphrase containing both capital and lower case letters and numbers anyway, and I seriously doubt that anyone within a five-mile radius would know the first thing about breaking into a computer network. Plus, they would have to stay within the router's range to stay connected if they did try to crack into it; they couldn't just do it while driving down the street. That handful of local people on their cell phones walking down the street, who can just as easily see my house address as you pointed out? Well, let them see my SSID; it's highly unlikely they would even try to breach a "locked" access point, and if they did they would give up fast.

The benefits of broadcasting the SSID outweigh the disadvantages here, or so I thought, with it much easier for my friends to find the network and then give me the device to enter the password. It also allows automatic detection and connection when in range. In fact, someone who lives nearby who tries to break into my house would likely be caught by law enforcement much quicker and easier than a traveler from, say, Maine. But I'm not talking about the neighborhood--I'm talking about the whole god damn Internet here.

The problem is, Google is actively PUTTING MY ROUTER'S SSID AND WHEREABOUTS ON THE INTERNET, WITHOUT MY PERMISSION. In other words, *anyone* who wants to can pinpoint it if they really wanted to and try cracking. The whole god damn Internet has free access. And I have to add some stupid "_nomap" bullshit to my own custom SSID just to make it stop? Fuck that. Someone traveling to my state from the other side of the country? No problem, just check Google to see that I have a router set up at this address. Add this new widespread public data to a traveling cracker with a GPS for even easier locating of geographical locations and you've got some serious potential for problems. Google is making it easy for a traveling cracker to breach into people's home networks and computer systems. How the hell do you have no problem with this?

I don't mind my SSID being broadcasted locally. You know, as in the relatively short range that Wi-Fi covers; maybe a couple hundred feet, max. This is how it's supposed to work... or so I thought. What I do mind is it being fucking posted, along with its nearly-precise geographical location, on the fucking Internet. It's really fucking pathetic that I have to do this, but I have just disabled broadcasting on my router (running Tomato firmware 1.28). Until now, I have never felt the need to. Oh well--as long as I have an Android phone nearby, broadcasting will now be disabled. That's one hell of a crooked move, Google.

What's nice [sarcasm] about this is that even though my Android phone "knows" about my home router (SSID, passphrase) to automatically connect, it will no longer connect to it to use high-speed Internet access. Yay, Google. Motherfuckers. Now my problem is, trying to get Android to connect to this now non-broadcasting network; since the phone doesn't "see" it it uses the slow cellular network, and I see no screen that will allow me to manually enter the SSID and connect.

And by the way--about your phone book example: I don't have a landline telephone, but I sure as hell don't give my cell phone number out like candy during trick-or-treat either. Very few people know it, and I intend to keep it that way. And you know, some people actually pay extra to NOT have their phone/address posted publicly in the phone book. You know, unlisted. Some people do actually care about privacy and security.

Reply Score: 4

UltraZelda64 Member since:
2006-12-05

Hmm... looks like half the time the automatic censoring doesn't work. Oh well.

Reply Score: 2

Soulbender Member since:
2005-08-18

In other words, *anyone* who wants to can pinpoint it if they really wanted to and try cracking.


The SSID is not needed for attempting to crack it, they'd need the IP address for that and afaik Google does not show the IP address. In fact, knowing the SSID makes no difference for anyone not in your local vicinity and those who are in your vicinity could find it out by themselves.

Someone traveling to my state from the other side of the country? No problem, just check Google to see that I have a router set up at this address.


Yea, cuz that wouldn't show up ANYWAY when he got to where you live. Besides, knowing that there's a router/access-point with a certain SSID in a certain location is useless information for this purpose.

Google is making it easy for a traveling cracker to breach into people's home networks and computer systems.


The information Google provides does in no way make this easier. As long as you're not in the local area the information is meaningless and once you are in the local area the information is already available without Google.

And you know, some people actually pay extra to NOT have their phone/address posted publicly in the phone book. You know, unlisted. Some people do actually care about privacy and security.


Why is it that you have to request explicitly to not be listed? Why would you have to pay to not be listed?
This is even more complicated than just adding _nomap and at least Google isn't charging you.

Reply Score: 3

UltraZelda64 Member since:
2006-12-05

The SSID is not needed for attempting to crack it, they'd need the IP address for that and afaik Google does not show the IP address. In fact, knowing the SSID makes no difference for anyone not in your local vicinity and those who are in your vicinity could find it out by themselves.

Let's say I'm an amateur cracker. I would possibly:

1. Look up the now public SSIDs of pretty much any device within whatever distance I felt like traveling.
2. Pull out a GPS and start heading to it.
3. Do an attack on the password/passphrase to try and break in.

Quick and incredibly easy to locate, and a cracker skilled and determined enough can probably break into whatever he wants with ease, using whatever information he can get. It's the bad guys who will be using this data and will be trying to cause damage, not the local people going on their daily walk in most cases.

Yea, cuz that wouldn't show up ANYWAY when he got to where you live. Besides, knowing that there's a router/access-point with a certain SSID in a certain location is useless information for this purpose.

But would he have *ever* stumbled anywhere near my place and found my router's wireless access point if it wasn't for Google? You don't seem to get the point: Very few people around here know a damn thing about computers and networking in the first place, and they're for the most part no threat. Give some random cracker asshole who lives 100 miles away my router SSID and approximate location (as Google is doing), and if the cracker really wanted to, he could try to break in.

The information Google provides does in no way make this easier. As long as you're not in the local area the information is meaningless and once you are in the local area the information is already available without Google.

How does it not make it easier to find potential targets for attack? If you know there is a router somewhere 25 miles away and accurate to the street, you know there is a potential target for attack. Just pull out your trusty GPS if you need to, take off and crack away once you've reached your destination and are in range.

Why is it that you have to request explicitly to not be listed? Why would you have to pay to not be listed?
This is even more complicated than just adding _nomap and at least Google isn't charging you.

It's my router. It's my internal network. I should be able to name it as I damn well please and not have to add shit to it just so Google doesn't advertise my location and to keep my privacy. Is that really so hard to understand? My SSID has been the same for years, I like it, and I should not have to modify it just so Google doesn't publicly list it for everyone else in the world.

Not to mention, even if I did *not* have an Android phone myself, I would still have to take into consideration all the otherwise innocent people walking down the street with Android phones, because their phones will unknowingly be adding every wireless access point they come near... and putting it all up in Google's big online database.

Meanwhile, I'm still trying to work out connecting to my newly-SSID-broadcast-free network with my Android phone manually. What a royal pain in the ass. Thanks, Google.

Reply Score: 2

Soulbender Member since:
2005-08-18

1. Look up the now public SSIDs of pretty much any device within whatever distance I felt like traveling.


Sure, or he could just do that where he is.

2. Pull out a GPS and start heading to it.


Why travel untold miles to some random access point just because it's on Google?

3. Do an attack on the password/passphrase to try and break in.

So? The fact that an SSID appears in Google does not mean it's open or using WEP or whatever.

Give some random cracker asshole who lives 100 miles away my router SSID and approximate location (as Google is doing), and if the cracker really wanted to, he could try to break in.


Dude, do you seriously think some guy would travel 100's of miles to break into your access point when there's most likely hundreds of access points in his immediate vicinity? Seriously?
You shouldn't worry about some cracker 100 miles away, you should worry about the cracker next door.

But would he have *ever* stumbled anywhere near my place and found my router's wireless access point if it wasn't for Google?


What makes you think he gives a damn about your access point? What makes you think you're a high-profile target? Is the SSID named NORAD? Is your location the White House? Even if the answer is yes your location is already known and an interesting target, regardless of Google.
There's no compelling reason for crackers to randomly travel around the country attacking access-points that happen to occur in Google's data. They could just as easily just drive around at random and get the same result. Also, taking into account that many access points retain the factory SSID, knowing that there's an access point in a certain location with SSID "Linksys" isn't really news to anyone.

If you know there is a router somewhere 25 miles away and accurate to the street, you know there is a potential target for attack.


So what? It's easier to just attack the local access-points.

Reply Score: 3

UltraZelda64 Member since:
2006-12-05

Why travel untold miles to some random access point just because it's on Google?

Maybe the person will be traveling on a trip to the state and will be nearby, and has nothing better to do than to crack in his free time?

Dude, do you seriously think some guy would travel 100's of miles to break into your access point when there's most likely hundreds of access points in his immediate vicinity? Seriously?
You shouldn't worry about some cracker 100 miles away, you should worry about the cracker next door.

Read above. And also, what if I didn't live anywhere near other people? Then it's an open invitation to a lone hotspot to crack in the middle of nowhere, while normally you'd be safe.

What makes you think you're a high-profile target? Is the SSID named NORAD? Is your location the White House?

Did I ever say I was a "high-profile" target? Hell no, so quit putting words in my mouth. Fact is, Google putting the SSID of my router and its geographical location on the big map makes me a potential target to a much larger group of people.

I'm done arguing. My opinion is not going to change, yours is obviously not going to change. I care about privacy and security. I think it's all bullshit, you don't. No point in going on. The end.

Reply Score: 2

UltraZelda64 Member since:
2006-12-05

Bleh. Looks like I'm going to run into problems connecting with some devices (so far, my Android phone for sure). So it looks like the SSID broadcasting will have to remain on at least for the time being. I am attempting to attack this problem by disallowing all devices whose MAC addresses I don't specifically allow to connect to my router. I refuse to add that retarded "_nomap" bullshit to my network's name, so this is all I have left that I can think of to do. Of course, this says nothing of MAC address spoofing.

Reply Score: 2

phoenix Member since:
2005-07-11

"Why travel untold miles to some random access point just because it's on Google?

Maybe the person will be traveling on a trip to the state and will be nearby, and has nothing better to do than to crack in his free time?
"

So ... why look for a list of SSIDs ahead of time, when you can just whip out your scanner while you are actually there, and get a real-time list of SSIDs that are currently online and nearby?

"Dude, do you seriously think some guy would travel 100's of miles to break into your access point when there's most likely hundreds of access point in his immediate vicinity? Seriously?
You shouldn't worry about some cracker 100 miles away, you should worry about the cracker next door.

Read above. And also, what if I didn't live anywhere near other people? Then it's an open invitation to a lone hotspot to crack in the middle of nowhere, while normally you'd be safe.
"

Why would someone go way out into the boonies to try and maybe crack a wireless network at some house that probably has super slow satellite Internet, when they can just whip out their scanner while sitting in their hotel room, or local coffee shop and see what networks are around them? Why pick only 1 network to try, when you could have your pick of the dozens around you?

"What makes you think you're a high-profile target? Is the SSID named NORAD? Is your location the White House?

Did I ever say I was a "high-profile" target? Hell no, so quit putting words in my mouth. Fact is, Google putting the SSID of my router and its geographical location on the big map makes me a potential target to a much larger group of people.
"

Not really. Does having your name, phone number, and address in the local telephone book, which is also available nation-wide via the Internet, make you a bigger target? Not really.

Edited 2011-11-22 18:27 UTC

Reply Score: 3

Alfman Member since:
2011-01-28

UZ64,

I agree with you and everyone else that google's opt out proposal is stupid, but your argument against the database is quite different from everyone else's. It seems like you object to the mere fact of your WiFi's existence being published, regardless of whether it includes your personal MAC addresses?

If so, I think that logic is going way too far. I don't care if anyone knows how many WiFi devices are around my area - it doesn't reveal anything about me. My objection only crops up when equipment can be individually tracked.

Reply Score: 2

B. Janssen Member since:
2006-10-11

The problem is, Google is actively PUTTING MY ROUTER'S SSID AND WHEREABOUTS ON THE INTERNET,


That's the core issue here. Their competitors, e. g. Apple, harvest the same data for obvious reasons but don't make them public. The interesting question is, why does Google feel the need to publish this data?

WITHOUT MY PERMISSION.

That's not the issue, that's just what itches you. Your SSID is public, YOU broadcast it to all the world to know. Deal with it, in the "internet age" the term "local" has lost a good deal of its meaning. Maybe you can now appreciate the trouble some governments have with the internet a little more.

What's nice [sarcasm] about this is that even though my Android phone "knows" about my home router (SSID, passphrase) to automatically connect, it will no longer connect to it to use high-speed Internet access. Yay, Google. Motherfuckers. Now my problem is, trying to get Android to connect to this now non-broadcasting network; since the phone doesn't "see" it it uses the slow cellular network, and I see no screen that will allow me to manually enter the SSID and connect.


Apparently you fail to realize that the database is fed with information coming from YOUR Android phone. Thus, if you connect your Android to your hidden WLAN, Google will know about it and you have gained nothing (but a less effective WLAN).

Reply Score: 3

Alfman Member since:
2011-01-28

UZ64,

The whole ordeal where they were collecting private wifi traffic seems to be rather worse in my opinion.

http://arstechnica.com/tech-policy/news/2010/05/google-says-wifi-da...

Do you suppose people have a right to delete their mac addresses from the database once they see that google put them up?

The database is kind of eerie. If a cracker gets into your system, they might look up your router's mac and then search for it in google's db. This adds a whole new element to computer security threats.

Also, certain IPv6 addressing schemes include the mac address in one's personal IPv6 address. If this ever becomes popular, it would make IPv6->geolocation trivial (assuming google's cars are making their rounds frequently enough).

Edit:

I forgot to add a link:

http://superuser.com/questions/243669/how-to-avoid-exposing-my-mac-...

Edited 2011-11-21 09:38 UTC

Reply Score: 3
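
The IPv6 scheme mentioned in the comment above is the modified EUI-64 interface identifier used by SLAAC when privacy addressing is off. As an added example (not part of the original comment), this Python sketch audits a list of your own hosts' addresses and reports which ones carry a recoverable hardware MAC; the sample addresses and MAC are constructed, using the 2001:db8::/32 documentation prefix.

```python
import ipaddress

def eui64_iid(mac: str) -> str:
    """Build the modified EUI-64 interface identifier (RFC 4291, App. A)
    for a 48-bit MAC: flip the universal/local bit, insert ff:fe."""
    b = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return ":".join(iid[i:i + 2].hex() for i in range(0, 8, 2))

def mac_from_eui64(addr: str):
    """Return the MAC embedded in an EUI-64 style IPv6 address, or None.

    Heuristic: a random (privacy) identifier can contain ff:fe in the
    same position by chance, roughly once in 65536 addresses.
    """
    # Drop a zone id ("%eth0") or prefix length ("/64") if present.
    ip = ipaddress.IPv6Address(addr.split("%")[0].split("/")[0])
    if ip.is_multicast or ip.is_unspecified or ip.is_loopback:
        return None
    iid = ip.packed[8:]              # lower 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":      # EUI-64 marker bytes are absent
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{x:02x}" for x in mac)

def audit(addresses):
    """Return (address, mac) pairs for every address that exposes a MAC."""
    findings = []
    for a in addresses:
        try:
            mac = mac_from_eui64(a)
        except ValueError:           # not a valid IPv6 address, skip it
            continue
        if mac is not None:
            findings.append((a, mac))
    return findings

# Constructed sample: one global and one link-local EUI-64 address derived
# from the made-up MAC 00:1a:2b:3c:4d:5e, one random-looking privacy
# address, and one junk entry.
SAMPLE = [
    "2001:db8:1:2:21a:2bff:fe3c:4d5e",
    "fe80::21a:2bff:fe3c:4d5e%eth0",
    "2001:db8:1:2:8d4f:91c2:7a3e:b605",
    "not-an-address",
]

if __name__ == "__main__":
    for address, mac in audit(SAMPLE):
        print(f"{address} embeds MAC {mac}")
```

Only the global address matters for exposure beyond the local link; if it shows up here, enabling the operating system's IPv6 privacy addressing keeps the MAC out of it.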

Soulbender Member since:
2005-08-18

If a cracker gets into your system, they might look up your router's mac and then search for it in google's db. This adds a whole new element to computer security threats.


Eh, not really. For one, if a cracker has gotten in to your system you have bigger problems than your MAC address being loosely tied to a physical location (that may, or may not, be correct).
Secondly, in order for the MAC address information to be remotely useful to the attacker he'll first have to actually break into your system to even get your MAC address. Unless of course he's in your immediate area in which case he can figure this out all by himself without the assistance of Google.
To everyone else all they'll know is that there is an accesspoint named X that MAC address Y has used at some point in time. There's no way to actually relate that MAC address or BSSID to your person.

The dangers of this thing are a bit overstated. It's not like rogue hackers somewhere will magically gain control of your life and threaten world peace by knowing your BSSID and MAC.
We can probably expect this scenario to show up in a cheesy and technically incorrect Hollywood movie any time soon. It will probably star Lorenzo Lamas.

Reply Score: 3

Alfman Member since:
2011-01-28

Soulbender,

"The dangers of this thing is a bit overstated. It's not like rogue hackers somewhere will magically gain control of your life and threaten world peace by knowing your BSSID and MAC."

Yes it probably is, but it's still an additional way people become vulnerable online that did not exist prior to google publishing a database of local MAC addresses.

Reply Score: 2

vrwarp Member since:
2010-11-11

Could you propose a better opt-in/opt-out mechanism?

If it were opt-in, what would stop me from opting-in all the networks around where I live?

If it were opt-out, what would stop me from opting-out all the networks around where I live?

While the solution is kind of clunky, it is the easiest way to guarantee that the owner of the router does *not* want their network being used to provide geolocation.

Of course, you could argue that it should be _map as an opt-in instead of _nomap as an opt-out, but then the service would be dead on arrival.

Reply Score: 1

phoenix Member since:
2005-07-11

The solution is simple: don't publish the database on the public Internet.

Reply Score: 2

vrwarp Member since:
2010-11-11

So you're basically saying, don't run the service for the public to use. It is an exceptionally useful service for really anything that wants to be geolocation aware because under many circumstances geolocation based off of wifi+cell towers is a lot more accurate and faster than gps alone (cities....)

In any case, people seem to be forgetting that you need to submit two nearby SSIDs to get a location. Also, google isn't the only provider of this service. Microsoft has one (public), Apple has one, and there is another company called Skyhook that provides the service commercially.

Reply Score: 2

I don't like to defend Google
by KrustyVader on Mon 21st Nov 2011 09:12 UTC
KrustyVader
Member since:
2006-10-28

Asking google not to map my network is like asking your neighborhood not to listen to your music if you play it loud.

I like privacy, that's why I try to have everything connected by cable. And for the wireless devices I got my router transmitter at the lowest power possible. This may not be an option for everybody, but I don't like to see my network at 50 meters away from my home.

Reply Score: 3

RE: I don't like to defend Google
by nej_simon on Mon 21st Nov 2011 09:28 UTC in reply to "I don't like to defend Google"
nej_simon Member since:
2011-02-11

... but I don't like to see my network at 50 meters away from my home.


Why don't you just stop broadcasting the SSID?

Reply Score: 1

B. Janssen Member since:
2006-10-11

Ah, yes, disable the BEACON and switch all your stations into PROBE mode, that will certainly increase network security and performance.

Snarkiness aside, if Google is really only picking up BEACON frames and no other traffic they would still have to look at each frame to realize it's not BEACON. All other frames originating from your wireless network, like the thousands of PROBE frames you get if you disable BEACON, also carry the SSID and can just as easily be harvested.

It may be more gratifying (and potentially effective) to change your SSID to "ScrewGoogle". Or "ScrewGoogle_nomap", if you are concerned about this data getting even more public ;) But face it, running a WLAN means being a radio broadcaster. Everybody can listen in and everybody with the simplest equipment can triangulate your position. Don't want that? Don't broadcast.

Reply Score: 4

shotsman Member since:
2005-07-22

I prefer 'BogOffGoogle'

Seriously,
From my home office I can see 26 different WLANs with a broadcast SSID.

- Most of them are on Channel 9 or 11. (sigh)
- 10 of them are BT Home Hubs
- 12 of them are Virgin
- 1 NETGEAR (this is connected to a Virgin Modem)
- That leaves three lans where the owner has changed the SSID.

There are also a small number of lans that have a hidden SSID. I know this because I installed them.

If I were BT or Sky or Virgin, I'd be thanking Google for drawing a map where not only their kit is installed but that of their major competitors.

How long do we have to wait for a privacy lawsuit then?

Reply Score: 3

JamesBroadhead Member since:
2011-10-04

Shouldn't you be glad that they're all on the same channel, so the other end of the spectrum is free for you? ;)

Reply Score: 2

B. Janssen Member since:
2006-10-11

There are also a small number of lans that have a hidden SSID. I know this because I installed them.


Seriously, you are doing your customers a disservice by disabling BEACON (i. e. SSID broadcast). It slows down the WLAN and increases security not one bit. Any half-arsed wardriver will find your WLAN anyway.

Also, with regards to the Google Maps issue, Google gathers the SSIDs by getting them sent from Android devices. While an Android device may miss a hidden WLAN, it obviously will not miss the WLAN it is connected to. So you can hide your own private WLAN as much as you like, your Android device will send the SSID to Google anyway.

But that's not the core issue either. Mobile devices use this database to locate themselves without GPS (or faster than GPS alone could), which is a useful and energy saving method. The problem only exists because Google, unlike, say Apple, makes the database public. If Google would keep the database under wraps like the other big players (e. g. Apple, MS) only Google could use the data. Bad enough, but that's the trade-off.

Reply Score: 3

What's the problem
by pandronic on Mon 21st Nov 2011 09:12 UTC
pandronic
Member since:
2006-05-18

I don't understand what the fuss is all about ... my Wi-fi network will help a passer-by get a more accurate location if he or she doesn't have GPS enabled on the device. Anyway, any stranger standing next to my house can see that I'm running a Wi-fi network ... it's public information.

It's like you'd get mad that Google indexes your public website. Now with the _nomap suffix you have the equivalent to robots.txt

Paranoia much?

Reply Score: 7

Comment by clhodapp
by clhodapp on Mon 21st Nov 2011 10:05 UTC
clhodapp
Member since:
2009-12-04

_nomap is one of the most stupid and pointless things I have heard of. It is simply not reasonable to expect you to encode messages intended for computers in what is supposed to be the friendly name of your network. That said, I don't believe that you have any grounds to be outraged against having your publicly-broadcasted SSID and MAC address indexed. If you don't want people to know about something, don't have it send out "Here I am" radio messages...

Reply Score: 2

RE: Comment by clhodapp
by Alfman on Mon 21st Nov 2011 10:58 UTC in reply to "Comment by clhodapp"
Alfman Member since:
2011-01-28

clhodapp,

"If you don't want people to know about something, don't have it send out 'Here I am' radio messages..."

I see two issues with this:

1. Just because something is broadcasted over radio doesn't mean it's intended to be public. The mac address is one of those examples, it's how the technology works, people can't just turn it off.


2. There are both legitimate and illegitimate uses of public information.

For example, you may want your phone number in a telephone book for friends to look you up, this is undoubtedly very useful. But while this is technically "public", I don't think it's unreasonable to have laws in place to prohibit unwanted uses of the information - like being automatically registered into a telephone solicitation database.


Cell phones have unique radio markers too, would you be ok if a 3rd party corp was willing and able to create a large database to track them? Maybe, maybe not. What about tracking vehicle license plates? Again, maybe maybe not. What about face tracking? We're not going to solve these problems on this board, but I do think we should be keen on having a public debate about them.


Regardless of our opinions on whether these should be permitted or not, the resulting privacy concerns are real. If the engineers had known that widespread physical tracking of unique MAC addresses would become reality, they may very well have designed WiFi differently to protect against it.

Reply Score: 2

RE[2]: Comment by clhodapp
by Soulbender on Mon 21st Nov 2011 20:55 UTC in reply to "RE: Comment by clhodapp"
Soulbender Member since:
2005-08-18

If the engineers had known that widespread physical tracking of unique MAC addresses would become reality


In practice MAC addresses are not unique (and don't actually have to be).

And seriously, at least Google is public about collecting this data. It's not exactly rocket science for anyone, private or as a company, to collect this information without telling anyone about it. In fact, I bet there are companies doing exactly this. They might even label themselves "security" companies.

If the engineers had known that widespread physical tracking of unique MAC addresses would become reality, they may very well have designed WiFi differently to protect against it.


Probably not because it would have been impossible or at least not practically feasible. How would your devices locate each other without a unique, visible address?

Reply Score: 2

RE[3]: Comment by clhodapp
by Alfman on Mon 21st Nov 2011 22:32 UTC in reply to "RE[2]: Comment by clhodapp"
Alfman Member since:
2011-01-28

Soulbender,

"In practice MAC addresses are not unique (and don't actually have to be)."

I really would like to know what you mean here, because in practice having duplicate MAC addresses will break things like DHCP and switching hubs which rely on a MAC address's uniqueness.

Sometimes adapters make it possible to spoof MAC addresses and do ARP spoofing - which can even have legitimate uses like automatic failover, but then the original host will stop receiving packets.

"Probably not because it would have been impossible or at least not practically feasible. How would your devices locate each other without a unique, visible address?"

(Didn't you just say it doesn't need to be unique?)

I'm not here to re-engineer it, but the unique id doesn't need to be static between sessions, it just needs to be unique per AP at any given time.

Reply Score: 2

RE[4]: Comment by clhodapp
by Soulbender on Mon 21st Nov 2011 23:14 UTC in reply to "RE[3]: Comment by clhodapp"
Soulbender Member since:
2005-08-18

"I really would like to know what you mean here, because in practice having duplicate MAC addresses will break things like DHCP and switching hubs which rely on a MAC address's uniqueness."

Sure, it causes problems... on the local segment. It won't matter one bit if a company in Stockholm and one in Manila have devices with the same MAC address. A MAC does not need to, and in practice sometimes isn't, globally unique. I know some folks who have managed to end up with two different network cards (from the same manufacturer, of course) with the same MAC address.

"(Didn't you just say it doesn't need to be unique?)"

Yes, it has to be locally unique but not globally.

"I'm not here to re-engineer it, but the unique id doesn't need to be static between sessions"

You have a point there, it doesn't have to be the same forever. Of course, the problem is how you define a session. Is it the time between reboots of the AP? Individual TCP/IP sessions? As I said, it might be possible but not practically feasible for various reasons. Plus there's also some, very limited, security in knowing what MAC address your AP and workstations have. That said, MAC address security is an administrative burden for anything but tiny home networks and easy to circumvent.

Reply Score: 2

RE[5]: Comment by clhodapp
by Alfman on Tue 22nd Nov 2011 00:33 UTC in reply to "RE[4]: Comment by clhodapp"
Alfman Member since:
2011-01-28

Soulbender,


"A MAC does not need to, and in practice sometimes isn't, globally unique. I know some folks who have managed to end up with two different network cards (from the same manufacturer, of course) with the same MAC address."

I realize that MAC addresses only matter locally, but hardware MAC addresses are intended to be globally unique and manufacturers are not supposed to reuse them. Can you say which manufacturer is reusing addresses and their reason for doing so?


"You have a point there, it doesn't have to be the same forever. Of course, the problem is how you define a session. Is it the time between reboots of the AP? Individual TCP/IP sessions? As I said, it might be possible but not practically feasible for various reasons."

Why is that a problem? A session could be defined as whatever the standard deemed appropriate - including leaving it configurable in firmware. The higher level protocols don't need to be aware of it, there just needs to be a dynamic mapping between them and raw MAC addresses, which we already have as ARP.

Like I said, I wouldn't want to re-engineer 802.11 now that it's here and working, at least not without a much more compelling reason. But it seems to me that they could/should have avoided the use of unique static identifiers when it was being worked on.

Reply Score: 2

RE[6]: Comment by clhodapp
by Soulbender on Tue 22nd Nov 2011 00:54 UTC in reply to "RE[5]: Comment by clhodapp"
Soulbender Member since:
2005-08-18

"Can you say which manufacturer is reusing addresses and their reason for doing so?"

I think it was Netgear but I'm not entirely sure. The reason for re-using them is that the address space allocated to a manufacturer is not infinite. Why not re-use the same MACs on cards that you send to entirely different geographical regions? The chances that those cards would go to the same owner are rather slim.

"But it seems to me that they could/should have avoided the use of unique static identifiers when it was being worked on."

Perhaps but in all honesty I don't see the point in doing so. The scenarios in which knowing the MAC address is a serious attack vector are rather limited.
For one, the MAC address in itself carries no useful information. The most you can derive from it is the manufacturer and maybe the model. Secondly, to make any use of it you need to break into it and in order to do that you need to know either its IP address or be in the local vicinity of the access point. Sure, you can locate access points this way but why bother when you can just walk around at random with equal, or better, results. Let's even go as far as to say that you're targeting a specific person. Now, chances are you already know approximately where this person lives so you can just as easily, and more reliably, get the information by going there yourself. In fact, you would have to go there yourself sooner or later to get the IP address so you see, Google's information is redundant and not really useful for the purpose of cracking.

Now, if Google published the IP address of each access point I would be worried.

Edited 2011-11-22 00:55 UTC

Reply Score: 3

RE[7]: Comment by clhodapp
by Alfman on Tue 22nd Nov 2011 01:38 UTC in reply to "RE[6]: Comment by clhodapp"
Alfman Member since:
2011-01-28

Soulbender,

"I think it was Netgear but I'm not entirely sure. The reason for re-using them is that the address space allocated to a manufacturer is not infinite."

Well they haven't run out yet, any reuse right now would suggest administrative error. Although I'm certainly interested in reading any sources saying that manufacturers are doing it deliberately.

"Perhaps but in all honesty I don't see the point in doing so. The scenarios in which knowing the MAC address is a serious attack vector are rather limited."

I already said some people using self-configuring IPv6 are already leaking a MAC address. But conceptually I don't really care where they learn my MAC address - it could be at a conference or school or rest stop, I still don't like the idea that they might then use a database to track where I go.

"For one, the MAC address in itself carries no useful information."

It doesn't have to be "useful information" to track you, it just has to be unique.

"Secondly, to make any use of it you need to break into it and in order to do that you need to know either its IP address or be in the local vicinity of the access point....Google's information is redundant and not really useful for the purpose of cracking."

It's the tracking of personal equipment that concerns me much more than having my device hacked.

Reply Score: 2

RE[6]: Comment by clhodapp
by phoenix on Tue 22nd Nov 2011 18:45 UTC in reply to "RE[5]: Comment by clhodapp"
phoenix Member since:
2005-07-11

Soulbender,

"A MAC does not need to, and in practice sometimes isn't, globally unique. I know some folks who have managed to end up with two different network cards (from the same manufacturer, of course) with the same MAC address."

I realize that MAC addresses only matter locally, but hardware MAC addresses are intended to be globally unique and manufacturers are not supposed to reuse them. Can you say which manufacturer is reusing addresses and their reason for doing so?


A MAC address is only 48 bits. And the first chunk (first 6 hex digits I believe) describes the manufacturer, leaving only the last 6 hex digits for the unique part for the device (24 bits or 2^24 or 16,777,216 unique addresses).

Considering the number of laptops, smartphones, tablets, motherboards, etc sold since the MAC address was first standardised, and the limited number of NIC chipset manufacturers, it's impossible for companies to not be recycling MAC addresses.

Devices sold in the 80s and devices sold now probably have the same MAC addresses. Fortunately, few devices made in the 80s (ISA NICs for example) are in use today. ;)

Reply Score: 4
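
Added example, not part of any comment in the thread: the 48-bit layout described in the comment above, split into its 24-bit manufacturer prefix and 24-bit device part. The two flag bits in the first octet (group and locally administered) come from the IEEE 802 addressing scheme rather than from the thread; the function names and the sample addresses are constructed for illustration.

```python
"""Split a 48-bit MAC address into prefix, device part and flag bits."""
import re
from dataclasses import dataclass

DEVICE_IDS_PER_PREFIX = 2 ** 24          # 24 device bits under each prefix
_SEPARATORS = re.compile(r"[:.\-]")      # accepts aa:bb.., aa-bb.., aabb.ccdd..


@dataclass(frozen=True)
class MacInfo:
    prefix: str      # first 6 hex digits (manufacturer prefix when is_local is False)
    device: str      # last 6 hex digits
    is_group: bool   # bit 0 of first octet: multicast/broadcast, not a single device
    is_local: bool   # bit 1 of first octet: locally administered, not burned in

    @property
    def is_stable_hardware_id(self) -> bool:
        """True only for a unicast, manufacturer-assigned address."""
        return not (self.is_group or self.is_local)


def parse_mac(text: str) -> MacInfo:
    digits = _SEPARATORS.sub("", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    first_octet = int(digits[:2], 16)
    return MacInfo(
        prefix=digits[:6],
        device=digits[6:],
        is_group=bool(first_octet & 0x01),
        is_local=bool(first_octet & 0x02),
    )


def stable_identifiers(addresses):
    """Return the addresses that would work as long-lived device identifiers."""
    return [a for a in addresses if parse_mac(a).is_stable_hardware_id]


# Constructed sample addresses, not taken from any real capture.
SAMPLES = [
    "00:1B:44:11:3A:B7",   # manufacturer-assigned unicast
    "da-a1-19-0c-2f-10",   # locally administered unicast
    "0100.5e00.00fb",      # group address
    "ff:ff:ff:ff:ff:ff",   # broadcast
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, parse_mac(sample))
    print("stable:", stable_identifiers(SAMPLES))
```

Only the first sample counts as a stable hardware identifier; an address with the locally administered bit set can be changed by software, so it does not have to stay constant across networks.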

RE[4]: Comment by clhodapp
by phoenix on Tue 22nd Nov 2011 18:41 UTC in reply to "RE[3]: Comment by clhodapp"
phoenix Member since:
2005-07-11

Soulbender,

"In practice MAC addresses are not unique (and don't actually have to be)."

I really would like to know what you mean here, because in practice having duplicate MAC addresses will break things like DHCP and switching hubs which rely on a MAC address's uniqueness.


MAC addresses have to be unique only within the same broadcast domain (ie, subnet). MAC addresses do not have to be unique on separate subnets, even if within the same building.

Most consumer wireless routers will automatically clone the MAC address of the computer it's connected to, using that MAC address on its WAN interface. You then have two devices in the same location with the same MAC address. But, they are on separate subnets, in separate broadcast domains, so it all works.

Reply Score: 2

RE[5]: Comment by clhodapp
by Alfman on Tue 22nd Nov 2011 21:37 UTC in reply to "RE[4]: Comment by clhodapp"
Alfman Member since:
2011-01-28

phoenix,

"MAC addresses have to be unique only within the same broadcast domain (ie, subnet). MAC addresses do not have to be unique on separate subnets, even if within the same building."

Thank you for the response, I already know how they work though. The hardware MAC is designed to be unique globally, even if it's only necessary to be unique locally. It is not a misunderstanding on my part.

To my knowledge we still haven't needed to recycle them in hardware. If you know of a source that talks about manufacturers reusing MACs, I'd love a link.

http://anonsvn.wireshark.org/wireshark/trunk/manuf

There appear to be plenty of unassigned entries left scattered throughout.

Edited 2011-11-22 21:40 UTC

Reply Score: 2

bhtooefr
Member since:
2009-02-19

If you're using wifi with a publicly broadcast SSID, you're transmitting, in the clear, to the public, that your network is called such and such.

I could figure this out by driving past the SSID with a laptop. (Then again, I also don't have a problem with street view - it shows what a normal person could see from the street.)

However, requiring _nomap is a ridiculous way to deal with broadcast SSIDs and making them non-mapped.

Reply Score: 3

... only when they re-scan my area
by JamesBroadhead on Mon 21st Nov 2011 13:42 UTC
JamesBroadhead
Member since:
2011-10-04

So no one has pointed out the even more glaring hole than requiring people to change SSIDs; the database only gets updated whenever Google chooses to re-scan the area.

How often do they do that? Are the details going to remain up until they do? If that's the case, what's their motivation for re-scanning?

If this were a serious suggestion, it would be possible to delete entries immediately via Google Maps. As it is, it's a bit of a joke, and I'd be amazed if a proper engineer at Google put it together as a legitimate method.

Reply Score: 3

B. Janssen Member since:
2006-10-11

"So no one has pointed out the even more glaring hole than requiring people to change SSIDs; the database only gets updated whenever Google chooses to re-scan the area."

That's because the database is not working the way you seem to think it is working. The database is frequently updated with information gathered and sent home by mobile Android devices.

Reply Score: 4

ESSID versus BSSID
by Alfman on Mon 21st Nov 2011 19:10 UTC
Alfman
Member since:
2011-01-28

Some people here are saying that the SSID advertisement should be disabled, however this does not technically stop the so called "broadcast" of MAC addresses in every frame over the air (these are called BSSIDs). It's not possible to use WiFi technology without broadcasting a unique BSSID/MAC address over the air.

When Google's cars were collecting WiFi data, they captured every frame of WiFi traffic, not just the advertisement beacons.

Does anyone know the scope of WiFi data being submitted through Android devices? Is it limited to ESSID beacons?

Edit:

With the correct drivers in promiscuous mode Wireshark will show exactly what kind of data goes over the air.

An 802.11 WiFi frame is very similar to Ethernet. You can definitely create a map of all WiFi devices regardless of whether they are encrypted/advertised/etc.

Edited 2011-11-21 19:16 UTC

Reply Score: 3