EDIT (Tuesday 2nd August) Microsoft Statement is available from here
EDIT (Sunday 31th July) The flaw is fixed: I had a phone call with some people from Microsoft yesterday (yes on a Saturday) and they told me they fixed the problem. I will update this post with their response as soon as it is out. The demo code does not work anymore.
In our upcoming BlackHat talk, we will show you how the WiFi data stored by Windows can be used to geolocate where your computer has been. While the ability to retrace where a computer has been (and when) certainly carries privacy implications, in this post I want to focus on how we uncovered this data, and the unexpected difficulties we encountered while developing this technique.
How can you retrace where a computer has been?
While analyzing what computer-specific data is recorded by Windows, we found out that for each access point a computer is connected to, Windows records its MAC address and the last time of connection. The physical location of a MAC address can be found by querying a public geolocation API, such as the Google one. My module for OWADE, our forensic tool, queries public geolocation APIs with all the MAC addresses gathered from the Windows WiFi data to create a map of where the computer has been. Since last year, using the Google geolocation API to locate routers via their MAC address has been a pretty hot topic. At the last BlackHat Samy mentioned it in his talk and I did a demo of it in my talk. It has also been discussed that the Google database used to contain client MAC addresses (but no longer does).
Why things are never easy
When I started writing the OWADE’s geolocation module, I thought it would be as easy as querying Google like I did last year. The module worked fine until June when Google changed their API to prevent that kind of probing. Ever since, Google returns a location only if you supply two MAC addresses that are fairly close together (see this article for more detail on this). This smart defense completely thwarted my module and I was back to square one.
After brainstorming for a few days on how to make the module work again, I realized that Google was not the only geolocation API available: Internet Explorer also supports the W3C Geolocation API. Under the hood, Internet Explorer uses the Live Location API. The live API is a straightforward “SOAP” API that returns an XML file with the location of the MAC address. Note that The Microsoft Live API does not require passwords or API keys to work. I created a proof of concept to test if your MAC address is in Microsoft Database that is available here.
A happy ending?
To my surprise, Microsoft’s API did not enforce any query restrictions. You can get the location for a single MAC address and do as many queries as you want. I have contacted Microsoft about this and based on our email exchange it seems that this is not an issue for them. On the one hand, this is good news for me because my geolocation module works again, right on time for BlackHat. On the other hand, I am concerned about the privacy implications of this API existing without restrictions. I would like to see Microsoft implement some sort of query restrictions. Declan McCullagh has written a nice piece about the privacy implications of this lack of restriction for CNET. A big thanks to Nick Doty, Ashkan Soltani, Declan McCullagh, Jason Bau and the OWADE team: Jean Michel Picod, Ivan Fontarensky, and Matthieu Martin for helping out with this research. If you are coming to the BlackHat don’t miss our talk and come to say hi.