How to look up the GPS location of your MAC address or car on the Internet - Page 3

Have a question or want to start a discussion? Post it! No Registration Necessary.  Now with pictures!

Threaded View
Re: How to look up the GPS location of your MAC address or car on the Internet
On Fri, 16 Sep 2016 13:04:00 -0700, Jeff Liebermann wrote:

Quoted text here. Click to load it

Wow. Sorry about that fall. I saw your pictures, and you're in decent shape
for an old guy like me. (You were wearing army stuff from the army-navy
store.)

I hope you heal soon.  

Quoted text here. Click to load it

Jeff - since there is a "soft access point" on both iOS and Android phones,
does that mean that this soft AP SSID/BSSID/SS & GPS location is sent to
Google by all those poorly configured Android devices?

Quoted text here. Click to load it

Jeff - you're apparently talking about the Google vehicle that drives along
all the roads in the United States. I'm *not* talking about that WiFi
collection vehicle.

I'm talking about the fact that almost all Android cellphones are poorly
configured in that *they* are collecting the SSID/BSSID/SS of all access
points, and sending that, plus the current GPS location to Google many
times a day.

It's already discussed on *many* web sites.
Winston supplied three of them already:
http://arstechnica.com/information-technology/2014/11/where-have-you-been-your-smartphones-wi-fi-is-telling-everyone/
http://www.zdnet.com/article/how-google-and-everyone-else-gets-wi-fi-location-data/
http://www.theregister.co.uk/2011/04/22/google_android_privacy_concerns/

So we're *only* talking about what data the poorly configured Android
cellphones provide to Google many times a day for all the iOS and Android
phones it encounters.

Quoted text here. Click to load it

That's for the car.
We're talking about poorly configured Android cellphones collecting this
data.
See the URLs from Winston for details.
They're titled:

2. How Google--and everyone else--gets Wi-Fi location data
3. Google location tracking can invade privacy

Quoted text here. Click to load it

Hi Jeff,

I realize you always try to help, and that you provide details, which is
expensive in costs of energy and time.

I read *everything* you write, but I don't always understand everything you
write.

However, the *only* question that matters is under what circumstances is an
iOS or Android cellphone's SSID/BSSID/SS and GPS location *reported* to
Google databases by poorly configured Android cellphones.

I *think* the answer is that this happens *only* when the iOS or Android
cellphone is configured to act as an *access point*.  

I'm just trying to confirm that setting up an iOS or Android phone as an
access point is the *only* situation where an iOS or Android cellphone is
reported to the Google API that collects the SSID, BSSID, Signal Strength,
and GPS location from a nearby poorly configured Android device.

Re: How to look up the GPS location of your MAC address or car on the Internet
wrote:

Quoted text here. Click to load it

Sorry, but that was over-simplified.  In peer-to-peer wireless
network, every wireless device needs to know the MAC address of every
other wireless device.  However, in infrastructure mode, each device
needs to only know the MAC address of the central access point.  Of
course, the central access point needs to know the MAC address of all
connected wireless devices.

(wrists hurt.  gotta stop now...)
--  
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558

Re: How to look up the GPS location of your MAC address or car on the Internet
On Thu, 15 Sep 2016 08:51:22 -0700, Jeff Liebermann wrote:

Quoted text here. Click to load it

Hi Jeff,

There are two *different* questions, only one of which I am asking.

What I'm probing is a specific flaw in the Google public API database.
I'm probing a flaw where we can *circumvent* the Google (flawed) security,
and by doing so, we can track a mobile phone.

We can already track a non-mobile router, but that isnt' the flaw that I'm
probing. Likewise, the *packet* contains the MAC address of either the 5Ghz
radio or the 2.4GHz radio of the mobile phone, but, I'm not discussing that
packet information *unless* that packet information makes it into the
Google public database.

What I *know* makes it into the Google Public database is the SSID/MAC/SS
of any access point that is both "broadcast" and which doesn't have
"_nomac" at the end of the SSID.

How this makes it into the Google Public Database is also well known, which
is that most Android phones are poorly configured such that *they* send
Google this access point information many times a day in the background.

But, as noted, most SSID access points remain in one place. So, finding the
location of a *static* access point is trivial.

What I'm trying to understand is how to probe the flaw in the Google Public
API that allows one to track *mobile* devices.

Specifically, if I *know* two MAC addresses that are already *in* the
Google Public Database, then I can ask the database if they're currently
next to one another at any given moment.

Given I know the BSSID of, say, the Starbucks in town, all I need to know
is the BSSID of the phone, to know whether the phone is at that Starbucks.

So that's why I ask the question:

QUESTION:
- Under what conditions does a cellphone SSID/MAC/SS get put into the
Google Public API by *other* (poorly configured) Android cellphones?

Re: How to look up the GPS location of your MAC address or car on the Internet
On Wed, 14 Sep 2016 00:27:22 -0000 (UTC), William Unruh wrote:

Quoted text here. Click to load it

Thank you for trying to help answer the question, as I realize answering
such a deeply technical question involves risk - and we need to communicate
so that we don't waste time on completely meaningless tangents.

First off we have to agree on some terms, and which are meaningful for the
purpose of *this* thread:

- SSID: This is *not* very meaningful for the purpose of this thread!
The SSID is only meaningful in that you can "do things" with your SSID
which tell Google to do *other things*, e.g., you can append "_nomac" to
the end of the SSID and Google promises to *drop* your information from its
databases. But since SSIDs are not generally unique, the SSID is not the
focus of *this* discussion.

- BSSID: This *is* the focus of this discussion, where each router has
*multiple* BSSIDs (aka MAC addresses) and where the focus of this
discussion is *only* on the one unique MAC address that is transmitted in
companion with the SSID of an access point!

It's critical that you understand that your statement is patently incorrect
that the router MAC addresses that *Google* is collecting using your
neighbor's Android device are easily cloned.

The MAC addresses that Google is collecting using your neighbor's poorly
configured Android cellphone are *not* easily changed (you have one per
each radio, e.g., 2.4GHz and 5GHz, for example).

These radio access point MAC addresses are NOT easily cloned!
This has been covered in this newsgroup in detail in the past.

However, even if the router's MAC address could be cloned (it can't, at
least not without desoldering and other heroic actions), it *still* would
be collected by your neighbor's poorly configured Android device.

So, it doesn't matter that you can't clone the MAC address that Google is
collecting by using your neighbor's Android device to automatically send
that information to Google periodically during the day.

The fact is that all poorly configured Android devices are automatically
sending Google throughout the day *your* MAC address of your router.

NOTE: While I'm completely aware that turning off SSID broadcast is
possible (and that it's not useful for security), we are assuming for this
purpose that the SSID is broadcast by the router.

Quoted text here. Click to load it

I realize you are trying to help - but I must be blunt, since this *is* the
critical question.

Since this *is* the critical question, a simple "No" is not enough,
especially since your previous statements in this post show that you
misunderstood completely the question and the situation.

I'm sorry if that sounds mean, but, a simple "No" is not believable under
those two circumstances.

The correct answer might still be "No", but you don't understand the
question yet, nor the technical situation, so a "No" all by itself doesn't
help.

My key question is *when* does an Android cellphone broadcast the MAC but
most people get all hung up about MAC addresses - so I'll dumb down the
question to ask "When does an Android cellphone broadcast an SSID?".

Q: Under what conditions does an Android cellphone broadcast an SSID?
NOTE: I don't care about the SSID - I care about the MAC - but people get
hung up about MAC addresses so I'll ask it in the simpler form.

Re: How to look up the GPS location of your MAC address or car on the Internet
Horace Algier wrote:

Quoted text here. Click to load it

Doesn't matter if the hat says "Alice J", "Aardvarks" or "Horace",  
people don't want to go over the same ground again ...


Re: How to look up the GPS location of your MAC address or car on the Internet
mean "Paul M. Cook"... oops I mean "VPN User"... oops I mean "Joe
Clock"... oops I mean "Marob Katon" ...  oops I mean "Chris Rangoon"...
wrote:
Quoted text here. Click to load it

  You don't ask a dumbed down question, but a dumb question and your
'question' isn't a question, but a false statement.

  HTH.

Re: How to look up the GPS location of your MAC address or car on the Internet
On Wed, 14 Sep 2016 08:54:56 +0100, Frank Slootweg  

Quoted text here. Click to load it

It's a xposting troll.

--  
Bah, and indeed, Humbug

Re: How to look up the GPS location of your MAC address or car on the Internet
On 2016-09-13 18:06, Horace Algier wrote:
Quoted text here. Click to load it

That data is broadcast only over wifi to devices in the vicinity that
can listen on WiFi. There is no reason to broadcast this on internet to
a google database; if this is done, you can opt out, and I have not seen
the opt out for this. I have seen the opt out or in for other privacy
data, but not this.

Quoted text here. Click to load it

As far as I know, no. Not to google, that is.
It is of course broadcast over wifi radio to those that intend to connect.
It may be stored in Drive, same as password data, if you opt in to that.
And it is treated as private data, so they say.


Quoted text here. Click to load it

As far as I know, Android phones with GPS on listen to nearby WiFi AP
traffic in order to tabulate where an SSID is located, so that later
devices asking for location can be told where they are by listing what
SSIDs are nearby. For this procedure a mobile AP SSID is plain useless.

--  
Cheers,
       Carlos E.R.

Re: How to look up the GPS location of your MAC address or car on the Internet
On Wed, 14 Sep 2016 00:20:13 +0200, Carlos E. R. wrote:

Quoted text here. Click to load it

Hi Carlos,
Thank you for responding again, as I realize it's risky when deeply
technical subjects are being discussed (where is Jeff Liebermann when we
need him!).

I think that you and I both know a lot and we both know nothing, because I
can see huge technical flaws in your statements (and those of William
Unruh) and you can (and he) can see similarly huge technical flaws in mine.

Yet, we're working torward the same goal, which is how to look up the GPS
*location* of two MAC addresses which we *presume* to be close to each
other. (NOTE: This is not the *intent* of the Google database, so, all the
talk about "the Internet" and "reasons for broadcast", etc., are absolutely
meaningless for *this* purpose.)

For this purpose, we only care about what "is" a fact.

Basically, I can easily see a purported flaw in the system, and that's what
I'm trying to publicly and openly and legally exploit by better
understanding that reputed flaw.

The "flaw" is, that under certain circumstances, a device can be "tracked",
using the Google public API in a valid but unusual way, which is to simply
*query* that database for two known MAC addresses.

Since we're *not* talking about *normal* purposes, but we're talking about
a potential flaw, we should first iron out what we *agree* on as technical
details.
1. GOOGLE DATABASE QUERY BY AN INDIVIDUAL
2. AUTOMATIC BSSID COLLECTION BY GOOGLE
3. MANUALLY OPTING OUT OF THE GOOGLE DATABASE

1. GOOGLE DATABASE QUERY:
I am absolutely positive that only the following data is needed in order to
run a search into the Google public API to find the *location* of a MAC
address for those who own an account on the Google server:
a. The BSSID (aka MAC address) of device 1
b. The BSSID (aka MAC address) of device 2
c. A signal strength of each (which can be bogus)

If you disagree, I will dig up a reference for that datapoint.

2. BSSID COLLECTION BY GOOGLE:
I am absolutely positive that the BSSID of all access points that are
*seen* by almost all Android devices (except mine, because I know about
this and therefore have turned it off) is being *sent* to Google
periodically during the day by (most) Android cellphones. (NOTE: The Google
cars *also* collect similar data; but this discussion has nothing to do
with the Google car collection data, even though that car populates the
same Google database.)

So this means that almost everyone with an Android device, who is near
enough to your home to receive your WiFi signals, is both automagically
*collecting* and automagically *sending* to Google *your* access point
information, under the conditions outlined below.

This includes:
a. Your router's SSID
b. Your router's BSSID (which is your all-important unique MAC address)
NOTE: This is the nearly-impossible-to-change MAC address of your router
(and not the trivially cloned MAC address of your router!).
c. Your router's Signal Strength
d. The current GPS location
etc.

If you disagree, I will dig up a reference for that datapoint.

3. OPTING OUT OF THE GOOGLE DATABASE:
While most of us "think" about SSIDs', and while the *collection* by
Android devices consists of far *more* than *just* the MAC address, this
discussion is limited to just the BSSID (aka MAC address) which is
broadcast by access-point equipment, such as a home router.  

I am absolutely positive that one can not stop someone else's Android
cellphone from collecting your router's broadcast MAC address *except* by
either:
a. Turning off the broadcast (which does not hide it from the packet but
which Google will respect as an indication you don't want to be in their
DB)
b. Appending "_nomap" to your SSID (which google will respect *after* the
fact, e.g., your neighbor's Android phone *collects* your SSID/MAC/SS/etc.,
and your neighbor's Android phone *sends* that SSID/MAC/SS/etc. to Google,
but Google (says they will) remove your SSID from their records upon
receipt.

My main question here is *when* does a mobile device *broadcast* its SSID
(where what really matters is the MAC address!)?

However, before we can get to that critical question, we have to understand
the three technical points above.

Do you agree or disagree with the three technical FACTS as I see them?
1. GOOGLE DATABASE QUERY BY AN INDIVIDUAL
2. AUTOMATIC BSSID COLLECTION BY GOOGLE
3. MANUALLY OPTING OUT OF THE GOOGLE DATABASE

Site Timeline