The Renderlab: Open Letter to Google's Wardrivers And Their Detractors


5/21/10

So recently Google has gotten into hot water in Germany over their alleged 'wardriving' and the potential collection of private data from wireless networks in the process.

So far all the media reports, blog posts and debate have been so steeped in rhetoric that no one is working from facts or has taken a step back and actually looked at the situation. It is my hope, as a major Wardriver and with my knowledge of the technology involved, to provide a voice of reason. What effect that will have, who knows, but hopefully it will mean people will calm down and we can get on with our lives.

I wrote two books on wireless stuff, Kismet Hacking and 7 Deadliest Wireless Technology Attacks, and contributed work to many others. I am also friends with Dragorn, the author of Kismet, the wireless sniffing tool in use by Google.

Background

Google is wardriving with their fleet of streetview vehicles in an effort to provide location services, much like Skyhook and other location service providers are, in order to build databases of wireless networks and rough GPS locations. With this, a wireless card can be used as a pseudo GPS device to determine a user's approximate location where GPS may not be available, by comparing the networks in the area with previous wardriving data. Wardrivers have been doing something similar for years with wigle.net, where we post our data to a common database and can generate queries from over 20 million APs with GPS co-ordinates.

One implementation of Google's version of this is in Google Maps, where you can click the little round button above the streetview man and, if you are using wireless, it will determine your rough location. Kinda handy in some situations if GPS is unavailable.

Google has admitted that they use Kismet (the de facto tool for wireless detection, open source, and pretty much the program responsible for my current career) with some pretty common hardware on each of their streetview cars to wardrive and collect logs. Pretty much the same as I've been doing for 8 years. I've already got an email into the head of some of the streetview stuff in Germany to ask him about the specifics of configuration but I don't expect to hear back much.

To me this makes perfect sense: since they already have a fleet of cars going around collecting information anyways, why not add 3 lbs of equipment and collect even more?

Analysis

Kismet's usual mode of operation is to passively listen for packets in the air. Most often it will hop channels, usually once every 5 ms, to catch beacon frames (100/sec) on each channel. It also records any data packets it finds for possible use at de-cloaking 'cloaked' networks (though not a feature Google should be worrying about). From this Kismet generates log files of AP information and location in TXT and XML formats, as well as a pcap dump file of the packets seen. The TXT and XML logs should contain everything Google needs, but from the pcap you can regenerate logs and refine your location data by combining multiple runs and merging data.

Presumably Google is maintaining a database of AP MAC addresses correlated to rough GPS coordinates for those APs. It's assumed that if you have wireless and are online, you can use the database online to figure out roughly where you are. The controversy, however, seems to be that data packets were collected at the same time and that they were stored.

Presumably at no time was Google attempting to crack networks. The only thing they may have done that was a bit sneaky was to decloak networks, but that is a passive action where a valid client, as part of the association to the network, ends up disclosing the SSID in cleartext, so it's not terribly sneaky.

The main glitch, and where Germany is getting their knickers in a bunch, is that Google was keeping the pcap files (about 600 gig) and that there could, in theory, be some private information within that database. While it was not Google's intention to record this information or to do anything with it, the fact they have it at all is the main point of annoyance. Any data they have captured was sent over the clear and in today's world, you'd have to be a moron to do anything with an insecure protocol over wireless anyways, so there is some lesson to be learned from that for users.

My guess is that there was some disconnect between the engineering department who designed and built the wardriving gear and the policy people. I think that everyone's focus was on the data needed for the location service (MAC addresses and GPS co-ordinates) but no one considered the rest of the packets that were collected.

As Dragorn noted in his Blog, all Google needs to change is one line in the config file:

logtypes=pcapdump,gpsxml,netxml,nettxt

Should be changed to:

logtypes=gpsxml,netxml,nettxt

This change will save the log files in GPS, TXT and XML which are summaries of things like the MAC, SSID, security settings (WEP, WPA, etc), but will throw out the PCAP dump which is what would have the potentially private traffic that is getting everyone in a twist.
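Where pcap dumps that already exist have to be kept for regenerating logs, the data frames can be stripped out of them and only the management frames (beacons, probe responses) retained. The sketch below is an added example, not code from Kismet, Dragorn or Google; it assumes classic pcap files with raw 802.11 (link type 105) or radiotap (127) framing, and the function names and the sample capture are constructed for illustration.

```python
import struct

DLT_IEEE802_11 = 105        # raw 802.11 header
DLT_IEEE802_11_RADIO = 127  # radiotap header, then 802.11

def dot11_type(frame, linktype):
    """Return the 802.11 frame type (0 mgmt, 1 control, 2 data), or None if truncated."""
    offset = 0
    if linktype == DLT_IEEE802_11_RADIO:
        if len(frame) < 4:
            return None
        offset = struct.unpack_from("<H", frame, 2)[0]  # radiotap length, always little-endian
    if len(frame) < offset + 2:
        return None
    return (frame[offset] >> 2) & 0x3  # type is bits 2-3 of the first frame-control byte

def scrub_pcap(data):
    """Return (pcap_bytes, kept, dropped), keeping management frames only."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype not in (DLT_IEEE802_11, DLT_IEEE802_11_RADIO):
        raise ValueError("unsupported link type %d" % linktype)
    out, kept, dropped, pos = [data[:24]], 0, 0, 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, pos + 8)[0]
        record = data[pos:pos + 16 + incl_len]
        pos += 16 + incl_len
        # Keep complete management frames; data, control and truncated records are dropped.
        if len(record) == 16 + incl_len and dot11_type(record[16:], linktype) == 0:
            out.append(record)
            kept += 1
        else:
            dropped += 1
    return b"".join(out), kept, dropped

def build_sample():
    """Constructed sample: one beacon and one data frame with a cleartext payload."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    beacon = b"\x80\x00" + bytes(22) + bytes(12) + b"\x00\x07example"
    data = b"\x08\x00" + bytes(22) + b"GET /private HTTP/1.0\r\n"
    recs = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in (beacon, data))
    return header + recs

if __name__ == "__main__":
    scrubbed, kept, dropped = scrub_pcap(build_sample())
    print("kept", kept, "dropped", dropped, "bytes", len(scrubbed))
```

The scrubbed file still carries the BSSID and SSID that the summary logs are built from, while the payload bytes of data frames are gone.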

Conclusion

Google is presumably scrubbing their database of any data packets and just keeping the summary logs, which is presumably all they need for their location efforts. I do not believe that Google was mining the data for anything nasty, nor do I believe there was anything particularly malevolent involved. It was an oversight, a disconnect between policy and engineering.

How a company deals with such mistakes shows the true colors of the company. I think everyone is overreacting to this, partially due to the lack of understanding of what is occurring at a technical level and due to some paranoia over the amount of data Google has access to anyways.

Everyone needs to calm down and realize that the data that was collected was accidental and likely not intentional, and anything potentially private was sent on unencrypted networks over an unencrypted protocol, something that people should have no right to complain about.

