The newest generation of Apple's iPhone and iPod touch devices supports a self-localization feature that uses the known locations of wireless access points (Wi-Fi) together with the device's own ability to detect access points. By comparing the access points seen in its environment with the entries in a database, the device estimates its own position. This position can then be used to show the device's location on a map, to display nearby services such as restaurants and shops, or to compute the shortest route to a target location. This self-positioning is based on the Wi-Fi Positioning System (WPS) provided by Skyhook Wireless, Inc. Skyhook maintains a database with information about access points around the world, collected by the company and partially contributed by users. When a client (e.g., an iPod) wants to find its position, it detects its neighboring access points and sends this information to the Skyhook servers, which return the locations of those access points to the client. Based on the received data, the client computes its position.
In this work, we analyze the security of WLAN positioning systems based on public access points. Using the Skyhook positioning system as an example, we demonstrate that these public WLAN positioning systems are vulnerable to location spoofing attacks. Signal replays and jamming allow an attacker to convince a device that it is at a spoofed position which differs from its actual physical position and may be kilometers away. Our attack consists of two actions: (1) impersonation of access points from a remote location and (2) elimination of the signals sent by the other access points in the area. Together, these two actions create the illusion for the localized device that it is located at a position different from its actual physical position. Skyhook's WPS does not rely on fresh and/or authenticated access point signals: it simply requires a device to report the Media Access Control (MAC) addresses of the access points it detects, and these addresses are then matched against the access point records collected earlier. Since rogue access points can forge their MAC addresses, access point impersonation is easy in WPS. Likewise, since WLAN signals are easy to jam, the signals of legitimate access points can easily be eliminated, thus enabling location spoofing attacks. We note that these attacks apply to all devices using Skyhook's WPS, including the iPod touch, the iPhone, Nokia mobile phones (with Symbian OS and the WPS applet) and PCs (using Skyhook's Loki plugin).
By demonstrating these attacks, we hope to highlight the limitations of existing WLAN-based localization systems, in terms of the guarantees that they provide and the applications that they can be used for.
To impersonate a large number of wireless base stations at a given location, we used an Asus Eee PC configured to impersonate an almost arbitrary number of access points. To find the MAC addresses of access points at a remote location, we used a combination of the WiGLE database, IGiGLE and Google Earth. WiGLE is a database containing data about more than 13 million wireless networks, collected by individuals. To visualize this data, we used IGiGLE to download the networks in a given area and fed the result into Google Earth to select access points located close to each other.
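The selection step described above, as an added example and not the tooling we used: the export format and its column names (netid, ssid, trilat, trilong) are an assumption, every MAC address and coordinate in the sample is constructed, and the script simply filters a WiGLE-style export down to the access points within a chosen radius of a target point and reports how tightly they cluster. A loose set is useless for spoofing, because access points that could not all be seen from one spot are exactly what the localization rejects (Figure 8).

```python
import csv
import io
import math

# Constructed sample in the shape of a simplified WiGLE query export. The column
# names (netid, ssid, trilat, trilong) are an assumption about the export format;
# every MAC address and coordinate here is made up for this example.
SAMPLE_EXPORT = """netid,ssid,trilat,trilong
02:00:00:00:01:01,home-net,40.77010,-73.99020
02:00:00:00:01:02,linksys,40.77040,-73.99080
02:00:00:00:01:03,riverview,40.76990,-73.98950
02:00:00:00:01:04,cafe-wifi,40.77100,-73.99150
02:00:00:00:01:05,far-away,40.75000,-73.98000
02:00:00:00:01:06,midtown,40.76100,-73.98500
"""


def planar_distance_m(lat1, lon1, lat2, lon2):
    """Equirectangular approximation of the distance in metres. It is accurate
    to well under a percent over the few hundred metres that matter here."""
    m_per_deg_lat = 111_320.0
    m_per_deg_lon = m_per_deg_lat * math.cos(math.radians((lat1 + lat2) / 2))
    return math.hypot((lat2 - lat1) * m_per_deg_lat, (lon2 - lon1) * m_per_deg_lon)


def load_export(text):
    """Parse the export into (mac, ssid, lat, lon) tuples."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["netid"].lower(), r["ssid"], float(r["trilat"]), float(r["trilong"]))
            for r in rows]


def select_cluster(aps, target_lat, target_lon, radius_m):
    """Return the access points within radius_m of the target point, nearest
    first, as (distance_m, mac, ssid, lat, lon)."""
    chosen = []
    for mac, ssid, lat, lon in aps:
        d = planar_distance_m(target_lat, target_lon, lat, lon)
        if d <= radius_m:
            chosen.append((d, mac, ssid, lat, lon))
    chosen.sort()
    return chosen


def cluster_diameter_m(cluster):
    """Largest pairwise distance within the cluster: a quick check that the
    chosen set is one a single device could plausibly see at once."""
    diameter = 0.0
    for i, (_, _, _, lat_i, lon_i) in enumerate(cluster):
        for _, _, _, lat_j, lon_j in cluster[i + 1:]:
            diameter = max(diameter, planar_distance_m(lat_i, lon_i, lat_j, lon_j))
    return diameter


if __name__ == "__main__":
    aps = load_export(SAMPLE_EXPORT)
    cluster = select_cluster(aps, 40.7703, -73.9905, radius_m=200.0)
    for d, mac, ssid, lat, lon in cluster:
        print(f"{mac}  {ssid:<10} {lat:.5f} {lon:.5f}  {d:6.1f} m")
    print(f"cluster diameter: {cluster_diameter_m(cluster):.0f} m")
```

With the constructed rows, a 200 m radius around the target keeps four of the six access points and drops the two that sit a kilometre or more away; the four that remain span roughly 200 m, which is the kind of set the impersonating laptop can announce consistently.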
Figure 1: (left) Equipment used in our experiment. The laptops are used to spoof wireless networks and the software radios to jam legitimate networks. (right) Location in New York City, USA (in Google Earth) of the access points we selected to impersonate.
If a device is not in range of any wireless network known to Skyhook, we can spoof its location by access point impersonation alone and thus completely control the result of the localization process. To achieve this, we impersonated several wireless networks from the target location; an example is shown in Figure 2. For this demonstration we spoofed two different locations on an iPod touch, one in an area of Zurich (Switzerland) and one in New York City (USA). The device, physically located at ETH Zurich, reported locations in downtown Zurich (1 km away) and in New York (6,300 km away), as shown in Figure 3.
Figure 2: Three impersonated networks from River Park, New York City. (The network names (SSIDs) are not used by the localization system and were chosen by us.)
Figure 3: Two successfully spoofed locations. (left) The reported location is close to Zurich City Hall, about 1 km from the actual location of the iPod (ETH Zurich). (right) A location in New York City, about 6,300 km from the iPod's actual location (ETH Zurich).
If we compare Figure 3 (right) with the location in Figure 1 (right), we see that the location returned by the iPod is relatively close to the position obtained from the WiGLE database. Figure 4 compares the positions of the impersonated access points with the reported location.
Figure 4: Comparison between the reported position on the iPod and the impersonated access points displayed in Google Earth.
The location spoofing attack works similarly on the iPhone. On the iPhone, GSM localization is used in addition to the WLAN signals to obtain a rough position estimate of the device. If this estimate does not match the position computed by Skyhook's WPS, only the GSM localization is used to determine the device's position. This means that only positions within some distance of the iPhone's actual physical location can be spoofed. With the iPhone, we were thus still able to spoof our test location in downtown Zurich (Figure 5, left), but not the one in New York City. However, if the iPhone has no GSM connection, the spoofing attack works exactly as described above for the iPod (Figure 5, right). Thus, if the GSM signals are jammed as well (which does not interfere with the WLAN part of the attack, since GSM and WLAN signals occupy different frequency bands), the iPhone's location can be spoofed arbitrarily.
Figure 5: Results of spoofing the New York City location on an iPhone. (left) The iPhone has a GSM signal and GSM localization overrules the NY access points. The position is still in Zurich but much less accurate. (right) The result is in New York City if no GSM signal is available.
To verify our results on a different platform, we also performed the location spoofing attack using Skyhook's Loki plugin. This plugin is installed in the browser as a toolbar and can provide web sites with location information about the user. We installed this toolbar on a laptop and repeated the setup of the location spoofing attack described above. The results were identical to those reported by the iPod and are shown in Figure 6.
The next attack causes the iPod to report an incorrect location despite the presence of known wireless networks. So far we assumed that no legitimate access points known to Skyhook are visible to the device during localization. In many realistic scenarios, legitimate networks will be present and will influence the localization process. To spoof a location in this setting, we eliminate the legitimate signals by jamming and simultaneously insert the signals of impersonated access points. This can easily be done using WLAN jammers that emit uniform noise on the channels on which the legitimate networks transmit their beacons (for this, we used the software radio platforms shown in Figure 1). We then announce the spoofed networks on free, unjammed channels (802.11 offers up to 13 channels in the 2.4 GHz band). As in the previous attack, this causes the iPod to report an incorrect location chosen by the attacker (Figure 7). For locations close to the actual position (e.g., in the same city), this attack can also be executed on the iPhone, as mentioned above. Larger distances additionally require jamming the GSM signal, which can be done with commercially available GSM jammers.
Figure 7: Results of the jamming and spoofing attacks on the iPod touch in our office environment. Around 20 legitimate access points were visible; we jammed them while inserting our own impersonated networks. (left) The location successfully changed from Zurich to New York City, close to the position in Figure 3 (which was obtained in the absence of legitimate networks). (right) The location displayed by the iPod in downtown Zurich (marked by a circle), about 1 km from the iPod's actual position (marked by a pin) on the university campus.
The simplest attack on Skyhook's WPS is a denial-of-service attack: by impersonating several wireless networks with the MAC addresses of existing access points that are located far apart from each other, we cause the Skyhook localization to fail. The client has no way of knowing which of the reported access points are really present, so no consistent position can be returned. This makes denial-of-service attacks on the localization process very easy; the result is shown in Figure 8.
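To make the localization behaviour behind the attacks on this page concrete in one place (impersonation with no legitimate network in range, the iPhone's GSM plausibility check, jamming combined with impersonation, and this denial-of-service case), here is a toy model of a WPS client and server. It is an added example, not Skyhook's code or the software we used: the database, MAC addresses and coordinates are constructed, and the 500 m spread limit and the 5 km GSM tolerance are assumptions chosen to reproduce the outcomes reported above, not Skyhook's actual parameters.

```python
import math

# Constructed toy access-point database (MAC -> (lat, lon)). Skyhook's real
# database is not public; these MACs use the locally administered bit and the
# coordinates only roughly follow the places named on this page.
AP_DB = {
    "02:5a:00:00:00:01": (47.3763, 8.5477),    # ETH Zurich campus
    "02:5a:00:00:00:02": (47.3766, 8.5481),
    "02:5a:00:00:00:03": (47.3760, 8.5484),
    "02:5a:00:00:00:11": (47.3690, 8.5390),    # Zurich downtown, ~1 km away
    "02:5a:00:00:00:12": (47.3693, 8.5386),
    "02:5a:00:00:00:13": (47.3688, 8.5394),
    "02:4e:00:00:00:21": (40.7701, -73.9902),  # New York City, ~6,300 km away
    "02:4e:00:00:00:22": (40.7704, -73.9908),
    "02:4e:00:00:00:23": (40.7699, -73.9895),
}
ETH_APS = ["02:5a:00:00:00:01", "02:5a:00:00:00:02", "02:5a:00:00:00:03"]
DOWNTOWN_APS = ["02:5a:00:00:00:11", "02:5a:00:00:00:12", "02:5a:00:00:00:13"]
NYC_APS = ["02:4e:00:00:00:21", "02:4e:00:00:00:22", "02:4e:00:00:00:23"]
ETH_GSM_FIX = (47.3763, 8.5481)   # coarse cell-based estimate near the campus


def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000 * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def scan(environment, jammed=False, spoofed=()):
    """MACs the victim's WLAN interface reports: the legitimate beacons unless
    the attacker jams them, plus whatever the attacker's laptop announces."""
    return ([] if jammed else list(environment)) + list(spoofed)


def server_lookup(macs):
    """Skyhook-style server: hand back stored coordinates for every known MAC.
    Nothing here checks that the reported beacons were fresh or authentic."""
    return {m: AP_DB[m] for m in macs if m in AP_DB}


def wps_position(macs, spread_limit_m=500.0):
    """Client-side estimate: the centroid of the returned access points, or
    None when they cannot all be in range of one device (the error shown in
    Figure 8). The 500 m spread limit is an assumption of this model."""
    pts = list(server_lookup(macs).values())
    if not pts:
        return None
    if any(haversine_m(p, q) > spread_limit_m for p in pts for q in pts):
        return None
    n = len(pts)
    return (sum(p[0] for p in pts) / n, sum(p[1] for p in pts) / n)


def iphone_position(macs, gsm_fix=None, gsm_tolerance_m=5_000.0):
    """Model of the iPhone's behaviour: a WPS fix that disagrees with the coarse
    GSM estimate is dropped in favour of the GSM fix. The 5 km tolerance is an
    assumption; the page only shows that 1 km passes and 6,300 km does not."""
    wps = wps_position(macs)
    if gsm_fix is None:
        return wps
    if wps is None or haversine_m(wps, gsm_fix) > gsm_tolerance_m:
        return gsm_fix
    return wps


def spoof_no_legit_aps():
    """Figure 3: nothing known is in range, the attacker announces NYC MACs."""
    return wps_position(scan([], spoofed=NYC_APS))


def spoof_with_jamming(jam):
    """Figure 7: legitimate APs are visible; the spoof only lands once they
    are jammed, otherwise the mixed set is inconsistent."""
    return wps_position(scan(ETH_APS, jammed=jam, spoofed=NYC_APS))


def dos_attack():
    """Figure 8: impersonate access points that are kilometres apart."""
    return wps_position(scan(ETH_APS, spoofed=[DOWNTOWN_APS[0], NYC_APS[0]]))


if __name__ == "__main__":
    print("honest fix        :", wps_position(scan(ETH_APS)))
    print("iPod, NYC spoof   :", spoof_no_legit_aps())
    print("iPhone+GSM, NYC   :", iphone_position(scan([], spoofed=NYC_APS), ETH_GSM_FIX))
    print("iPhone+GSM, 1 km  :", iphone_position(scan([], spoofed=DOWNTOWN_APS), ETH_GSM_FIX))
    print("jam off / jam on  :", spoof_with_jamming(False), spoof_with_jamming(True))
    print("DoS               :", dos_attack())
```

Running the module walks through the scenarios in the order the page presents them: the iPod lands in New York as soon as only the attacker's MACs are visible, the modelled iPhone keeps its GSM fix for the New York set but accepts the 1 km downtown set, the jamming case fails until the legitimate beacons are removed, and the far-apart set produces no position at all. The point the model makes explicit is that every decision rests on MAC addresses the server cannot authenticate.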
Figure 8: On the left side we show the result of a successful localization at ETH Zurich. The right side displays the error message resulting from the DoS attack on localization.
Questions and contact Prof. Srdjan Capkun (firstname.lastname@example.org).
Copyright System Security Group, ETH Zurich