
Stanford researcher exposes Microsoft's Wi-Fi database

To pressure Microsoft to curb access to its geolocation database, researcher creates Web page that lets people send queries based on their--or someone else's--computer's unique Wi-Fi address.

Declan McCullagh Former Senior Writer

A Stanford University researcher has created a Web page allowing people to query Microsoft's massive database for the locations of their--or someone else's--laptops, cell phones, and other Wi-Fi devices.

The Web page, created this morning by Elie Bursztein, a postdoctoral researcher at the Stanford Security Laboratory, lets people type in the unique 12-character Wi-Fi address of any wireless device. If there's a match, the site displays a map of where Windows Phone 7 devices and Microsoft's fleet of Wi-Fi recording vehicles saw the wireless device last.

Stanford researcher Elie Bursztein says Microsoft should adopt the same location-privacy protections that Google implemented last month.

A CNET article last night provided details about Microsoft's extensive database at Live.com, which is not protected by the same privacy safeguards that competitors Google and Skyhook Wireless have adopted.

Bursztein says he created the Web page querying Live.com's application programming interface, or API, to highlight how it works and to nudge Microsoft in a more privacy-protective direction. He plans to summarize his findings in a related talk with two other researchers at the Black Hat security conference in Las Vegas next week.

You can typically find your device's unique Wi-Fi address by going to the About screen on an iPhone or a laptop's configuration menu. Anyone within Wi-Fi range--typically a maximum of a few hundred feet--can learn it as well. The potential privacy concerns, of course, arise when you want to look up someone else's address: an ex-spouse, a politician, a celebrity, and so on.

On Bursztein's Web site, typing in the Wi-Fi address "02:1A:11:F2:12:FF," which is used by an Android phone acting as a Wi-Fi hotspot, brings up a latitude of 38.91192 and a longitude of -77.04171. Those coordinates in Washington, D.C., show that nearby buildings include residential apartments and the embassy of Montenegro.

It's not clear if Microsoft has collected the locations of only Wi-Fi devices acting as access points, or whether client devices using the networks have been swept in as well--something Google did using Street View. Microsoft has repeatedly declined to answer that question, which CNET first posed in June.

Reid Kuhn, a program manager in Microsoft's Windows Phone Engineering Team, did confirm that the company uses Windows devices and Street View-like "managed driving" to collect the unique addresses of devices that are acting "as a Wi-Fi access point." That includes mobile devices using tethering to share a wireless link.

Google and Skyhook have taken some privacy steps that Microsoft has not, including using geolocation to filter requests (in Google's case, to find out where a wireless device is, you already have to know its approximate location to about one city block). Another is that Google's database does not appear to include the Wi-Fi addresses of Android devices acting as wireless hotspots.
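The two protections described above can be sketched as a server-side gate. This is an added example, not code from Google, Skyhook, Microsoft or the article; the function names are hypothetical. It assumes "one city block" is about 150 m and that hotspot addresses can be recognized by the locally-administered bit, which is set in the 02:1A:11:F2:12:FF address quoted earlier.

```python
import math

BLOCK_RADIUS_M = 150.0  # assumption: "about one city block"

def normalize(mac):
    """Canonicalize a 12-hex-digit Wi-Fi address to AA:BB:CC:DD:EE:FF."""
    digits = "".join(c for c in mac if c not in ":-.").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("not a 48-bit MAC address")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def distance_m(a, b):
    """Great-circle (haversine) distance in metres between (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))

def ingest(observations):
    """Build the database, dropping addresses assumed to be mobile hotspots."""
    return {normalize(m): loc for m, loc in observations
            if not is_locally_administered(m)}

def lookup(db, mac, claimed_location):
    """Answer only callers who already know the device's position to a block.

    Unknown address, missing claim and out-of-range claim all return None,
    so the response does not reveal whether the address is in the database.
    """
    stored = db.get(normalize(mac))
    if stored is None or claimed_location is None:
        return None
    if distance_m(stored, claimed_location) > BLOCK_RADIUS_M:
        return None
    return stored

# Constructed observations; the first pair is the address and coordinates
# quoted in the article, the second is invented for the example.
OBSERVATIONS = [
    ("02:1A:11:F2:12:FF", (38.91192, -77.04171)),
    ("00-11-22-33-44-55", (38.91200, -77.04100)),
]
DB = ingest(OBSERVATIONS)
```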

Until a June 15 CNET article appeared, sparked by the work of security researcher Ashkan Soltani, Google took the same open approach as Microsoft. About a week later, Google curbed access and blocked a similar Web page created by hobbyist hacker Samy Kamkar.

Microsoft's database extends beyond U.S. locations. A CNET test of a range of Wi-Fi addresses used by HTC devices showed that Live.com returned locations linked to street addresses in Leon, Spain; Westminster, London; a suburb of Tokyo; and Cologne, Germany.

Some Wi-Fi addresses appeared to change positions, meaning the Live.com database--located at http://inference.location.live.com--could be used to track the movements of a handheld device. In addition, some Wi-Fi addresses were added to or deleted from the database over the period of a few days.

Here's a list of ways to find your computer's Wi-Fi MAC address.