How I Met Your Router

From Exploit to Physical Location



Introduction

With minimal effort it is now possible to pinpoint the physical location of a wireless router from its MAC address using services such as Google and Skyhook. To demonstrate this, we used a recent information leakage vulnerability in DD-WRT routers. A Shodan search/export was performed to obtain an initial list of routers running the affected DD-WRT firmware, followed by a simple web request to obtain each router's MAC address. Finally, the MAC address was resolved to a physical location using Google's unofficial Locations API.


The dataset used for this study is available for download on the right side.


Vulnerability

A bug was discovered by Craig Heffner in the DD-WRT firmware that lets remote users obtain detailed information about the router. By sending a web request to /Info.live.htm, an attacker can obtain information such as the router's MAC addresses. No brute-forcing or special payload is needed, since the page doesn't require authentication by default. The info page was enabled by default, and even disabling it didn't prevent attackers from retrieving the page. To prevent the information disclosure, the router's information page must be set to 'enabled with password protection.'


The following is a sample output from the /Info.live.htm file:


{lan_mac::00:22:B0:9B:1C:D3}
{wan_mac::00:22:B0:9B:1C:D4}
{wl_mac::00:22:B0:9B:1C:D5}
{lan_ip::192.168.1.1}
{wl_channel::6}
{wl_radio::Radio is On}
{wl_xmit::71 mW}
{wl_rate::270 Mbps}
{packet_info::SWRXgoodPacket=0;SWRXerrorPacket=0;SWTXgoodPacket=302;SWTXerrorPacket=17;}
{wl_mode_short::ap}
{lan_proto::dhcp}
{mem_info::,'total:','used:','free:','shared:','buffers:','cached:','Mem:','13316096','11509760','1806336','0','1556480','4431872','Swap:','0','0','0','MemTotal:','13004','kB','MemFree:','1764','kB','MemShared:','0','kB','Buffers:','1520','kB','Cached:','4328','kB','SwapCached:','0','kB','Active:','4136','kB','Inactive:','1724','kB','HighTotal:','0','kB','HighFree:','0','kB','LowTotal:','13004','kB','LowFree:','1764','kB','SwapTotal:','0','kB','SwapFree:','0','kB'}
{active_wireless::}
{active_wds::}
{dhcp_leases:: 'joes-desktop','192.168.1.102','xx:xx:xx:xx:2E:41','1 day 00:00:00','102'}
{dhcp_leases:: 'marys-laptop','192.168.1.105','xx:xx:xx:xx:55:E2','1 day 00:00:00','105'}
{uptime:: 01:35:40 up 8 min, load average: 1.60, 0.80, 0.36}
{ipinfo:: IP: 1.1.1.1}
{wan_ipaddr::1.1.1.1}
{gps_text::}
{gps_lat::}
{gps_lon::}
{gps_alt::}
{gps_sat::}
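As an added example (not code from the original post or from the Shodan library), the following Python parses the {key::value} records shown above and summarises what an unauthenticated reader learns from them: the radio MAC (wl_mac) that makes the location lookup possible, the LAN hostnames in the DHCP leases, and the WAN IP. The sample body is constructed (locally administered MACs, a documentation-range address) rather than captured; the same function can be pointed at a router's own information page to confirm it returns none of these fields once password protection is enabled.

```python
import re
from collections import defaultdict

# One "{key::value}" record as emitted by DD-WRT's Info.live.htm. The value
# itself may contain ':' (MAC addresses), so the key ends at the first '::';
# DOTALL covers values that wrap across lines.
RECORD_RE = re.compile(r"\{(\w+)::(.*?)\}", re.DOTALL)
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")

# Constructed sample body (not a capture): locally administered MACs, a
# documentation-range WAN address, one DHCP lease in the page's format.
SAMPLE_BODY = (
    "{lan_mac::02:00:00:AA:BB:01} \n"
    "{wan_mac::02:00:00:AA:BB:02} \n"
    "{wl_mac::02:00:00:AA:BB:03} \n"
    "{lan_ip::192.168.1.1} \n"
    "{dhcp_leases:: 'joes-desktop','192.168.1.102',"
    "'xx:xx:xx:xx:2E:41','1 day 00:00:00','102'} \n"
    "{wan_ipaddr::192.0.2.10} \n"
    "{gps_lat::}\n"
)

def parse_info_live(body):
    """Map each key to a list of values: keys repeat (one dhcp_leases
    record per lease), so nothing is silently overwritten."""
    fields = defaultdict(list)
    for key, value in RECORD_RE.findall(body):
        fields[key].append(value.strip())
    return dict(fields)

def parse_lease(value):
    """Split a dhcp_leases value ('host','ip','mac','expiry','id')."""
    parts = [p.strip().strip("'") for p in value.split(",")]
    return {"host": parts[0], "ip": parts[1], "mac": parts[2]}

def audit_info_live(body):
    """Summarise what an unauthenticated reader of this page learns."""
    fields = parse_info_live(body)
    macs = {k: v[0] for k, v in fields.items()
            if k.endswith("_mac") and MAC_RE.match(v[0])}
    leases = [parse_lease(v) for v in fields.get("dhcp_leases", [])]
    return {
        "macs": macs,
        # wl_mac is the BSSID that Wi-Fi positioning databases index; its
        # presence is what makes the physical-location lookup possible.
        "geolocatable": "wl_mac" in macs,
        "dhcp_hosts": [lease["host"] for lease in leases],
        "wan_ip": fields.get("wan_ipaddr", [""])[0],
    }
```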
				

Technology

Overview

There are two known APIs for resolving a MAC address to the physical location of a router: Google and Skyhook. The Google API is used by products such as Firefox to determine the user's location, but it isn't officially documented. Skyhook is a company dedicated to providing geolocation lookups and has an official developer kit. For simplicity we used the unofficial Google Locations API, though the same can be achieved with Skyhook.


Code

The following code snippet has been taken from the Shodan API library's Wifi Positioning module.


To use the library in your own code, install the Shodan library:


Here's a brief example of how to use the library once it's installed:



Results

Overview

At the time of the export (April 11, 2011) there were 5688 search results for DD-WRT routers in Shodan (for all ports, including Telnet and HTTPS). Those results were passed to a script that attempts to retrieve /Info.live.htm from each device and then looks up the resulting MAC address using the above code for the Google Locations API.


Of the devices in the original Shodan export, only 543 returned a proper /Info.live.htm page and were successfully resolved to a location using Google Locations.


Map


A larger view of the map is available here.