Re: How to look up the GPS location of your MAC address or car on the Internet

Thank you for trying to help answer the question, as I realize answering such a deeply technical question involves risk - and we need to communicate so that we don't waste time on completely meaningless tangents.

First off we have to agree on some terms, and which are meaningful for the purpose of *this* thread:

- SSID: This is *not* very meaningful for the purpose of this thread! The SSID is only meaningful in that you can "do things" with your SSID which tell Google to do *other things*, e.g., you can append "_nomac" to the end of the SSID and Google promises to *drop* your information from its databases. But since SSIDs are not generally unique, the SSID is not the focus of *this* discussion.

- BSSID: This *is* the focus of this discussion, where each router has

*multiple* BSSIDs (aka MAC addresses) and where the focus of this discussion is *only* on the one unique MAC address that is transmitted in companion with the SSID of an access point!

It's critical that you understand that your statement is patently incorrect that the router MAC addresses that *Google* is collecting using your neighbor's Android device are easily cloned.

The MAC addresses that Google is collecting using your neighbor's poorly configured Android cellphone are *not* easily changed (you have one per each radio, e.g., 2.4GHz and 5GHz, for example).

These radio access point MAC addresses are NOT easily cloned! This has been covered in this newsgroup in detail in the past.

However, even if the router's MAC address could be cloned (it can't, at least not without desoldering and other heroic actions), it *still* would be collected by your neighbor's poorly configured Android device.

So, it doesn't matter that you can't clone the MAC address that Google is collecting by using your neighbor's Android device to automatically send that information to Google periodically during the day.

The fact is that all poorly configured Android devices are automatically sending Google throughout the day *your* MAC address of your router.

NOTE: While I'm completely aware that turning off SSID broadcast is possible (and that it's not useful for security), we are assuming for this purpose that the SSID is broadcast by the router.

I realize you are trying to help - but I must be blunt, since this *is* the critical question.

Since this *is* the critical question, a simple "No" is not enough, especially since your previous statements in this post show that you misunderstood completely the question and the situation.

I'm sorry if that sounds mean, but, a simple "No" is not believable under those two circumstances.

The correct answer might still be "No", but you don't understand the question yet, nor the technical situation, so a "No" all by itself doesn't help.

My key question is *when* does an Android cellphone broadcast the MAC but most people get all hung up about MAC addresses - so I'll dumb down the question to ask "When does an Android cellphone broadcast an SSID?".

Q: Under what conditions does an Android cellphone broadcast an SSID? NOTE: I don't care about the SSID - I care about the MAC - but people get hung up about MAC addresses so I'll ask it in the simpler form.

Doesn't matter if the hat says "Alice J", "Aardvarks" or "Horace", people don't want to go over the same ground again ...

You don't ask a dumbed down question, but a dumb question and your 'question' isn't a question, but a false statement.

HTH.

Oh, what the hell. I'll give it a try.

In the following I tend to intersperse WAN and LAN as well as BSSID and MAC. The basic underlying concepts work in both environments (with some fudging).

SSID has nothing to do with cellphones. It has to do with wifi only. The same is true for BSSID.

SSID is just a name. There could be thousands of wifi access points around the world with the same SSID.

A wifi access point consists of one or more radios to create a WAN. Each radio is a BSS with a BSSID, which is also known as a MAC. Each network device/radio has (by design, but not always in fact) a unique value for the MAC.

A device wishing to connect to a wifi access point looks for a broadcast wifi packet with a particular SSID in the data field of the packet. The header to the packet contains the BSSID/MAC of the access point in source field. To connect to the access point the device sends a packet back to the sender of the broadcast by putting the access point's BSSID in the destination field of the packet and its own MAC in the source field. The rest of the connection protocol is left as an exercise for the reader.

Until things get handed over to (presumably) DHCP there is no way to communicate other than the use of MAC addresses in the appropriate fields of the LAN packets. Strictly speaking, even after an IP address is assigned to the device, all communications on the LAN/WAN is still through the use of BSSID/MAC. It is only after a packet is recieved by the router that higher levels of network communications kick in and a packet will be repackaged with the necessary outer packet to make its way to the internet.

So, "Q: When does an Android cellphone broadcast an SSID?"

A: Keying on the use of the word "broadcast" and ignoring the use of the word "cellphone" because it doesn't apply, only when it is acting as its own access point/hot-spot for other devices. After all, an SSID is only a name.

And, "Q: When does an Android cellphone broadcast a BSSID?"

A: Again, keying on the use of the word "broadcast" and ignoring the word "cellphone" the answer is the same as for the previous question. However, as mentioned earlier, the MAC/BSSID is used in every packet that is sent back and forth with the access point, but is strictly usable only within the geographic area that the radio signals reach, which is pretty much limited to line of sight communications and for which walls are only semi-transparent at those frequencies.

Now, with all that said, there is in theory nothing to stop any program running as part of the wifi access point or within the connecting device to query its own networking internals to grab its own MAC address or the MAC address of devices it is communicating with and send that info out onto the internet to some recipient along with info from its own GPS, if available.

So, while it is not part of the normal protocols to reveal that information it is not inconceivable that some user level program could be doing the nasty deed.

Furthermore, all of this is at best fleeting information because a network device's MAC address is held in ROM on the device. The network software in a device reads the ROM to get the MAC, but is in no way required to use that address when constructing packets that will go out the device. The device itself *DOES NOT* insert the address into the outgoing packets. That is all handled by software. Therefore it is trivial for the software to use whatever MAC address it wants for its outgoing packets. This is in fact how DECnet used to work, the two high order bytes of the MAC were changed to reflect the fact that a packet was a DECnet packet.

As was said before, just flip a few bits and you could suddenly appear to be on the other side of the planet.

Whew!

Now, what has been left out? Oh yes, the cellphone network. How data is sent over the cellphone network is probably off topic for most of the newsgroups listed above. Therefore, I suggest you redirect your queries/confusions to more appropriate groups.

Bruce .

It's a xposting troll.

--
Bah, and indeed, Humbug

Thanks Bruce. I'm always nice if someone is sincerely trying to answer the question, and, I do realize that most people don't even *understand* the question.

All we care about, for *this* discussion, is the MAC address of the 5GHz and 2.4GHz radios in the iOS or Android cellphones we are trying to track.

That MAC address is also called a BSSID.

Google also logs the SSID, the signal strength, and the GPS location, but they are not of importance for *this* discussion.

Only the MAC address (aka BSSID) is important for *this* discussion.

This is not true that "SSID has nothing to do with cellphones".

As Jeff and I just discussed, if an Android or iOS cellphone acts as an Access Point, then that cellphone will broadcast an SSID.

If that iOS or Android cellphone broadcasts an SSID, it also broadcasts a BSSID, which is unique to that cellphone. In fact, it broadcasts *two* BSSIDs, one for each radio (5Ghz and 2.4Ghz).

It's *those* unique BSSIDs which are captured by poorly configured Android devices and uploaded multiple times a day to the Google Public Database, along with the GPS location of the poorly configured Android device and the SSID and Signal Strength of the access point.

Notice this allows such iOS or Android cellphones to be tracked!

I agree. SSID is "just a name". If the name ends with "_nomac", Google promises to *drop* that SSID from its' public database.

However, you must realize that the Google Public Database contains *more* than the SSID! It contains the *unique* BSSID associated with that SSID, and furthermore, it contains the Signal Strength of that access point at a specific GPS location of the poorly configured Android device that is near that access point.

Anyone who doesn't *understand* that paragraph above can't possibly understand the topic of this thread - so it's critical that the paragraph above be *understood*.

I agree. Specifically, if an iOS or ANdroid cellphone is acting as an access point, then its 5GHz and 2.4Ghz radio will broadcast the following: a. The cellphone AP SSID b. The cellphone AP BSSID

What you must understand to understand the question, is that poorly configured Android devices will *send* to Google not only that information above, but *more* information!

Poorly configured Android devices will send to Google: a. Your cellphone AP SSID b. Your cellphone AP BSSID (aka MAC address) c. Your AP signal strength seen by the poorly configured Android cellphone d. The GPS location of the poorly configured Android cellpone

This part is understood that the BSSID of the 5Ghz and 2.4GHz radios in both iOS and Android devices is sent in the clear in packets whenever those cellphones connect to an access point.

But I'm not talking about that.

I'm only talking about when an iOS or Android cellphone has the following four bits of information *sent* to the Google database by poorly configured Android devices: a. Your cellphone AP SSID b. Your cellphone AP BSSID (aka MAC address) c. Your AP signal strength seen by the poorly configured Android cellphone d. The GPS location of the poorly configured Android cellpone

Yes. You are correct that there are *other* methods, other than the Google Public Database, to obtain MAC addresses of devices.

For example, this web site from wardriving software:

But *this* question is complex enough for most people (almost nobody understood the question) if I simply stick to the Google mechanism.

Lord knows how complex this question gets if I bring in the Wigle wardriving mechanism (which even I don't understand).

Yep. Wardrivign software. Or anything from Marius Milner (e.g., netstumbler).

This is not true. Jeff Liebermann explained in the past why it would take an heroic effort to clone the MAC address of the radio that is sending out the packets.

The cloning is on a different MAC address, which is not the MAC address of concern here.

Too bad, becuase if it were easy to change the Access Point MAC address, then I would change mine daily.

Not true. You're confusing the easily cloned MAC address with the one that would take desoldering to change.

I purposely kept my earlier post at a fairly high level, mostly because from your other posts I was left with the opinion that you weren't handling the information you were presented with very well. I attempted to provide some background for the discussion so that we could at least agree on the meaning of various terms and the concepts that use those terms.

While your reply was cordial, for the most part, you did with me as you have done with others, namely rejected statements which are easily verified as true.

Again, here I was attepting to lay a background.

And here you are trying to bore down to a lower level prematurely, IMHO.

Yes, I'm afraid it is true. To reject it implies that you believe that all cellphones do wifi. I have two on the shelf in this room that do not do and never did do wifi.

This is consistent with what I wrote above and what I wrote below. This action has nothing to do with it being a cellphone but to do with it acting at this point as a wifi device.

Not necessarily. The protocols allow the creation of a BSSID on the fly. It only has to be unique within the (very short) range of the radios in use.

Actually, any wifi device acting as a BSS can identify itself as up to

32 BSSIDs and 1 or more SSIDs per radio. So, yes, a single radio can simultaneously be using 32 different BSSIDs/MACs.

As I said below, poorly configured has nothing to do with it when any user level program running on the BSS or within the cellphone can access the very same wifi information and pass it on to whomever it wishes.

Did I ever say anything to contradict this? I merely pointed out that cellphone configuration, if done "properly" (whatever that means) won't cure the problem when user level code running on the equipment can accomplish the same thing. In fact, it might be through user level code that it is being accomplished right now.

While Google might honor the use of the suffix (for now) it doesn't mean that anybody else will.

That "paragraph above" means absolutely nothing until one understands that even in a "properly configured" phone user level code could be gathering the same information (or more) and sending it to agents unknown.

As stated above, poorly configured is not the problem, and Google might not be the only recipient.

Get off this poorly configured fixation you have. A perfect config- uration with any amount of user-level programs has potentially the same nasty possibilities.

Or maybe even "Angry Birds" does this too!

Actually, you are partially correct. DECnet changes the leading four octets (notice, the proper term is octets, not bytes; I was too casual in the above paragraph) to "AA 00 04 00". The remaining 2 octets make up the node within a DECnet network. How do I know this? I'm an ex-DECie. (Actually, I'm still a DECie but they don't pay me anymore.) If you want a reference on this a brief desctiption may be found at which contains the following:

"The Ethernet implementation was unusual in that the software changed the physical address of the Ethernet interface on the network to AA-00-04-00-xx-yy where xx-yy reflected the DECnet network address of the host. This allowed ARP-less LAN operation because the LAN address could be deduced from the DECnet address."

I've avoided making any references to 802 so far here. And my DECnet references mostly concern(ed) 802.3, 802. all have the same underpinnings. DEC was one of three companies that colaboratively "invented" ethernet (at least the hardware specs, that is). The origin of ethernet comes from the amateur radio two meter band protocols used in Hawaii, which was called "Aloha Net".

Without reference I can not comment on this, but what I'm talking about for MAC has nothing to do with cloning.

Huh?

You might want to look into this then.

That statement is most definately true. I can assure you that when a VAX computer was moved from one location to another nobody went running for a soldering iron.

If changing the MAC address (also called the hardware address) was so difficult, why do you suppose the capability exist in ifconfig(8) to change it?

Bruce .

OK. You found a corner case, where not all cellphones do WiFi. Since I also have iOS equipoment, all my iOS equipment has WiFi also.

While I am sure they exist, I personally have never seen a cellphone that doesn't do WiFi; but I also have a limit on cellphones of 16GB minimum,

1GHz minimum, 1GB RAM minimum, etc., where the cost is never below $200 so, the cellphones "I" have bought *all* have WiFi.

I did goof with the wife's $200 Moto G, which only has 2.4GHz WiFi, since I simply *assumed* that all of the WiFi cellphones had *both* 2.4GHz and 5GHz WiFi ... so I agree with you on the wide range of what Android phones do.

I think here is where we get mired in conflicting details, which are better discussed in person, because the mere fact that the BSSID is encapsulated in the clear in the WiFi packet is *absolutely meaningless* for the purpose of this discussion *if* all those poorly configured Android devices don't

*upload* that BSSID to the Google Public Database.

The *only* BSSID that matters for this discussion is the BSSID which is

*uploaded* to the Google Public Database by all those poorly configured Android devices.

I'm completely and intimately familiar with the fact that the BSSID only has to be unique on the subnet, e.g., you can use DE:AD:BE:EF:CA:FE on your own network and it won't matter, as long as only a single device on your network has that BSSID.

Up until Jeff's later responses, I had thought that the BSSID that matters (which is the one *uploaded* to the Google database by poorly configured Android devices!) was hard to change, and it is, for a typical factory-software router.

But Jeff explained that certain firmware will enable that all-important BSSID (which is the one that is *uploaded* to the Google database by poorly configured Android devices) *can* be changed on a router.

In addition, Jeff noted that, for Android devices which are *rooted*, that all-important BSSID (which is the one *uploaded* to the Google publid database by poorly configured Android devices) *can* be changed.

Unfortunately, a quick search on Google shows a history of Apple *breaking* any jailbroken device's ability to change that specific BSSID with each new OS version - so we can effectively say it can't easily be done on iOS (which is another reason why iOS has less privacy than Android in certain situtations).

Are you saying that you have 32 different access points in "a single radio"?

It's possible - but remember, the *only BSSID that matters* for this conversation is the one that is *uploaded* to the Google Public Database by poorly configured Android devices.

All other BSSIDs are meaningless for the purpose of this discussion.

Given that, are you saying that you have *32* different SSIDs which are being uploaded, as we speak, to the Google Public Database by all poorly configured Android devices in your vicinity?

I see why you are frustrated in this conversation.

Jeff already noted that there are *plenty* of situations where a BSSID is found, in the clear, in the context of WiFi communications.

Since *this* discussion is *only* about exploring privacy flaws in the Google Public Database, the only BSSID that matters for this discussion is the BSSID that is *uploaded* to the Google Public Database by all poorly configured Android devices in your vicinity.

this one doesn't:

Since *this* discussion is *only* about exploring privacy flaws in the Google Public Database, the only BSSID that matters for this discussion is the BSSID that is *uploaded* to the Google Public Database by all poorly configured Android devices in your vicinity.

It's even worse than that.

1. While we all know that *hiding* the SSID is futile, it's actually

*useful* to hide your SSID in that the poorly configured Android devices apparently do *not* upload "hidden" SSIDs to the Google Public Database.

1. However, most of us don't "hide" our SSID from being broadcast (since there is almost zero security value in hiding the SSID broadcast).

2. Hence, our SSIDs are being *uploaded* to the Google Public Database by poorly configured Android devices whether or not we have "_nomac" at the end of the SSID.

1. What's worse, the *unique* BSSID of the radio is also uploaded at the same time (along with the signal strength of the SSID and the current GPS location of the poorly configured Android device).

Therefore, the SSID is the *least* of our privacy worries (unless we're dumb enough to name our SSID after our first and last name or something similarly identifiable).

The privacy concern is the association of the *hard-to-change* unique MAC address with its GPS location.

These two critical pieces of metadata are *uploaded* to the Google Public Database by poorly configured Android devices, whether or not you put "_nomac" on the SSID.

Bruce .... you're trying to argue that the world contains a lot of parameters, and nobody (not even me!) is disagreeing with you.

You may as well tell me that every radio has a MAC address or that every radio has an antenna or that every computer on the net has an IP address or that the BSSID is in every packet, etc.

Nobody is disputing what you're saying - but what you're saying has

*nothing* whatsoever to do with the topic at hand!

The topic at hand is *only* about the BSSIDs that are *uploaded* to the Google Public Database by poorly configured Android devices.

The two related questions are: a. Under what circumstances is your phone's BSSID uploaded to the Google Public Database? b. How would an attacker *exploit* that public database to track the

*location* of the phone?

If you want a *different* topic, then just say so - but *that* is the topic here that "I" am trying to find out more about.

The two related questions are: a. Under what circumstances is your phone's BSSID uploaded to the Google Public Database? b. How would an attacker *exploit* that public database to track the

*location* of the phone?

If you want a *different* topic, then just say so - but *that* is the topic here that "I" am trying to find out more about.

The two related questions are: a. Under what circumstances is your phone's BSSID uploaded to the Google Public Database? b. How would an attacker *exploit* that public database to track the

*location* of the phone?

If you want a *different* topic, then just say so - but *that* is the topic here that "I" am trying to find out more about.