Home » Posts tagged "gps"

利用手機的 sensor 取得 PIN 碼

把 side-channel information 配合上統計方法就可以達到 74% 的正確率:「Phone Hack Uses Sensors To Steal PINs」。

透過 browser 的 javascript 就可以拉出這些資料,然後利用這些資料去猜你的手機 PIN 碼:

Researchers from U.K.-based Newcastle University created a JavaScript app called PINlogger.js that has the ability to access data generated by the phone’s sensors, including GPS, camera, microphone, accelerometer, magnetometer, proximity, gyroscope, pedometer and NFC protocols.

而且當可以多抓到更多資訊時 (像是第二次輸入) 準確度就更高了:

Using a sample set of 50 PINs, researchers found that their script was able to correctly guess a user’s PIN 74 percent of the time on the first try, which increases to 86 and 94 percent success rates on the second and third attempts.

有些瀏覽器有做一些修正,讓 side-channel information 變少,於是難度變高:

As for Firefox, starting from version 46 (released in April 2016), the browser restricts JavaScript access to motion and orientation sensors. Apple’s Security Updates for iOS 9.3 (released in March 2016), suspended the availability of motion and orientation data when the web view is hidden, according to researchers.

Google 則是沒修:

As for Google, it’s unclear what measures have been taken. “Our concern is confirmed by members in the Google Chromium team, who also believe that the issue remains unresolved,” the report stated. Google did not reply to a request to comment for this report.

這攻擊方式頗不賴... @_@

微軟的 Time Service 回應錯誤的時間...

看起來會有不少災情 (像是 SQL Server 遇到使用 server side 的時間的 SQL query):「Windows Time Service is sending out wrong times and that’s a big problem」,報導裡引用了 Reddit 上「PSA: time.windows.com NTP server seems to be sending out wrong time」這邊的討論串。

為了避免這種情況,不同單位會用不同方法解決。像是財力充足的 Google 就自己搞了原子鐘,然後還放 Google Public NTP 出來給大家用。可以不倚靠外部裝置確保自家時間的正確性。

另外是有人用 Raspberry Pi 收 GPS 訊號轉成 NTP service (像是「The Raspberry Pi as a Stratum-1 NTP Server」這邊介紹的方式),不過之前有發生過 GPS 送出來的時間差了 13ms 的事情,也不是完全可靠 (不過相較起來應該還是可以接受):「GPS error caused '12 hours of problems' for companies」。另外可能的方案有 GLONASS (俄羅斯的系統)。

也許之後有機會會需要自己架...

Galileo 系統啟用

由歐盟主導的 Galileo 系統宣布啟用,提供早期服務 (Early Operational Capability):「Galileo navigation satellite system goes live」。預定的 30 顆衛星已經打了 18 顆上去:

At this point, 18 of the planned 30 satellites are already in orbit.

在一般的使用下精確度可以到 4 公尺,相較於 GPS 是 15 公尺高出不少:

Using GPS, private users can navigate with a precision of up to 15 meters (m). Galileo offers a precision of up to 4m for its fully open service.

而商用與軍用可以到公分等級:

Commercial users and official government services can even receive a precision of a few centimeters. This is important, for example, for fully or partially automated planes, cars or ships.

之後應該會有同時支援兩套系統的設備出來... 手機應該也會有?

Facebook 大量蒐集 GPS 定位資訊後用機械學習「猜測」你可能認識的人

Bruce Schneier 這邊看到「Facebook Using Physical Location to Suggest Friends」這則文章,引用自「Facebook is using your phone’s location to suggest new friends—which could be a privacy disaster」這篇報導,報導開頭寫著更新的資訊:

Update (June 28): After twice confirming it used location to suggest new friends, Facebook now says it doesn’t currently use “location data, such as device location and location information you add to your profile, to suggest people you may know.” The company says it ran a brief test using location last year. New story here.

Facebook 第二次確認後發現是標準的「啊!靠腰!是 PR 災難」的處理方式。在第一次跟 Facebook 確認時,Facebook 發言人的正式回覆說明了手機的位置是計算的條件之一:

“People You May Know are people on Facebook that you might know,” a Facebook spokesperson said. “We show you people based on mutual friends, work and education information, networks you’re part of, contacts you’ve imported and many other factors.”

One of those factors is smartphone location. A Facebook spokesperson said though that shared location alone would not result in a friend suggestion, saying that the two parents must have had something else in common, such as overlapping networks.

“Location information by itself doesn’t indicate that two people might be friends,” said the Facebook spokesperson. “That’s why location is only one of the factors we use to suggest people you may know.”

靠背...

結合 Malware 與 Social Engineering 的詐騙

在「Malware scam appears to use GPS data to catch speeding Pennsylvania drivers」這邊看到新的詐騙方式。

手機的 malware app (藏有惡意程式的 app) 會要求 GPS 資料 (現在智慧型手機上 app 的常態),而當 malware app 偵測到你超速時,詐騙集團就會發出假的超速罰單,像是這樣:

From: Speeding Citation
To: (Accurate Email Removed)
Date: 03/11/2016 03:08 PM
Subject: [External] Notification of excess speed
First Name: (Accurate Name removed)
Last Name: (Accurate Name removed)
Notification of excess speed
Route: (Accurate Local Township Road –removed)
Date: 8 March 2016
Time: 7:55 am
Speed Limit: 40
Detected Speed: 52
The Infraction Statement contains an image of your license plate and the citation which must be paid in 5 working days.

文章提用的標語「ACCURATE SPEEDING DATA, FAKE EMAIL」好讚... XD

GPS logger:環天的 DG-100...

24h 上買了這顆「DG-100 GPS 數據紀錄器」,然後在 VirtualBox 裡吃鱉了好幾次,所以還是整理一下,讓之後的人比較好辦事 XD

用過的兩顆 GPS logger 都是用 Prolific 的 PL2303 系列晶片,透過 Serial port 的架構溝通,所以 Ubuntu 下會抓到 /dev/ttyUSB0 這種界面。

由於我的目的比較簡單,只要可以抓 gpx 資訊給我就好,後來在 OpenStreetMap 的 wiki 上找到「Globalsat」的資訊,發現了 GPSBabel 這個軟體可以直接在 Mac OS XLinux 下抓 DG-100 的資料:

gpsbabel -i dg-100,erase=0 -f /dev/ttyUSB0 -o gpx -F "track.gpx"

(話說 GPSBabel 的網站感覺回到十年前...)

看指令,如果指定 erase=1 的話就會清掉記錄?另外在 Mac OS X 下則是指定 /dev/cu.PL2303 開頭的 device。

抓下來以後丟到 Dropbox,然後到世界迷霧裡更新,發現就算是已經跑到爛掉的路線,GPS logger 仍然可以記錄到 iPhone 記錄不到的...

Mozilla 推出的定位服務...

Mozilla 推出定位服務:「Introducing the Mozilla Location Service」,也就是 Mozilla Location Service

行動裝置利用收到的 WiFi 以及基地台訊號資訊定位的服務。這也是 GPS 定位以外最常被用到的方法 (尤其是室內與地下)。

維基百科的「Cell ID」這個條目可以看到很多類似的服務,可以看到兩個比較大的:

不過 Mozilla 的名號使得 Mozilla 推出的這個服務成長的相當迅速:

可以看出來 Mozilla 一宣佈後才一個多禮拜就直接 double,不知道要到什麼程度才會趨緩...

目前雖然比起其他的服務還差了一大截,不過有希望在半年一年內成為權威的 Location Service...

Archives