In the last couple of years, Google and some other Web giants have moved to make many of their services accessible over SSL, and in many cases, made HTTPS connections the default. That’s designed to make eavesdropping on those connections more difficult, but as researchers have shown, it certainly doesn’t make traffic analysis of those connections impossible.
One of the services that Google has made available over HTTPS is Google Maps. Users who are concerned that an attacker could look at their web requests and pinpoint their location can use SSL connections as a way to make that harder. However, researchers at IOActive have found that it’s still a relatively simple matter to figure out what locations users are searching for, and therefore, perhaps where they’re located themselves.
Vincent Berg of IOActive has written a tool that monitors SSL connections and makes highly educated guesses about the contents of requests going to Google Maps, specifically by looking at the sizes of the PNG tiles that Google Maps returns. The tool then attempts to group those images into a specific location, based on the grid and tile system that Google uses to construct its maps.
“I started by running Firefox and Firebug in an effort to make sense of all the JavaScript voodoo going on there. I quickly figured out that Google Maps works by using a grid system in which PNG images (referred to as tiles) are laid out. Latitude and longitude coordinates are converted to x and y values depending on the selected zoom level; this gives a three dimensional coordinate system in which each separate (x, y, z)-triplet represents two PNG images. The first image is called the overlay image and contains the town, river, highway names and so forth; the second image contains the actual satellite data,” Berg wrote in an explanation of the tool’s capabilities.
“Once I had this figured out the approach became simple: scrape a lot of satellite tiles and build a database of the image sizes using the tool GMapCatcher. I then built a tool that uses libpcap to approximate the image sizes by monitoring the SSL encrypted traffic on the wire. The tool tries to match the image sizes to the recorded (x,y,z)-triplets in the database and then tries to cluster the results into a specific region.”
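The grid and size-matching approach Berg describes, as an added example that is not his tool or IOActive code: a Web Mercator lat/lon-to-tile conversion, a constructed tile-size database (all sizes invented), a nearest-size lookup with clustering of matched tiles into neighbouring regions, and the server-side padding mitigation that makes the same lookup ambiguous.

```python
import math

def latlon_to_tile(lat, lon, zoom):
    """Web Mercator (x, y, z) tile index for a coordinate, the grid the article describes."""
    n = 2 ** zoom
    x = int((lon + 180.0) / 360.0 * n)
    lat_r = math.radians(lat)
    y = int((1.0 - math.log(math.tan(lat_r) + 1.0 / math.cos(lat_r)) / math.pi) / 2.0 * n)
    return x, y, zoom

# Constructed tile-size database: (x, y, z) -> satellite PNG size in bytes.
# Values are invented for illustration; a real database would be scraped per tile.
TILE_SIZES = {
    (518, 352, 10): 18433,
    (519, 352, 10): 19871,
    (518, 353, 10): 17002,
    (519, 353, 10): 20114,
    (520, 352, 10): 18945,
    (600, 400, 10): 18440,   # distant tile whose size is close to the first one
}

def candidates(observed, db, tol=8):
    """Tiles whose stored size lies within `tol` bytes of a length seen on the wire."""
    return sorted(t for t, s in db.items() if abs(s - observed) <= tol)

def cluster(tiles):
    """Group matched tiles into connected regions of neighbouring (x, y) cells at one zoom."""
    groups = []
    for t in tiles:
        touching = [g for g in groups
                    if any(a[2] == t[2] and max(abs(a[0] - t[0]), abs(a[1] - t[1])) <= 1
                           for a in g)]
        merged = [t] + [a for g in touching for a in g]
        groups = [g for g in groups if g not in touching] + [merged]
    return sorted(sorted(g) for g in groups)

def pad_size(size, bucket=4096):
    """Mitigation: pad every tile to the next multiple of `bucket` bytes before transmission."""
    return -(-size // bucket) * bucket

def candidates_padded(observed, db, bucket=4096):
    """The same lookup against a padding server: many tiles share one bucket, so the match blurs."""
    return sorted(t for t, s in db.items() if pad_size(s, bucket) == observed)
```

Without padding a single observed length narrows the view to one or two tiles; with 4 KiB padding every tile in the constructed database collapses into the same bucket.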
The tool that Berg constructed includes a database of rough profiles of several European cities, such as Paris, Geneva and Brussels. That spares it from having to hit the Google Maps servers with a huge number of requests. In a video demonstration, the tool correctly determines the location of two separate searches being done on Google Maps.
The tool’s performance is a good reminder that HTTPS sessions aren’t necessarily as private as users would like to believe: encryption hides the contents of the tiles, but not their sizes.
“Please note that it is a shoddy proof of concept, but it shows the concept of SSL traffic analysis pretty well. It also might be easier to understand for less technically inclined people, as in ‘An attacker can still figure out what you’re looking at on Google Maps’ (with the addendum that it’s never going to be 100% perfect and that my shoddy proof of concept has lots of room for improvement),” Berg wrote in his analysis.