Doxing an ISP
Private and Information Security are extremely important to me, so I decided to publish details on how I acquired information on virtually every single customer belonging to a particular Internet Service Provider (ISP) in hopes that others can learn from this and protect their networks.
The internet is comprised of a collection of addresses, known as an IP (Internet Protocol) Address. Most commonly known is IPv4 which is commonly written as four numerical values ranging from 0 to 255 separated by dots. This allows for a grand total of about 4-billion addresses. These IP addresses are used to route information from one location on the internet to another.
ISPs acquire blocks or groups of IP addresses in order to help simplify the routing process. These can be thought of similarly to how ZIP codes or Postal Codes work to group residence and businesses to a single centralized post office. To route a package to a house, internally they forward it to the post office matching the ZIP code, and then that post office handles the final routing to the destination house. ISPs work the same way by having blocks of IP addresses, and when they receive a packet of information, they're responsible for sending it the last-mile to their customer's IP address.
Users, on the other hand, generally deal with domain names when accessing content via the internet. There is a global system in place known as the "Domain Name System" (DNS). Within this system, it translates human readable domain names to IP addresses. This translation process is known as DNS Resolution or DNS Lookup. For example, the domain "example.com" may resolve to 184.108.40.206 as an IP address.
There is also another lesser known piece of the DNS system, known as a Reverse DNS Lookup. With this, you start with the IP address and request that the ISP give you a domain name associated with it. Some ISPs have this configured, some don't. This configuration varies widely from ISP to ISP.
With this particular ISP that I was dealing with, they setup their Reverse DNS names for every IP address to be the hardware MAC address of the device connecting to their network. MAC addresses are similar to IP addresses, but are not designed to be routed on the internet; instead they are only meant for local area networks of a few hundred to a few thousand devices at most.
That xxxxxx040506 part of the domain name is the MAC address in question, with x.x.10.12 being the IP address we're querying (with X's to mask part of it for privacy reasons).
But what can we do with the MAC address, since it cannot be used otherwise on the internet? And what about the ISP having a block of IP addresses?
First, the block. They have what is known as a /16, which means 16-bits of the address are for the network route (like a ZIP code), with the remaining 16-bits for the IP addresses of the customers. This gives us about 65,000 addresses to work with. Even with a single machine on a slow internet connection, checking the Reverse DNS of all 65k addresses only takes a few hours.
Now, the MAC addresses. Most users this day in age will have a wireless router hooked up to their cable or DSL modems. This allows them to have wireless connectivity within their house and also allows for multiple devices to share the single internet connection. Having worked with countless wireless routers over the years, I noticed a very distinct trend with virtually all of them.
Consumer routers technically have three network cards each with their own MAC address internally. There is one MAC address for the WAN (internet), one of the LAN (wired computers), and a third for the WLAN (Wireless LAN / Wi-Fi). Each of these three MAC addresses are usually sequential, but the order varies.
Knowing this information, we can add/subtract 1 or 2 from the WAN MAC address to guess the LAN and WLAN MAC addresses. At this point in time, we don't care about the LAN MAC address, only the WLAN MAC address used for Wi-Fi. Using this technique, we now have 4 possible MAC addresses for every IP address. We now have about 260,000 MAC addresses to test against.
Now that we have our collection of potential WLAN MAC addresses, the "fun" begins.
Google and other companies drive around cities for the purpose of mapping, such as for Google's Street View service. These companies also collect additional data for the purpose of geolocation services. A geolocation service is one that will tell you where a particular thing is located, such as getting driving directions to a nearby restaurant. In order for these services to work, they also have to know where you are at as well to initiate a starting point.
While driving to collect Street View data, Google's cars also map out available Wi-Fi networks that they can see. Other companies are doing this Wi-Fi mapping, too. This information is logged into a database along with GPS coordinates.
When you attempt to get directions to your nearby restaurant, your phone may search to see nearby available Wi-Fi networks and send that information back to the mapping service to figure out your location for the starting point. This is quite handy, especially in areas where GPS may have issues (around tall buildings blocking satellite signals) or on devices that don't even have GPS receivers.
Wi-Fi network names are commonly replicated, so this wouldn't do for these location databases. Instead, they store the WLAN MAC address that is transmitted along with the Wi-Fi network name. These databases are also available through various lookup tools online.
Using our collection of 260,000 MAC addresses against these lookup tools gives us a very clear picture of physical locations with an accuracy of about 100ft for any given IP address from this particular ISP.
There are already GeoIP address databases available publicly online, but they generally have an accuracy of around a mile or more. Using the technique described above, locations are pinpointed to within a few houses. Going to the houses, it would be trivial look at signal strength of the Wi-Fi connection to see which house it is coming from.
We have now gone entirely from IP Address to Physical Address by simply cross-referencing the IP Address to Reverse DNS address, to MAC address, to location database.
While this particular exploit relied upon an uncommon configuration by an ISP that should never have existed in the first place (and has since been fixed after reporting this exploit), there is still the concern that there may be other ways to mass collection MAC addresses which in turn could lead to mass exploitation of physical addresses.
Doxing is a serious concern, which has lead to cases of Swatting in the past and even people being killed. Swatting is the act of calling the police about a false dangerous situation to get the SWAT team to invade someone's home.
The city of Seattle is working to combat Swatting. but this is only the beginning. More has to be done to protect user's privacy online. ISPs share heavily in this responsibility to help protect their own customers. Thankfully, the ISP in question responded quickly and resolved the issue that I presented in this article. There may be other ISPs vulnerable to this same exploit.