Spoofing the iPhone's Wi-Fi Positioning System

From heise.co.uk:

The Wi-Fi Positioning System (WPS) used by Apple's iPhone and iPod Touch and other mobile devices can easily be supplied with false information that makes the mobile think it's somewhere other than its true location. Researchers at the Swiss Federal Institute of Technology Zürich have found that all you need is a laptop, a Wi-Fi access point transmitter and a database of Wi-Fi access point locations.

The MAC address of an active Wi-Fi access point is continuously announced. WPS works by the client detecting the MAC addresses of nearby access points and comparing the cluster of found addresses with a database of clusters referred to geographical locations. The iPhone and iPod Touch apparently make use of the Skyhook Wireless Inc database of Wi-Fi access point locations, as do Nokia Symbian-based phones and PCs equipped with Skyhook's Loki plugin.

Having a GPS-like navigation on the iPhone or iPod Touch using open access points? I always suspected that MAC addresses were used and this confirms it. Compared to cellular tower positioning, there is no authentication and spoofing becomes very easy.

It also reminds me of the Italians who spoofed the RDS TMC signal for GPS systems.

Since we are talking about the iPhone/iPod Touch, here is a way to hack your iPod Touch into a VOIP Phone.

Related articles:

• Webcast: iPhone Forensics Demonstration
• How to watch security conferences on your ipod
• Invasion of the (belgian) iPhone users
• Gathering information about mobile security
• Will mobile devices take over the world?
• iPhone security 101
• Get a VPN client on your Iphone or Ipod Touch