Street View and WiFi

Nik Barron - www.virus.org - 17 May 2010 - Security

Google have recently admitted to inadvertently collecting snippets of unencrypted WiFi traffic

In a story almost custom made for Internet conspiracy theorists, Google have recently admitted to inadvertently collecting snippets of unencrypted WiFi traffic while surveying with their Google Street View cars.

Google have been collecting information about WiFi network names and unique hardware identifiers (the SSID and MAC address of the access point, for the technically minded) and recording these against GPS co-ordinates. This database will allow location-based services to use WiFi signals to help pinpoint a device's location, particularly useful in areas with poor GPS signals or for devices that lack in-built GPS. Similar technology is already available using mobile phone transmitters and triangulation, which allows non-GPS phones to get a reasonably accurate position fix in applications such as Google Maps.

Some observers have criticized Google's collection of this data, suggesting that it is an invasion of privacy. This is hard to justify, given the almost complete lack of criticism of similar services such as WIGLE and Skyhook, but Google-bashing is rapidly approaching Microsoft-bashing as a spectator sport on the Internet. It is also hard to apply a reasonable expectation of privacy to information that is broadcast automatically and unencrypted (even for encrypted networks, the MAC address and SSID are transmitted in unencrypted form).

Google then revealed that they had inadvertently been collecting packet contents where the network was unencrypted, although these were not used in any Google products. As Google are apparently using the open source Kismet tool to collect WiFi data, it seems likely they have just left the default settings in place. To their credit, Google have admitted their mistakes and promised to improve the code review process in future to avoid similar problems. It seems perfectly reasonable that this was a genuine mistake, but to Google's opposition it's taken as more evidence of their evil intentions. There are certainly legitimate privacy concerns about Google's activities (see for example Greg Conti's "Googling Security" book), but if this is part of a scheme for world domination, owning up to it is probably not a likely strategy.

Regardless of the rights and wrongs of Google's actions, this latest incident highlights once again the need to properly encrypt any network traffic transmitted over wireless links. While current WPA2 encryption with appropriate key management is not subject to any practical attacks, management of such links can be an additional overhead for system administrators. The use of a VPN tunnel for any WiFi link is a worthwhile alternative, and the Smoothwall range of gateway products provides simple and secure VPN capabilities that can be easily extended to wireless links.
