Abstract
Location spoofing attack deceiving a Wi-Fi positioning system has been studied for over a decade. However, it has been challenging to construct a practical spoofing attack in urban areas with dense coverage of legitimate Wi-Fi APs. This paper identifies the vulnerability of the Google Geolocation API, which returns the location of a mobile device based on the information of the Wi-Fi access points that the device can detect. We show that this vulnerability can be exploited by the attacker to reveal the black-box localization algorithms adopted by the Google Wi-Fi positioning system and easily launch the location spoofing attack in dense urban areas with a high success rate. Furthermore, we find that this vulnerability can also lead to severe consequences that hurt user privacy, including the leakage of sensitive information like precise locations, daily activities, and demographics. Ultimately, we discuss the potential countermeasures that may be used to mitigate this vulnerability and location spoofing attack.
Recommended Citation
X. Han et al., "Location Heartbleeding: The Rise Of Wi-Fi Spoofing Attack Via Geolocation API," Proceedings of the ACM Conference on Computer and Communications Security, pp. 1383 - 1397, Association for Computing Machinery, Nov 2022.
The definitive version is available at https://doi.org/10.1145/3548606.3560623
Department(s)
Computer Science
Publication Status
Public Access
Keywords and Phrases
geolocation apis; localization attacks; wi-fi localization
International Standard Book Number (ISBN)
978-145039450-5
International Standard Serial Number (ISSN)
1543-7221
Document Type
Article - Conference proceedings
Document Version
Citation
File Type
text
Language(s)
English
Rights
© 2025 Association for Computing Machinery, All rights reserved.
Publication Date
07 Nov 2022
Comments
National Science Foundation, Grant 1553304