Wednesday, April 2, 2014

Misguided by Google Maps

In late February, a security consultant described a way of gaming Google Map's crowd-sourced "places" system to create fake places, or to give false locations and phone numbers for real places. What's the big deal? Read on...
In late February, a security consultant described a way of gaming Google Map's crowd-sourced "places" system to create fake places, or to give false locations and phone numbers for real places. The researcher showed either real chutzpah, or a serious lack of common sense, in his choice of example: he created Google Maps places for a US Secret Service office and an FBI office. Instead of publishing the legitimate phone numbers for these offices though, he published his own phone number, which he set up to forward the call to the legitimate office while recording the conversation. Within 24 hours he received and recorded 15 calls, including one from a local police officer wanting to discuss a counterfeit money bust.

Wiretapping the FBI and the Secret Service ... talk about irony! In all seriousness though, he highlighted a pretty significant problem, which he documented in detail and then presented to the Secret Service in person. Contrary to the way BusinessWeek and others present this though, I don't see this as a computer security flaw.

If you were to call a telephone company's directory assistance, you would rightly have a pretty high expectation of getting the right number. That makes sense, because the target business is paying someone to provide telephone service, and part of that service includes a directory listing. The provider is responsible for that listing being correct.

With Maps, you are not paying Google for the service, and neither is the business. The data is crowdsourced, much like Wikipedia. Unlike Wikipedia though, there is no system of citation to vouch for the legitimacy of listings. Google benefits from the data they collect from you, and from the others that search for that place of business. Abuse aside, the business benefits from that listing too - and at no cost to them.

This isn't a security flaw on the part of Google. This is a disconnect in expectations between the users and the provider of the service. As Google has grown and gained more and more users, its services have become the de facto authority for information, but in reality this is a case of "you get what you pay for." You are not the customer (and neither is the business). The real customer is the one paying - the advertisers and the users of Google's aggregated data.

How does this fit into being an informed citizen of the digital world? Frankly it boils down to understanding that if you are not the one paying for a service, then you are not the customer. Once you recognize this fact, it is much easier to make informed decisions. Do I use Google Maps? You bet. But would I trust Google Maps in a life-or-death situation? No.

As an aside, if you are a business owner, I would suggest that you create your own Google Maps place before someone else does so for you!

Edit 4/2 pm:

I received an offline inquiry from a reader asking why I would advocate for making Google's property more valuable instead of pursuing legal action. I thought it was a good question to respond to.

I don't presume to say whether Google did or did not do anything wrong. My point is that as a culture, consumers (and businesses) rely on so-called free services without understanding that someone is paying, and _that_ someone is the one that dictates what they get. In the bigger picture, every service could be misused - website domain squatting, Twitter handles, Facebook pages, Google+ profiles, Instagram - there are lots of ways to grab a name or location that might be of value to someone else. Many businesses know that, and often acquire names similar to their own, so prevent an opportunistic person from profiting from typos or deceptively similar names. It just so happens that the use model of a crowdsourced map tool means a falsified name or property could mislead consumers in a more practical way than most services. Hence my recommendation to use a little common sense in deciding how far to trust information given to you depending on the source of that information.

For better or worse, Google Maps is used by millions of people; as a small business owner I have to make a choice between ignoring / challenging the monolith (at the risk that someone else would swoop in and scoop up my business), or being proactive myself.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.