Anyone Can Access Microsoft’s Massive Location Database

Anyone Can Access Microsoft’s Massive Location Database

Microsoft has been going around and building a database of publicly broadcast MAC addresses (along with their corresponding street address) for location services purposes. That might include those of your phones and laptops. Problem is, Microsoft didn’t secure the database.

According to a report from CNET’s Declan McCullagh, Microsoft is gathering data from Windows 7 handsets that connect to Wi-Fi networks, along with cars that go around sniffing out hotspots, and logging it all here. But because they’re being lax in protecting that database, anyone can get access to the data. Cnet entered in various MAC addresses into the database themselves and had very specific location data returned to them.

Here’s how it works: iPhone and Android devices automatically change their Wi-Fi MAC address when acting as an access point. Android devices appear to choose a MAC address beginning with 02:1A.

Google’s database doesn’t include the MAC address 02:1A:11:F2:12:FF. But Microsoft’s does, and reports that it is located in the Embassy of Montenegro on New Hampshire Avenue in Washington, D.C.

Why is this bad? If Microsoft has logged the MAC address of your network (along with its location), anyone who has that MAC address could run it through Microsoft’s database and potentially find out where you live. That’s not good. Furthermore, Microsoft hasn’t said whether or not they collect data on the devices connected to a network. If they log the MAC address your laptop or phone, someone with that info can track your location on Microsoft’s map. That’s really not good.

Cnet also got an official statement on the matter from Microsoft:

Reid Kuhn, a program manger with Microsoft’s Windows Phone Engineering Team, sent CNET this statement: “To provide location-based services, Microsoft collects publicly broadcast cell tower IDs and MAC addresses of Wi-Fi access points via both user devices and managed driving. If a user chooses to use their smartphone or mobile device as a Wi-Fi access point, their MAC address may also be included as a part of our service. However, since mobile devices typically move from one place to another they are not helpful in providing location. Once we determine that a device is not in a fixed location, we remove it from our list of active MAC addresses.”

What’s disconcerting is that there doesn’t appear to be any sort of opt out ability for those who don’t want their MAC address included. If you’re worried about whether or not your information is stored in the database, you can enter the MAC address for any devices you may have at this website created by Stanford researcher Elie Bursztein (if you don’t know your MAC address, CNET suggests this site for finding out how). And while you won’t be able to remove your info, maybe you can yell at Microsoft. [Cnet via Slashdot]