FBI and Secret Service Phone Calls Intercepted by Google Maps Exploit

FBI and Secret Service Phone Calls Intercepted by Google Maps Exploit

Yesterday, when Bryan Seely showed me his various Google Maps exploits, he showed me more than just dick jokes and fake businesses. Using these tricks, Seely was also able to set up a system that could surreptitiously record phone calls to the FBI and Secret Service. And he actually did it.

The premise is simple; instead of creating fake businesses with stupid names, he created fake locations for an FBI office in San Francisco and a Secret Service office in Washington DC, each effectively taking the place of its real life counterpart. These new locations were identical to their real-life counterparts—with one important change. A new phone number.

FBI and Secret Service Phone Calls Intercepted by Google Maps Exploit

I saw this in action. Seely sent me a link to a Google Maps Search query for "federal bureau of investigation near San Francisco, CA." There, I saw two otherwise identical listings, and when I called the one Seely pointed out to me as fake, he was the one who picked up the phone.

At the time of this writing, there are still two FBI offices listed in San Francisco, identical but for two different phone numbers.

Seely told me that the exploit was not actually in action, and that when it was, the Google Maps entry with the wrong phone number would be the one most prominently displayed. From there, Seely explained, it would be trivial to reroute the phone number to the incoming line for the actual FBI office, and either to listen to or even record the calls as they came in. I saw no explicit evidence that Seely had done or could do this part, but Valleywag did.

The effect would basically be a very limited tapped phone. Any scammer with the ability to set this up would be able to intercept calls—but only from people calling in through office's main line, and only people who'd looked up the number to call on Google Maps.

But also the danger of new scams like this is pretty much over. Sources at Google have confirmed that many of the exploits Seely used in the first place have been patched up, so the risk of any new DIY tapping setups by the same method seems slim to none.

However, Seely snuck these last alternate locations—like the FBI office and the Internet Cock Advisory—just before the security holes he was using were closed. And, while Seely has demonstrated that he can still modify that locations he's already made, he can't create new ones with the same tricks. Still, he's been able to prove that this was possible, it's almost impossible to know if any setups like this currently exist, have existed in the past, or have been put to any use. But the danger of new ones through known exploits seems to be over.

Even though the scope of such taps would have been pretty limited and new ones are now impossible, the fact that someone could have effectively tapped a subset of calls to any number government agencies or any other business—through Google Maps, of all places—is pretty scary nonetheless.

Seely has notified the agencies involved and we've reached out to them, as well as to Google, for comment.

Considering that the locations on Google Maps are submitted and verified by users, instead of pulled from official sources, trusting it absolutely for super-secret calls has always been a bad idea. So if you find yourself having to call the FBI to rat out your local mob boss, maybe dig up that number from the official website and then set up a meeting in person. Google Maps is a good reference material, but it never hurts to double check.

It's Ridiculously Easy to Troll Google Maps With Fake Listings

Trust the listings you find on Google Maps? You shouldn't, because it's dumb easy to fake them. That's what Google Maps exploiter… Read…

How a Hacker Intercepted FBI and Secret Service Calls With Google Maps

Earlier this week, Bryan Seely, a network engineer and one-time Marine, played me recordings of two phone calls (embedded below.) The calls were… Read…

7
3
Original post by Eric Limer on Gizmodo

It's Ridiculously Easy to Troll Google Maps With Fake Listings

It's Ridiculously Easy to Troll Google Maps With Fake Listings

Trust the listings you find on Google Maps? You shouldn't, because it's dumb easy to fake them. That's what Google Maps exploiter Bryan Seely demonstrated for me this morning. And while trolling politicians with dick jokes is never not funny, there's also a whole sub-community of scammers turning Google Map's little bugs into cold, hard cash.

Seely wouldn't explain exactly how he manipulates Google's maps with fake listings, but he assured us the process is very simple and hinges on Google's shoddy verification process. He says he can create hundreds of these things without breaking a sweat, and while Google's slowly coming up to speed on closing the holes that let sneaky, fake stuff like this through, it's not doing it quite fast enough. We reached out to Google for comment (Update: a response is now included below), but in the meantime Bryan showed us a special little joke just for Gizmodo: The Internet Cock Advisory Committee. That's the actual Internet Caucus Advisory Committee, but with one tiiiny modification.

It's live at the time of this writing, but probably not for long. While Google hasn't put measures in place to keep this stuff from happening in the first place, it is good at taking obvious jokes down once they're widely known.(Update: Sources at Google now confirm, they patched up several of Seely's favorite exploits) Seely says on average, obvious pranks like this one last less than a day, but he's preserved plenty for posterity.

It's Ridiculously Easy to Troll Google Maps With Fake Listings

It's Ridiculously Easy to Troll Google Maps With Fake Listings

It's Ridiculously Easy to Troll Google Maps With Fake Listings

Subtler fakes, however, and last virtually forever, and silly dick jokes are just the tip of the iceberg when it comes to what you can do with these sorts of exploits.

Seely says that there are legions of scummy scammers using these tricks to make scads of cash by creating fake listing after fake listing for businesses like locksmiths, child care services, or carpet cleaners, and using the fleshed-out fakes to forward calls and other inquiries to different, real (and obviously pretty shady) businesses for a fee. It's polluting Google Maps with hundreds if not thousands of fake locations and businesses. He estimates that there are over 100,000 fake listings for locksmiths alone.

So say I'm a locksmith and I want a little more business. My ranking is too low when you search "locksmith near [my neighborhood]" on Google Maps; no one ever clicks on me. If I find the right scammer, I can boost my presence with a couple more (non-existent) locations. Or even better, I can have a scammer change my competitors' numbers so that the calls forward to me instead. All I have to do is pay a scammer $50 or so per call. But hey, that's just the cost of doing (shady) business.

Even that, though, is not the full extent of what's possible by using these exploits. Seely showed us one example with some really scary implications on a national scale, but he's asked us not to discuss the specifics until he can talk to the people involved. But what we can say is that it's wild, and we'll have more on that when the time comes.

But now that Seely's had his fill of personally messing with Google Maps for nigh on six years, he's moved on to making his adventures public, starting with an interview with Seattle's local Komo News and chatting with us. His hope is that the Google Map's exploitable holes get patched up before anyone can find away to do anything seriously nefarious with them. In the meantime, there are stupid jokes to be had, so don't believe everything you see. Especially if it references a penis.

Update: A Google Spokesperson got back to us with the following statement:

It was brought to our attention that an individual was creating fake business listings in Google Maps. Although these listings do not appear prominently on the map, we take problems like spam very seriously, and appreciate when the community flags issues so we can quickly resolve them.

3