Microsoft Subnet An independent Microsoft community View more

Google Map jacker called a hero by feds he wiretapped

Don't trust Google Maps, warns former map jacker on Reddit IAmA after he was ironically called a 'hero' by the feds he wiretapped.

When you Google a business, do you trust the Google Map listing enough to call the phone number or use it for navigation purposes? You totally shouldn't, according to Bryan Seely. He describes himself as a senior Microsoft Lync engineer, network engineer and security consultant who broke Google Maps and then used that "flaw" to wiretap the Secret Service and FBI. "I've personally worked on and seen over 50,000 fake businesses in the last six years and I know there are numerous other people who do the same thing," Seely told KOMO 4 News. How profitable is Google 'map jacking'? He claimed that people would pay him "$10 to $50 per listing" and he could make 1,000 fake Google Map listings per week.

It is neither a hack nor a vulnerability, but a logic flaw on Google's part; Google calls it "spam." It could potentially be a problem for any site that depends upon crowdsourcing and honest human input; it's the Internet, people lie and some lie for pure profit. Whether it's for profit or not, anyone is capable of creating these Google Map listings. It could be a legitimate business trying to get listed, or it could be criminals creating fake business listings. Yes, Google does require verification, but verifying fake businesses is easy to do. "There is a back door and Google made it themselves," he added. "They just didn't realize that they left that open."

Seely, aka @maptivists, tweeted "Thousands of small business owners are completely bankrupt because of this." He stated, "I'm trying to draw attention to the fact that millions of people in this country are calling businesses that are not really there."

After using the same fake Google Map listings flaw to wiretap both the Secret Service and FBI, it seems like Seely can check off "drawing attention" from his list.  "After Seely's numbers received the calls, they were seamlessly forwarded to the real offices the callers were trying to reach, only now the audio of their conversations with real federal agents was being captured by Seely."

He also told Valleywag:

Who is gonna think twice about what Google publishes on their maps? Everyone trusts Google implicitly and it's completely unwarranted and it's completely unsafe. I could make a duplicate of the White House and take every inbound phone call from the White House. I could do it for every Senator, every Congressman, every mayor, every governor-every Democratic, every Republican candidate. Every office.

During a Reddit IAmA session, Seely tried to get across the idea of what a big deal it is. "15 calls to 2 minor locations is no laughing matter. I could have setup 100 that day all over the country." He added, "I could do the same to banks, credit card companies, congressmen, corporations or embassies. The implications are serious."

Apparently the Secret Service thinks it is serious too and a Special Agent in charge called Seely "a 'hero' for bringing this major security flaw to light." Of course, that was after Seely was patted down, read his Miranda Rights and interrogated for about four hours. Secret Service spokesman Brian Leary told Valleywag:

The incident in question involves an individual posting their own phone number as a Secret Service field office phone number on Google Maps. When unsuspecting citizens utilize this incorrect third party phone number to contact the Secret Service the call is directed through the third party system and recorded. This is not a vulnerability or compromise of our phone system. Virtually any phone number that appears on a crowdsourcing platform could be manipulated in this way.

This incident will be investigated thoroughly and appropriately. The Secret Service encourages the general public to visit our website at www.secretservice.gov to obtain accurate contact information for our field offices.

Google spokeswoman Gina Scigliano said, "It was brought to our attention that an individual was creating fake business listings in Google Maps. Although these listings do not appear prominently on the map, we take problems like spam very seriously, and appreciate when the community flags issues so we can quickly resolve them."

Seely views the statement as disingenuous after Google "willfully ignored" the problem for over five years. "Don't get me wrong, to work at Google you are brilliant. But, they aren't trying to game the system. They aren't trying to solve a puzzle that unlocks MONEY." He added, "The point was that there is so much spam on Google Maps, that real American business owners are being put out of business, and they get 0 help from Google."

I wanted Google to fix the problem. So I sent them everything 1 month before the story aired. They did nothing. So I started spamming Google Maps with funny links.

"Don't trust Google Maps for anything," he advised. "Use Bing or Apple. They have faults, but I'm hoping I can talk to them before exposing their flaws. Bing has problems too, but Google is easily the top as far as search. So, people game them first, it pays out the most." However, Seely is also planning to "show vulnerabilities in Apple Maps, Bing and Yahoo, and even Facebook."

Now that the Secret Service and FBI are involved, maybe Google will "fix" the flaw. But Seely said "he will believe the fixes when he sees them, and so far he hasn't seen any fixes." It remains to be seen if the FBI will issue a statement, remain quiet on the matter, or end up arresting Seely for wiretapping the feds.

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

To comment on this article and other Network World content, visit our Facebook page or our Twitter stream.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.