Good article, but you could also just use a VPN to trick it.

No, a VPN would only change the source IP of your request which the author specifically states isn't how this system works: the browser uses its host OS' Location Services to self report its location based on GPS or Wi-Fi AP locations.

That said, I hope the service doesn't implicitly trust data sent by untrusted clients like web browsers, otherwise someone could just use something like this to send it a false location: https://chromewebstore.google.com/detail/spoof-geolocation/i...

▲

oceanplexian 8 hours ago | parent | next [-]

Even if the browser was super locked down you could trivially spoof a few SSIDs broadcast from the desired area in theory..

▲

DrawTR 8 hours ago | parent [-]

The SSID (name, like the article mentions) is different than the bSSID (mac address of the access point), so I don't think it would be that easy to spoof.

▲

kbaker 2 hours ago | parent | next [-]

That would be a fun project. Capture some WiFi geolocation data and rebroadcast it later with an ESP32 that switches its BSSID/SSID/frequency/transmit power to match an existing fingerprint.

And then see if you can be magically transported somewhere else.

▲

1bpp 8 hours ago | parent | prev [-]

Shouldn't be any harder than the name.

▲

DrawTR 7 hours ago | parent [-]

Do most consumer APs/routers allow you to just change the MAC address on the fly? I don't think the ones I've owned have ever allowed that. But that would certainly be interesting to try (if you were somewhere without any other address interference that would tip it off)

	▲	stackskipton 2 hours ago \| parent \| next [-]
		Some will let you change it but it's almost always static since changing AP MAC Address will cause network disruptions for all connected clients. Sure, some hacker somewhere will screw with these databases by rotating their AP MAC Address regularly but 99.9% are not going to touch it and 99.9% is good enough for location databases.
	▲	Aachen 6 hours ago \| parent \| prev [-]
		Pretty sure the laptop I had from like 2012 until 2018 could do that. Haven't tried anymore since (haven't played around with deauths) but I thought this was common functionality Consumer router firmware UIs, typically owned by ISPs, I'd not expect that yeah. Some don't even let you pick a WiFi band anymore and require other changes to be submitted through an ISP portal on the web somewhere (thinking of Belgium here, not sure which ISP it was)

▲

ralsei 8 hours ago | parent | prev [-]

Ohh. Yeah I suppose that's what I meant. I thought a VPN also spoofed the location

▲

bitwize 8 hours ago | parent | prev [-]

A device can triangulate its own location locally, given the WiFi hotspots around it, and transmit that information via a JavaScript API. A VPN won't flummox this mechanism.

	▲	Aachen 6 hours ago \| parent \| next [-]
		> A device can triangulate its own location Trilaterate (or multilaterate). Angulation uses angle, like a directional antenna, constructive/destructive interference for beamforming (this is how airplane landing systems work if I'm understanding it correctly), or optics like our two eyes, to find the angles to a target from known positions in order to determine its position in space Trilateration is based on distances from known locations, determined either by signal delay (GNSS does that; newer cell towers also but call it "timing advance") or signal strength (used with both WiFis and cell towers) > locally, given the WiFi hotspots You'll also need a local database with the hotspots' positions (usually those aren't actually measured but estimated from observations at different locations). I'm not aware of a device that ships with this, nor popular software that uses it as its primary method, as such databases are many gigabytes. Thus this is typically not local; you're sharing your data (thus location) with the server which then kindly tells you where it thinks you are
	▲	IshKebab 7 hours ago \| parent \| prev [-]
		Some simple Tampermonkey patching would though.