Earlier this week, Bryan Seely, a network engineer and one-time Marine, played me recordings of two phone calls (embedded below). The calls were placed by unwitting citizens to the FBI office in San Francisco and to the Secret Service in Washington, D.C. Neither the callers nor the FBI or Secret Service personnel who answered the phone realized that Seely was secretly recording them. He used Google Maps to do it.
Yesterday, Gizmodo reported on how easy it was for Seely to spam Google Maps with fake listings. Seely has revealed to Valleywag a more troubling way to exploit Google's laissez-faire attitude toward verification—loopholes the international search megalith has known about for at least four years.
The callers that Seely recorded thought they were speaking directly to the government agencies because they looked up the telephone number on Google Maps. What they didn't know was that Seely had set up fake listings for the San Francisco FBI office and Secret Service in Washington, D.C., displaying numbers that went to a phone account he set up rather than the federal offices. After Seely's numbers received the calls, they were seamlessly forwarded to the real offices the callers were trying to reach, only now the audio of their conversations with real federal agents was being captured by Seely.
Seely told Valleywag:
Who is gonna think twice about what Google publishes on their maps? Everyone trusts Google implicitly and it's completely unwarranted and it's completely unsafe. I could make a duplicate of the White House and take every inbound phone call from the White House. I could do it for every Senator, every Congressman, every mayor, every governor—every Democratic, every Republican candidate. Every office.
Seely, who has worked for tech companies like Microsoft and Avanade, used to get paid to spam Google Maps. He claims that he faked the government listings, picking numbers with his own 425 area code so they would stand out, because Google ignored his pleas to fix long-standing flaws in the system. Seely said he wasn't taken seriously until yesterday afternoon, when he walked into the Secret Service office near his home in Seattle. While he was there, Seely says he got a notification on his phone that a call had just been intercepted: It was a Washington, D.C., police officer calling the Secret Service about an active investigation.
After that, Seely says, he got patted down, read his Miranda rights, and put in an interrogation room. Email correspondence with the Secret Service indicates that the special agent in charge called him a "hero" for bringing this major security flaw to light. They let him go after a few hours.
Seely says the fake federal listings, which were both ranked second every time I checked Google Maps, were up for four days. He took them down himself when the Secret Service asked. (I took the screenshots above early Wednesday morning.) He picked that particular FBI office because, he says, he had recently watched The Rock, in which Nicolas Cage's character worked for the FBI in San Francisco.
Google told me they were looking into the matter; I will update the post if I hear back. Google told Gizmodo yesterday that it had already made some patches. The FBI has not yet responded to calls or emails. Secret Service spokesman Brian Leary gave Valleywag the following statement:
The incident in question involves an individual posting their own phone number as a Secret Service field office phone number on Google Maps. When unsuspecting citizens utilize this incorrect third party phone number to contact the Secret Service the call is directed through the third party system and recorded. This is not a vulnerability or compromise of our phone system. Virtually any phone number that appears on a crowdsourcing platform could be manipulated in this way.
This incident will be investigated thoroughly and appropriately. The Secret Service encourages the general public to visit our website at www.secretservice.gov to obtain accurate contact information for our field offices.
The audio recordings posted below are relatively innocuous. A man calls the FBI to ask about a phishing email that says he won the lottery; a woman calls the Secret Service to ask for the mailing address of the inspector general. But the implications are chilling. Said Seely:
This is what I do when I'm bored. I just uncovered a national security issue while I was at McDonald's. My internet at the house just got installed [last Saturday] so all these hacks and everything I figured out, was on wifi at McDonald's while my 5-year-old was playing with other little kids.
Shaking your head at Google's "evil" ways has become about as perfunctory as using Google products. But that apathy comes with a price. For a $400 billion behemoth, it's as easy to turn a blind eye to long-running international map scams as it is easy to bury your competitor's (better) product.
Like most geeks who know how to game a system, Seely suffers from a smidge of megalomania. This all could have been avoided, he taunts, if Google made closing its loopholes a priority—or given him a job. Instead, he was forced to get creative, flaunting fake listings. He started a Twitter account called Maptivists and posted some of the goofier exploits.
That got Seely on the evening news in Seattle and the attention of experts in maps, local search, and SEO, as well as a call with Dan Pritchett, a director of engineering at Google. The corporation reached out through Mike Blumenthal, a prominent maps blogger, who said Google wanted to talk, but first Seely had to cut out the pranks. Pritchett then only agreed to talk if the call was never mentioned. When they spoke, Seely said, Pritchett was concerned:
But he's treating me like shit during the entire phone call and I had sent them an email two months prior telling them how to fix this stuff and I was tired of seeing all the spam... So I then started thinking [Monday night] because I was really kind of mad at the guys from Google and I was trying to figure out alright what can I do to show them that this isn't just a spam problem...
Rather than work with Seely and ask him how he did it, Google just tried to "reverse engineer the ones I left out in the open for them," he said. But the government listings were different:
I made these ones carefully, I made these ones special. I have a feeling I know how they search, with their own backend tools, I have a feeling I know how they're searching for spam and how to get around it, because they didn't catch these.
To build his sham government locations, Seely started with Google's Map Maker tool (for roads and such) and then switched to Google Places, which is purely for businesses and just updated its "quality guidelines," to tweak the listings in the final stage. He began with brand new IP addresses and new Gmail accounts. Then, Google gives you two options, Seely explained:
...type in this code and you can get verified to prove you're human so that it doesn't look like an automated machine. I just opt out of that and go directly to phone verification because the way that these people build these computer systems is assuming that no one wants to do more work—assuming everyone wants the easy way out. So if you choose the easy way then we don't trust you, if you choose the harder way and verify by phone immediately, 'Oh you must be a person and you must be legit.'
As one expert told Komo News, which first picked up Seely's pranks: "It's definitely not a hack, it's not a vulnerability, it's a flaw in how the logic is set up."
Seely used software called Dynamic Interactive to generate the phone numbers and record the calls. He got fed up with Google after a few weeks, but others have been trying to pressure the company about this issue for years. Dan Austin, who does some consulting for Blumenthal, told Valleywag:
What Bryan is also talking about is that some categories are considered 'benign', like Parking Lot, or Federal Government Office. Some categories are heavily spammed, like Locksmith and Key Duplication Service. So some will trigger postcard and/or manual verification, and some will get phone verification and/or automatic approval. A good spammer, through trial and error, knows which gets flagged and which doesn't.
Google is going to say, 'This is a minor problem. We didn't know about this.' But it's complete bullshit.
Austin should know. In 2012, at the request of Google, he began consulting with Mark Ewing, a product manager at Google for local data quality, and James Therrien, who has worked with the Google Geo community since 2012, based on email correspondence he shared with Valleywag.
Why not fix the problem? Austin says there's a cottage industry around flooding Google Maps with fake listings for businesses like locksmiths, the most notoriously abused sector, and then forwarding the calls from unsuspecting Google users to call centers. The centers either dispatch workers who only accept cash and charge more or, in some cases, they sell the leads back to the actual local businesses being squeezed out. "They make way too much money on AdWords to give a shit about small businesses," said Seely, noting one spammer who made $10 million a year.
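The fake listings described in this article copied a real office's identity but displayed a number with Seely's own 425 area code. As an added example (not from the article, Seely, or Google), this Python check shows a test a listing platform could apply regardless of category or verification method; the record fields, the region table, the listing names and the 555 numbers are constructed assumptions.

```python
import re

# Constructed sample data: 555-01xx numbers are reserved for fiction, and the
# region table is a tiny hypothetical stand-in for a real numbering-plan lookup.
REGION_AREA_CODES = {
    "San Francisco, CA": {"415"},
    "Washington, DC": {"202"},
}
TRUSTED = [  # listings already confirmed out of band (hypothetical records)
    {"name": "FBI San Francisco", "region": "San Francisco, CA", "phone": "+1 415-555-0100"},
    {"name": "U.S. Secret Service", "region": "Washington, DC", "phone": "+1 202-555-0111"},
]

def norm_name(name):
    """Lower-case and drop punctuation so near-identical names compare equal."""
    return " ".join(re.sub(r"[^a-z0-9 ]", "", name.lower()).split())

def digits(phone):
    """Return the 10-digit national number, dropping a leading country code 1."""
    d = re.sub(r"\D", "", phone)
    return d[1:] if len(d) == 11 and d.startswith("1") else d

def review_reasons(submission, trusted=TRUSTED):
    """List the reasons a submitted listing should go to manual review."""
    reasons = []
    number = digits(submission["phone"])
    local_codes = REGION_AREA_CODES.get(submission["region"], set())
    # Signal 1: the displayed number is not local to the claimed location.
    if local_codes and number[:3] not in local_codes:
        reasons.append("area code %s is not local to %s" % (number[:3], submission["region"]))
    # Signal 2: same entity as a trusted record, but a different phone number.
    for rec in trusted:
        same_entity = (norm_name(rec["name"]) == norm_name(submission["name"])
                       and rec["region"] == submission["region"])
        if same_entity and digits(rec["phone"]) != number:
            reasons.append("duplicates trusted listing '%s' with a different number" % rec["name"])
    return reasons

if __name__ == "__main__":
    fake = {"name": "FBI - San Francisco", "region": "San Francisco, CA", "phone": "(425) 555-0123"}
    for reason in review_reasons(fake):
        print("REVIEW:", reason)
```

Either signal alone routes the submission to a human reviewer, so a category that is treated as benign does not bypass the check.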