A team of researchers from Princeton has demonstrated that they can track the location of smartphone users even when location services like GPS and WiFi are turned off.
The recent military security breach involving the Strava mobile fitness app proved the persistent vulnerabilities of location-based services on mobile devices. However, turning off a smartphone’s WiFi and GPS still doesn’t completely protect a mobile device user from getting hacked, according to new research.
A team at Princeton University has demonstrated the ability to track a mobile device and find users’ locations even when GPS and WiFi settings are disabled, they said.
Using an attack they created called PinMe, the team—comprised of Princeton professors Prateek Mittal and Niraj Jha and graduate students Arsalan Mosenia and Xiaoliang Dai—exploited what they refer to as “non-sensory/sensory data” collected without a user’s permission and stored on the smartphone.
Non-sensory refers to measurements collected by components like the phone’s gyroscope, accelerometer, barometer and magnetometer measurements, and non-sensory information refers to data such as time zone and elevation maps, Mosenia told Security Ledger.
“Our attack was inspired by the observation that today’s smartphones are equipped with several low-power high-precision sensors that enable them to continuously collect several types of environment-related data–acceleration, air pressure, heading, light intensity–without the user’s permission,” he said.
Using this information, the team was able to estimate users’ locations even without the use of GPS, they said. The researchers also are members of the Institute of Electrical and Electronics Engineers (IEEE) and published a paper on their research in the IEEE Transactions on Multi-Scale Computing Systems journal.
Data provides GPS-accurate location
PinMe uses two approaches to find out the location of smartphone users. One is malicious: running a third-party app in the background to continuously capture data without arousing suspicion, Mosenia told us.The other accesses a trusted application server that allows mobile devices to upload data to the cloud. That data that can be post-processed to infer critical information about the user, he said.
Researchers collected unique “data chunks” from user phones while they engaged in activities such as driving, traveling on a train, flying on a plane and walking. Users were located in Princeton, N.J., and Baltimore and carried one of the phones on which the team tested PinMe—either a Samsung Galaxy S4 i9500, an iPhone 6 or an iPhone 6S.
The results of the research show the ability to accurately track user location trajectories in a way that was “comparable to GPS”—and in at least one case, more accurately–using the data sources accessed by PinMe, according to the paper.
The team’s findings come at an critical time for mobile data security. Potentially billions of sensor-rich devices are poised to become connected to the Internet of Things, creating entire new streams of data from individuals and their environment. The recent controversy over the Strava fitness social-networking app, which inadvertently revealed the location of military installations in a “heatmap” of workouts posted by millions of Strava users. Later a group of security researchers went one step further and tricked Strava into also revealing the names of the military personnel using the app.
Researchers also reported recently that a GPS service by the China-based firm ThinkRace is exposing sensitive data in scores of GPS services–affecting hundreds of thousands of devices–more than two years after the hole was discovered and reported to the firm.
Location privacy at risk
All of this shows how vulnerable mobile device users are when it comes to location privacy, which can lead to some unfortunate or even downright dangerous situations, Mosenia said.
“Launching an attack against location privacy can lead to several consequences, including, unwanted advertisement, spams, or scams, uncomfortable feeling of being monitored, unwanted disclosure of personal activities, and even actual physical harm,” he said. “For example, it may be embarrassing for a user if his/her relatives find out that he/she went to certain places, e.g., an HIV clinic or an abortion clinic.”
Most of these consequences “are a direct result of manual inspection of leaked location-related information,” he said. However, with researchers already investigating the feasibility of extracting other valuable information from the user’s location-related information, it’s even more critical to secure devices against such attacks, Mosenia said.
PinMe’s implications are even more troubling for location privacy in the IoT world, however. Security researchers have recommended users in sensitive locations turn off services like WiFi and GPS to avoid being tracked, seemingly solving the security threat.
However, the ability to find them even without the enablement of such services “suggests that the threat of unintended information leakage on the location of smartphone owners is far beyond what is currently thought possible,” the Princeton team wrote in the paper. Stakeholders now must think about how to more broadly and proactively protect mobile devices far beyond the scope of both the security now available and the solutions currently on the table, they said.
The researchers aren’t the first to note that the wealth of sensor data collected by smartphones can be used to identify individuals. At the 2017 RSA Conference in San Francisco, awards for the hottest new startup went to the firmUnifyID, a Francisco based start-up that promises to replace user names and passwords with an ”implicit identity” that combines biometrics with other unique identifiers, from behaviors to impossible-to-fake signatures rooted in the devices an individual uses. Together, says UnifyID CEO and founder John Whaley, the data can create an identifier that is independent of any technology platform and based on who they are, not a piece of hardware or data they possess.