SoylentNews is people

posted by Fnord666 on Friday February 09 2018, @08:12PM
from the you-can-run-but-you-can't-hide dept.

Submitted via IRC for TheMightyBuzzard

As it turns out, turning off location services (e.g., GPS) on your smartphone doesn't mean an attacker can't use the device to pinpoint your location.

A group of Princeton University researchers has devised a novel user-location mechanism that exploits non-sensory and sensory data stored on the smartphone (the environment's air pressure, the device's heading, timezone, network status, IP address, etc.) and publicly-available information to estimate the user's location.

The non-sensory and sensory data needed is stored on users' smartphones and can be easily accessed by any app without the user's approval, which means that the data can be captured through a malicious app or harvested from databases of many legitimate fitness monitoring apps.

Source: https://www.helpnetsecurity.com/2018/02/07/location-tracking-no-gps/


  • (Score: 4, Insightful) by Anonymous Coward on Friday February 09 2018, @08:29PM (11 children)

    by Anonymous Coward on Friday February 09 2018, @08:29PM (#635695)

    Knowing which WiFi APs are available nearby is usually enough to get your location to about 50m accuracy.

    Try it for yourself - use a computer without GPS but with WiFi enabled and let your browser report your location to this page: https://edsu.github.io/creepy-polaroid/ [github.io]

    The machine does not have to be associated with any AP, it just needs to be able to see some WiFi APs. If a WiFi AP is visible it usually means you're within 50-100m of that AP.

    Google has built up a DB of WiFi AP and GSM tower locations partly with their streetview vehicles and it's probably updated regularly by zillions of android devices with GPS + WiFi + GSM towers. The default "high accuracy" setting likely reports WiFi info to Google.

  • (Score: 3, Interesting) by requerdanos on Friday February 09 2018, @08:32PM (6 children)

    by requerdanos (5997) Subscriber Badge on Friday February 09 2018, @08:32PM (#635697) Journal

    Knowing which WiFi APs are available nearby is usually enough to get your location

    This is true, handy, cool, and creepy, but it's a relatively recent development.

    It used to be that we were all near the access point "linksys" no matter where we were. Ah, the good old days of locational obscurity.

    • (Score: 0) by Anonymous Coward on Friday February 09 2018, @08:44PM (1 child)

      by Anonymous Coward on Friday February 09 2018, @08:44PM (#635704)

      Times sure have changed: now we are all near the access point "xfinitywifi" no matter where we are. Ah, the good new days of today when ubiquitous xfinitywifi actually works, instead of the bad old days of unconfigured "linksys" that might not even have been plugged into the internet.

      • (Score: 2) by DannyB on Friday February 09 2018, @08:58PM

        by DannyB (5839) Subscriber Badge on Friday February 09 2018, @08:58PM (#635714) Journal

        Probably numerically fewer people are near the access point "we can hear you having sex".

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 4, Interesting) by frojack on Friday February 09 2018, @08:48PM (1 child)

      by frojack (1554) on Friday February 09 2018, @08:48PM (#635706) Journal

      Recent? No.

      It's been available for as long as cell phones had wifi. Skyhook [skyhookwireless.com] is an actual thing and has been around much longer than smart phones.

      And the resolution is far far more granular than 50 meters, because signal strength from a dozen APs can be compared on the phone or exfiltrated and you can usually arrive at a two meter circle. The phone itself knows what room you are in, especially if your phone can see more than one AP. And if the phone can see, so can Apple and Google, and any rogue app.

      This story rides on the back of the fitness app revealing concentrations of soldiers revelation of a few days ago. Stop sending this stuff to the cloud, people!

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 3, Insightful) by EETech1 on Saturday February 10 2018, @05:36AM

        by EETech1 (957) on Saturday February 10 2018, @05:36AM (#635886)

        That's one of the great hypocrisies of locate my phone, if you leave location off, you can't locate your missing phone, even though they know exactly where it is!

        Just like telling Google don't track my location and search history, all it does is make maps less convenient to use... If I open maps, look something up STAR it, and then close the maps app, only to open it again 30 minutes later to find the same location, it intentionally avoids giving me the same location again, only because I told them to not track my location and search history.

        I always keep track of how many characters I have to type before Google knows what I want, and I know for a fact that it takes more the second time I search for something. Because of a setting that says please don't monitor this about me...

        But they still do!

        I'm being punished for taking advantage of a false sense of privacy!

    • (Score: 1, Insightful) by Anonymous Coward on Friday February 09 2018, @08:53PM

      by Anonymous Coward on Friday February 09 2018, @08:53PM (#635708)

      Those APs might all be called linksys but most of them had different MAC addresses.

      Speaking of recent developments, nowadays many GSM/etc. cells are smaller. So the telcos and "friends" have more and more accurate info on where your phones are. It's not like most people turn off their phones for hours or carry them permanently in airplane mode.

      So this fancy barometer stuff isn't necessary for 99% of the scenarios. Only in a few scenarios does your malicious app get installed on a phone that never has any cellular or WiFi access and it also doesn't matter that the app can't communicate via cellular network or WiFi.

    • (Score: 0) by Anonymous Coward on Friday February 09 2018, @09:26PM

      by Anonymous Coward on Friday February 09 2018, @09:26PM (#635725)

      Would not the database be keyed by the AP's hardware MAC address?

      "A MAC Address is a unique identifier used to mark a specific piece of hardware. With wireless access points (APs), this is always transmitted as the base station identifier (BSSID), alongside the name of the access point (ESSID). Using your computer's network settings manager you can view an AP's BSSID and in turn discover its MAC address."

      Source: https://yourbusiness.azcentral.com/mac-address-access-point-19756.html [azcentral.com]
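
An added example, not part of any comment in this thread: a minimal sketch of the lookup the comments above describe, where a passive scan is matched against a database keyed by BSSID (so identical "linksys" SSIDs do not matter) and signal strength weights the estimate. The database entries, scan values, and the RSSI-weighted centroid method are assumptions chosen for illustration, not what Google or Skyhook actually run.

```python
import math

# Constructed survey database, keyed by BSSID (the AP's MAC address), not SSID.
# Coordinates are made-up points a few tens of metres apart.
AP_DB = {
    "00:11:22:33:44:01": (40.00000, -75.00000),
    "00:11:22:33:44:02": (40.00040, -75.00000),
    "00:11:22:33:44:03": (40.00000, -75.00050),
}

# Constructed passive scan: (SSID, BSSID, RSSI in dBm).
# The device is not associated with any of these APs; it only sees beacons.
SCAN = [
    ("linksys", "00:11:22:33:44:01", -45),
    ("linksys", "00:11:22:33:44:02", -70),
    ("linksys", "00:11:22:33:44:03", -80),
    ("linksys", "00:11:22:33:44:99", -60),  # not in the database: ignored
]

def estimate_position(scan, db):
    """RSSI-weighted centroid of the known APs; None if no AP is known."""
    lat_sum = lon_sum = weight_sum = 0.0
    used = 0
    for _ssid, bssid, rssi_dbm in scan:      # the SSID is never consulted
        pos = db.get(bssid.lower())
        if pos is None:
            continue
        weight = 10 ** (rssi_dbm / 10.0)     # dBm -> linear power (mW)
        lat_sum += weight * pos[0]
        lon_sum += weight * pos[1]
        weight_sum += weight
        used += 1
    if used == 0:
        return None
    return lat_sum / weight_sum, lon_sum / weight_sum, used

def distance_m(a, b):
    """Equirectangular approximation, adequate over tens of metres."""
    mid_lat = math.radians((a[0] + b[0]) / 2)
    dy = math.radians(b[0] - a[0]) * 6371000
    dx = math.radians(b[1] - a[1]) * 6371000 * math.cos(mid_lat)
    return math.hypot(dx, dy)

if __name__ == "__main__":
    lat, lon, used = estimate_position(SCAN, AP_DB)
    print(f"estimate from {used} known APs: {lat:.6f}, {lon:.6f}")
```

Because the lookup key is the BSSID, renaming every network changes nothing in the result; only an AP whose MAC is absent from the database drops out of the estimate.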

  • (Score: 0) by Anonymous Coward on Friday February 09 2018, @08:34PM (2 children)

    by Anonymous Coward on Friday February 09 2018, @08:34PM (#635699)

    I have hundreds of WiFi APs and I change the SSIDs and MAC addresses constantly to fuck with Google. Eat my junk data, scum suckers.

    • (Score: 2) by frojack on Friday February 09 2018, @08:59PM (1 child)

      by frojack (1554) on Friday February 09 2018, @08:59PM (#635715) Journal

      Yeah, guess what, fool:

      Your upstream never changes, and all it takes is ONE MAC address disappearing and another reappearing to figure this out. You have no control of the MAC immediately upstream of yours, and no control of the fingerprinting already performed on the computers behind your APs, nor do you have control of every app on every device reporting its MAC to the mother ship.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 1, Touché) by Anonymous Coward on Friday February 09 2018, @09:15PM

        by Anonymous Coward on Friday February 09 2018, @09:15PM (#635722)

        Yeah, guess what, fool:

        Your upstream never changes, and all it takes is ONE MAC address disappearing and another reappearing to figure this out. You have no control of the MAC immediately upstream of yours, and no control of the fingerprinting already performed on the computers behind your APs, nor do you have control of every app on every device reporting its MAC to the mother ship.

        Are you sure you know how the data link layer works?

  • (Score: 0) by Anonymous Coward on Friday February 09 2018, @08:44PM

    by Anonymous Coward on Friday February 09 2018, @08:44PM (#635703)

    Oh and most people don't carry around phones that have their cellphone function disabled most of the time. So the telco can know where the phone is. Sometimes very accurately if it's associated to a pico-cell or femto cell.

    Some elevators don't drop calls ( https://www.fcc.gov/help/public-safety-tech-topic-23-femtocells [fcc.gov] ). So if you and your phone are in one of those elevators in theory someone could know you're in that elevator and thus know pretty accurately where you are.

    I use Tasker and the GSM tower info is good enough for my phone to know whether it's home or at my workplace or other places without needing WiFi or GPS enabled. Tasker's accuracy is lower for cell-tower stuff since it doesn't use signal strength info. But the telco or similar might be able to.