Boffins crack smartphone location tracking – even if you've turned off the GPS Religiously turning off location services may not save you from having your smartphone tracked: a group of IEEE researchers have demonstrated it's possible to track mobes even when GPS and Wi-Fi are turned off. And, as a kicker: at least some of this data can be collected without permission, because smartphone makers don't …
Which is
a) Quite clever
b) Very f**king scary
c) Only possible because of the clumsy security control on most phones. Phones IP address is not sensitive. WTF? I mean WTF?
And yes I think every service on a "smart" phone should be user level controllable regarding what apps can access it. If you want it to be available to "all" then fine, but the default should be "none."
Personally I'd prefer a "spoof" mode where apps that insist they can't run without access to your address book (why?) should be set to use the phones default app(s) which should then generate a limited amount of plausible BS.
Gosh, it's almost like if you let a piece of software collect lots of unnecessary data and then upload it to some random place on the Internet, that someone could use this against you in some way.
Seriously... fine-grained permission control. Why are air pressure and heading not protected by a permission? Because there's no "you must ask for permission" blanket default before a "you must grant permission" user-authorised exclusion when that data is requested.
And users are stupid and don't understand that a walking app doesn't need to know your air pressure.
Honestly, any combination of more than 2 or 3 permissions is a warning sign, and things like "requires Internet access" isn't fine-grained enough. MAKE APP MAKERS SPECIFY TARGET DOMAIN NAMES.
PC's are rapidly moving towards web-services contained within the browser DOM model on the local PC, apps are the equivalent of installing a Flash plugin. It's a backwards step.
Sorry, but you get the bare minimum of permissions to do the task at hand, the default should be "no" for everything, and users should be able to say "Pretend I've given it the permission, but just send it fake data" (e.g. The flashlight app wants webcam access? Sure. Send it some white noise.). But, to be honest, rather than propagate the Vista UAC debacle into every mobile phone on the planet, let's just stop making programs that require those permissions and refuse them at the app-store. Literally force the writers to publish something like an SELinux capability report, down to port numbers, domain names, and format of information sent, individual permissions for everything (there should be no "you need to ask for camera access to turn on the flashlight" as is/was common), which is then audited for necessity, and any warning that pops up EVER on any phone that it's breaching those capabilities result in its being blacklisted as an app.
Without it? You're in a blank sandbox filled with false info no matter what you request.
"And users are stupid and don't understand that a walking app doesn't need to know your air pressure."
If it's just a simple step counter app then OK, no need for any sensor access beyond the accelerometer. But if the app is trying not just to count steps but also estimate calories burned as a result, then knowing if those steps resulted in you gaining, losing or maintaining elevation means the resultant estimation will be somewhat less inaccurate than a simple "1 calorie = x steps" conversion.
Not that I disagree with the more general observation that users can and do completely ignore some utterly insane permission requests from apps, or that the current permissions model is a bit broken, but to suggest people are stupid if they allow an app to request a permission which isn't obviously out of scope for that type of app... bit harsh methinks.
The impression that I got from the article is that users are never ASKED to authorize sharing of barometric data because handset/app makers don't consider that personally identifiable information. Hell, they may not even specifically intend to collect it, but simply don't NOT collect it along with temperature and other environmental data.
So "clueless users" criticisms might be misdirected, in this case.
Or, am I missing something...?
"But if the app is trying not just to count steps but also estimate calories burned as a result, then knowing if those steps resulted in you gaining, losing or maintaining elevation means the resultant estimation will be somewhat less inaccurate than a simple "1 calorie = x steps" conversion."
Technically true, however it's also true that step counters are horribly inaccurate in actually counting steps. The error introduced by that has got to swamp out whatever error might be introduced by changes in air pressure.
Also, determining elevation by air pressure will only give a rough guess unless you have a way of comparing it to the air pressure at a known elevation in the same area.
"Also, determining elevation by air pressure will only give a rough guess unless you have a way of comparing it to the air pressure at a known elevation in the same area."
Nah, you just need to measure changes. Of course, things may appear a little different if there's a big pressure change due to weather while out walking.
> hen knowing if those steps resulted in you gaining, losing or maintaining elevation means the resultant estimation will be somewhat less inaccurate than a simple "1 calorie = x steps" conversion.
The app can calculate that locally from those inputs, but it doesn't need to send that raw data into the cloud.
I thought elevation was only provided by the GPS... Is that available without location permissions?
Even if it is, being a non-primary function of GPS, elevation is not really very accurate, which might be OK if you're tracking someone in the foothills of the Andes which dwarf the margin of error, but those is flatter areas are likely much harder to track...
If paranoid move to the Netherlands.
They use the barometer. Combine air pressure with known atmospheric pressure in the region you are in and you get a pretty good estimate of altitude. Worked for the aviation industry for many years before GPS.
I did mean to mention that, how common is a barometer in smartphones these days? I realise I'm not cutting edge, still happily using a 3 year old phone, but I certainly don't have one.
GPS elevation data is consistent, if not accurate, and therefore can be used for assumptions.
Agree that all sensor information should have permission, and frankly should be more prominent in advance of app installation. Why would a torch app need ANY sensor information, for example, its either ad related or malicious (fine line sometimes...)
data leakage of any kind is likely to result in some kind of matching data attack, although it is also likely that this will become a de-facto issue of having a smartphone at all. Organisations that you permit e.g. Strava can still have the TLA organisations tapping them on the shoulder or subverting their feeds regardless. Probably easier for them to simply open their own advertising shops though in a similar vein to creating their own TOR nodes...
Most people outside the reg forums don't really know what tinfoil is for, let alone making hats out of it and broadcast their every movement, purchase and bank balances to all and sundry.
If you really want to stay relatively hidden, the old phones are your friend, without all the clever sensors. (as well as being very cheap)
"Agree that all sensor information should have permission, and frankly should be more prominent in advance of app installation. Why would a torch app need ANY sensor information, for example, its either ad related or malicious (fine line sometimes...)"
There was the case, a few years ago, of the fine upstanding gentleman who murdered his wife and wanted to get rid of the body. This is Flori-duh, home to many lakes, rivers, streams, and canals inhabited by everyone's fav reptile, the American Alligator (as distinct from its cousins the Chinese Alligator and the American Crocodile; the Chinese 'gator lives in, well, China, while the American croc rarely ventures north of Miramar) and the nice, warm, welcoming, ocean has lots and lots and lots of assorted sharks and barracuda (the Flori-duh Tourist Board is now very upset with me). We're not quite up to Australia levels of wildlife hostility, but we're working on it. In any case, instead of just dropping the body into a convenient body of water, m'man decided to go out into the woods and dig a grave. At night. He turned on the flashlight app on his phone to shed some light on the process (why he needed light to dig a hole is another question...) and the flashlight app called home to Mama. When the cops investigated (those of us who watch Law&Order know that the first suspect is always the nearest and dearest) they called up the cellco and got pointers to go to the company which sold the flashlight app, who were only too happy to provide all kinds of data, including exact GPS readings on where the phone had been that night. This resulted in a little expedition into the woods, and a quickly located body.
Moral of the story: if you want to get rid of the wife, leave the phone at home when you do. Or feed her to the gators. Or, at least, don't turn on the flashlight app.
A "Flashlight" app that calls home and dumps your co-ordinates to a central server?
I'm thinking most of these apps should just be filed under the section of the app store marked "Trojans" since TBH that is exactlywhat they are, wheather or not they are actively trying to commit a crime with your phone. Violating your privacy for someone else profit so they can pimp the data out.
There was the case, a few years ago, of the fine upstanding gentleman who murdered his wife and wanted to get rid of the body....
Moral of the story: if you want to get rid of the wife, leave the phone at home when you do. Or feed her to the gators. Or, at least, don't turn on the flashlight app. Or just don't murder wife.
Just being very obvious.
Personally I use a firewall (the root free variety) and block any apps from accessing the data connection that I don't think needs it. I downloaded one app a couple of years ago and it wanted access to everything despite the fact that it had no need for most of it. It was one of those word search apps and I only downloaded it to use on a long train journey. It was trying to reach a large number of IP addresses and was a vast majority of the access requests that the phone was making. It was caning the battery too (about the same as Candy Crush) and I deleted it shortly after I spotted this.
Sure... Then you enter the country by car, drive through those license plate registration ports at the border, continue your journey while traced by the traffic/ speed cameras which have been deployed in the Netherlands on a massive scale "to prevent road casualties". Realising this, you decide to move to public transport, and purchase an "OV Chip card" with your credit/ debit card (cheaper! Cash sale limited and more expensive!), swipe it at the station entrance to gain access to the platform and train/ bus/ tram/ metro you want to go on. The advantage of this of course it that "one card works everywhere!". Swiping your card to be able to leave the station again (not doing so will result in an automated fine, conveniently received in the comfort of your own mailbox at and @ home (email registration required for purchase OV card), you indulge in a bit of shopping the Dutch stores (which now massively use in store device tracking for marketing purposes) and pay with your BSN (Dutch general purpose "citizens number", registered for everything, think social security number, but also used for health insurance, bank details, booking a trip, getting a speeding ticket, applying for a job, paying taxes, buying a telly. Really handy!) coupled electronic payment method. Being "foreign", you grab your cash, and the store attendant asks "if you can't pay electronically, preferably the Dutch, BSN coupled, PIN method. After all, cash is only used by tax dodgers, terrrorists, and criminals. You say sorry, no, you're foreign, and have no Dutch accounts. You slip the € 100 bill across the counter. "Sorry, we don't accept these. Don't you have € 50 or smaller?" You turn up a few coins, but not enough. "Sorry", the attendant says, "but could you please go to a bank to change?" [...] Arriving at the bank, the person at the till asks you for your passport so she can give the change ... ... ...
This is IRL Netherlands, no fiction. So I suppose it's safe to say they don't need terrain elevation...
I shouldn't feed the troll, I know, but...
The FBI, or any other arm of a government, can go to the phone company and get the cell tower location records directly. The article describes a method that can be performed by pretty much anyone.
Plus, if the FBI wanted to know Trump's location they could either ask the Secret Service, or just go to the nearest golf club that's next to a McDonalds.
How will the FBI illegally spy on Trump and hand info to the DNC if this gets fixed? I think The Register means to have this fixed... in 7 years.
I was asked by one of my non technological friends when Obama became President how they would keep him safe when he had a phone on him. They'd heard that it was possible to track a phone and find someone that way. I said he wouldn't be in much danger of that as he was protected by an army of people dedicated to keeping him safe and healthy. What I'd do to increase that security if it was me was have the phone only connect to a WHCA (White House Communications Agency) picocell transmitter. Then install one of these at the White House/Camp David/in the planes likely to be get the call sign Air Force One, USSS Road Runner vehicles etc. The calls are then routed back to the White House via various methods certainly not using local cell towers. As the President is never (or shouldn't be) very far from one of these cells his phone should be operating on very low power as a result. That should help with people trying to scan for his phone as they'd have to get quite close and would probably look suspicious enough to alert the USSS. I would also have a bunch of phones that connect to these pico cells so that you couldn't pinpoint one of them as belonging to POTUS.
The iPhones mentioned have barometers in them so can sense elevation (much more accurate than GPS elevation which is 1 reason why aircraft do not use GPS for elevation), but in a pressurised cabin it won't tell you outside elevation. by the time the plane is on the ground cabin pressure should be close to that of local so how do they know if the phone has been in the air or are they trying to just match phone reported elevation with that of known airports?
or are they suggesting the phone can regurgitate historical elevation data?
The phone app will have recorded the pressure data, showing that it was fluctuating at around the equivalent of 8000 feet for a period before equalising to the outside qfe pressure. The app would then send this recorded information.
"or are they suggesting the phone can regurgitate historical elevation data?"
From the article: "In the PinMe attack, the researchers went down the malicious app path" - if you're in control of the data collection process, then pretty much anything is possible provided the phone remains powered up...
"I keep location switched off because I know where I am. I have yet to find an app that tells me something useful about my location that is anything other than fucking irritating."
In all my years of owning a GPS capable smart phone, I've never once had to actually use it for figuring out where I am. I still turn on GPS regularly to use Google Daydream apps, coz Google insists, which wouldn't be so bad if they actually used that to figure out tho position of my head, instead of only using the rotation of my head. Google have no valid reason for needing GPS data in Daydream. Considering any VR app can drain my battery in a couple of hours, leaving the GPS turned off would be a good thing, the battery would last a little bit longer.
Yes. I was puzzled when my phone displayed my postion on a map app even though GPS and Location were turned off. Cell towers will still show where you are. You could switch to Airplane mode -- but then you can't receive calls/texts.
Slightly more worrying is the way Amazon etc calculate your street address via your IP address. And get it wrong. Careful when ordering or your neighbours may get your stuff.
"Slightly more worrying is the way Amazon etc calculate your street address via your IP address. And get it wrong. Careful when ordering or your neighbours may get your stuff."
Using my IP address to figure out where I am either results in the capital city of the Australian state to the south of me, or the data centre on the other side of the planet where my server lives, coz I proxy most web stuff through that server. IP to location data is only as accurate as your ISP tells the world, coz that's where the information comes from. If your ISP tells the world "all our customers IPs are located at our HQ in Sydney", tough luck. I wonder how many Amazon deliveries get sent there?
"the phone still needs to be transmitting some form of telemetry"
Yes. This is why I use a firewall to block all outgoing traffic by default. No app (or the OS itself) gets to talk to the outside world without me giving permission. This is my backup safety measure -- if an app gets all sneaky-sneaky and collects data without my knowledge, it does no harm if it can't send it anywhere.
> This is why I use a firewall to block all outgoing traffic by default.
AFWall+ is one of the first things that you want installed on an Android device.
While the typical firewall use is to keep things from getting in, in this case and as the other poster says, the purpose is to keep things from going out. Kind of sad, isn't it?
"While the typical firewall use is to keep things from getting in, in this case and as the other poster says, the purpose is to keep things from going out. Kind of sad, isn't it?"
Google apps totally ignore my "give fake GPS results to apps" app, I'm sure they'll totally ignore firewall apps to.
I need to root my new phone some day soonish. Only thing that has stopped me so far is that rooting involves asking permission from Motorola, who will then void your warranty. sigh
Google apps totally ignore my "give fake GPS results to apps" app, I'm sure they'll totally ignore firewall apps to.
Most android non-root firewall are based on VPN connection. If you have a network monitoring log, you should see the connection getting blocked by the firewall. I do recommend getting one as it is the easiest way to keep some control of your phone.
If you install a custom rom (android OS) like lineageOS, there are individual options for you to block network and gps permissions.
I need to root my new phone some day soonish. Only thing that has stopped me so far is that rooting involves asking permission from Motorola, who will then void your warranty. sigh
Rooting should have nothing to do with asking permission from Motorola. Unless you meant unlocking bootloader to install custom rooted rom, then you might need Motorola permission to unlock it. However regardless of rooting or installing custom rom, doing either will indeed void your warranty. This is straightly because the manufacture won't fix your rom if you broke it yourself.
Nonetheless if there is a well community supporting your very-specific phone, you can more or less find ways to unroot your phone and/or re-lock the bootloader if you really need to use the limited warranty. Just don't forget to keep a backup copy of your OEM rom for that case.
If you are rooting for the first time, I do not recommend doing this on a brand new expensive phone, since you can easily and accidentally soft brick your phone.
That still won't help much if the device runs Android 6+ since not just the bootloader but the entire system partition is hashed by Merkle tree to detect any kind of tampering. Plus there are the root- and custom-aware apps (which appeared before Android 6) who will balk on anything but a pristine system.
"Google apps totally ignore my "give fake GPS results to apps" app, I'm sure they'll totally ignore firewall apps to."
If you're rooted and using something like (the excellent) AFWall+, then Google apps can't ignore the firewall. AFWall+ is just configuring the native Linux firewall all Androids have, and (barring a bug somewhere) can't be ignored. If an app wants to be malicious, it could rewrite the firewall rules, but that's detectable.
> Google apps totally ignore my "give fake GPS results to apps" app, I'm sure they'll totally ignore firewall apps to.
AFWall+ is an iptables-based firewall. I am running a rather pure AOSP with no non-Android Google proprietary stuff, but even so I did do a long-running network capture on the router to validate the effectiveness of the firewall, and it does work as intended.
Curiously, in the firewall logs, I see nothing Googlishy (unsurprisingly in light of what I've just explained), but I do see bits provided by OEM manufacturers (Samsung I think was one, and some Chinese company another, but this is from memory) that do try to call home. Those get blocked all right and the phone works very nicely.
You can already do this given enough meta data with very little access. How? Correlation and a BIG data centre.
If one person in a bus has GPS on, plus a secondary data set (almost anything "shared" with everyone else on the bus, cell signal, compass, air pressure, heading/gyro, sound, temperature etc), you can then correlate your low knowledge data set to your high knowledge data set...
Then boom, you tracked the phone indirectly.
You do though require a certain large data centre in a certain area with big fat pipes feeding it. I wonder who has that kind of kit... hint hint.
This is what Google, Facebook, Apple, Amazon and world + dog are already doing. They sweeten the malware with some kind of network effect or promise not to do anything bad and people will happily install anything. For the rest: throw in the offer to get some thing for nothing and we'll nearly all sign up.
It's that one time when your routine changes that will alert them to call in the black helicopters.
Black helicopters already fly over my house on a semi-regular basis. No, really, they do. I figure I must be on the flight path between the local airport and a military base or something.
Good thing I'm not a conspiracy nutjob who believes that the black helicopters are spying on me. I know the ones watching me are the blue helicopters.
You know watching this happen is extremely painful, only this morning my trusty Vaio got it's specter and meltdown patch, then promptly melted down. No post via display, checked the RAM all good, checked the PSU all good, unable to check the BIOS because all I get is a blank screen. Damn thing cost close to 2'000 new and it was made with quality bits from the best quality places like Taiwan and China and this is what I'm left with to show for it, a whiff of smoke from the vents! I feel your pain Linus I do... Well another PC bites the dust damn I've only got 5 left and those ones are not running windows and after that debacle they never will be.
You know watching this happen is extremely painful, only this morning my trusty Vaio got it's specter and meltdown patch, then promptly melted down. No post via display, checked the RAM all good, checked the PSU all good, unable to check the BIOS because all I get is a blank screen.
This is unfortunate for you, but did the keyboard light up at all? Did you get any sound? here's something you can do to check.
Option 1: Plug in a keyboard with a caps lock light and a headphone to the headphone jack. If you get any response either keyboard light or sound from the headphone after boot, then it's just the monitor that is having problem.
Option 2: Disconnect all bootable device and then boot up a linux usb. If the PC is old and it beeped at startup or you see the caps lock light working after you keyboard your way for the linux to booting up, then it's just the monitor with problem.
If you still couldn't get any response and nothing is shown on the screen, then it might be the mobo. If you're lucky then it might be a disconnected RAM or something. If you're unlucky, then the mobo is indeed dead. If you really like your PC, you can probably find mobo parts and monitor for your PC replacement.
Yeah but they're only capturing your data so they can write you a rude letter telling you about how you where found on a bit-torrent swarm or you where using TOR for privacy and the Microsoft persistent routes routed all your connections via redmond so they could write you the afore mentioned letter to whine about potential "infringement" there's something extremely retarded with these people if they think TOR and bit-torrent file sharing are the only way to share a file. People are going to start using alternatives soon enough if they're not already and those kind of alternatives require "Key's and Keyrings" and complex Vaults where the retarded people who have nothing better to do than steal your details and write you letters will get greeted by the message 401 - Unauthorized. Blockchain with Kerberos is invite only bitch!
No... They caught Kevin with triangulation and broke the law to do it... Haven't you seen the movie?
Best bit was when they social engineered the investigating agent in charges, Water and Gas supply, he's in the kitchen preparing a coffee as all the Water and Lights go off and all you hear out of him as it goes all dark is "Oh son of a bi***!"
They told Mitnik about SAS - Switched Access Services which is the special southern service Bell offers to the FBI to listen to phone calls.
The fact that we all, now know about SAS and the fact it's deeply rooted in Jewish Communism & Socialism is neither here nor there, but at least it bring's the issue sharply into focus for everybody!
> The fact that we all, now know about SAS and the fact it's deeply rooted in Jewish Communism & Socialism is neither here nor there
And there I was thinking it was all about shifty blokes hanging around Hereford with seventies-era porn-star moustaches.
By the gyroscope. Both it and the magnetometer are tri-axial and can measure in three dimensions. The gyro tells the phone which way is up for auto-rotation and the like (VERY old hat, that). Given that, it's easy to interpret the magnetometer to orient a 3-D compass.
"By the gyroscope. Both it and the magnetometer are tri-axial and can measure in three dimensions. The gyro tells the phone which way is up for auto-rotation and the like (VERY old hat, that). Given that, it's easy to interpret the magnetometer to orient a 3-D compass."
Except for the large amount of drift in those gyros. Gyros are used to track head rotation in VR headsets like Google Cardboard and Daydream, and drift a lot in a few minutes. Which is why Daydream has the built in "hold down the home button to line things up properly" function.
That usually happens if you use it soon after power on as it lacks an orientation history. Flipping the phone on its axes a few times usually gives it enough to get a bearing, plus for checking the compass it only needs a ballpark estimate of its orientation to give the magnetometer enough data to lock onto magnetic north.
Just look on the positive side, when they ask you what you know about Switched Access Services, just purse your lips, look thoughtful and reply. "That's when you decide you've had enough of using Microsoft products and you voluntarily make the Switch embracing Socialism and Communism ideals as you do it!" you see the irony is, that in a communist society, the government doesn't spy on its people, the people spy on there government!
This post has been deleted by its author
This doesn't just work if you've turned off the GPS, it works with saved data if you don't have cell connections to triangulate, for example in airplane mode.
(Only if you later make a connection that the app can send data on, or your phone is seized, but if you never make a connection, why have a phone at all?)
ANY details that you provide (continuously/regularly) will easily identify you, eventually. Even a single datum, when combined with all the publicly available info, may be enough to nail you.
Still, as Bush, Obama, Blair, Cameron, May and maybe Trump would say, "if you've done nothing wrong..."
I completely forgot about how Android users used to brag about the barometer in some older Galaxy S phones back when the iPhone didn't have one (because they bragged about anything the iPhone lacked that some Android phone had) I also completely forgot that Apple added one (or more likely the supplier of their MEMs chip integrated one and they didn't bother to disable it in case someone found a use for it someday) starting with the iPhone 6.
I've never used the barometer in my iPhone - don't even know what apps might access it - and can't think of anything useful to use it for. You can't use it to assess altitude, because air pressure is independent of altitude, and it probably isn't sensitive enough to detect changes of less than a thousand feet in elevation. If I need to know the barometric pressure I'll visit Accuweather.
Maybe here's a good reason to disable the damn thing - as if anyone would ever notice!
Please mate, not yet another one of those idiotic pissing contests. Listen, I do not fucking care what brand of phone you use, what car, bicycle or helicopter you ride, what perfume you wear or what brand of toilet paper you use. I seriously do not give a shit, and I doubt whatever choices you make in that respect will make you better or worse than anyone else.
So please, stop that idiocy. It is cringeworthy that anyone with the ability to read or write could fall victim to such base displays of tribalism.
Fatuous my-brand-is-better-than-your-brand comments just make this site (or any other) a lot less interesting to read so I would appreciate if you could save that shit for the pub.
Air pressure doesn't change that drastically due to weather; otherwise, airplanes couldn't use them for their altimeters. Yes, they do need calibrating before a flight, but the fact they can fly through different weather systems and not deviate that much indicates that a barometer is still useful to get a general idea, especially if bolstered by local data to give a reference altitude.
When I join the People's Liberation Front for the UK, this will be a big concern. Whilst the main tyranny of our government is the amount of taxes we pay, its not that likely.
In the meantime, is this any different from all the leaky systems already tracking your number plate, facial recognition etc. Will we maybe just have to accept that some information is more open now, and if you want to go someone secretly you need to leave your phone at home ? Or just use "Airplane mode" ??
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
