Feeds

No, iPhone location tracking isn't harmless and here's why

Secret Apple database already being tapped by cops

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Analysis It didn't take long for the blogosphere to pooh pooh research presented on Wednesday that detailed a file in Apple iPhones and iPads unknown to the vast majority of its users that stored a long list of their time-stamped locations, sometimes with alarming detail.

On Thursday, a forensics expert who sells software to law enforcement agencies gave a first-hand account why scrutiny of the location-tracking database is crucial. We'll get to that in a moment. But first, let's take a sampling of the rampant naysaying.

The most common criticism was that the contents of the SQLite file, which is stored on the phone and on any computer backups, were wildly imprecise. Blogger and web developer Will Clarke, for instance, used the researchers' freely available software to map the coordinates gathered by his own iPhone during a recent round-trip bike tour he took from Philadelphia to New Jersey. When he compared the results to the actual route, he found that “almost all the points were way off.”

In an interview with The Reg, he said some of the points on the resulting map were as much as 3,000 meters, or almost two miles, away from his true location.

“The data that is exposed basically reveals which city you were in at a given time,” he concluded in a post that called the research “sensational.” “Nothing more specific than that. It can't tell what house you live in, it can't tell what route you jog on, nothing like that.”

He went on to conclude: “Apple is not storing the device's location, it's storing the location of the towers that the device is communicating with.”

Software analyst David “Lefty” Schlesinger found similar inaccuracies when he used the database contents of his iPhone to plot a train ride he took in July from Amsterdam to Den Haag, about 60 kilometers away. He also found that the iPhone file showed he was in Santa Cruz, California, on Christmas Day and traveled as much as 80 miles, when in fact he stayed in the state's Central Valley, some 130 miles away, the entire day.

Like several other bloggers, he also noted huge inconsistencies in the time intervals that locations were logged. Sometimes iPhones and iPads went days without updating the database, and on one occasion went almost two weeks.

The critics make a valid point that the data stored in the consolidated.db file hardly contains a historical record of a user's real-time comings and goings, or a user's every move, as incorrectly suggested in initial coverage from The Register and many other news sites. Researchers Pete Warden and Alasdair Allan readily acknowledge that they have yet to figure out what triggers iDevices to log location details, but it's not unusual for hours or even weeks to occasionally pass between entries.

They said they have noted one or two grossly inaccurate locations logged in the database. One region that seems to regularly pop up in files stored on multiple phones is an area just outside of Las Vegas. Allan said the database extracted from his iPhone and the iPhones of several people he knows logged that Nevada city even though none of the owners were anywhere near it on the date indicated in the corresponding timestamp.

Las Vegas also incorrectly showed up on the iPhones of Clarke and a co-worker of his, suggesting the iOS code that logs locations may be buggy.

“We both have the exact same data point in Vegas, and neither of us have been,” he said.

Warden and Allan said their reverse engineering exercise made it impossible to learn the precise way the logging works, but they insist the conclusion of their research is still correct: The contents of the consolidated.db file stored on every iDevice and on any computer containing a backup of its data contains a “scary amount of detail on our movements.”

“By inspecting it, I can tell what part of downtown San Francisco I'm in, I can see that I'm in a particular neighborhood,” Warden said.

Added Allan: “It's a bit above block level, but it can certainly tell that I'm in north east Manhattan, or south east Manhattan.”

They said the precise latitude and longitude plotted on a map is accurate to about 500 meters in areas where there are many cellphone nodes and as much as 4 kilometers with fewer nodes.

“It really does seem to be dependent on how good your cell coverage is,” Allan said. “If you're in a big city like downtown San Francisco, the positioning is going to be much better. If you're in the middle of London, the positioning is going to be much better. If you're in a rural or semi-rural area, your positions are going to be much rougher.”

They also refuted Clarke's assertion that the latitude and longitude coordinates logged in the database referred to the position of cell towers rather than the Apple devices themselves. Some of the extracted databases they examined plotted literally thousands of unique coordinates in a small part of a single city. It's almost impossible that there could be that many corresponding nodes in such a confined area, they said.

What's more, the geographic locations of cell towers is usually kept secret by the carriers who own them, and there's no clear way an iPhone would be able to detect its longitude and latitude anyway.

“Our current stance is that this is the position of the device,” Allan said. “There has to be now or very soon a big public debate about location data and privacy. This (research) might be something that helps kick that debate off.”

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.