Boffins crack smartphone location tracking – even if you've turned off the GPS

Religiously turning off location services may not save you from having your smartphone tracked: a group of IEEE researchers have demonstrated it's possible to track mobes even when GPS and Wi-Fi are turned off.

And, as a kicker: at least some of this data can be collected without permission, because smartphone makers don't consider it sensitive.

The researchers from Princeton University (student Arsalan Mosenia, IEEE members Xiaoliang Dai and Prateek Mittal, and IEEE fellow Niraj Jha) tracked smartmobes using a technique dubbed PinMe, which combined information from the phone and non-phone sources to work out where a user is.

In their paper, out this week, they explain that PinMe works with “non-sensory/sensory data stored on the smartphone” (the first category includes timezone and network status; the second includes air pressure and heading), and when that's combined with “publicly available auxiliary information” like elevation maps, it's able to “estimate the user's location when all location services, eg GPS, are turned off.”

The combination of data sources, the paper says, yielded user tracking “comparable to GPS” on their iPhone 6, iPhone 6S and Galaxy S4 i9500 test devices.

The paper noted that while an attacker might try to sweep up such data using the well-trodden path of installing a malicious app (after all, user-snooping flashlight apps have been around for years), there are also public sources of data: fitness apps such as Strava.

Arousing

Fitness apps "can, without arousing suspicion, collect and upload a significant amount of valuable non-sensory/sensory data, which can be post-processed to infer critical information about the user," the researchers wrote.

In the PinMe attack, the researchers went down the malicious app path, and as noted above, some of the information a smartphone can get doesn't need the user's permission. Timezone, device IP address and network status don't need permission; nor do the accelerometer, magnetometer (which measures the angle between the phone's heading and north), or barometer.

The public data PinMe uses includes OpenStreetMap, Google Maps' elevation data fetched through its API, OpenFlights (which maps 9,541 airports); they built a train heading database from Google Maps, and accessed public transport timetables (where possible, from their APIs).

As an example of how all this translates to getting a user's location: the IP address can be geolocated to provide a guess at a city; barometer data tells you if the user arrived on an aeroplane; if the user's heading doesn't change much, they're on a train; travel by car can be correlated to street map data; and so on.

In the cities in which the boffins ran their tests (Princeton and Trenton in the US state of New Jersey and Philadelphia in Pennsylvania), the correlation between heading changes and street maps yields a track that gets more accurate the further the trip – because the longer the drive, the fewer the possible paths the user might take.

Likewise, you don't need a GPS to work out which airport someone flew into: takeoff and landing times are public, you can grab elevation from the phone, so the "planeTracker" component in PinMe "was able to accurately and uniquely return both departure and destination airports for all four flight routes" in the test.

The paper suggests phone manufacturers give users the ability to shut down sensors, or put sensors into a privacy mode that limits their sampling rate and accuracy. ®