It is common knowledge that smartphones and many Internet of Things (IoT) devices store and share data about their whereabouts. If they did not, numerous built-in services and user-installed applications would be unable to operate the way they should. For instance, mapping tools are useless unless they have access to one’s current geolocation. The same goes for ridesharing apps and growingly popular augmented reality solutions. The list goes on and on.
Whereas this form of tracking is an inalienable part of full-blown user experience these days, it can expose people to numerous risks by playing into the hands of unscrupulous advertisers, espionage groups, and thieves.
This is a serious concern for regular users who may discover at some point that the geolocation foul play of the applications they use is at odds with their privacy. The threat escalates considerably if you are a government official or a senior executive in a major corporation. In either case, adversaries may want to monitor your movements behind the scenes.
It can be difficult to find a reasonable trade-off between making the most of a location-aware electronic device, on the one hand, and ensuring the intactness of sensitive information, on the other hand. To bridge the gap between these two extremes, the U.S. National Security Agency (NSA) has recently published actionable insights into the challenges that stem from geolocation tracking. The following paragraphs will highlight some of these considerations and provide tips to stay safe.
Mobile devices broadcast a ton of location data
The moment you power on your smartphone, it starts exposing your geolocation. These devices trust cellular networks by design and therefore transmit their coordinates to the mobile service provider whenever the connection is established, continuing to reveal this information down the line. Moreover, these details can be tracked over a wide area.
If a malicious actor gains unauthorized access to the provider’s system, it can obtain the entirety of this identifying info. To top it off, cellular companies may sell real-time location data to third parties. Even if none of this happens, well-motivated adversaries may purchase and leverage bogus base stations, also known as IMSI-catchers, to eavesdrop on you. This gear mimics a provider’s legitimate equipment and offers the strongest cellular signal to make sure your smartphone connects to it automatically instead of the genuine base station nearby. All communications, including your whereabouts, will be intercepted by criminals in this scenario.
Another caveat is that location data is stored locally on your device. If retrieved, this log can allow crooks to connect the dots and trace your recent movements while predicting future ones. Using this data they can steal your online accounts. An additional risk comes down to browser fingerprinting. It paves a dodgy website’s way toward accurately determining where you are accessing it from.
Turning off cellular does not necessarily address the problem
Wi-Fi and Bluetooth are communication protocols that may also allow an adversary to figure out where you are. By using commercially available devices called “wireless
sniffers,” malefactors can calculate your geolocation based on signal strength. The worst part is that this trick can be pulled off even if you are not actively using wireless services at the moment.
Turning off these connectivity options is not an ultimately effective way to thwart unwanted tracking, though. For Example, as soon as you re-enable Bluetooth, the previously saved information may still be sent out. In addition to Wi-Fi and Bluetooth radios, mobile gadgets are equipped with plenty of sensors that can be verbose in terms of your location.
Location services vs. GPS: the disambiguation
A common misconception is that location services and GPS are synonymous. The truth is location services are a means for a mobile device to provide apps with the location data feed. If you turn off this feature in your smartphone settings, GPS will still be up and running. Doing so simply restricts the scope of apps’ access to your geolocation details. Meanwhile, the operating system will continue to transmit this information to the cellular network.
Mobile devices are not the only low-hanging fruit
The range of appliances that expose users’ location data goes well beyond smartphones. Anything with wireless connectivity onboard is susceptible to similar risks. These devices run the gamut from smartwatches, fitness trackers, connected medical equipment, and vehicle communication modules – to Internet-enabled elements of a smart home, including automatic door lock systems, thermostats, smart fridges, and even remotely controlled light bulbs.
Collectively referred to as IoT devices, these entities can be extremely hard to secure. Many of them provide no way to disable wireless features and come with crudely developed firmware riddled with gaping security loopholes. To add insult to injury, their manufacturers follow poor patching practices, let alone the fact that some devices do not support firmware updates at all.
Another concern is that the data automatically sync to the cloud may include geolocation records. If the cloud service falls victim to a breach – which is not too uncommon – this personally identifiable information (PII) will end up in the wrong hands.
Apps and social networks harvest a plethora of location data, too
A real scourge of the present-day online ecosystem is that some applications request and use permissions they do not actually need. Even if you stick with official app marketplaces that are rigorously vetted for abuse, you still run the risk of installing something that requires access to your geolocation, which is redundant for its normal functioning. As a result, the app author will be able to keep tabs on where you are.
Therefore, read the fine print and think twice before granting such permission to an app unless it really needs to determine your whereabouts. Apps that cannot properly work without knowing your location include news and weather apps, rideshare apps, compasses, shopping apps, and navigation apps. Anything that does not fit the mold of these solutions should be treated with caution.
Social media sites collect a lot of location details as well. Not everyone knows that photos uploaded to these services may include obfuscated metadata conveying this type of information. Even if they do not, the picture background can speak volumes about where the person is.
Unfortunately, toggling privacy settings is not an ultimately reliable way to prevent tracking. Some popular social networks have gained notoriety for having vulnerabilities that may fuel exploitation by threat actors.
Location tracking prevention best practices
Here is a roundup of mitigations that will keep your location data from being harvested and mishandled by snoops.
- Turn off location services in your device’s settings. If you are using an Android smartphone, head to Settings > Location and slide the toggle to the “Off” position. In iOS, go to Settings > Privacy > Location Services and disable the option there.
- Disable wireless radios when you are not using them. This primarily applies to Wi-Fi and Bluetooth. The Airplane Mode is a great shortcut to switching them off in a snap.
- Do not give apps more permissions than they need. Refrain from allowing an app to access your geolocation unless it inherently needs this data to deliver its features.
- Minimize ad tracking. Fine-tune the privacy settings on your device to narrow down the scope of advertising permissions. Another good habit is to reset the device’s advertising ID once in a while (preferably every week). On an Android gadget, go to Settings > Google > Ads > Reset advertising ID. On an iPhone or iPad, go to Settings > Privacy and tap the option that says, “Reset Advertising Identifier.”
- Disable Find My feature (or its analog). This tip relates to a service that allows you to pinpoint a misplaced or stolen mobile device. Although it can be useful in certain adverse situations, it reveals the accurate coordinates of your smartphone.
- Secure your web surfing routine. To steer clear of browser fingerprinting previously mentioned in this article, disallow the use of location data by your browser of choice.
- Mind what you store in the cloud. If possible, reduce the amount of location information synced to your cloud accounts.
- Do not overshare. If cybercriminals seek to track you down, one of the first things they will do is scour your social media profiles for materials that may expose this information through metadata or publicly accessible geotagging details. A few examples are photos and check-ins at places like airports, hotels, or restaurants. To err on the side of caution, you are better off not uploading such content to social networks
- Location Tracking Risks and Protection - August 29, 2020