As Location Goes Mainstream, So Does The Potential For Abuse

Geolocation isn’t really anything new. In a lot of cases we’ve come to expect it. Most smartphones sold today have an on-board GPS receiver and it’s considered a selling point for a handset to have one. Today’s mobile mapping applications and Location Based Mobile Services make use of the location fix that GPS provides. We’re used to our technology saying “you are here“. Without this there’d be no Ovi Maps, no Google Maps, no Foursquare and no Facebook Places.

Long before we put up a network of over 20 satellites a less accurate version of geolocation was available. Pretty much anything that puts out a signal in the radio spectrum can be used to triangulate your position, if there’s enough radio sources spead out over a wide area and if someone’s done the leg work needed to geolocate you based on the position and strength of those radio sources. This can be done with mobile cell towers, with radio masts and more recently with the proliferation of wifi enabled access points, both in people’s homes, in offices and in public areas.

No matter where you go, there you are - Buckaroo Bonzai

The process of wifi geolocation, sometimes called Wifi Positioning System or WPS, is sometimes combined with GPS, known as Assisted GPS or A-GPS, and sometimes provides geolocation facilities for devices which don’t have onboard GPS. WPS is what allowed the first iPhones and the iPad, both of which lack GPS, to position themselves relatively accurately and WPS also forms part of the W3C Geolocation system which allows web browsers to get a location fix. WPS isn’t as accurate as GPS but most of the time it’s good enough. Both SkyHook Wireless and Google maintain WPS databases, which allow you to geolocate based on the publicly accessible unique address (the MAC address) that every wifi access point broadcasts, regardless of whether the access point is open, closed or encrypted. This isn’t a flaw or a vulnerability, it’s how your laptop or mobile phone seeks out and connects to a wifi network.

Again this is nothing new. But the crucial part is that either implicitly or explicitly this is done by opting into the service. Either by configuring a service, by installing an application or by saying “yes it’s OK to use my location“.

But what is new is that by going “mainstream“, location sharing is now also ripe for abuse.

One indication of this abuse is the recent news that free apps on the Android platform are secretly sharing A-GPS location without the user being aware of it. One could argue that when installing the app this is listed as one of the capabilities …

This application can access the following on your phone:
Your location
coarse (network based) location, fine (GPS) location

… but just like the EULA, or End User License Agreement, people rarely read the small print and simply click through to get to the “good stuff“.

Another indication is the recent proof of concept that allows a malicious web page to exploit a user being logged into their wifi access point’s web based administration console, grab the MAC address of the access point and utilise a third-party WPS web service to geo-locate the user. Admittedly this is a proof of concept; it requires a very specific set of circumstances to be in place in order to work … a vulnerable wifi router, visiting a malicious site with the exploit installed, being logged in as an administrator on the wifi access point’s console at the time of visiting the malicious site.

But we should all be warned. As location goes mainstream and becomes ubiquitous, so does the attention of those who would abuse and exploit this.

As a footnote, the inspiration for this post came from Paul Clarke, who spotted the geolocation exploit proof of concept. In addition to taking a damn fine photograph, Paul also writes equally as well. If you don’t read his blog, you should.

Photo Credits: Stefan Andrej Shambora on Flickr.
Written and posted from the Nokia gate5 office in Berlin (52.53105, 13.38521)

3 Comments

  • […] This post was mentioned on Twitter by Giuseppe Sollazzo, Miguel E. Gil Biraud. Miguel E. Gil Biraud said: RT @vicchi: New Bloggage: As Location Goes Mainstream, So Does The Potential For Abuse – http://vtny.org/C9 […]

  • Gary.. Good, interesting post. Of course these geo-databases that create the WPS are being refined and updated all the time while we continue to use these applications. Skyhook on iPhone, Google and yes, Ovi, all have background applets which crowd source available WLAN information and geo-code them to determine new geo data which is centralised to a server.

    The point being that while we “agree” to offer our location to an application as part of the EULA, we sensibly believe we need to do this in order to enjoy the service. However, we are often unwittingly also allowing something else within the core platform to run in the background and monitor our location for the specific purpose of refining a central database of geo data.

    Smarphone platform location acquisition APIs are already very adaptable and can allow many forms of location information to be whisked off to a central database without the user knowing anything about it. This is because installing the application also installs a module which can access this API but the module is purely for the purposes of the geo data provider, not the application. In the EULA there needs to be a distinction between the application obtaining your location in order to provide you with the service, and also an indication that unless you are distinct in saying “no” the phone will also sniff available WLAN signals in the background and send them to a database.

    Because the company that provides you with the application is a different entity to the company that provides the geo data, making this distinction even as part of a EULA is very difficult and therefore a privacy issue open to exploitation. Of course the geo data providers (Google, Skyhook, Ovi) will all say that the geocoded WLAN signals are not associated with the any user data (such as the EMEI) and so user privacy is not being violated (such as tracking your movements), but given the choice would most people be bothered if they knew it was happening? I think they would.

  • […] privacy is getting a fair bit of attention at the moment and I was quite interested to read this blog about how informed users need to be about applications that use your smarphone’s AGPS to […]