
As Location Goes Mainstream, So Does The Potential For Abuse

Geolocation isn’t really anything new. In a lot of cases we’ve come to expect it. Most smartphones sold today have an on-board GPS receiver and it’s considered a selling point for a handset to have one. Today’s mobile mapping applications and Location Based Mobile Services make use of the location fix that GPS provides. We’re used to our technology saying “you are here”. Without this there’d be no Ovi Maps, no Google Maps, no Foursquare and no Facebook Places.

Long before we put up a network of over 20 satellites, a less accurate version of geolocation was available. Pretty much anything that puts out a signal in the radio spectrum can be used to triangulate your position, if there are enough radio sources spread out over a wide area and if someone’s done the leg work needed to geolocate you based on the position and strength of those radio sources. This can be done with mobile cell towers, with radio masts and more recently with the proliferation of wifi enabled access points, in people’s homes, in offices and in public areas.

No matter where you go, there you are - Buckaroo Banzai

The process of wifi geolocation, sometimes called Wifi Positioning System or WPS, is sometimes combined with GPS, known as Assisted GPS or A-GPS, and sometimes provides geolocation facilities for devices which don’t have onboard GPS. WPS is what allowed the first iPhones and the iPad, both of which lack GPS, to position themselves relatively accurately and WPS also forms part of the W3C Geolocation system which allows web browsers to get a location fix. WPS isn’t as accurate as GPS but most of the time it’s good enough. Both SkyHook Wireless and Google maintain WPS databases, which allow you to geolocate based on the publicly accessible unique address (the MAC address) that every wifi access point broadcasts, regardless of whether the access point is open, closed or encrypted. This isn’t a flaw or a vulnerability, it’s how your laptop or mobile phone seeks out and connects to a wifi network.
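
To make the point concrete, here is a simplified sketch of how a position can be estimated from nothing more than the MAC addresses and signal strengths seen in a wifi scan. It is an added example, not part of the original post and not how SkyHook or Google actually implement their services; it uses a signal-weighted centroid, and the database entries and scan readings are constructed for illustration.

```python
# Constructed survey database: access point MAC (BSSID) -> (latitude, longitude).
# The MACs and positions are made up, placed near the coordinates in the post footer.
AP_DB = {
    "00:11:22:33:44:01": (52.53100, 13.38500),
    "00:11:22:33:44:02": (52.53140, 13.38560),
    "00:11:22:33:44:03": (52.53080, 13.38540),
}


def rssi_to_weight(rssi_dbm):
    """Convert a dBm reading to linear power so stronger signals dominate."""
    return 10 ** (rssi_dbm / 10.0)


def estimate_position(scan, db=AP_DB):
    """Estimate a position from a scan given as a list of (bssid, rssi_dbm).

    Access points missing from the database are ignored. Returns
    (lat, lon, aps_used), or None when no scanned access point is known.
    """
    known = [(db[b.lower()], rssi_to_weight(r)) for b, r in scan if b.lower() in db]
    if not known:
        return None
    total = sum(w for _, w in known)
    lat = sum(pos[0] * w for pos, w in known) / total
    lon = sum(pos[1] * w for pos, w in known) / total
    return lat, lon, len(known)


if __name__ == "__main__":
    # Constructed scan: two surveyed access points and one unknown one.
    scan = [
        ("00:11:22:33:44:01", -48),
        ("00:11:22:33:44:02", -71),
        ("de:ad:be:ef:00:00", -60),
    ]
    print(estimate_position(scan))
```

Note that the scan needs no connection to any of the networks, which is why it makes no difference whether an access point is open, closed or encrypted.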

Again this is nothing new. But the crucial part is that either implicitly or explicitly this is done by opting into the service. Either by configuring a service, by installing an application or by saying “yes it’s OK to use my location”.

But what is new is that by going “mainstream”, location sharing is now also ripe for abuse.

One indication of this abuse is the recent news that free apps on the Android platform are secretly sharing A-GPS location without the user being aware of it. One could argue that when installing the app this is listed as one of the capabilities …

This application can access the following on your phone:
Your location
coarse (network based) location, fine (GPS) location

… but just like the EULA, or End User License Agreement, people rarely read the small print and simply click through to get to the “good stuff”.
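
Since the install screen is so easy to click through, the same information can be checked mechanically. The following is an added example, not part of the original post: it reads an Android manifest that has already been decoded to plain XML and reports whether the app requests the coarse or fine location permissions listed above together with network access. The sample manifest and its package name are constructed.

```python
import xml.etree.ElementTree as ET

# Attributes such as android:name live in the Android XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission names mapped to the wording shown on the install screen.
LOCATION = {
    "android.permission.ACCESS_COARSE_LOCATION": "coarse (network based) location",
    "android.permission.ACCESS_FINE_LOCATION": "fine (GPS) location",
}
INTERNET = "android.permission.INTERNET"

# Constructed manifest for a hypothetical free app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freewallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Free Wallpaper"/>
</manifest>
"""


def audit_manifest(xml_text):
    """Summarise the location-related permissions a manifest requests."""
    root = ET.fromstring(xml_text.strip())
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    location = sorted(LOCATION[p] for p in requested if p in LOCATION)
    return {
        "package": root.get("package"),
        "location": location,
        # Location access plus network access means a fix can leave the device.
        "can_send_off_device": bool(location) and INTERNET in requested,
    }


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```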

Another indication is the recent proof of concept that allows a malicious web page to exploit a user being logged into their wifi access point’s web based administration console, grab the MAC address of the access point and utilise a third-party WPS web service to geo-locate the user. Admittedly this is a proof of concept; it requires a very specific set of circumstances to be in place in order to work … a vulnerable wifi router, visiting a malicious site with the exploit installed, being logged in as an administrator on the wifi access point’s console at the time of visiting the malicious site.

But we should all be warned. As location goes mainstream and becomes ubiquitous, so does the attention of those who would abuse and exploit this.

As a footnote, the inspiration for this post came from Paul Clarke, who spotted the geolocation exploit proof of concept. In addition to taking a damn fine photograph, Paul also writes equally well. If you don’t read his blog, you should.

Photo Credits: Stefan Andrej Shambora on Flickr.
Written and posted from the Nokia gate5 office in Berlin (52.53105, 13.38521)

No Comment?

Why do we blog? It’s a gross simplification but I think the reasons are three-fold. Firstly when you write a blog post you have something to say, you need to find the right words and write them down, albeit virtually. Secondly, you want someone to read what you’ve written. Thirdly, sometimes you want to stimulate or generate a debate on a topic, to provoke discussion and to participate in a dialogue with the people who’ve read your words. The last of these reasons is why comments are open on my blog by default and why it’s not necessary to register on my blog, just to provide a name and an email address.

So why then, after writing all of the above, have I closed comments on my recent post on the Ordnance Survey supported GeoVation awards?
I woke up this morning to discover that the post had attracted a reasonable amount of traffic; I saw this from the stats on the bit.ly link to the post that was publicised on Twitter and on Facebook, I saw this from a quick peek at my analytics logs and I saw this from the number of comments waiting for approval.
I firmly believe that everyone has the right to an opinion and a view on a topic and that they also have the right to air those views and opinions. But I also firmly believe that I have a right not to display abusive, offensive and derogatory comments on my personal blog and so I’ve removed those comments and closed the post for further comments. I’ve never had to do this before and I sincerely hope that I don’t have to do this again.
I made an informed decision as to whether to support the GeoVation scheme; you may not agree with that. You may feel that having the Ordnance Survey support the scheme and provide the seed fund is not something you want to be associated with. That’s totally fine but does it give you the right to be abusive towards me and have me publish that abuse? I don’t think so.
I’m really happy that you had a similar awards program in your country and that you feel it was better, or superior or vastly different than the GeoVation awards were in the UK. I’m not really sure that “my awards are better than your awards” makes for meaningful or informed discussion though.
I’m sure that you think you could have come up with better ideas, better venture submissions, better applications, better uses of geography. So why didn’t you? Why didn’t you participate in GeoVation if you’re UK based or in a similar scheme in your country?
Time to move on from this topic I think.
Written and posted from the Yahoo! London office (51.5141985, -0.1292006)
