As the US Supreme Court mulls over the case of Carpenter v. United States, which may have far-reaching consequences for police who track suspects without a warrant via their cellphones, four engineers at Princeton University have revealed a brand-new method for identifying the location of a cellphone user. The result of their ingenuity is as remarkable as it is alarming.
Using only data that can be legally collected by an app developer without the consent of a mobile phone’s owner, researchers have been able to produce a privacy attack that can accurately pinpoint a user’s location and trajectory without accessing the device’s Global Positioning System (GPS). And while the ramifications of this ability falling into the wrong hands are distressing, the way in which they pulled it off is nothing short of genius.
To protect a mobile phone user’s privacy, any app distributed through Google Play or the Apple App Store must explicitly ask for the user’s permission before accessing location services. Now, we know that even with that functionality turned off in a phone’s settings, law enforcement is able to track mobile phones using either historical cell-site data (identifying the cellular towers you’ve been closest to) or cell-site data collected using a class of law enforcement devices colloquially referred to as Stingrays. But as it turns out, neither cell-site data nor location services are needed to track a mobile phone owner with GPS-like precision.
In fact, basically all you need is your phone’s internal compass, an air pressure reading, a few free-to-download maps, and a weather report.
Your mobile phone comes equipped with an amazing array of compact sensors that are more or less collecting information about your environment at all times. An accelerometer can tell how your motion is changing (and so how fast you’re moving); a magnetometer can detect your actual orientation in relation to true north; and a barometer can measure the air pressure in your current environment. Your phone also freely offers up a slew of non-sensory data such as your device’s IP address, time zone, and network status (whether you’re connected to Wi-Fi or a cellular network).
All of this data can be accessed by any app you download without the type of permissions required to access your contact lists, photos, or GPS. Combined with publicly available information, such as weather reports, airport specification databases, and transport timetables, this data is enough to accurately pinpoint your location, regardless of whether you’re walking or traveling by plane, train, or automobile.
Previous attempts to track users with non-critical data have seen only marginal success. They’ve been hindered by either excessive power consumption—meaning the attacks are easy to detect—or they’ve required some advanced knowledge of either the mobile phone owner’s initial location or potential routes. This newly discovered method requires none of these.
First, for this particular privacy attack to work, the mobile phone owner must install an app to gather the information. But in a true threat scenario, the app could be disguised as anything. The 2,000 lines of code needed for the tracking function could be buried in something as seemingly innocuous as a flashlight app (for some reason, people keep downloading these apps, even though they almost always contain malware). The app created by the researchers to test their attack was aptly named “PinMe.”
To track a user, you need to determine what kind of activity they’re performing. It’s easy enough to tell if a person is walking versus riding in a car, speed being the discriminating factor; in addition, when you’re walking you tend to move in one direction while your phone is held in a variety of different positions. In a car, you make sudden stops (when you brake) and specific types of turns, around 90 degrees, that can be detected using your phone’s magnetometer. People who travel by plane will rapidly change time zones; the air pressure on a plane also changes erratically, which can be detected by a mobile phone’s barometer. When you ride a train, you tend to accelerate in one direction that doesn’t significantly change. In other words, determining your mode of travel is relatively simple.
The fact that your mobile phone offers up your time zone as well as the last IP address you were connected to really narrows things down: geolocating IP addresses is very easy to do and can at least reveal the last city you were in. But to determine your exact location, with GPS-like precision, a wealth of publicly available data is needed. To estimate your elevation, i.e., how far you are above sea level, PinMe gathers air pressure data provided freely in weather reports and compares it to the reading from your phone’s barometer. Google Maps and open-source geographical survey data also provide comprehensive data regarding changes in elevation across the Earth’s surface. And we’re talking about minor differences in elevation from one street corner to the next.
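To make concrete how little data the two steps above actually need, here is an added illustration (written for this article, not the researchers’ PinMe code): the mode-of-travel heuristics from the previous paragraph applied to short constructed sensor traces, plus the barometric comparison of a device pressure reading against a weather report’s sea-level pressure. The traces, thresholds and the isothermal barometric formula are all assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class Sample:
    speed: float     # m/s (assumed to be derived from accelerometer data)
    heading: float   # degrees from the magnetometer, 0 = north
    pressure: float  # hPa from the barometer
    tz: int          # UTC offset reported by the OS, in hours

def heading_delta(a, b):
    """Smallest angle between two compass headings, in degrees."""
    d = abs(a - b) % 360
    return min(d, 360 - d)

def sharp_turns(samples, lo=70, hi=110):
    """Count roughly 90-degree heading changes between consecutive samples."""
    return sum(1 for a, b in zip(samples, samples[1:])
               if lo <= heading_delta(a.heading, b.heading) <= hi)

def classify_mode(samples):
    """Article heuristics: time-zone change or large pressure swing -> plane,
    low speed -> walking, sharp turns or stops -> car, steady heading -> train."""
    if len({s.tz for s in samples}) > 1:
        return "plane"
    pressures = [s.pressure for s in samples]
    if max(pressures) - min(pressures) > 50:  # cabin pressure swings dwarf weather changes
        return "plane"
    speeds = [s.speed for s in samples]
    if sum(speeds) / len(speeds) < 3.0:
        return "walking"
    if sharp_turns(samples) or any(s.speed < 0.5 for s in samples):
        return "car"
    if all(heading_delta(s.heading, samples[0].heading) < 15 for s in samples):
        return "train"
    return "unknown"

def elevation_m(p_hpa, sea_level_hpa, temp_c=15.0):
    """Isothermal barometric formula (an assumption): height above sea level from
    the device's pressure reading and the weather report's sea-level pressure."""
    return 287.05 * (temp_c + 273.15) / 9.80665 * math.log(sea_level_hpa / p_hpa)

# Constructed traces, not real sensor captures.
WALK = [Sample(1.4, h, 1013.0, -5) for h in (10, 80, 200, 40, 300, 90)]
CAR = [Sample(v, h, 1013.0, -5) for v, h in ((14, 0), (15, 2), (0, 3), (12, 92), (13, 91), (0, 90))]
TRAIN = [Sample(30 + i, 45 + (i % 3), 1013.0, -5) for i in range(6)]
PLANE = [Sample(240, 270, p, tz) for p, tz in ((1013, -5), (900, -5), (820, -6), (1010, -6))]
```

Each trace is only a handful of samples, and none of the four fields requires a runtime permission on either platform, which is the point the article is making.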
Upon detecting a user’s activity (flying, walking, etc.), the PinMe app uses one of four algorithms to begin estimating the user’s location, narrowing down the possibilities until its error rate drops to zero, according to the paper. Let’s say the app concludes you’re in a car. It knows your elevation, it knows your time zone, and if you haven’t left the city you’re in since you last connected to Wi-Fi, then you’re pretty much borked.
With access to publicly available maps and weather reports, and a phone’s barometer and magnetometer (which provides a heading), it’s only a matter of time. When PinMe detected one of the researchers driving in Philadelphia during a test run, for example, the researcher only had to make 12 turns before the app knew exactly where they were in the city. “[A]s the number of turns increases, PinMe collects more information about the user’s environment, and as a result it is more likely to find a unique driving path on the map.”
The researchers offer suggestions for a variety of countermeasures that could prevent this type of tracking. Of course, it wouldn’t hurt if apps requested permission before accessing sensor data that we now know to be sensitive. One method is to lower the sampling rate of those sensors, when they aren’t needed for activities like jogging, below what a malicious app would need in order to stay hidden (high sampling rates can trigger anti-malware detection). Another suggestion is to include a physical switch, allowing users to deactivate those sensors whenever they wish. Of course, Apple, which is nauseatingly obsessed with aesthetics, would likely never add such a feature.
The real problem here is that users are effectively helpless against this kind of attack. In fact, the kind of target the researchers had in mind when they developed this technique was a user who is actually very cautious about which apps have permission to access sensitive data: the kind of person who switches off their GPS when traveling so details about their routine can’t be scooped up by anyone who might be watching. Again, your phone doesn’t consider air pressure readings, or which direction you’re facing relative to the north pole, to be all that sensitive.
It might be time for lawmakers to start paying attention before every app we download knows exactly where we—and they—are at all times, without our knowledge or consent.