We have often discussed the risks to privacy and security when talking about IoT, mobile devices, and ‘smart’ technologies. One thing we haven’t discussed often is the exposure to risk that geolocation tracking can bring to you and your business.
Most mobile devices (like smartphones, tablets, and laptops) store information about the physical location it is in. This is usually done through GPS, but if it’s connected to the Internet, the device can get a general sense of where it is in the world based on the ISP or network it is attached to.
One thing to keep in mind is that when your device stores and shares location data, it is operating as intended. All of the features we have come to rely upon (scheduling, directions, Google searches) are based on the device’s ability to determine where you are. However, there are indeed obvious, yet unintended, consequences when dealing with this kind of data.
If you want a really simple example of how this works, just do a Google search for “pizza near me.” Because Google can see your location, they can serve you relevant results. When applied like this, it massively improves how helpful our devices and the services we use can be.
The NSA (National Security Agency) has recently released a whitepaper discussing the risk and how to mitigate location data exposure due to geolocation. There are different types of geolocation, let’s take a moment to examine them.
GPS: Global Positioning Systems. GPS is a satellite-based radio navigation system using satellites orbiting the earth to provide information for navigation. Initially developed for the military, GPS has become ubiquitous and can be found on a wide range of technologies and devices.
Bluetooth: Developed approximately two decades ago, it is designed for communicating short distances (around 10 meters). Bluetooth’s main feature is that it is low-energy, and hence battery-powered Bluetooth devices can function for months if not years. Bluetooth is used to connect devices together, like your smartphone pairing to wireless speakers, or your car stereo.
Wi-Fi: As one of the most recognized technologies in use today, Wi-Fi intersects with most aspects of our daily life. While technically designed for local area networks, in practice, Wi-Fi can spread far beyond the building containing it. This way, for example, when driving on the highway, you often find your cell phone bombarded with a plethora of Wi-Fi networks pinging it.
Internet (IP-based): Finally, your Internet Service Provider (ISP) gives your devices an idea of their location. If your ISP is located in Rapid City, a device connected to it will be associated with that area. It’s not always perfect, and not always accurate, but this does play a role as well.
While these technologies use different methods to communicate with your devices, the one thing they have in common is that their connection to your devices can be used to track your location. While this is to be expected from GPS, which was designed from the ground up to provide navigation, and therefore location tracking, other technologies such as Bluetooth and Wi-Fi provide geolocation tracking as an unintended consequence when they connect to your device.
Mobile devices store location data in their logs, and cellular networks receive the real-time coordinates of your device's location every time your device pings the network. Since most people carry their devices on their person, if you can track the device, you can track the person. This means if an unscrupulous actor gains access to the network your devices connect to, they have access to you. Additionally, websites, apps, and other services can retain location data, and most tellingly, the data kept in your cell phone's logs can be used to predict where you may be going, based on where you were previously.
According to the NSA, "Anything that sends and receives wireless signals has location risks similar to mobile devices. This includes, but is not limited to, fitness trackers, smartwatches, smart medical devices, Internet of Things (IoT) devices, and built-in vehicle communications." Moreover, the NSA states. "These security and privacy issues could result in these devices collecting and exposing sensitive location information about all devices that have come into range of the IoT devices. Geolocation information contained in data automatically synced to cloud accounts could also present a risk of location data exposure."
We often discuss IoT devices and how they can be used to compromise your network's data security. However, as the NSA notes, these devices can be compromised in even more ways due to their transmission of data 24/7.
While it may be intuitive to turn off the location services on your mobile device, your GPS can still be active. Moreover, your GPS should not be confused with your device's location services. Turning off your location services does not turn off GPS, and if you turn off your GPS while your Wi-Fi and Bluetooth are still active, your location can be tracked using the Wi-Fi and Bluetooth connections to your device.
The only way to truly reduce the risk of your location being compromised is to disable location services, advertising permissions, Bluetooth, Wi-Fi, and even turning off the "Find My Device' option, which allows lost or stolen devices to be tracked. Finally, give as few apps as possible the ability to collect data or have permissions. For example, a camera app will ask for permission to access your location. This means if you post a photo you took, someone may be able to glean your location from the picture's data.
Well, consider for a moment how you use your device and the type of device you use. If you're using a fitness tracker, you need your GPS. Your wireless earbuds are Bluetooth, and if you're searching for a pizza joint, Google uses your location to provide the closest location to you. With some smartphones costing over $1,000, it makes sense to enable the location finder on your phone in case it's lost or stolen. Weather, traffic, time, and news both local and national, all depend on the device's ability to share its location and receive information based on where you are.
So while the NSA is correct about your device providing your geolocation, this function is a feature, not a bug. It’s important to cover your bases with strong security practices and general common sense. Go ahead and utilize these great features that make our modern-day technology amazing, but be mindful of them.
Always use strong passwords, never use the same password on more than one account, and avoid connecting to untrusted networks.