iPhone Tracking debacle - risks and countermeasures

Question

For those of you who are not familiar with the topic, a quick search will turn up a lot of hits, e.g. see the researcher's report at Got an iPhone or 3G iPad? Apple is recording your moves - O'Reilly Radar and their application at petewarden/iPhoneTracker @ GitHub, and Fox News: Apple iPhones Track Your Location, British Experts Warn
To summarize, there was a recent "discovery" that iPhones track your location via cell tower tracking, and store months of that data in a single file, "consolidated.db". Thus, a hardcopy record of your phone's every movement (while the phone is on). The data is typically also backed up by iTunes to your computer.

See e.g. Marco Ramilli's Blog: iPhone Tracker (thanks @atdre for the link) on the one hand, or 3 Major Issues with the Latest iPhone Tracking “Discovery” | Alex Levinson (which notes the similar predecessor file, h-cells.plist) on the other.

---

My two part questions here, without speculating on what is actually done with that data (unless you have hard information):

1. What is the extent of risk here? What is the worst impact, and what does this mean? Basically I'm looking for a threat model / risk profile on this data.
2. (Assuming the risk is high enough... ) How can one go about protecting themselves (short of dropping the iPhone altogether)? e.g. protecting that file, preventing the logging, deleting it, setting it to not send, etc.

Note that privacy exposures of location tracking information for other phones is also on-topic here.

Answer 1

I dunno, the following seems like an easy way to get information on someone, without much work at all.

From http://www.wired.com/gadgets/wireless/magazine/17-02/lp_guineapig?currentPage=all

To test whether I was being paranoid, I ran a little experiment. On a sunny Saturday, I spotted a woman in Golden Gate Park taking a photo with a 3G iPhone. Because iPhones embed geodata into photos that users upload to Flickr or Picasa, iPhone shots can be automatically placed on a map. At home I searched the Flickr map, and score—a shot from today. I clicked through to the user's photostream and determined it was the woman I had seen earlier. After adjusting the settings so that only her shots appeared on the map, I saw a cluster of images in one location. Clicking on them revealed photos of an apartment interior—a bedroom, a kitchen, a filthy living room. Now I know where she lives.

Answer 2

The most obvious and widespread security issue is that anyone with access to a machine that backs up the iPhone can look at where the phone has been. This can be a plus from the perspective of an iPhone owner who wants to track their children, or a minus from the perspective of a cheating lover.

It is also obviously a way for law enforcement to get loads of data on where people have been, hopefully only after appropriate approvals. Or alternately, for them to track activists, as Thomas points out.

I'm sure some iPhones controlled by enterprises will be used to mine information about their employees, and that may or not be legal, depending on circumstances. And of course the use or suspected use of data under those circumstances can also be used to embarrass an organization.

I wonder if bot herders will be looking for this information on the computers which they have compromised, and what they might think to do with it. A very clever terrorist might look for people who regularly seem to have access to interesting places, and find a way to plant some sort of dangerous payload on such people.

Finally, root access to the iPhone itself, which might happen remotely, could get access to not only current location info (which the attacker would presumably already have), but also to prior locations.

The researchers note one simple and helpful countermeasure: encrypt your backups through iTunes (click on your device within iTunes and then check "Encrypt iPhone Backup" under the "Options" area). Another would be to write a script to systematically delete the files as they are backed up, or to configure backups so they don't back that file up, or to just turn them off....

Update: For a more comprehensive solution, anyone (without jailbreaking) can apply the SQL triggers in the article atdre noted: Blocking iPhone Tracking (consolidated.db) Solved - Dominic White

Update 2: Apple just released a statement saying that this is cached data crowdsourced by other iPhones, not location data for the individual user, and they will be changing how much is stored, and where, and stop backing it up: Apple - Press Info - Apple Q&A on Location Data

Answer 3

An example which was given to me is parallel control of political activists. If you get the localization data from an iPhone, you can automatically know whether the owner was part of a protest or meeting. With localization data from many iPhones, you could even deduce the existence, time and position of meetings that you were not aware of. Whether this is a security issue depends on the viewpoint: some governmental agencies would see it as a solution.

Of course, when an iPhone records which cell towers it senses, the said cell towers also sense the iPhone, and dutifully report that fact to the phone operator, because this is how the iPhone can act as, say, a phone (with a user who can be called). Having to extract the data from a file on the iPhone looks very indirect and inefficient to me; simply asking the data from the operator is much easier. So I have some trouble imagining what new security weakness this file creates.

Answer 4

There is a use @nealmcb touched on but is quite an issue - legal investigations. Generally law enforcement requires warrants (it varies by jurisdiction) to seize and analyse a suspect's computers. They usually do not require the same for phones - which can usually be confiscated when bringing the suspect into custody, and the file is easily accessible to anyone.

So it becomes very easy for law enforcement to know where the suspect was at 10pm last Tuesday (I know, really they know where the phone was last Tuesday, but still...)

I'm guessing there'll be an app very soon that wipes it daily:-)

Answer 5

Dominic White goes through a very detailed blog post entitled Blocking iPhone Tracking (consolidated.db) Solved. This is the best blog post yet on the subject matter, and provides some very simple and walkthrough-esque solutions for both jailbroken and stock phones.

Answer 6

Typically, the iPhone coordinates are personal information, thus most of the directives for data protection regulations protect it. This is not a vulnerability, this is an information disclosure of personal information that are expected to be confidential and subject to data owner consent---> this is a privacy violation. Still the risk is not to be assessed with a C.Vulnerability.S.S. rating that shows Confidentiality Integrity and Availability perspective but needs a different scale for privacy violations.

Imagine wikileaks publish those data online! Imagine how many wife/husband cheating on her/his partner would be endangered ;) how many delivery personal would be found in wrong places... These data are personal and have personal type of risk that for some would be nothing and for others would be a lot. Just for example, if you can monitor's the politician's movements... You know everyone has an iPhone from those politicians ;)

How can you protect yourself? I don't know. Interesting enough, I took some photos with an iPhone 3G and when I synchronized these images with my iPhone 4, for every photos, the iPhone was exactly telling me where i was. So, Apple justification would be this one for sure but that left me puzzled for long time. In between I assume you know that iPhone 3G didn;t support GPS coordinates with the photos (at least not documented anywhere)

check PiOS http://www.iseclab.org/papers/egele-ndss11.pdf if you want some more insights

Answer 7

iPhone hacking is common both by users (also known as jailbreak) and hacker. I'm do no know i what version this feature was implemented because there are exploits that can take over your phone just by using safari. A lot of jailbroken phones have ssh enabled whit a default root password. Most of thees users don't know what ssh even is.

So say that someone compromise your iPhone and get this file. What dose the attacker really have? Well they know where you have been and when (i think the logger logs time to but don't quote me on it...). This mean that they know your daily routine. And since they can figure out where you live by looking at where the phone is during the night and they know when you work so ther's a big opportunity of a brake in.

Another use is to use social engineering. Say that you have hacked a CEO phone and you want to extract data from him but you don't what him to be in the office to avoid him be at the office. Well you have his current location wait until he leaves and the call.

This can also be done on a unknown target, call and say that you are there carrier and that there's a problem whit there billing. And when they ask for proof you can give the there home address and if you have access to the phone give them there current location as prof.

---

Now how do one protect them self form this. It's the hard part. My suggestions are as follow:

• Keep the device up to date
• If you jailbreak it make shore that you know what you are doing. turn off ssh and other features.
• Turn of Location Services (I do not know if this will work, but if you don't I know it wont.)
• If you have a jailbroken the phone look for apps in Cydia that will ether turn the feature of or delete the file.

---

Android phones.

I saw a Black Hat or Def Con presentation about android hacking and they had written an app that was able to without having requested location or networking premissons was able to phone home whit current location. It read the syslog file and was able to find current coordinates that other apps had logged and send it to a remote server.

Answer 8

Steal/find an iPhone, easily deduce where the owner lives, works, spents his/her holidays etc... A stalker wet dream, it's sure a lot more convenient than following someone 24/365.

It doesn't make much of a difference to law enforcement unless you went to a foreign country whose mobile operator they can't subpoena as they can already ask operators for logs.

As for protecting yourself it appears that the file not being purged was actually a bug and should be patched by next software update...