As it turns out, turning off location services (e.g., GPS) on your smartphone doesn’t mean an attacker can’t use the device to pinpoint your location.
A group of Princeton University researchers has devised a novel user-location mechanism that exploits non-sensory and sensory data stored on the smartphone (the environment’s air pressure, the device’s heading, timezone, network status, IP address, etc.) and publicly-available information to estimate the user’s location.
The PinMe mechanism
The non-sensory and sensory data needed is stored on users’ smartphones and can be easily accessed by any app without the user’s approval, which means that the data can be captured through a malicious app or harvested from databases of many legitimate fitness monitoring apps.
The researchers used an app that doesn’t have access to GPS and has no permission to query the identity of visible cellular base stations or the service set identifier (SSID) of visible WiFi networks.
The publicly-available auxiliary information includes information from:
- Navigational and elevation maps (PinMe uses OpenStreetMap and the Google Map API)
- Weather reports (e.g. from The Weather Channel)
- Airports’ specifications databases (PinMe uses OpenFlights)
- Trains’ heading databases (The researchers constructed one based on Google Map)
- Transport timetables (available online in various forms and often through various APIs).
The system uses different characteristics to infer the activity of the target (walking, traveling by plane, car or train) and different algorithms for each activity to discover the target’s destination or last location.
“Our experimental results indicate that, without knowing the initial location, PinMe was able to return a single accurate driving path that is very similar to the trajectory provided by GPS readings,” the researchers noted.
In fact, the researchers believe that PinMe could be used as an alternative to GPS in situations where GPS cannot be trusted due to possible signal spoofing.
They’ve noted several countermeasures for mitigating the risks of this attack against location privacy, and they include limiting the sampling rate of sensors, sensor data manipulation, and turning off the sensors.
“A hardware turn-off switch that lets the user quickly and easily turn off all sensors or a sensor-free mode implemented in the operating system in which no application can obtain sensory information enables the user to easily stop information leakage when he suspects that there might be privacy risks. For example, the user can turn off all sensors when he is driving to ensure that no application can track him,” they pointed out.
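The countermeasures listed above (rate limiting, data manipulation and a sensor-free mode) can be pictured as a mediation layer between the sensor and the apps. The following sketch is an added example, not code from the PinMe researchers or from any mobile operating system; the `SensorGate` class, its policy values and the barometer trace are all hypothetical and constructed for illustration.

```python
"""Added example: OS-side sensor mediation (hypothetical API, constructed data)."""
from dataclasses import dataclass, field


@dataclass
class SensorGate:
    """Mediates app access to one sensor (here: a barometer, values in hPa)."""
    min_interval_s: float = 5.0  # assumed policy: one sample per 5 s per app
    quantum: float = 1.0         # assumed policy: round readings to 1 hPa steps
    sensor_free: bool = False    # sensor-free mode: no app receives readings
    _last_served: dict = field(default_factory=dict)

    def read(self, app_id, t, raw):
        """Return the value app_id may see at time t, or None if withheld."""
        if self.sensor_free:
            return None
        last = self._last_served.get(app_id)
        if last is not None and t - last < self.min_interval_s:
            return None  # sampling-rate limit: this sample is dropped
        self._last_served[app_id] = t
        # Data manipulation: coarsen the reading. Near sea level 1 hPa is
        # roughly 8 m of elevation, so small altitude changes are hidden.
        return round(raw / self.quantum) * self.quantum


def mediate(gate, app_id, samples):
    """Pass (timestamp, value) samples through the gate; keep what the app sees."""
    out = []
    for t, raw in samples:
        value = gate.read(app_id, t, raw)
        if value is not None:
            out.append((t, value))
    return out


# Constructed input: 30 s of 1 Hz barometer readings with a slow pressure drop
# of 0.02 hPa/s, as a gentle climb would produce.
SAMPLES = [(float(t), 1013.25 - 0.02 * t) for t in range(30)]

if __name__ == "__main__":
    gate = SensorGate()
    print(mediate(gate, "fitness.app", SAMPLES))  # 6 samples, all 1013.0
    gate.sensor_free = True
    print(mediate(gate, "fitness.app", SAMPLES))  # [] in sensor-free mode
```

With these assumed settings the app receives 6 of the 30 samples and every one reads 1013.0 hPa, so the 0.58 hPa trend in the raw trace is no longer visible to it.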