As the Supreme Court mulls over the case of Carpenter v. United States, which may have far-reaching consequences for police who track suspects without a warrant via their cellphones, four engineers at Princeton University have revealed a brand-new method for identifying the location of a cellphone user. The result of their ingenuity is as remarkable as it is alarming.
Using only data that can be legally collected by an app developer without the consent of a cellphone’s owner, researchers have been able to produce a privacy attack that can accurately pinpoint a user’s location and trajectory without accessing the device’s Global Positioning System (GPS). And while the ramifications of this ability falling into the wrong hands are distressing, the way in which they pulled it off is nothing short of genius.
To protect a cellphone user’s privacy, any app distributed through Google Play or the Apple App Store must explicitly ask for the user’s permission before accessing location services. We know that even with that functionality turned off in a phone’s settings, law enforcement is able to track cellphones using either historical cell-site data (identifying cell towers you’ve been closest to) or cell-site data collected using a class of law enforcement devices colloquially referred to as Stingrays. But as it turns out, neither cell-site data nor locational services are needed to track a cellphone owner with GPS-like precision.
In fact, all you really need is your phone’s internal compass, an air pressure reading, a few free-to-download maps, and a weather report.
Your cellphone comes equipped with an amazing array of compact sensors that are more or less collecting information about your environment at all times. An accelerometer can tell how fast you’re moving; a magnetometer can detect your orientation in relation to true north; and a barometer can measure the air pressure in your surrounding environment. Your phone also freely offers up a slew of non-sensory data such as your device’s IP address, timezone, and network status (whether you’re connected to Wi-Fi or a cellular network).
All of this data can be accessed by any app you download without the type of permissions required to access your contact lists, photos, or GPS. Combined with publicly available information, such as weather reports, airport specification databases, and transport timetables, this data is enough to accurately pinpoint your location—regardless of whether you’re walking, traveling by plane, train, or automobile.
Previous attempts to track users with non-critical data have seen only marginal success. They’ve been hindered by either excessive power consumption—meaning the attacks are easy to detect—or they’ve required some advanced knowledge of either the cellphone owner’s initial location or potential routes. This newly discovered method requires none of these.
First, for this particular privacy attack to work, the cellphone owner must install an app to gather the information. But in a true threat scenario, the app could be disguised as anything. The 2,000 lines of code needed for the attack could be buried in something as innocuous-seeming as a flashlight app (for some reason, people keep downloading these apps, even though they almost always contain malware). The app created by the researchers to test their attack was aptly named “PinMe.”
To track a user, you first need to determine what kind of activity they’re performing. It’s easy enough to tell if a person is walking versus riding in a car: speed is the obvious discriminating factor, but there are others. When you’re walking you tend to move in one direction while your phone is held in a variety of different positions. In a car, you make sudden stops (when you brake) and specific types of turns—around 90 degrees—that can be detected using your phone’s magnetometer. People who travel by plane will rapidly change time zones; the air pressure on a plane also changes erratically, which can be detected by a cellphone’s barometer. When you ride a train, you tend to accelerate in a direction that doesn’t significantly change. In other words, determining your mode of travel is relatively simple.
The fact that your cellphone offers up your time zone as well as the last IP address you were connected to really narrows things down—geolocating IP addresses is very easy to do and can at least reveal the last city you were in—but to determine your exact location, with GPS-like precision, a wealth of publicly available data is needed. To estimate your elevation—i.e., how far you are above sea level—PinMe gathers air pressure data provided freely by the Weather Channel and compares it to the reading on your cellphone’s barometer. Google Maps and open-source data offered by US Geological Survey maps also provide comprehensive data regarding changes in elevation across the Earth’s surface. And we’re talking about minor differences in elevation from one street corner to the next.
Upon detecting a user’s activity (flying, walking, etc.), the PinMe app uses one of four algorithms to begin estimating a user’s location, narrowing down the possibilities until its error rate drops to zero, according to the peer-reviewed research. Let’s say the app decides you’re traveling by car. It knows your elevation, it knows your timezone, and if you haven’t left the city you’re in since you last connected to Wi-Fi, you’re pretty much borked.
With access to publicly available maps and weather reports, and a phone’s barometer and magnetometer (which provides a heading), it’s only a matter of turns. When PinMe detected one of the researchers driving in Philadelphia during a test-run, for example, the researcher only had to make 12 turns before the app knew exactly where they were in the city. With each turn, the number of possible locations of the vehicle dwindles. “[A]s the number of turns increases, PinMe collects more information about the user’s environment, and as a result it is more likely to find a unique driving path on the map,” the researchers wrote.
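To make the pruning concrete, here is an added toy simulation (not the researchers’ PinMe code): a constructed nine-intersection street map and a made-up drive, where the set of paths consistent with the heading changes logged so far shrinks with every turn. It assumes, as the article describes, that a magnetometer gives heading and the accelerometer’s brake-and-go pattern marks each intersection crossed.

```python
"""Toy illustration of how a sequence of turns singles out a route (constructed data)."""

# Constructed toy map: a 3x3 grid of intersections A..I with two segments
# (B-E and G-H) left out so the layout is not perfectly symmetric. Not a real city.
UNDIRECTED = [
    ("A", "B"), ("B", "C"), ("D", "E"), ("E", "F"), ("H", "I"),   # east-west streets
    ("A", "D"), ("D", "G"), ("E", "H"), ("C", "F"), ("F", "I"),   # north-south streets
]
COORDS = {"A": (0, 0), "B": (1, 0), "C": (2, 0), "D": (0, 1), "E": (1, 1),
          "F": (2, 1), "G": (0, 2), "H": (1, 2), "I": (2, 2)}

def heading(u, v):
    """Compass heading in degrees of segment u -> v (0 = north, 90 = east)."""
    (x1, y1), (x2, y2) = COORDS[u], COORDS[v]
    return {(0, 1): 0, (1, 0): 90, (0, -1): 180, (-1, 0): 270}[(x2 - x1, y2 - y1)]

def directed_edges():
    """Every street is two-way, so each undirected segment yields two directed ones."""
    return [(u, v) for a, b in UNDIRECTED for u, v in ((a, b), (b, a))]

def turn(h_prev, h_next):
    """Heading change as a magnetometer would report it: S(traight), R(ight), L(eft), U(-turn)."""
    return {0: "S", 90: "R", 270: "L", 180: "U"}[(h_next - h_prev) % 360]

def observed_turns(path):
    """Simulate the turn log of a known drive (the constructed ground truth)."""
    hs = [heading(u, v) for u, v in zip(path, path[1:])]
    return [turn(a, b) for a, b in zip(hs, hs[1:])]

def candidates(observed):
    """For k = 0..len(observed), return the set of map paths consistent with the first k turns."""
    out_edges = {}
    for u, v in directed_edges():
        out_edges.setdefault(u, []).append(v)
    paths = [[u, v] for u, v in directed_edges()]      # start: the car could be on any segment
    history = [set(map(tuple, paths))]
    for t in observed:                                # each turn prunes paths that cannot produce it
        paths = [p + [w] for p in paths for w in out_edges.get(p[-1], [])
                 if turn(heading(p[-2], p[-1]), heading(p[-1], w)) == t]
        history.append(set(map(tuple, paths)))
    return history

if __name__ == "__main__":
    drive = ["A", "B", "C", "F", "E", "D", "G"]         # constructed drive: 5 intersections, 3 real turns
    obs = observed_turns(drive)
    for k, cands in enumerate(candidates(obs)):
        print(f"after {k} heading changes {obs[:k]}: {len(cands)} possible routes")
```

On this map the candidate count falls 20, 8, 5, 4, 2, 1: the same pruning that the sampling-rate and hardware-switch countermeasures discussed later are meant to starve of input.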
The researchers offer suggestions for a variety of countermeasures that could prevent this type of tracking. Of course, it wouldn’t hurt if apps requested permission before accessing sensory information that we now know to be sensitive. One method is to lower the sampling rate of those sensors, when they aren’t needed for activities like jogging, below the rate a malicious app needs to do its work while still flying under the radar (high sampling rates can trigger anti-malware detection). Another suggestion is to include a physical switch, allowing users to deactivate those sensors whenever they wish. Of course, Apple, which is nauseatingly obsessed with aesthetics, would likely never add such a feature.
The researchers further suggest the location technique used by PinMe may be better for autonomous cars than GPS, which can be spoofed, causing wrecks.
The real problem is that users are effectively helpless against this kind of attack. In fact, the kind of target the researchers had in mind when they developed their technique was a user who is very cautious about which apps have permission to access sensitive data—the kind of person who switches off their GPS when traveling so details about their routine can’t be scooped up by anyone who might be watching. Again, your phone doesn’t consider air pressure readings, or which direction you’re facing relative to the north pole, to be all that sensitive.
The Geolocation Privacy and Surveillance Act has been introduced in Congress but has yet to advance out of a committee or receive much attention. It likely wouldn’t do much to prevent apps like PinMe from tracking people, anyway. It might be time for lawmakers to start paying attention before every app we download knows exactly where we—and they—are at all times, without our knowledge or consent.