Can your iPhone's digital footprints reveal your physical location?

Users of iPhones may be uniquely vulnerable to a new kind of cyberstalking that can reveal their real-life whereabouts, if they leave GPS and Wi-Fi activated.

Alexander F. Yuan / AP
A man leaves an Apple store with an iPhone and an iPad in his hands in central Beijing, April 1.

An Australian computer-security expert has created an application that lets anyone see the locations of the last three Wi-Fi access points used by an Apple iPhone or iPad — information that could be used to deduce where the iOS device user lives.

Melbourne-based researcher Hubert Seiwert's iSniff GPS, now freely available for anyone to download and use, combines three different Apple iOS features.

None of the features poses any threat to privacy on its own, but when combined they could tell strangers a lot about you.

"This could be used to locate ... where people live," Seiwert told SC Magazine.

Three's a crowdsource

The first feature Seiwert used is well-known. Apple iOS devices that have both Wi-Fi and GPS turned on send the names and locations of all Wi-Fi access points they encounter back to the Apple mothership. The devices don't need to be connected to a specific access point for this to happen.

This feature helps Apple's mapping services. Google does the same thing with Android devices. Users of both kinds of devices can turn the data-sharing off.

The second feature is unique to iOS devices. Last year, security researcher Mark Wuergler of Miami-based Immunity Inc. found that iOS devices, when trying to connect to a Wi-Fi access point, will broadcast the unique network-interface IDs of the previous three Wi-Fi access points to which the devices actually did connect.

These unique network-interface IDs, called MAC addresses, can be physically located when run against online location services that keep databases of such things.

(MAC addresses differ from Wi-Fi access-point names such as "John's Wireless Router." MAC addresses are fixed, unique and used by machines to communicate with each other; Wi-Fi location names, also called SSIDs, can change at any time and exist for human convenience.)

Wuergler told the tech blog Ars Technica in March 2012 that he'd combined the Apple MAC-address feature with Google Location Services for Android to create a proof-of-concept application called "Stalker."

"I'll know where you work, I'll know where you live and know where you frequent," Wuergler said at the time. "If the last access point you connected to was your home, for example, I'll know right where to go to get to you later or get to your data."

One door closes, another opens

After Ars Technica ran its story, Google adjusted its location services so that they could no longer be used for that purpose.

But Seiwert leveraged the third Apple feature to get around that. He discovered that Apple's own Location Services for iOS gave up the physical locations of MAC addresses, collected as part of the crowd-sourcing mapping feature, if it thought the request came from an iOS device rather than from a human being.

"You can send Apple a single MAC address of a Wi-Fi router and they will send back a result set including the GPS coordinates of that MAC address and about 400 others" in the near vicinity, Seiwert told SC Magazine.

Seiwert's iSniff GPS tool automates the collection of data from all three processes. When Seiwert's laptop is connected to an open Wi-Fi access point he himself has set up, iSniff GPS locates all iOS devices within range; collects the MAC addresses of the previous three Wi-Fi access points to which each iOS device had connected; queries Apple Location Services for the physical location of each logged MAC address; and finally, overlays the location results on Google Maps.

In a few minutes, iSniff GPS will have found and mapped the physical locations of the home wireless routers of the owners of most of the iOS devices within Wi-Fi range of the user's laptop.

While attending the BlackHat security conference in Las Vegas in July 2012, Seiwert used iSniff GPS to harvest 3,543 MAC addresses from 1,337 iOS devices. He gave a brief presentation on his findings at the Chaos Communication Congress security conference in Hamburg, Germany, in December 2012.

Seiwert has now posted iSniff GPS to the online open-source code repository GitHub.

Originally published on TechNewsDaily.com.

http://www.technewsdaily.com/18044-apple-location-stalker.html

Copyright 2013 TechNewsDaily, a TechMediaNetwork company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.
