iPhones secretly track 'scary amount' of your movements
Apple's iPhone and iPad constantly track users' physical location and store the data in unencrypted files that can be read by anyone with physical access to the device, computer researchers said. The file, which is stored on both the iOS device and any computers that store backups of its data, can be used to reconstruct a …
To be honest, I'd taken it for granted that most smart phones did this.
In the US the Feds mandate that all US cell phone have lojack capabilities so that the cops can track you. It's actually written into the rules. So the fact that Apple records them comes as no surprise to me.
There is a bit of a difference in being able to ask a phone to remotely tell you of its location when it has been lost/stolen (as is done with MobileMe on the iphone and countless applications on Android including "Where's My droid" and "Lookout") and having a device "pre-emptively" recording your every move and recording it for month after month without any permission requested or granted!
Would you say "OK" to an a new application that said it would record all your movements and store them in an unencrypted file when you backup? I certainly wouldn't.
Whilst there are reasons to need to know the current location, there are no reasons I can see that would require this to be stored in a historical log. I'm sure the security services could find lots of reasons this is a good idea, but then they aren't interested in your privacy.
It does sound like a bit of debugging code which has been left in, but whatever the reason, it's not a nice discovery.
Didn't you read evreyword in the 16000 word EULA it clearly gives them permission to track you and share this info with whoever they like. You clicked the agree button or opened the shrink wrap or whatever so you did agree to this.
...for not buying anything with an 'i' in front of it
The tracking laws in the US mandate that the carriers be able to track users, not that the information be stored in the device or in the backup software
....I never go anywhere "interesting" with a mobile phone.
I downloaded and tried the software. While it found all of my tracking data for the UK it failed to find any of the trips my phone had made to France, Germany or Russia.
France and Germany where on roaming (Orange in the UK) and Russia is a separate SIM card.
Personally I have no problem with this data being collected as Orange are able to track me everywhere I go anyway.
...and now Apple too apparently. And anyone with user access to any PC or Mac you sync it with, and the authors of any executable which might be run on said machine and call home. It doesn't even need to be you running them. Any user can see it and see what your routine is.
Why don't you have a problem with that?
Uh you say: anyone with user access to any PC or Mac you sync it with
Actually they would need your user account and password to read your files right. I mean one user on the OS cannot read the files of another user's account. And if someone hacked my user account there's much more valuable data they can get to.
How secure that is would depend on how the PC/Mac was configured. I've used plenty of both that automatically start up logged in to the desktop. Linux would be far safer (if it ran iTune), as every distro I've used insists on a log in.
And if your user files aren't encrypted, or stored with with a file system which enforces access control, then simply removing the hard drive and plugging it into an external USB housing on another machine will let you read all the files.
Not that this is likely to be required in the spouse spying context mentioned in the article.
Coming next week:
"Here dear, I've bought you an iphone for Easter"
*SLAP*
"simply removing the hard drive and plugging it into an external USB housing"
That's the hard way... Just boot up a live CD and you can see everything.
Since information is only stored once (a year or more) for each cell tower. They just get a blob of places you might have been around.
But if you're still worried just tick the checkbox that says "Encrypt my backup." Problem solved.
"Personally I have no problem with this data being collected as Orange are able to track me everywhere I go anyway."
This isn't about Orange tracking you. You have a contract with Orange and part of the price you pay for the service you recieve is that Orange can track you. Quid pro quo.
This is about other people being able to track you and find out historically where you have been. The article gives the example of someone getting hold of the database from a backup which seems irrelevant to me. Might matter more if I were the sort to play away, if Mrs iShit wants to know where I've been she's welcome to.
What I'd find more concerning is that this is available to any app on the phone. Pleanty of apps have been found doing questionable background activity, how long before a freebie ad sponsored game starts feeding this back to the mothership?
Surprised the file isn't called newlabour.mbdb.
The 'price I pay' is NOT they can track me. The price I pay is on my invoice. Since I am not offered a 'no tracking' option (which MAY be differently priced), I have no choice in the matter,. Hence, the contract is extortionate.
It's obvious that your phone service provider has to know where you are (at least, in the sense of which cell you are communicating through) in order to route calls to you. The ETSI standards define mechanisms for this information to be recorded and made available to law enforcement subject to appropriate legal provisions. If you're concerned about this tracking, it can be circumvented (at least in normal circumstances) by simply turning off your cell connection.
But this is very different from the phone manufacturer using built-in GPS to record your phone's movements throughout its lifetime (and sharing that information with 'appropriate' third parties). Apparently the right to do so is buried on page 94 of the 20,000 word legal document that you agreed to by breaking the seal on your new phone.
Lawyers: start your engines!
Orange or any GSM operator in a modern country is bound to some insanely serious laws about such location data. In fact, in some countries, people have died because the network operator declined to give location data without proper paperwork.
Ask anyone at a GSM operator, even they can't access such data without proper paperwork. Yes the people sitting at their data centers. Every access is logged and there must be something to show for each access.
Apple is not bound to such laws, especially with their evil genius lawyer written EULA.
Just watch when they sue them, you will be surprised.
"But this is very different from the phone manufacturer using built-in GPS to record your phone's movements throughout its lifetime (and sharing that information with 'appropriate' third parties)"
This is very different from what it actually does. It tracks your location based upon triangulation of cell towers (think what would happen to the battery if GPS was constantly on), and also keeps a log of Wifi networks your phone has spotted. You could probably also circumvent this by turning off your cell connection and your Wifi.
I have an iPhone and this concerns me, but at least get it right.
You beat me to it, It's one thing to have the cell provider track when you're camped-on to the network , but this would normally be just the tower ID.
This creepy thing triangulates between "n" towers and records WiFi MAC's - a shitload more detailed information than you (are compelled to) agree to by using a mobile phone.
There are legal agreements in place to cover disclosure of mast ID's - I would presume "reasonable suspicion" is required, or at least the pretence of it. There is no regulation whatsoever of this new datagrab.
Still, i don't have a iThing and don't frequent public toilets much, so I've nothing to worry about. Right? ,
Many programmers will be familiar with cache files. This just stores the results of the Cell ID to latitute/longitude that all smartphones with GPS have to use.
I've confirmed that eg the area around my own home only shows up once since I got my iPhone (6 months ago)! Hardly tracking to the second... Also the resolution (in the raw data) is only down to about cell tower level.
All this does is saving my phone making constant queries to Apple for this Cell ID mapping, which is how Android does it. At least this way Apple has no way of knowing what I do every day.
Oh it saves battery to.
Any privacy loving person will already encrypt their backups, and apps approved by Apple will not have ways of accessing this file in the phone.
Complete non-issue in my point of view.
This does sound like a rather plausible explanation of what the data is doing on the phone, I'm not sure why you are getting voted down, unless its your assertion that it's a complete non-issue. Presumably someone determined *could* get the info off the phone.
"Any privacy loving person will already encrypt their backups,"
I hate to disagree, but where I come from privacy means a 14 year old girl hiding their cell phone while they;re in the shower so that their mom can't browse through their text messages.
The idea of encrypting a backup simple wouldn't occur to 90% of smart phone users. Most smart phone owners aren't technical people. Most probably don't back up at all. Syncing their iTunes with their laptop is probably the closest thing that they get to doing a backup.
You buy an iPhone because "it just works". Not because you want James Bond style privacy.
He's probably been voted down because he didn't immediately call for Steve Jobs' head and recommend everyone blend their iPhone and then put a tinfoil hat on.
"He's probably been voted down because he didn't immediately call for Steve Jobs' head and recommend everyone blend their iPhone and then put a tinfoil hat on."
Yes, yes, very droll. I'd wager though, that he's been downvoted because he's posted a smarty-pants rebuttal of the findings in the article, and he's wrong. Just throwin' it out there. Could also be the 'to' vs. 'too' thing.
If you had read the cited article, it's not the tower location, it's triangulating your actual location down to a few metres and recording it with timestamps with 1 second precision. And it's not a cache file, it's an SQL database which is not getting deleted.
Encrypting a backup is just one checkbox tick away on the device's page in iTunes.. hardly a very complex operation.
There's very little in this cache file. It also has many errors, for example it shows up with places I've never ever been to.
The downvotes are typical whenever anyone says Apple might not be entirely to blame anywhere in El Reg.
Apparently to even technical people at El Reg it's fine to send location data to Google, but it somehow becomes an invasion of privacy when even sparser information is stored in your own devices.
Ahhh..that would explain why iTunes always ask me to upload crash* files to Apple when I try to synch the iCrap device.
* Crash, cash...who in the walled gardens know the difference....YOU ARE ALL SAVE!!!!
Next....targeted advertisement
@ .3
If you had read his comment, it sounds like he's actually taken the time to investigate the contents of this file from his iPhone and has not found per second data, has noted accuracy "only down to about cell tower level" (i'm guessing he's not in the position to go and work out exactly how accurate), and has not seen his home location more than once in the data (and I'd guess he's being going there most days in the past 6 months). Kind of at odds with the article, I know, but why shout at /downvote him instead of questioning the article?
Also, it may be that it *is* a cache file, it all depends on how many duplicate entries one can find - if you find lots then it's more akin to a log file (which should be purged regularly), if you find one then it's most likely a cache file (which really should be limited in size and have least used records removed on a regular basis).
@ PerfectBlue
Your assumptions seem to indicate that encrypting backups is not that much of an issue.
1) Most people won't think about encrypting a back-up (a checkbox on the device's "home" page - not exactly hard - but let's run with the assumption)
2) Only Tech savvy people will encrypt.
3) Hardly anyone backs up their devices anyway.
Based on the above, it seems like the issue of encrypting backups won't affect most people and the chances are pretty good that those who *do* back up are the tech savvy ones (we like backups, after all) who will encrypt said backups.
If you actually see the file and not go by some speculative articles you'll see it is the cell tower locations and timestamps are precise but towers only get recorded once.
Here's the SQL for the CellLocation table:
CREATE TABLE CellLocation (MCC INTEGER, MNC INTEGER, LAC INTEGER, CI INTEGER, Timestamp FLOAT, Latitude FLOAT, Longitude FLOAT, HorizontalAccuracy FLOAT, Altitude FLOAT, VerticalAccuracy FLOAT, Speed FLOAT, Course FLOAT, Confidence INTEGER, PRIMARY KEY (MCC, MNC, LAC, CI))
as you can see MCC, MNC, LAC, CI are primary keys, therefore will only appear once! So this does not track all your movements.
Sorry to state the bleeding obvious - but you've identified a bunch of keys defined one table - wouldn't that suggest that the data might be linked to information held in other tables?
Perhaps phone keeps a unique record of the location of each hotspot/tower and also has a table (with one entry per second) referencing them - you know, some kind of a log - so when you use the two together you can generate a detailed mapping of the phones location over time.
I think we used to call those kinds of things relational databases.
Wow, talk about exaggeration, I was expecting a _really_ accurate trail of where I'd been with my phone. It is _not_ that. It was various dot sizes, very roughly where I'd been in the UK, sort of.
Apparently I'd visited Cardiff (or my phone has, without me). I think I have visited Wales as a young child, certainly pre iPhone days, nearest I've been since then is Bristol (ironically doing some consultancy for cellco there). It had no indication of my various trips to Aberdeen (nothing North of the Border).
There is a very small dot (accurate fix I'm assuming?) on my house for one day, when I hit play. I'm pretty sure I've spent more time here than that! There is no dot covering my office, and I seem to be spending a lot more time south of the river than I remember.
The data is very inaccurate, which greatly lessens the security impact (though does not remove it of course). I did see that I'd visited Exeter and Bournemouth with the in-laws last year, but there are probably easier ways to find that out (like my flickr feed?).
First off I am glad we can agree this is not a cache file.
Secondly, you are spot on that MCC, MNC, LAC and CI will only occur once in the table. However this is not the protection you think it is.
Lastly, I have had a look at mine now and despite what you are claiming here it *does* seem to be tracking a lot of my movements very accurately. How can that be?
You seem to know about relational dabatabases so why are you ignoring that primary keys also have that other function you, indexes for quick lookup of data.
Which would be very convenient in a table that need quick access.
@ +++ath0
The phone was pwnd at Infosec. Pentesting companies view its security as so weak they wont issue it to their employees. I am sure you know more than any of the other people who have published their findings, which is why you confine your rebuttals to a discussion forum on the Register.
Bravo.
Interesting update.. nice summary paragraph in there of one of the main issues
"Now for law enforcement and other purposes the device can come in handy. Will it give you a 100% accurate GPS point with Date/Time? No. Will it give you real-time tracking data to track someone? No. Can it help you narrow down timeframes and locations of potential suspects or victims? Absolutely, if used properly."
@ +++ath01 or Gk.pm,
The point is not that pwning the device will allow you to install trackers it is what historical information is now available.
I dont think anyone thought you only posted here - I suspect like most you have a day job.
Christopher Vance's article is good (and it is an improvement to see links to supporting claims rather than simple assertions) but the simple fact remains that a lot of his conclusions are guesses and assumptions. He says so himself.
He makes the following statement:
"Can it help you narrow down timeframes and locations of potential suspects or victims? Absolutely, if used properly."
And this is pretty much the problem.
@Tim and @AC
Yes he does say that if used properly law enforcement can narrow down timeframes and areas. But he also says " after looking at a freshly wiped iPhone 3G which was running iOS 4.2.1 which didn’t leave a single building, had points from all over the town."
So there seems (and I see this too, both in my data and in the original movies posted) a lot more data in there than actual location. It would be really difficult to pinpoint anyone based on this data.
From my own experience I can't even pinpoint my own house to where spend at least 8 hours a day.
This opens a lot of plausible deniability cases: if someone claimed you were somewhere based on this data you can easily say you were not and it's all down to the phone caching more than it needed. No one could truthly say otherwise.
I agree a lot more research has to be done on this, but hopefully not the sensationalistic kind. That's just destructive and doesn't help much.
It seems from other articles I've read that yes - it *is* the location of cell towers and WiFI hotspots that is recorded, *not* the location of the device.
And whether the data is held in an SQL database or not is immaterial to the question of whether it is a cache.
"iDevice location tracking vulnerability: Apple says innocent have nothing to hide"
That's already been Googles answer courtesy of Eric Schmidt:
"If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place."
Oh what like using Google to look up if I have an embarrassing disease, or my gps route tracked by an Android phone? Why on earth might I not want anyone to know that? How stupid and unreasonable of me.
Apple are less concerned to intrude on your privacy just so they can sell you advertising. Their response would more likely be "You're holding it wrong"
You cannot be tracked if you're holding it *right*
But what if you can do the Kessel Run in under fifteen seconds?
see the field "Speed FLOAT" ;)
incidentally, why IS there a speed field if apple are innocently "just" single records of each cell tower you've been near once like the fanboys would like us to believe?
Cache files don't normally store date for 12 months.
if the information they store doesn't change much. Like for example cell tower locations.
Think about it, isn't it better that the phone already has this Cell mast id to location mapping and doesn't contact Apple with a new request?
This way Apple gets to known even less where you are at a some given time.
Why are some people demanding that their phones don't store this and in turn have to request information from Apple more often?
Symbian on phones with a GPS receiver appears to only request this data when you're using some software that wants your location (e.g. maps) AND you enabled Network-based location and/or A-GPS. Even if it was a cache (which it isn't - why the timestamp and repeated data?), it should be possible to easily disable it.
Sign up, sign up for The Register's weekly IT security newsletter - click here
