To save time, battery life and processor cycles, smartphones don’t rely on “pure” GPS to fix their locations – they get help from location data in the mobile network. Research presented at Black Hat in Las Vegas last week cautions users that this represents a serious security vulnerability. Under A-GPS (Assisted-GPS) schemes, …
Article short and to the point, containing all the necessary information. Well done again Mr. Chirgwin.
Is this another android security flaw? How many more will be found?
@AC 06:49 GMT
All complex systems designed for communication will have security flaws whatever the OS. If you want a mobe with as few security flaws as possible, I suggest you get the cheapest phone you can find which can't do any more than make voice calls. If, however, what you want is a good trade off between functionality and fewest unpatched vulns, find a phone with a relatively old open source OS but still popular and which is still having security patches sent out to handsets. Reason for open source choice being that more security research is likely to be published. The closed source handsets still attract plenty of security research, some of it by the wrong people, and there are more reasons not to publish it.
Re: @AC 06:49 GMT
Open or closed source is insignificant, because an attacker does not make that distinction. A bigger concern is adoption scale. Consider the number of exploits that target Windows (closed source) vs. Linux (open).
A factor that contributes to Android's apparently vulnerable stack is that while Google make it mostly secure, you're risking the handset manufacturer as well as the network operator getting it wrong. And get it wrong they do with Android all the time. Not being able to uninstall apps that aren't wanted is a risk. Changing parts of the stock OS introduces risk.
I hate Apple in a really big way, but have to concede that their OS provides fewer opportunities for malicious or unintentional exploits, because Apple control the entire stack.
Actually, the techniques being discussed here are used by all the popular mobile OSes.
Now if you'll excuse me I have to go dig that old Garmin unit out of the closet.
1) Why is this an Android only issue? ANY phone using AGPS uses this method - including the hallowed iPhone.
2) It doesn't ask for help over the WiFi network - it asks the Mobile Network it is connected to for help. You can actually see this on Android phones when they are running a little bit sluggishly because despite being connected to WiFi - when you open an app that wants a GPS position - the Mobile data indicator will briefly appear as it talks to the mobile network - and then disappear again when it has received the necessary information - normally within a fraction of a second.
Why just Android phones?
Yeah didn't explain that one. What about iphone and that Nokia /MS phone?
@Andrew Jones 2 "Why is this an Android only issue?"
It is of course not an Android only issue (as you point out yourself and explain why in point 2.). Indeed, the article itself (as far as I can see) does not mention the os at all, it only appears in the subheading. Now why might the subbie (or whoever composed that subheading) have chosen to frame it in that way? I put to you that we all know why it was done that way and we also see the same kind of approach to headlines when it involves Redmond, Cupertino etc. etc. Knowing why of course does not make it any less irritating. -:)
Re: Why just Android phones?
The fandroids have got a point - it's not like you've got to get a malware-app into the marketplace in order to do this, so why just Android?
A-GPS Not Using Wi-Fi? Huh?
I must be missing something, so I readily concede my ignorance.
However, I am using my Sprint-locked HTC Android in a country that does not use technology Sprint is using. I am using the phone only for text, surfing, and navigation, and of course I cannot make Mobile Calls. I cannot even reactivate Kakao because I cannot get the text-delivered confirmation, since Kakao (for now) does not deliver the confirmation code via e-mail.
But, I most definitely am getting GPS inputs as I walk all around,and the updates appear to have no lag. I am probably being assisted by the mobile hot spot that is in one pocket while my phone is less than 12 inches away.
I sincerely do want some clarification so I can learn. Can someone clue me in?
Now, as for worrying about being tracked by GPS, all it takes to be tracked efficiently is for the phone to be in a mode to allow data updates to be done continuously. Even if that is not set to be active in the phone, all it then takes is for one to keep fetching messages and making curiosity surfing a habit. If one is being tracked, it may not be necessary for the trackers to have a solid, pretty, continuous ticker or paint brush line. After watching a person for a few days, maybe even a few hours, it is pretty easy to predict where someo... the target... will eat, drink, relax, or hop on or off of transit.
Well, that is, assuming the phone is never turned off longer than 2 hours and assuming the user never leaves the phone behind more than 2 hours and assuming that the user is not be physically monitored by eyeballs and embedded darts/tags. (I assume that anyone being tracked by multiple means is a VERY hot/radioactive/"interesting" person....)
Reading the original article...
it would appear they are stating that the A-GPS messages are sent over your general internet connection (i.e. over an IP based protocol), not the mobile network specifically (although of course if your internet connection was via the mobile network they would go that way) - so reading between the lines, if you happen to be connected to the internet over wi-fi it will send the A-GPS data over that wi-fi connection.
Again reading between the lines, if the A-GPS over IP protocol had the facility to send a new A-GPS server IP address back to the phone, the wi-fi network could spoof that message and re-route all future data from that phone wherever it likes, this would continue to happen even once disconnected from that wi-fi network (although presumably only until the real network re-configures this at a later point in time).
It's all speculation on my part though, this article and the original are both lacking in too many details.
Oh yes, and of course it has nothing to do with Android.
Re: A-GPS Not Using Wi-Fi? Huh?
You are most likely getting location information over wifi rather than a-gps. My iPod touch can only use wifi for location, as it has no GPS or cell connection. When it is connected to the internet via my tethered android, the location the iPod shows on for example Google Maps is pretty accurate and regularly updates itself if for example I am on a train.
"if an attacker had access to a WiFi network the phone connected to, its assistance request could be captured, and redirected to the attacker’s server. The attacker would now know where the phone is"
Errrm, hate to point out the obvious, but if you're connected to a WiFi network, I have a pretty damn good idea where you are without fancy hacking involving capturing, processing, and returning packets. You're gonna be somewhere within ~30m of the basestation!
The point of the attack, though...
...is that the requests for assistance can be rerouted to the attacker's server and that re-routing remains in place in the future, meaning the attacker will be able to see where you are at any time in the future, not only at the time of the immediate attack on your friendly local WiFi. At least, that's the way I read the article.
haha, I came in to make the same point!
"Tracking Android phones is easy, says researcher"
"Tracking Android phones is easy, says researcher".
You'd expect nothing less from Google!
Re: "Tracking Android phones is easy, says researcher"
"Tracking Android phones is easy, says headline".
The researcher said it's possible to track smartphones but requires the phone to be connected to a malicious wifi network whilst it makes a location request. The only appearance of the word "easy" in the linked article is in a quote from another expert: "Today, it is not easy to infect many users with a malicious app". You'd expect nothing less from Google!
The original article specifically mentions Android devices
But this is likely because they devised their attack on Android since the source code is available. They mention this code runs on the CPU rather than on the GPS chip. Assuming the A-GPS code similarly runs on the CPU and not the GPS chip on the iPhone, the same attack would also be possible. This would be more work on the iPhone however, since you'd have to devise your attack on disassembled object code rather than well documented source code.
Not sure what this Wifi hijacking thing is. It sounds like when Android connects to Wifi, there is something related to A-GPS that can be done. There are DHCP options related to GPS, maybe this indicates the Android DHCP client processes them? Perhaps it turns out that's not such a good idea...
Re: The original article specifically mentions Android devices
Sorry, but I don't think you know what you're talking about. Sounds to me like the type of attack the author is discussing involves an external site intercepting communications between the phone and and an A-GPS server, then spoofing the phone with a "man-in-the-middle" attack. This has nothing to do with the code running on the GPS chip or the CPU. It has to do with the way A-GPS is designed.
I don't quite understand how this could work, though. My Android phone has a hard-coded A-GPS server: supl.google.com to be exact. I would assume that the phone looks up this address through DNS, then resolves the address to the correct IP address. So it sounds like the attacker could intercept the initial DNS lookup and redirect to another IP address. This would allow the attacker to monitor the transactions for a while.
What I'm not understanding, though, is how this would provide ongoing interception. Seems that once the GPS function or the phone was turned off, the next time GPS was used, the phone would go and do a new DNS lookup and then fetch the correct IP. In fact, it's possible that it does the DNS lookup every time the initial DNS lookup expires. So, without some more detail, I don't know how significant this threat might be.
Woody, you are correct
The DNS resolver can only use the cached result for as long as the TTL is not expired. Of course, the attacker could set a very high TTL, but this could be easily mitigated in software by applying a lower maximum TTL.
So let me get this right. So the attacker needs to be connected to the same wifi point and he can get the phones location. You mean they guy in the corner playing with his phone?
Surely there has to be more to this than this?
My somewhat limited understanding of it is.....
The device requests assistance from the mobile provider to locate nearby sat positions, it then uses this data to help get a fix quicker.
So on to the hack....
In the event your connected to a malicious wireless network or someone can hack your phone over the wifi then they could override the settings provided by the mobile provider and replace them with there own. I would assume since they stated it remains in effect afterwards there must be some mechanism which then prevents the device from either asking the network for settings and again or simply prevents the settings from being update.
I suppose the easiest thing to compare it too would be DNS spoofing
This might boos sales of disposable phones. Even if it does, the truest utility in using a ditchable phone derives from the level of intelligence of the user, and the least amount of use of that phone, and the ability to obscure the acquirer and distributor and recipient of the phones, at the very least.
Most A-GPS does not use network for location information
Most stand alone GPSs are slow to get a first lock because they have to download data about the GPS satellite orbits from the GPS satellites. About 56KB of data but the download rate is really slow and often times out. Once the device has this data it can get a fix in a couple of seconds which is why the second fix is quick. The data is useful for about 6 days.
What most A-GPS systems do is download this orbit data from the internet rather than from the satellite which is quick. Most smart phones do this.
Google also does mapping of IP addresses to approximate locations. This is a form of A-GPS but when a phone spec says it supports A-GPS this is not what they are referring to.
Intercepting orbit data downloads is not going to help you pin point a phone. Most phones do not use tower signal strengths to pinpoint locations.
More like a problem with any phone which uses the SUPL protocol
Doesn't matter if you use supl.garmin.com, supl.google.com, supl.navteq.com, supl.nokia.com, etc etc etc... But at least if you've got an Android phone and use supl.nokia.com you get a faster lock and it's one less bit of data Google has on you, so Nokia aren't all bad...