The Register reported on February 7th that researchers can locate your smartphone even if you have location tracking and Wi-Fi turned off. Some of this data can be collected without permission, because smartphone makers don't consider it sensitive.
The researchers from Princeton University (student Arsalan Mosenia, IEEE members Xiaoliang Dai and Prateek Mittal, and IEEE fellow Niraj Jha) tracked phones using a technique called PinMe, which combines information from the phone and non-phone sources to determine a user's location.
In their paper, they explain that PinMe works with "non-sensory/sensory data stored on the smartphone" (the first category includes the time zone and network status; the second includes air pressure and heading), and when that's combined with "publicly available auxiliary information" like elevation maps, it's able to "estimate the user's location when all location services are turned off."
The combination of data sources, the paper says, yielded user tracking "comparable to GPS" on their iPhone 6, iPhone 6S and Galaxy S4 i9500 test devices.
In the PinMe attack, the researchers used a malicious app to gain access to the data from the phones. Time zone, device IP address and network status don't need permission from the user to access – the same is true for the accelerometer, the magnetometer (which measures the angle between the phone's heading and north) and barometer.
The public data PinMe uses includes OpenStreetMap, Google Maps' elevation data retrieved through its API, and OpenFlights (which maps 9,541 airports). They built a train heading database from Google Maps, and accessed public transport timetables.
How does all this determine location? The IP address can be geolocated to provide a likely city; barometer data tells you if the user arrived by air; if the user's heading doesn't change much, they're on a train; travel by car can be correlated to street map data, etc.
The tests were run in Princeton and Trenton, N.J. as well as Philadelphia, Pa.
The paper suggests that phone manufacturers give users the ability to shut down sensors, or to put sensors into a privacy mode that limits their sampling rate and accuracy. That sure sounds like an excellent idea to me. Having seen the dangers of fitness apps (like Strava, recently in the news for revealing the location of American troops), the ability for users to control sensors should be a priority of smartphone manufacturers.
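To make the privacy-mode idea concrete, here is an added sketch (not code from the paper or from any phone vendor) of a filter that limits both sampling rate and accuracy before an app sees a reading. The function names, the barometer trace and the 5-second / 1 hPa limits are assumptions chosen for the illustration.

```python
# Added illustration of a sensor "privacy mode"; not code from the PinMe paper.
# Names, the trace and the limits below are assumptions chosen for the demo.

def privacy_mode(samples, min_interval_ms, step, wrap=None):
    """Rate-limit and coarsen (timestamp_ms, value) readings, oldest first.

    Keeps at most one reading per min_interval_ms and rounds each value to a
    multiple of `step`. Pass wrap=360 for compass headings so that rounding
    is circular (359 degrees coarsens to 0, not 360).
    """
    out, last_t = [], None
    for t, value in samples:
        if last_t is not None and t - last_t < min_interval_ms:
            continue  # arrived faster than the permitted sampling rate
        coarse = round(value / step) * step
        if wrap is not None:
            coarse %= wrap
        out.append((t, coarse))
        last_t = t
    return out


def distinct_levels(samples):
    """Number of different values an app could observe in the trace."""
    return len({value for _, value in samples})


# Constructed trace: barometer at 10 Hz for 60 s while pressure falls about
# 1.2 hPa, roughly what a climb of ten metres produces.
BARO_RAW = [(i * 100, 1013.25 - 0.002 * i) for i in range(600)]
# Privacy mode: one reading every 5 s, rounded to the nearest 1 hPa.
BARO_PRIVATE = privacy_mode(BARO_RAW, min_interval_ms=5000, step=1.0)

if __name__ == "__main__":
    print(len(BARO_RAW), "raw readings,", distinct_levels(BARO_RAW), "levels")
    print(len(BARO_PRIVATE), "private readings,",
          distinct_levels(BARO_PRIVATE), "levels")
    print(privacy_mode([(0, 359.0), (10, 100.0)], 0, 45, wrap=360))
```

On this constructed trace the app's view shrinks from 600 finely graded readings to 12 readings at two pressure levels, which is the kind of reduction in elevation detail the proposed privacy mode aims for.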
Hat tip to Dave Ries.