By Kevin McCaney
Global Positioning System receivers in smart phones and digital cameras can be an invaluable tool, providing location information and directions to users. But if you’re not careful, they also can provide location information and directions to anyone who might be watching you.
Examples of the risks have cropped up recently in both military and everyday situations.
Two security experts told NetworkWorld that hacked smart phones used by military personnel could reveal location information, which could endanger troops and missions.
Hugh Thompson, a software security professor at Columbia University and conference chairman for the RSA Conference, and Markus Jakobsson, who works for PayPal’s online security and malware strategy team, said enemies could get location information from phones by using a technique similar to a recently discovered malware program aimed at phones using the Android operating system.
That malicious program, discovered by Russian security company Kaspersky Labs, sends Short Message Service messages to a number that charges the phone’s user $5 a message, but it also could be used to expose location information.
Thompson and Jakobsson told NetworkWorld that hacked phones aren’t the only danger for troops. A lot of the applications they might use to communicate with people at home could pose a risk. Malware isn't even necessary, according to Gautham Nagesh, writing in The Hill. "Even using the applications that come with the phone can pose risks. Unless deactivated, most pictures taken with smartphone cameras are tagged with geocodes containing the coordinates of where they were taken," Nagesh wrote. "Troops sending pictures home to family members could give away their locations if the pictures are intercepted."
A number of security experts and privacy advocates have been trying to raise awareness about geotags, and the fact that they could reveal location information without the user’s knowledge, according to the New York Times. Free browser plug-ins allow anyone to identify the location of a photo from the geotag.
Geotags can be turned off, but users would have to root around a bit to manage it. However, the Web site ICanStalkU.com provides instructions for disabling geotags on Android, BlackBerry, iPhone and Palm devices.
Beyond image tagging, devices with GPS receivers could be compromised in other ways. In a blog post this week, Symantec researchers said that a Trojan in a free game application for Android phones taps the GPS to upload the user’s location every 15 minutes. The user’s location could then be tracked by someone using an app called GPS Spy, which costs $4.99 and also runs on Android devices.
The Tap Snake application, a variation of the snake video game that dates to the 1970s, “uploads the GPS data every 15 minutes to an application running on Google’s free App Engine service,” the Symantec researchers said. “GPS Spy then downloads the data and uses this service to conveniently display it as location points in Google Maps. This can give a pretty startling run-down of where someone carrying the phone has been,” including the times a user stopped at any location.
Fortunately, a threat to anyone from Tap Snake is unlikely, since the attacker would have to have access to the user’s phone – an e-mail address and registration key would have to be entered into both the phone running Tap Snake and the phone running GPS Spy, the researchers said. A bit of social engineering would likely be required.
But the intent behind Tap Snake is another indication of how cyber threats grow with new technology. Theoretically, a hacked smart phone in the hands of military personnel could provide a detailed picture of troop movements, said Jakobsson, who told NetworkWorld he has discussed the problem with the Defense Advanced Project Agency.
Meanwhile, experts advise users to be careful about how they use some of their new tools, since they could also be used against them.