Security Review: Cell Phone GPS

By mccoyt at 9:37 pm on February 3, 2008 | 3 Comments

With GPS receivers now common in cell phones, a group at UC Berkeley is experimenting with using the phones to gather real-time traffic information. As students drive a predetermined route, their phones report their positions to a central server every three seconds. By aggregating the speeds derived from those reports, the group hopes to build a model from which traffic statistics can be produced in real time.

While such an ability would undoubtedly be useful to a variety of organizations and would benefit those stuck in traffic, this use of GPS data from private cell phones reflects a broader shift in the kinds of personally identifiable data that become available outside the owner's control. As such, it poses significant privacy concerns for as long as steps to mitigate those threats go unimplemented.

The ability to locate a cell phone was originally mandated by federal E911 regulations that took full effect in 2005. Deemed an issue of personal safety, the government was concerned that cell phone users who dialed 9-1-1 might not be able to describe their location, and consequently could not be helped unless some method of automatically locating them was developed. As a result, cell phones made after 2005 can be located to within roughly 100 meters.

From a security perspective, several assets must be considered as use of GPS functionality increases. Of primary concern is the location data a client's cell phone sends over the network. Given the role of location information in emergencies, the feature is unlikely to disappear any time soon, but carriers and phone manufacturers should ensure that positional data is never broadcast in the clear, where anyone within radio range could intercept it. Additionally, the phone's identity on the network, and the credentials behind it, should be treated as valuable and protected so that an unauthorized party can neither impersonate the phone nor pose as the network to the phone.

When one considers how much information could be gleaned merely by tracking an individual's GPS data, it becomes clear how important securing the process is. Over the course of a day, an adversary (an identity thief, say, or some other surveilling party) could learn the location of a person's home, workplace, bank and child's school, along with their daily routine. All of this could be tied to one of the most easily obtained personal identifiers: a phone number. Such a wealth of information would readily support a social engineering scheme against the targeted party. Alternatively, it might be sold to a third party wanting highly targeted information on a person's preferences or habits: a store might wish to find out who shops with a competitor, and then target them with telemarketing or mailings.

At present, there are several ways an adversary might exploit the system to get tracking data from a user's phone. If the user has not explicitly set the phone to provide GPS information only to E911 providers, that information is often sent over the network at some interval and is rarely encrypted, allowing a third party within range to intercept the phone's coordinates. Alternatively, where a phone provides location data only to E911, a malicious user could spoof an E911 session and trick the phone into transmitting its coordinates; this works because the phone has no way to verify that a location request really comes from the carrier's emergency infrastructure.

In both cases, cellular networks and phone manufacturers would benefit from a secure protocol for the transmission of GPS data. Just as an online shopper expects their cart details to be encrypted in transit to the server, a mobile phone user should expect their sensitive location data to be handled the same way. Encryption would prevent anyone nearby from plucking the information out of the air, and authentication of both the phone and the party requesting its location would stop spoofing. Finally, wireless carriers should adopt a strong "opt-in" policy, so that their networks never request location information without first making sure the user is aware of, and has agreed to, such collection.
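The following is an added example, not code from the original post or from the Berkeley project, of what "handled similarly" means in practice for a three-second location report. The weak form sends the phone number and coordinates as-is. The hardened form refuses to send anything unless the user has opted in, encrypts the report, authenticates it with a MAC so a spoofed or tampered message is rejected, and uses a strictly increasing counter as the nonce so a captured report cannot be replayed. The cipher is HMAC-SHA256 run in counter mode as a keystream (a stand-in for a real AEAD such as AES-GCM or a TLS channel, chosen so the example runs on the standard library alone); the device identifier, key derivation and message layout are assumptions made for the example, and the key is assumed to be provisioned out of band.

```python
"""Added example: plaintext location report beside an opt-in gated,
encrypted, authenticated and replay-protected one.  Not the project's code."""
import hashlib
import hmac
import json
import os
import struct

TAG_LEN = 32    # HMAC-SHA256 tag
NONCE_LEN = 8   # 64-bit counter


def plaintext_report(phone_number: str, lat: float, lon: float, ts: int) -> bytes:
    """The weak form: phone number and coordinates go over the air as-is,
    so anyone in range who can read the frame learns both."""
    return json.dumps({"phone": phone_number, "lat": lat, "lon": lon, "ts": ts}).encode()


def _subkeys(master: bytes):
    """Derive separate encryption and MAC keys from the provisioned key."""
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class Phone:
    """Client side: opt-in gate, then encrypt-then-MAC with a counter nonce."""

    def __init__(self, device_id: str, master_key: bytes, opted_in: bool = False):
        self.device_id = device_id.encode()   # assumed carrier-assigned ID, not the phone number
        self.enc_key, self.mac_key = _subkeys(master_key)
        self.opted_in = opted_in
        self.counter = 0  # strictly increasing; serves as nonce and replay marker

    def make_report(self, lat: float, lon: float, ts: int):
        if not self.opted_in:
            return None  # opt-in policy: nothing leaves the phone without consent
        self.counter += 1
        nonce = struct.pack(">Q", self.counter)
        body = json.dumps({"lat": lat, "lon": lon, "ts": ts}).encode()
        ct = _xor(body, _keystream(self.enc_key, nonce, len(body)))
        header = struct.pack(">H", len(self.device_id)) + self.device_id + nonce
        tag = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()
        return header + ct + tag


class Server:
    """Carrier side: knows each device's key, verifies the MAC, rejects replays."""

    def __init__(self, device_keys: dict):
        self.keys = {d: _subkeys(k) for d, k in device_keys.items()}
        self.last_counter = {}

    def receive(self, msg: bytes) -> dict:
        (n,) = struct.unpack(">H", msg[:2])
        device_id = msg[2:2 + n].decode()
        nonce = msg[2 + n:2 + n + NONCE_LEN]
        ct, tag = msg[2 + n + NONCE_LEN:-TAG_LEN], msg[-TAG_LEN:]
        if device_id not in self.keys:
            raise ValueError("unknown device")
        enc_key, mac_key = self.keys[device_id]
        # Check the MAC over header + ciphertext before touching anything else.
        expected = hmac.new(mac_key, msg[:-TAG_LEN], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("bad MAC: forged or tampered report")
        (counter,) = struct.unpack(">Q", nonce)
        if counter <= self.last_counter.get(device_id, 0):
            raise ValueError("replayed report")
        self.last_counter[device_id] = counter
        return json.loads(_xor(ct, _keystream(enc_key, nonce, len(ct))))


def demo():
    key = os.urandom(32)  # assumption: provisioned out of band at activation
    phone = Phone("dev-42", key, opted_in=True)
    server = Server({"dev-42": key})
    msg = phone.make_report(37.8716, -122.2727, 1202100000)  # constructed sample fix
    print("over the air:", msg.hex())
    print("server decoded:", server.receive(msg))
    try:
        server.receive(msg)
    except ValueError as err:
        print("second delivery rejected:", err)


if __name__ == "__main__":
    demo()
```

The order of checks on the server matters: the MAC is verified before the counter is read, so a forged message can never advance the replay window, and the counter is checked before decryption, so a replayed message is dropped without doing any work on it. The same counter also gives the phone a cheap way to notice a spoofed network: a request it never opted into, or one that does not carry a valid tag under the shared key, is simply ignored.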

As GPS capabilities are used more widely by phones and their applications, there will undoubtedly be more ways such information can be exploited. The privacy implications of making this data available are only likely to grow as both government and the private sector become more familiar with the technology and its capabilities. There is little question of the feature's usefulness for a variety of purposes, but without a strong security backbone, the cost to the public's privacy may prove larger than the convenience of saving a few minutes in traffic is worth.

For more information specifically on the legal ramifications of GPS-enabled cell phones, see legalaffairs.org

Filed under: Privacy, Security Reviews

3 Comments

  • 1

    Comment by Jessica

    February 3, 2008 @ 11:58 pm

    Using cell phones to track traffic sounds like a great idea. Imagine not only having the traffic on freeways available, but also all side streets. Wow. That would make my life easier!

    With that said, I agree with you regarding the security prospect of collecting data from cell phones. However, I think that many of the negative aspects can be mitigated.

    First of all, there do not need to be many cell phones tracked in order to get traffic data. Very few, in fact. The number of cell phones in a given area is not important for seeing the traffic – you can simply track the speed of one cell phone. I think any large scale implementation of a traffic monitoring system could use a very limited number of tracked cell phones.

    Like you said, there needs to be an opt-in policy. I think it would also be awesome if the cell phone user could change whether they wanted their data to be used on the spot. Perhaps by using a switch or a setting on their phones, they could opt out of being part of the traffic study at any time. The cell phone would still need to have the GPS enabled for emergency purposes, of course.

    The traffic data could be sent anonymously also. Instead of the traffic study being able to follow a specific cell phone, they would just get a signal from some cell phone and not be able to map it to any previous signals. Although I am sure this could still be hacked, at least the data is not being centrally stored.

    Even with security concerns, I like the idea. I’d be willing to pitch in my cell phone signal for the cause.
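The anonymous-reporting idea in the comment above can be made concrete. What follows is an added example, not code from the post, the commenter or the Berkeley project: the phone computes its own speed from consecutive GPS fixes and sends only a coarse road-segment key and a speed, with no device identifier, timestamp or raw coordinates, so the server cannot link one report to any previous one yet can still average speeds per segment. The grid-cell segment key, the constructed sample fixes and the minimum-sample threshold are assumptions made for the example; a real deployment would map-match fixes to road segment IDs.

```python
"""Added example: identifier-free per-segment speed reports.  Not the project's code."""
import math
from collections import defaultdict

# Constructed sample: one phone driving north at ~33 m/s, a fix every 3 seconds.
SAMPLE_FIXES = [
    (37.8700, -122.2700, 0),
    (37.8709, -122.2700, 3),
    (37.8718, -122.2700, 6),
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 fixes."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def segment_of(lat, lon, cell_deg=0.001):
    """Coarse segment key: a grid cell roughly 100 m on a side (assumption;
    a real system would map-match to a road segment ID)."""
    return (round(lat / cell_deg), round(lon / cell_deg))


def speed_reports(fixes):
    """Runs on the phone.  Turns consecutive (lat, lon, t_seconds) fixes into
    (segment, speed_m_per_s) reports.  Nothing in a report identifies the phone
    or can be matched against the phone's previous report."""
    reports = []
    for (la1, lo1, t1), (la2, lo2, t2) in zip(fixes, fixes[1:]):
        dt = t2 - t1
        if dt <= 0:
            continue  # out-of-order or duplicate fix: skip rather than divide by zero
        reports.append((segment_of(la2, lo2), haversine_m(la1, lo1, la2, lo2) / dt))
    return reports


class TrafficServer:
    """Server side: stores per-segment speed samples only, never who sent them."""

    def __init__(self):
        self.samples = defaultdict(list)

    def ingest(self, report):
        segment, speed = report
        self.samples[segment].append(speed)

    def average_speed(self, segment, min_samples=1):
        """Average for a segment, or None when too few samples exist.  A lone
        sample on an otherwise empty road still says that someone drove there,
        so a deployment would raise min_samples before publishing."""
        s = self.samples.get(segment, [])
        if len(s) < min_samples:
            return None
        return sum(s) / len(s)


def demo():
    server = TrafficServer()
    for report in speed_reports(SAMPLE_FIXES):
        server.ingest(report)  # each report is (segment, speed); no identity attached
    return {seg: server.average_speed(seg) for seg in server.samples}


if __name__ == "__main__":
    for seg, avg in demo().items():
        print(seg, f"{avg:.1f} m/s")
```

The trade-off the commenter hints at is visible here: because reports are unlinkable, speed has to be computed on the phone from its own last two fixes, and the server can no longer check a sample against that phone's history, so a single misbehaving client can skew a segment's average. Requiring several independent samples before publishing a figure mitigates both that and the lone-driver privacy leak.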

  • 2

    Comment by Matt

    August 24, 2008 @ 7:28 am

    I think that the traffic data would benefit hundreds of people who have to make the commute every day between school and home or school and work. There is a large amount of data that could be sent between cell phones. I guess we would just have to be careful on who got our phone number.

  • 3

    Comment by tommy

    November 5, 2008 @ 10:37 pm

    I don't know that there needs to be an opt-in or out policy. Personally, unless you are doing something wrong, in which case you shouldn't be using it, then I think every phone should have a tracking feature that can be activated and signaled in on when needed. I wonder if there is something like that on my xperia x1. It has gps, so there could be right?
