My presentation from this summer at ToorCamp, probably the most fun you can possibly have at a security conference. I learned tons.Read More»
The Wall Street Journal recently reported on the FBI’s cell phone tracking tools collectively referred to as “Stingrays” being the forefront of a new Fourth Amendment battle. The tools were used to track Daniel David Rigmaiden who was arrested for fraud, he has stated he is innocent and requested information regarding the tools used to track him, which the FBI are not keen to give up as they state it would provide criminals with knowledge to evade the tools which are being used without a warrant.
The Stingray devices are wireless surveillance tools that operate as multi-channel software defined radio which mimics a cellular base station and collects information from a phone even if the device is not in use. The tools are used to gather unique device IDs and subscriber IDs from target phones (MIN, IMSI, MEID, IMEI). In addition these devices can track location using a method similar to cell tower triangulation but a bit in reverse. Instead of getting location and signal strengths from the towers, a surveillance vehicle that is running the device will drive around a target location and gather the signal strength from the target device as it connects from different locations. This allows the operator to get a fairly accurate location via triangulation of the target phone.
The reason for using tools such as this is to circumvent the need to get information from carriers directly, which requires a subpoena, and a court order and possibly even a search warrant depending on the information requested. By intercepting the signals with these devices, law enforcement is able to essentially cut out the middle man. However as the case with Mr. Rigmaiden shows at special court order was still granted before the tool was used. The question for the courts is if the use of these tools require the same protections for monitoring citizens as other methods.Read More»
Although Apple is on the hot seat this week for the file that was found that is logging your location data unencrypted, both Apple and Google have been logging your location for quite a while. Both platforms regularly transmit name, location and signal strength of Wi-Fi networks along with a unique device ID back to Google and Apple. Although both claim that this data is collected and “anonymized” they do not provide a lot of specifics regarding how the data is collected and secured. Android also keeps a cache of location data, however it is only accessible by a root user and is once the file hits a certain size will reset itself, unlike the Apple file which saves cached data for what seems to be forever, it does not appear to cycle itself.Read More»
Researchers have discovered a spy in your pocket, your iPhone is keeping a working history of where you have been in a hidden file on the phone that is copied over to your computer when connected and synched with iTunes. Not only is the device logging your location, but also at timestamp so anyone with access to this file will know when and where you have been.
Odds are that this is something Apple was doing for use in a later feature, or possibly for bug reporting purposes, but the fact that this data is logged on your device and copied to your computer without consent is grounds for concern. That Apple would intentionally do this also raises serious concerns regarding Apple’s approach to privacy. You can download an application that you can run that will load the file and show on a map where you have been. I ran a test on my iPhone 4 which is only a few days old and the results were as expected, it showed me at work and at home and everywhere in between.