Geolocation data from Global Positioning System (GPS) receivers, including the GPS chips built into most smartphones, is increasingly being used by attackers preparing spear phishing campaigns to build a picture of their victims.
Location data can provide insight into victims’ whereabouts as well as their habits and lifestyle, helping an attacker get to know the victims, their interests, where they go and what they do. Armed with this type of information, an attacker can more easily script a personalised email that references the victim’s recent activities. This greatly increases the chance that the victim will assume the email is from someone they know, rather than an imposter, and fall prey to a spear phishing attack.
Any organisation whose risk assessment indicates its employees may be the targets of spear phishing campaigns needs to teach employees how their geolocation data can be leaked into the public domain and be misused, and how to stop phone tracking and evade GPS spying.
How attackers use GPS data
With today’s smartphones, notebooks and social networking sites, an attacker no longer has to intercept someone’s mobile calls to calculate a rough approximation of their whereabouts. Many devices have built-in GPS functionality which, if accessed via a malicious app, provides location data accurate to within a few metres. Tracking someone using GPS data means their daily routines, such as routes to and from work, can be recorded and mapped. GPS data can even be used to uncover favourite venues after work where chance meetings can be arranged or opportunities to steal information created. Easier still is following a target on any of the social networking sites they use, such as Facebook and Twitter, where many people either intentionally or unwittingly expose their current or intended location.
For example, geo-tagged photos provide clues to where and with whom somebody has been. Facebook and other social networking sites allow users to update their profiles with their location from their phone. This information can inadvertently be shared by a friend, captured by malware on a friend’s computer, or divulged by the friend via a social engineering attack. It’s easy to see how such information can easily be spread further than originally intended.
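The geo-tagged photo case above is concrete enough to show in code. The following is an added example, not part of the original article: it builds a constructed JPEG carrying an Exif APP1 segment with a GPS IFD (the coordinates are illustrative, not from any real photo), reads the latitude and longitude back out of it the way an attacker harvesting a social-media feed would, and then strips the Exif segment, which is the practical countermeasure before a photo is shared. Only the standard library is used; the byte layout follows the TIFF/Exif structure (IFD0 entry 0x8825 pointing at a GPS sub-IFD holding tags 1 to 4), and every offset in the builder is a choice made for this sample.

```python
import struct

# Added example (not from the article). Builds a constructed geotagged JPEG,
# reads the GPS coordinates out of its Exif block the way an attacker would,
# and strips the Exif segment before the photo is shared.

GPS_IFD_TAG = 0x8825                              # IFD0 entry pointing at the GPS sub-IFD
LAT_REF, LAT, LON_REF, LON = 0x1, 0x2, 0x3, 0x4   # GPS IFD tags (Exif spec)
ASCII, LONG, RATIONAL = 2, 4, 5                   # TIFF field types used here


def _dms(value):
    """Decimal degrees -> deg/min/sec as three little-endian RATIONALs (sec kept to 1/100)."""
    value = abs(value)
    deg = int(value)
    minutes = int((value - deg) * 60)
    seconds = ((value - deg) * 60 - minutes) * 60
    return struct.pack("<6I", deg, 1, minutes, 1, round(seconds * 100), 100)


def build_geotagged_jpeg(lat, lon):
    """Constructed sample input: SOI, one Exif APP1 segment with a GPS IFD, a stub SOS, EOI.
    Not a real photo; only the metadata structure matters. Layout (offsets from the TIFF
    header): IFD0 at 8, GPS IFD at 26, latitude rationals at 80, longitude rationals at 104."""
    tiff = b"II*\x00" + struct.pack("<I", 8)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, LONG, 1, 26) + b"\x00" * 4
    gps = [
        struct.pack("<HHI4s", LAT_REF, ASCII, 2, (b"S" if lat < 0 else b"N") + b"\x00"),
        struct.pack("<HHII", LAT, RATIONAL, 3, 80),
        struct.pack("<HHI4s", LON_REF, ASCII, 2, (b"W" if lon < 0 else b"E") + b"\x00"),
        struct.pack("<HHII", LON, RATIONAL, 3, 104),
    ]
    tiff += struct.pack("<H", len(gps)) + b"".join(gps) + b"\x00" * 4
    tiff += _dms(lat) + _dms(lon)
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02" + b"\x00\x01\x02" + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, raw bytes) per header segment, then (None, rest) for scan data + EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xDA, 0xD9):
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]   # length field includes itself
        yield jpeg[pos + 1], jpeg[pos:pos + 2 + length]
        pos += 2 + length
    yield None, jpeg[pos:]


def _is_exif(marker, seg):
    return marker == 0xE1 and seg[4:10] == b"Exif\x00\x00"


def _ifd(tiff, offset, e):
    """Return {tag: (type, count, offset of the 4-byte value/offset field)} for one IFD."""
    entries = {}
    for i in range(struct.unpack_from(e + "H", tiff, offset)[0]):
        at = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(e + "HHI", tiff, at)
        entries[tag] = (typ, count, at + 8)
    return entries


def _value(tiff, e, typ, count, at):
    """Decode one entry; values wider than 4 bytes live at the offset stored in the field."""
    if typ == LONG:
        return struct.unpack_from(e + "I", tiff, at)[0]
    if typ == ASCII:
        off = at if count <= 4 else struct.unpack_from(e + "I", tiff, at)[0]
        return tiff[off:off + count].rstrip(b"\x00").decode("ascii")
    if typ == RATIONAL:
        off = struct.unpack_from(e + "I", tiff, at)[0]
        raw = struct.unpack_from(e + "%dI" % (2 * count), tiff, off)
        return [raw[i] / raw[i + 1] for i in range(0, len(raw), 2)]
    raise ValueError("unsupported TIFF type %d" % typ)


def extract_geotag(jpeg):
    """What an attacker learns: (lat, lon) in decimal degrees, or None if no GPS IFD."""
    tiff = next((seg[10:] for m, seg in _segments(jpeg) if _is_exif(m, seg)), None)
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return None
    e = "<" if tiff[:2] == b"II" else ">"
    ifd0 = _ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = _ifd(tiff, _value(tiff, e, *ifd0[GPS_IFD_TAG]), e)
    if not all(t in gps for t in (LAT_REF, LAT, LON_REF, LON)):
        return None

    def decimal(tag, ref_tag, negative):
        d, m, s = _value(tiff, e, *gps[tag])
        deg = d + m / 60 + s / 3600
        return -deg if _value(tiff, e, *gps[ref_tag]) == negative else deg

    return decimal(LAT, LAT_REF, "S"), decimal(LON, LON_REF, "W")


def strip_exif(jpeg):
    """Countermeasure: drop every Exif APP1 segment (GPS IFD included); image data is untouched."""
    return b"\xff\xd8" + b"".join(seg for m, seg in _segments(jpeg) if not _is_exif(m, seg))
```

Running `extract_geotag(build_geotagged_jpeg(51.5, -0.125))` returns (51.5, -0.125), which is all an attacker needs to place the photo on a map; `extract_geotag(strip_exif(...))` returns None. Stripping the whole APP1 segment rather than editing individual GPS tags is deliberate: it also removes timestamps and device identifiers that help build the same profile, and it avoids leaving a half-edited IFD behind.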
How to stop phone tracking and GPS spying
If an employee genuinely needs to share location data, take advantage of the options many services offer to reduce the precision of the location shown. Twitter lets you choose whether to include your whereabouts with each message and lets you delete your entire geolocation history. Face2face lets you restrict geolocation data to specific friends, while Location Spoofer lets you spoof your location so your real location is not transmitted.
Apps such as Foursquare and Google Mobile, which allow groups of people to track each other, should be discouraged. Some members of the group may not be security-aware and could be open to social engineering attacks, inadvertently allowing an attacker to join the group. Geo-social aggregators, which allow people to track each other as well as pool information from other apps, thereby creating a more complete picture of somebody’s whereabouts and profile, should also be avoided. The analytics from these aggregators provide others with additional information regarding age, gender and even photos. Hotlist, for example, is a geo-social aggregator that combines Facebook, Twitter, Foursquare and Yelp in one package, allowing people to see where others have been, where they are now and where they are going later, in addition to providing real-time check-in information.
Employees should also be warned against installing unapproved apps on their phones. For example, a free game for Android phones called Tapsnake uploads GPS data every 15 minutes to a remote server where it is available for a fee via a separate application called GPS Spy. This allows another person to monitor the location of the phone.
Many mobile devices keep a record of location and other data even after the user exits an app. That cached information can be used to reconstruct a targeted employee’s movements, which is one more reason to have a remote wipe capability for mobile devices in case they are lost or stolen.
Tracking devices used on corporate vehicles also need to be carefully protected. The tracking data is likely to be shared with a third party, so you need to assess the devices’ security standards and procedures as well as the monitoring company’s employee policies. (The monitoring company may be the same as the device provider, or it may be a different service provider.) This also goes for services such as traffic updates, which send location data back to the company that is providing the traffic updates.
The use of Bluetooth in public places should be reviewed for employees deemed at risk. It has a range of 10 to 15 metres, which is enough to help someone track users without being noticed. As with any technology, Bluetooth devices should be turned off or made non-discoverable to others when not in use.
At this point in time, a phone user’s location data is mostly owned by the phone company’s network operators, so there is little legal protection for users. This is of particular concern when employees are travelling abroad as most intelligence services have arrangements with their local service providers to access voice and location data.
Geo-location services make today’s smart devices essential and fun to use. However, the risks to employees should not be underestimated. Employees should be encouraged to disable location services whenever they are not needed, and remember, old fashioned map reading can be fun!
About the author:
Michael Cobb, CISSP-ISSAP is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com’s Security School lessons.
This was first published in January 2012