Mobile devices expose location data in more ways than most people know, and turning off services such as Find My Phone, Wi-Fi and Bluetooth can help mitigate tracking, but doing so is no silver bullet that prevents a third party from tracking users. That’s the advice shared by the top U.S. spy division, the National Security Agency (NSA).
The NSA released the advisory (PDF) this week informing people of the various ways mobile phones, by design, give up location information—which go beyond the well-known Location Services feature that people use on a regular basis. The agency also provided some tips on how privacy-minded people can limit the ways they’re being tracked.
Indeed, cybercriminals have been known to take advantage of the ability of smartphones to pinpoint a person’s location in the form of security threats such as stalkerware, spyware, socially-engineered phishing campaigns and others.
The NSA is in the business of collecting information and data for intelligence purposes using signals for the U.S. military and the intelligence community, and was notoriously outed by whistleblower Edward Snowden in 2013 for collecting surveillance on citizens in the United States via their telephone and computer activity.
But now the agency seems to be making a 180-degree turn and trying to help people protect themselves and hide their location data from anyone—from threat actors to law enforcement to even the government itself—who wants to find them using their mobile devices.
The move is in line with the release of Ghidra, a free, open-source software reverse-engineering tool that was released by the agency in 2019. It also comes as mobile location information is becoming more critical in light of the COVID-19 pandemic. Authorities aim to use mobile phone location data to help with contact tracing (locating people who may have come in contact with an infected person) to try to control the spread of the virus.
NSA Privacy Awareness Campaign
Most people are aware that location services on devices can pinpoint where they are so people can have access to services in the area, as well as share their location with friends via mobile apps such as WhatsApp, among other useful activities.
But there are other activities on a mobile device that share location about which people may be less informed, the NSA said. One is the mere act of turning it on, which, due to the trust relationship between cellular networks and providers, sends real-time location information for a device every time it connects to a network.
“This means a provider can track users across a wide area,” according to the agency. While this can be helpful, such as in the case of 911 calls, it also can put someone at risk if that info falls into the wrong hands, according to the NSA.
“If an adversary can influence or control the provider in some way, this location data may be compromised,” the agency warned, adding that network providers also have been found selling data, including near-real-time location data, to third parties, and were subsequently fined by the FCC for it.
Other services that people use regularly such as Find My Phone, Wi-Fi and Bluetooth also provide device location data on a nearly constant basis when turned on, the NSA said, advising people to turn off these services when they are not in use to help mitigate any external tracking.
People also make the common mistake of confusing Location Services with GPS; the two are not the same thing. Even if Location Services and mobile data settings are turned off for a device, it can still be tracked using GPS, the NSA said.
“Disabling location services only limits access to GPS and location data by apps,” according to the advisory. “It does not prevent the operating system from using location data or communicating that data to the network.”
Even turning off a device’s cellular service, such as when it’s in Airplane Mode, does not totally protect someone from having their location pinpointed, the NSA warned.
“Inconspicuous equipment (e.g., wireless sniffers) can determine signal strength and calculate location, even when the user is not actively using the wireless services,” according to the advisory. “Even if all wireless radios are disabled, numerous sensors on the device provide sufficient data to calculate location.”
Even if people are vigilant and aware of the myriad ways their smartphones reveal their location, they can’t totally avoid having this data exposed, the NSA said. Ultimately, they can only reduce the amount of location data shared and the ways third parties can have access to that information.