iPhone secretly tracks user location, say researchers
iOS 4 logs up to 100 locations daily in unencrypted file on iPhone, iPad and syncing computers
Computerworld - A pair of researchers have found that Apple iPhones and iPads track users' locations and store the data in an unencrypted file on the devices and on owners' computers.
The data, which appears to have been collected starting with iOS 4, which Apple released last summer, is in a SQLite file on iPhones and iPads with 3G capability, said Pete Warden, the founder of Data Science Toolkit and a former Apple employee, and Alasdair Allan, a senior research fellow at the University of Exeter.
The same file, named "consolidated.db," is also stored in the iOS backups made by iTunes on the Mac or Windows PC used to synchronize the iPhone or iPad.
Stored in the file in clear text are locations' longitude and latitude, a timestamp and other information, including Wi-Fi networks in range of the device.
About 100 data points per day are logged to the file, said Warden and Allan in a video posted on the O'Reilly Radar blog.
"There can be tens of thousands of data points in this file," said the pair in the blog post.
The data may be hard to extract remotely from an iPhone or iPad, but not impossible, said Charlie Miller, a noted Mac and iPhone vulnerability researcher, and a four-time winner at the Pwn2Own hacking contest.
"The file is in the root's directory, so apps, including Safari, won't have access," said Miller. "That's still bad, though."
To view the location file on an iPhone remotely, an attacker would have to exploit a pair of vulnerabilities, one to hack Safari -- likely by duping the user into visiting a malicious site -- then another to gain access to the root directory, Miller said. That's possible, but unlikely for most criminals.
Instead, he said the biggest threat was if a person lost his or her iPhone, or it was seized by authorities. "If you lose it, or it's taken when you're crossing a border, say, then the data is accessible," said Miller.
Allan echoed Miller in the video. "If you lose your phone, then all your movements for the last year are on that phone, and can be taken off," said Allan.
Graham Cluley, a senior security senior technology consultant with U.K.-based security company Sophos, pointed out that the backup file on a PC or Mac also poses a risk. "If you're not around, someone else can access the information on your home or work computer," said Cluley.
- Hands on: Apple's Mac Pro is the fastest Mac ever
- Apple CFO to retire in September after he cashes in $53M stock award
- Apple's CarPlay to spark mobile apps war in your car
- Apple retires Snow Leopard from support, leaves 1 in 5 Macs vulnerable to attacks
- Apple patches critical 'gotofail' bug with Mavericks update
- Why Apple needs a $700 MacBook Air
- Apple takes top spot in brand value computation
- Apple gets a patent for health-monitoring ear buds
- Apple shifts to hardware-first TV strategy with revamped set-top box
- iTunes is almost as big a biz as OEM Windows
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts