You are here

You are here

NSA warning on location tracking: ‘Stop using your phone’

Richi Jennings Your humble blogwatcher, dba RJA

The US National Security Agency published advice this week, aimed at the military and related roles. The guidance basically amounts to, “Phones are insecure.”

Well, duh. The idea is to limit leaked location data. But it seems we can only really do that by turning the wretched things off.

So do you fancy living off grid? In this week’s Security Blogwatch, we build a Faraday cage.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: awaken!

Your tax dollars at work

What’s the craic? Dan Goodin reports the NSA’s advice—Beware of find-my-phone, Wi-Fi, and Bluetooth:

NSA officials acknowledged that geolocation functions are enabled by design and are essential to mobile communications. The officials also admit that the recommended safeguards are impractical for most users.

But these features come at a cost. Adversaries may be able to tap into location data that app developers, advertising services, and other third parties … store in massive databases. Adversaries may also subscribe to services [that sell] locations of customers collected by … cellular carriers.

The advice is aimed primarily at military personnel and contractors whose location data may compromise operations or put them at personal risk. But the information can be useful to others, as long as they consider their threat model and weigh the acceptable risks versus the benefits of various settings.

So Simon Sharwood says It might be best not to ask how the NSA knows this and why it advises most mitigations don’t help:

The [NSA] says location services create a security risk. … Which is not good at all for spies and defence force personnel.

[It] also suggests that it is impossible to stop mobile devices recording and revealing location data. … [It] nonetheless suggests many mitigations, including turning off radios when not in use, using a VPN, and disabling features like “Find my Phone.” Users are also told to [limit] ad tracking and [reset] the advertising ID for the device at least weekly.

Clearly the NSA has given some thought to how the information is available. It may therefore be best not to ask how it knows its advice is sound..

Horse’s mouth? The snappily titled U/OO/155603-20 | PP-20-0535 | Limiting Location Data Exposure:

Mitigations reduce, but do not eliminate, location tracking risks in mobile devices. … Users should be aware of these risks and take action based on their specific situation and risk tolerance. When location exposure could be detrimental to a mission, users should prioritize mission risk and apply location tracking mitigations to the greatest extent possible.

Using a mobile device—even powering it on—exposes location data. Mobile devices inherently trust cellular networks and providers, and the cellular provider receives real-time location information for a mobile device every time it connects to the network. … In some scenarios, such as 911 calls, this capability saves lives, whereas for personnel with location sensitivities, it may incur risks.

Other examples of risk exist: Websites use browser fingerprinting to harvest location information, and WiFi access points and Bluetooth sensors can reveal location information. [But] disabling location services on a mobile device does not turn off GPS, and does not significantly reduce the risk of location exposure.

The risk isn’t limited to mobile devices. Anything that sends and receives wireless signals has location risks similar to mobile devices. This includes … fitness trackers, smart watches, smart medical devices … IoT devices, and built-in vehicle communications.

What’s prompted this? Jon Fingas fingers the motivation: [You’re fired—Ed.]

The alert may seem self-evident if you’re privacy-conscious, but it comes after incidents where military staff inadvertently revealed sensitive location info. Researchers discovered at the start of 2018 that Strava’s public location database was revealing military bases, supply routes, and even secret CIA facilities — people going for runs were unintentionally creating maps.

This warning also comes at a moment when app privacy is foremost on the government’s mind. President Trump has threatened to ban TikTok over concerns its parent company ByteDance might hand over sensitive user data to the Chinese government, including location info. The NSA’s recommendations might not be aimed directly at TikTok … but the move could clearly limit adoption of apps like TikTok across the government.

It’s much worse, according to Cuddles:

This has nothing to do with [Strava]. It's about being able to gather valuable information just by tracking people going about their daily lives.

Heatmaps giving away the precise perimeter of military bases are examples that have come up before. But the point … is that even if you try to deal with those more glaring examples, it's virtually impossible to prevent any tracking from happening at all.

You can't prevent the local telecoms company from noticing that 1000 new America-registered SIMs are suddenly connecting to their base stations. And you can't prevent spies from setting up their own fake base station to get the same information.

Block phones from your operating base or agency building all you like, you can't stop people being able to figure out where the living barracks are, changes in staffing levels, troop movements, and so on. … All you can do, as the NSA effectively say here, is try to at least make your opponents work a bit harder to get that information.

So cell tracking is the important bit? It depends, says 8jy89hui:

An individual interested in tracking you has a much better chance of finding your data online through a breach or through an auction on the dark web. That data most likely comes from 3rd party apps rather than the cell networks themselves.

However … cellular tracking is also a serious concern that undermines a lot of this work if the tracking is coming from the government.

Whatever. Whatever5000 sounds slightly sarcastic:

I guess we're safe if we only allow NSA access to it then.

But the unintended consequences? Glen 1 suggests 1:

High paying job, but no phone? That's interesting. Routinely encrypt email (PGP etc), but have no overt background in computing? That's interesting.

That's the thing about tradecraft, you need to look as "normal" as possible. Including leaked information. Bonus points for compromat consistent with any cover you're trying to cultivate.

Although Fatesrider had to laugh:

I had to laugh. … I've been doing this ever since I started using cell phones. But not because of security reasons.

My phone's battery lasts a hell of a lot longer if all that **** is turned off until I need it. … I don't let any apps use GPS except Google Maps and Star Sky, and only if I'm actively using it.

Wi-Fi and Bluetooth the same: only while in use. … I'm averaging 6-7 days between recharges now.

Meanwhile, in terms, gldoorii searches for contradictions:

What's that whole thing? Silent thunder, jumbo shrimp, military intelligence.

The moral of the story?

Your tax dollars at work. But what can you learn from spies like thus?

And finally

Wake up, sheeple!

Previously in “And finally”

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: Christoph Scholz (cc:by-sa)

Keep learning

Read more articles about: SecurityInformation Security