Geotagging, Geolocation, and your Privacy


You may have seen a TV episode where they pull up the coordinates of someone's cell phone and save the day. You also may have thought that it was just Hollywood taking liberties with current technology. Sad to say, that is real, current technology, and it is a huge privacy concern. A cell phone without GPS can be tracked through cell phone towers with some (minimal) effort. A cell phone with a GPS is a beacon, an information lighthouse advertising your location with minimal effort. In both cases, a warrant would be needed to obtain that information from the cell phone company. However, you may be unknowingly giving that information away for others to use.

Recently a security expert (and friend) found something interesting in iPhone-generated photos. When he analyzed pictures from an iPhone camera, the GPS coordinates (Degrees, Minutes, Seconds) were embedded into the "Exchangeable Image File format" (EXIF) data associated with the picture. This means that wherever you were standing when you snapped a picture with your iPhone, the location was recorded inside the picture file. If you share that picture on the internet, you are sharing evidence that you were at a particular place at a particular time.
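To check your own photos before sharing them, the following added example (not code from the original post or from the proof of concept) reads the GPS directory out of a JPEG's EXIF block, converts the degrees/minutes/seconds values to decimal degrees, and removes the EXIF segment. It uses only the Python standard library and assumes well-formed EXIF; the function names are illustrative, and `sample_jpeg()` builds a constructed test file with made-up coordinates.

```python
import struct

def exif_span(jpeg):
    """Return (start, end) of the EXIF APP1 segment, or None if absent."""
    pos = 2                                    # skip SOI marker (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return pos, end
        pos = end                              # loop ends at SOS (FF DA)
    return None

def read_ifd(tiff, off, e):
    """Map tag -> raw 4-byte value/offset field for one TIFF directory."""
    n = struct.unpack(e + "H", tiff[off:off + 2])[0]
    rows = [tiff[off + 2 + 12 * i:off + 14 + 12 * i] for i in range(n)]
    return {struct.unpack(e + "H", r[:2])[0]: r[8:] for r in rows}

def gps_position(jpeg):
    """Return (lat, lon) in decimal degrees, or None if no GPS directory."""
    if (span := exif_span(jpeg)) is None:
        return None
    tiff = jpeg[span[0] + 10:span[1]]          # skip marker, length, Exif header
    e = "<" if tiff[:2] == b"II" else ">"      # TIFF byte order
    u32 = lambda b: struct.unpack(e + "I", b)[0]
    ifd0 = read_ifd(tiff, u32(tiff[4:8]), e)   # tag 0x8825 points to the GPS IFD
    gps = read_ifd(tiff, u32(ifd0[0x8825]), e) if 0x8825 in ifd0 else {}
    if not {1, 2, 3, 4}.issubset(gps):         # LatRef, Lat, LonRef, Lon
        return None
    def degrees(tag):                          # three RATIONALs: deg, min, sec
        d = struct.unpack(e + "6I", tiff[u32(gps[tag]):][:24])
        return d[0] / d[1] + d[2] / d[3] / 60 + d[4] / d[5] / 3600
    return (degrees(2) * (-1 if gps[1][:1] == b"S" else 1),
            degrees(4) * (-1 if gps[3][:1] == b"W" else 1))

def strip_exif(jpeg):
    """Remove every EXIF APP1 segment; image data stays byte-for-byte intact."""
    while (span := exif_span(jpeg)):
        jpeg = jpeg[:span[0]] + jpeg[span[1]:]
    return jpeg

def sample_jpeg():
    """Constructed input: JPEG shell, EXIF GPS 40d26m46s N, 79d58m56s W."""
    tiff = b"MM\0\x2a" + struct.pack(">IHHHIII", 8, 1, 0x8825, 4, 1, 26, 0)
    tiff += struct.pack(">HHHI4sHHII", 4, 1, 2, 2, b"N", 2, 5, 3, 80)
    tiff += struct.pack(">HHI4sHHIII", 3, 2, 2, b"W", 4, 5, 3, 104, 0)
    tiff += struct.pack(">12I", 40, 1, 26, 1, 46, 1, 79, 1, 58, 1, 56, 1)
    head = b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\0\0"
    return head + tiff + b"\xff\xda\x00\x02\x00\xff\xd9"
```

Removing the whole EXIF segment also drops the capture timestamp and camera details stored alongside the coordinates, not just the location.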

Example EXIF information from an iPhone camera image.  Note GPS coordinates:

 
Because this is a fairly large privacy concern, a proof of concept was developed to help get the word out. Using the "Popular" image feed on the Tumblr blogging platform, an incredibly simple program was created that analyzes the EXIF data of images posted to Tumblr for GPS coordinates and then creates a link to Google Maps, giving context to the numerical GPS coordinates by showing the exact location where the picture was taken.

That proof of concept is now live at http://whereismyiphone.tumblr.com.

The images displayed are streaming from the tumblr.com "Popular" image feed.  When you click on a picture, you are directed to Google Maps to the exact location the image was snapped.

How else is this used? Well, a simple bit of coding could allow web pages, visited from a mobile phone browser, to pull GPS coordinates and deliver *highly* targeted ads. The simple proof of concept could be tweaked to import public feeds from Facebook, Twitter, and other social media/image sharing web applications.

For iPhone users, when you first use the Camera you should be prompted to allow the camera access to "Your Location." If you didn't know what that meant and clicked okay, never fear. The GPS tagging can also be turned off in the settings menu. Apple's support page has a write-up on understanding Location Services here: http://support.apple.com/kb/HT1975. Also see below for graphical pointers.

 

 

Credit for this scary proof of concept goes to Omachonu Ogali, a computer and network security professional and researcher.  He can be contacted at oogali@idlepattern.com.

 

 

 

1 Comment

I prefer to delete all the metadata after taking photos, on my desktop computer and with utilities like EXIFCleaner. Because JPEG files contain much more sensitive info than just geotags.