An overview of the security risks associated with geo-location enabled mobile devices and how to address them.

1. Geo-Location Security: Issues &
Best Practices

2. “Her father had taught her about a dog's paws. Whenever her father was alone
with a dog in a house he would lean over and smell the skin at the base of its paw.
This, he would say, as if coming away from a brandy snifter, is the greatest smell
in the world! A bouquet! Great rumours of travel! It's a cathedral! her father had
said, so-and-so's garden, that field of grasses, a walk through cyclamen--a
concentration of hints of all the paths the animal had taken during the day.”
Michael Ondaatje, The English Patient

3. Getting to Know You
• 07774 23X XXX
• 07940 47X XXX
• 07761 55X XXX
• 07459 13X XXX

4. Where are you?

5. Value

6. How
Satellite tracking
Web browsing
Mobile phone
GPS devices
RFID tags
Credit / debit card transactions
Geo tags photos / postings
Proximity readers

7. How
A desktop browser is likely to use WiFi
(accurate to 20m) or IP Geolocation
which is accurate to the city or post code
depending on your ISP.
Mobile devices tend to use triangulation
techniques such as GPS (accurate to 10m
and only works outside), WiFi and
GSM/CDMA cell IDs (accurate to
1000m).

8. Browser Based
The Geolocation API is default in the following desktop
browsers:
•Firefox 3.5+
•Chrome 5.0+
•Safari 5.0+
•Opera 10.60+
•Internet Explorer 9.0+
•And for updates on earlier versions for all of the above

9. App Based
And the W3C Geolocation API on mobile devices:
•Android 2.0+
•iPhone 3.0+
•Opera Mobile 10.1+
•Symbian (S60 3rd & 5th generation)
•Blackberry OS 6
•Maemo

10. Detailed Of Data Captured

11. On the Road?

12. Down Loading It

13. Hacking It

14. Where You Live

15. Business Uses
A US-based car rental company started using
deployed GPS tracking devices to monitor
driving speeds of its customers.
If a customers car exceeded 79 miles per hour for
2 continuous minutes, they were charged an
additional $150 (without their consent).

16. Example
A French Insurance company used both
mobile phone and car GPS data to track sales
executive locations and cross reference to
their expense accounts.
Policy resulted in 21 employee dismissals and
the identification of over .5 million euro in
false claims.

17. Example
Earlier this year, a large New York-based
charity used geo-location data from Grindr to
identify homosexuals working in their offices.
4 employees were fired for “inappropriate
behavior.”

18. I’ll Be Watching You

19. Lay of the Land

20. Every Word You Say
• Tracking customers
• Tracking employees
• Tracking competitors
• Tracking subjects

21. Every Single Day
• Competitive Intelligence
– Location of executives easily disclose activities
such as mergers and acquisitions or real estate
sittings.
• Targeting Intelligence
– Location of subjects by private detectives
– Location of subjects by the media

22. Every Claim You Stake

23. Can Someone Own
Your Whereabouts?

24. Can’t You See, You Belong To Me?

25. Every Pound They Make
=

26. Every Law You Break

27. Every Arm You Break

28. Every Snack You Take

29. Every Move You Make

32. Every Word You Say
• How the app exposes the users is not the problem.
• How Google Maps, Facebook and Foursquare expose
the users without their knowledge is the problem.
• Opt out is the default not opt in.
• Social networking business model = get everyone to
share everything
• Your personal information (your life) is their product

33. I’ll Be Watching You
"If you have something that you don't want
anyone to know, maybe you shouldn't be
doing it in the first place,"
Former Google CEO: Eric Schmidt

34. Industry Response
User beware !

35. Every Window You Break

36. Every IP You Fake

37. Fake Your Location

40. Industry Location

41. Understand the Data
• Where you go
• Where you went
• What you do
• What you did
• Forever

42. Data Classification
+ = PII

43. Regulatory Conundrum
Geo-location data falls under special category
of data subject to E-Privacy Directive. To
comply you must either:
– Obtain prior consent - or:
– Process the data anonymously (Good luck as this
includes UDID, IMEI, Mac or IP addresses)

44. Best Practices?
Information Security Governance Framework
 Policies
 Identification, Classification & Marking
 Prior Consent
 Identifier Sanitisation (UDID, IMEI, IPs)
 Privacy Statements
 Limited Retention
 Testing & Auditing

45. Find the Browser Secrets

46. Change Defaults

47. Change Defaults

48. DIY
Apple Safari:
• Go to the ‘Display a menu of General Safari settings’
• Go to ‘Preferences’
• Go to ‘Security’
• Uncheck ‘Allow websites to ask for location information’
Comodo Dragon:
• Go to the ‘Customize and control Comodo Dragon' icon
• Go to ‘Options’
• Go to ‘Under the Bonnet’
• Choose ‘Content Settings’
• Choose ‘Location’
• Check ‘Do not allow any site to track my physical location’
Facebook:
• Go to Privacy Settings
• Click ‘Custom’
• Click ‘Custom Settings’
• Disable ‘Places I check in’
• Disable ‘People here now’
• Disable ‘Friends can check me in to places’

49. DIY
Google Chrome:
• Go to the ‘Customize and control Google Chrome’ icon
• Go to ‘Options’
• Go to ‘Under the Bonnet’
• Choose ‘Content Settings’
• Choose ‘Location’
• Check ‘Do not allow any site to track my physical location’
Google GMail:
• Scroll down on your GMail page until your reach 'Last account activity:
• Hit 'Details'
• Scroll down
• Check 'Never show an alert for unusual activity'
Google Toolbar:
• Go to the ‘Adjust Toolbar options’ icon
• Go to Tools
• Uncheck ‘My Location’
• Hit 'Save'

50. Where are you?

51. Geo-Location Security