Weaknesses in the technology that allows smartphone users to pinpoint themselves on a map, or check into restaurants and bars using apps such as Foursquare, could allow those users to be tracked remotely.
Ralf-Philipp Weimann, a researcher at the University of Luxembourg, reported this finding at the Black Hat computer security conference in Las Vegas yesterday. He believes that the complex mechanism by which phones get location fixes likely also hides vulnerabilities that could allow the mechanism to be used to install and run malicious code on the device.
Smartphones do not use GPS satellites alone to determine their location, because doing so accurately requires complex calculations based on signals collected from four orbiting satellites, a process that takes as long as 12 minutes. Instead, they use assisted GPS (A-GPS), in which a cellular network supplies an approximate location to simplify and speed up the necessary GPS calculations. A-GPS also allows a device to ask the mobile network to do the work and send back the exact location fix once it’s finished.
Weimann discovered that the messages that pass between a phone and its network during this process aren’t exchanged over a secure connection, but rather over a non-secure Internet link. That makes it possible to trick a phone into swapping A-GPS messages with an attacker instead, Weimann realized, and to have that attacker know the result of every location fix wherever the phone goes.
Using this method, a malicious Wi-Fi network could instruct phones to relay back all future requests for A-GPS help and to report all location fixes, even after the phone goes out of range. “If you just turn it on once and connect to that one network, you can be tracked any time you try to do a GPS lock,” said Weimann. “This is rather nasty.”
Weimann demonstrated the vulnerability on a variety of Android handsets and said that handset manufacturers haven’t bothered to implement technologies that could prevent such attacks. The problem is solvable, though, and Weimann said it will likely be addressed in future versions of software from mobile-device manufacturers. “I wouldn’t count on it until you buy the next-gen device.”
Weimann also presented work showing how A-GPS messages could be used for seriously compromising attacks. He showed that many smartphones process these messages on their main processor, not the GPS chip or the radio chip dedicated to communicating with the cellular network. This means the messages could potentially be used to trigger crashes that would allow the device to be taken over remotely, said Weimann, who added that he has identified some candidate bugs already.
Other experts at the conference said that the kind of attack Weimann demonstrated could convince professional malware developers to take mobile devices more seriously as lucrative targets. Today, it is not easy to infect many users with a malicious app, explained Vincenzo Iozzo, of the information-security company Trail of Bits, who is a member of Black Hat’s advisory board. “What’s interesting is to find the venues where an attacker can gain additional scale and profit,” he said. “This attack actually allows them to reach a huge number of targets without being close to them.”
It is still early days, Iozzo said, but there’s cause for concern. “Exploitation for the time being is not going to be a big problem in mobile, but mobiles are more complex compared to desktops and so offer more places to explore.”