Online is a default state of being. In the Western world, we can easily stay connected no matter our location, in contrast with early days of the Internet when online was somewhere we went. However, the more our physical locations and virtual locations intersect, the more devices, apps and attackers learn about where we go IRL.

Urbanites allow for a certain amount of location-tracking technology in return for convenience, from RFID tags as you scan a subway card, building fob or toll pass to Bluetooth beacons used by retailers to send coupons to our phones while we walk through physical stores. These technologies record your location at a point in time, and while privacy advocates will debate the futility of truly anonymized location data, there are other ways to continuously track individuals throughout the day that are far more insidious.  

For attackers, profiling and locating targets at a precise latitude and longitude becomes increasingly more possible with every leap forward in technology. Some technologies are benign, while others, like commodity spyware, are more sinister. Highly skilled threat actors tracking individuals through advanced attack techniques can go unnoticed for years. Having awareness of each of these monitoring techniques is the first step in avoiding unwanted location tracking.

Harmful Use of Benign Location-Sharing Apps

There are plenty of benign uses for built-in location-sharing apps: Android users can share their location using Google Maps, and iOS location sharing can be done through Find My Friends, Family Sharing or iMessage. While I find these apps invaluable for letting my family check on how much traffic I’m stuck in on my way home without an intermittent series of calls or texts, they can also be used in illegitimate ways.

A hacker successfully phishing a relative with whom you share your location using these apps can now monitor your location from any web browser. An ex you had previously allowed location sharing with, after a breakup, is able to track exactly when you get home from work using apps installed by default on their phone and yours.

Third-party apps that use location tracking can also leak location information in unintended ways. Cellphone fitness trackers like Strava made news in 2018 when users logging their workouts revealed the layout of military bases and secret facilities. Prior to that, Runtastic had a security flaw where users could be tracked in real time. 

While use of these apps may seem trivial, when abused, this data can have a significant effect on people’s lives. In a 2019 paper presented at the USENIX Security Symposium, researchers performing a field study of computer security and intimate partner violence found two of the top three concerns for clients in their study were related to location tracking or spyware.

The Link to Intimate Partner Violence

Dealing with cyber-stalkers and intimate partner abuse is an increasingly common intersection of issues being handled by domestic violence shelters. Dozens of shelters surveyed by NPR found that 85% of shelters work with victims whose abusers track them via GPS. In discussing unwanted location tracking, we need to consider both malicious use of legitimate apps and those that can be classified as spyware or stalkerware.

Commercial Stalkerware

Commercial spyware like FlexiSpy or mSpy promote their utility for monitoring cellphone activity on children's devices or corporate-owned employee devices. For a monthly fee, spyware will collect emails, photos, keystrokes and location tracking from unsuspecting users. The FTC has taken a stand against monitoring unsuspecting people when spyware is silently installed on their system, and while these apps are marketed as solutions to monitor the safety of children and employees, their ubiquity and ease of install makes non-consensual monitoring as easy as handing over a credit card number.

There’s also the case of spyware sold to governments around the world. In 2019, news articles mentioning NSO Group and Pegasus spyware include stories where human rights advocates were targeted and journalists killed. Zero-day attacks have installed Pegasus on mobile phones, allowing spyware to steal data ranging from GPS locations to camera photos, emails, texts and passwords. Pegasus is an example not only of commercial spyware but stalkerware from exceptionally well-resourced attackers. 

Leverage for Nation-States 

If readily available spyware is enabling individuals to track and geolocate other people, how much more insidiously can location-based attacks be leveraged by a nation-state actor to create a global geopolitical impact? 

One high-profile story from 2019 is Operation Soft Cell, a multi-year campaign against international telco providers. TTPs consistent with a Chinese-affiliated threat actor targeted Call Detail Records, which contain metadata about phone calls including cell tower location data. Knowing what cellphone tower someone is near and what their daily routines are, as was the case with the specific individuals targeted by Soft Cell threat actors, is a practically indefensible attack.

Taking Back Control

For both paid stalkerware and benign applications used in a malicious way, creating a plan for managing location monitoring can be a start to taking back control of your devices. 

Strategies to take these different location-tracking methods into account in your personal and corporate threat models include:

Just as developers are finding more useful ways to incorporate location-based technology into our lives, bad actors are often one step ahead. Awareness of the different ways in which location-based data can be abused should be considered in security professional threat modeling.
Contributors: