
GPS Vulnerabilities Found

It’s not a big secret that GPS is yet another system built largely on trust. Researchers, however, found some interesting new flaws in GPS implementations, including the expensive ones. Most interesting is that the attacks could be conducted using equipment that cost only $2,500. That’s a bargain for creating chaos.


GPS Spoofing Not Far Off

Today’s disturbing technical news goes to…

“So far no credible high profile attack has been recorded but we are seeing evidence of basic spoofing, likely carried out by rogue individuals or small groups,” Humphreys explains. “Whilst the leap to more advanced, untraceable spoofing is large, so are the rewards. It’s therefore guaranteed that criminals are looking at this. All it takes is one person to put one together and publish it online and we have a major problem.”

Iran claims to have already done this to bring down a drone intact. There’s no public confirmation or evidence that this is actually what happened.

The reality is that messing up people’s phone or car navigation is relatively benign mayhem at best. Disrupting military systems, aircraft, or financial systems is a much larger concern.


On Apple’s Location Tracking

The controversy over Apple’s “Location Tracking” is quite interesting. It’s worth making clear that the nodes stored in the database are approximations of cell phone towers and WiFi hotspots you’re likely to encounter rather than your location(s) at any given point in time. It’s a way to “prime the well” when doing a GPS lookup to improve performance.

Apple notably failed in a few key ways which should serve as a lesson to others:

  1. Always disclose what you’re doing – Never just assume what you’re doing with someone’s information is cool. Apple could have mitigated a lot of this had they disclosed what the phone was actually doing from day 1. Never transmit anonymous or personal information without letting the user know first.
  2. Never store more than you need – I can’t believe how many companies mess this up. Storing user information is a liability. A good business limits its liabilities to only what’s necessary to conduct business. Storing so much data, and not expunging it, was a very bad move and amplified the situation. On top of not letting users know what was going on, there was no way to purge information. This just made things much worse. Apple went as far as backing up what should be an expendable cache.
  3. Always be paranoid with information – Apple states “The local cache is protected with iOS security features, but it is not encrypted. Beginning with the next major release of iOS, the operating system will encrypt any local cache of the hotspot and cell tower location information.” in the response to Edward J. Markey. This should have been encrypted since day 1. Various tools that could read this data have existed in the surveillance community for a few years. Apple undoubtedly knew people were using this data, sometimes for illicit purposes. No company has gotten in trouble for being too secure with customer information with anyone other than the NSA or FBI.

It’s worth noting that their software update in response to this controversy is actually pretty good and pretty thorough. I’m surprised they couldn’t quickly shim some encryption around it. iOS is loaded with enough DRM and crypto.

On another note, I fully expect some court cases to be reopened now that “cell phone records” are not quite as accurate as they were falsely billed to be. Also, companies who marketed software as capable of showing a user’s location history may be liable, as this wasn’t accurately vetted. If they had done good testing they would have seen the extent of its “tracking”. It seems inevitable.

Lastly, I wonder how much battery life, and how much bandwidth this was utilizing. Some customers are on metered WiFi (especially some hotspots). To geo-tag one must turn on GPS, meaning battery life was being drained behind the scenes.

Apple’s full response can be found on Congressman Ed Markey’s website (copied here for perpetuity).


MacWorld SF 2008

Another year, another great day of news coverage. I’m obsessed with watching it evolve and monitor several sites throughout the keynote. As expected this was a pretty big one. I suspect this year will contain the most product announcements of any year for Apple. They have a lot of products due for a refresh and announcements expected. Even Steve himself said:

All of this in the first two weeks, and we’ve got fifty more weeks to go.

In all the keynotes I’ve followed, this was the most aggressive agenda. 2008 is going to rock for Apple products.