GPS devices could put American soldiers at risk

Geolocation tools in phones and other devices can open users up to tracking


Global Positioning System receivers in smart phones and digital cameras can be an invaluable tool, providing location information and directions to users. But if you’re not careful, they also can provide location information and directions to anyone who might be watching you.

Examples of the risks have cropped up recently in both military and everyday situations.

Two security experts told NetworkWorld that hacked smart phones used by military personnel could reveal location information, which could endanger troops and missions.

Hugh Thompson, a software security professor at Columbia University and conference chairman for the RSA Conference, and Markus Jakobsson, who works for PayPal’s online security and malware strategy team, said enemies could get location information from phones by using a technique similar to a recently discovered malware program aimed at phones using the Android operating system.


Related stories:

Is your smart phone infected with malware?

Is there a place for smart phones of the battlefield?


That malicious program, discovered by Russian security company Kaspersky Labs, sends Short Message Service messages to a number that charges the phone’s user $5 a message, but it also could be used to expose location information.

Thompson and Jakobsson told NetworkWorld that hacked phones aren’t the only danger for troops. A lot of the applications they might use to communicate with people at home could pose a risk. Malware isn't even necessary, according to Gautham Naugesh, writing in The Hill. "Even using the applications that come with the phone can pose risks. Unless deactivated, most pictures taken with smartphone cameras are tagged with geocodes containing the coordinates of where they were taken," Nagesh wrote. "Troops sending pictures home to family members could give away their locations if the pictures are intercepted."

A number of security experts and privacy advocates have been trying to raise awareness about geotags, and that fact that they could reveal location information without the user’s knowledge, according to the New York Times. Free browser plug-ins allow anyone to identify the location of a photo from the geotag.

Geotags can be turned off, but users would have to root around a bit to manage it. However, the Web site ICanStalkU.com provides instructions for disabling geotags on Android, BlackBerry, iPhone and Palm devices.

Beyond image tagging, devices with GPS receivers could be compromised in other ways. In a blog post this week, Symantec researchers said that a Trojan in a free game application for Android phones taps the GPS to upload the user’s location every 15 minutes. Their location could be tracked by someone using an app called GPS Spy, which cost $4.99 and also runs on Android devices.

The Tap Snake application, a variation of the snake video came that dates to the 1970s, “uploads the GPS data every 15 minutes to an application running on Google’s free App Engine service,” the Symantec researchers said. “GPS Spy then downloads the data and uses this service to conveniently display it as location points in Google Maps. This can give a pretty startling run-down of where someone carrying the phone has been,” including the times a user stopped at any location.

Fortunately, the threat to anyone from Tap Snake is unlikely, since the attacker would have to have access to the user’s phone – an e-mail address and registration key would have to be entered into both the phone running Tap Snake and the phone running GPS Spy, the researchers said. A bit of social engineering would likely be required.

But the intent behind Tap Snake is another indication of the how cyber threats grow with new technology. Theoretically, a hacked smart phone in the hands of military personnel could provide a detailed picture of troop movements, said Jakobsson, who told NetworkWorld he has discussed the problem with the Defense Advanced Project Agency.

Meanwhile, experts advise users to be careful about how they use some of their new tools, since they could also be used against them

About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.