Last Updated on April 25, 2011 by Dave Farquhar
The scandal of the day is the iPhone and the discovery that it tracks your every move. Will that be featured in the next Android commercial? iDo track you. DROID DOESN’T. Update: Probably not.
Of course, the pundits are all over the map on this one. Nobody thinks it’s a particularly good idea. Some think it’s bad but are willing to live with it since they trust Apple not to misuse it. Some think it’s no big deal as long as Apple stops with the next patch. Others have gotten paranoid.
Lots of people have talked about the implications of this, weighing voyeurism against how governments might misuse it. Or how marketers might use or misuse it. And of course it’s standard procedure for phone companies to track who’s using their cell towers. It helps them figure out where to put more cell towers. But they store the information off the phone, on one of their own servers on a secured network.
The iPhone is storing this stuff in an unencrypted database file right on the phone, and when it syncs with a computer, the file gets copied with everything else.
I want to talk about one specific way I think this will be misused. It involves high school girls.
Imagine this scenario. Students are sitting in the computer lab for class, and they plug their phones into the computer because it’s a convenient way to charge them up for an hour. The phone syncs up–especially if it’s a Mac–and iTunes copies everything over, including the data file with the tracking information.
Now the file is sitting, unencrypted, on that computer, where it can be easily stolen and misused. I’ll talk about how in a minute. First, let’s talk about who would be interested in that file.
When my sister was in high school, there was a kid who liked her. It wasn’t mutual. She told him so, but either he didn’t get it or didn’t want to believe it. He never got anywhere with her at school, so he followed her around, showing up at work, and one night a neighbor caught him trying to shine a spotlight into her bedroom window.
I know this wasn’t an isolated incident because my neighbor has a daughter about my sister’s age, and she had the same problem in high school. It seems to be a fairly common problem.
When this kid showed up where my sister worked, the manager told him to get lost. When he did it again, the manager told him again. When he showed up outside our house, the neighbor across the street told him to get lost. Neighbors don’t like strange cars on their streets acting suspiciously either. I suppose telling him to get lost really was my job, but I was either at work or away at college when it happened. So me introducing him to Mr. Baseball Bat wasn’t an option.
This stuff happened long before phones started tracking our every move. But the existence of data files tracking where we’ve been makes stalking so much easier, because it tells more than just where the victim lives and works. If the stalker knows other places his victim goes, he’s going to try those places too. And there won’t always be someone there to tell him to get lost. And then what?
But the data won’t get stolen, right? Anything short of full-drive encryption can be broken easily in a school lab environment. If I have access to a computer’s power switch and its optical drive, I can have that file off it in a matter of minutes, if not seconds. Someone will have a page up describing the procedure in a day or two, if it isn’t out there already. Since the filename is completely predictable, it will be easy to work out a procedure involving a handful of steps that always works. Since it’s going to be misused, I’m not going to document it–I’ve probably said too much already.
In the meantime, if you have an iPhone and you don’t want to load Android on it, or if your teenage daughter has an iPhone and won’t let you load Android on it, , then you’re a little bit limited in what you can do. On your own computers, you can go into iTunes, click on the device icon, and select the option to encrypt the iPhone backup. But that won’t protect you if you plug the phone into a strange computer in order to get a quickie recharge. If that computer doesn’t have iTunes on it, no problem. If it does, it could be a problem.
The teenage girls from my generation wouldn’t have wanted to be bothered to think of whether the computer they’re plugging into has iTunes on it, and they especially wouldn’t want to click around, changing settings to encrypt the backup. Today’s generation probably isn’t much different in that regard. One of the reasons I hear over and over again that iPhones and iPods are so popular is because they don’t make you think of anything–you just plug them in and they do their thing without asking any questions.
Apple really screwed up on this one, and they need to issue an emergency patch to stop it, before the data gets misused any more than it already will be. It’s too late to stop it entirely.
And if some lowlife ends up killing someone and it comes out that he stole an iPhone data file to track the victim down, I won’t feel the least bit sorry for Apple if the family files a wrongful death suit. Apple made $12 billion on iPhones in the last three months. That would pay out a lot of wrongful death suits.
I don’t know if regulators can or will step in and make Apple stop, but losing a few wrongful death suits would probably give them ample encouragement.
Update: You can defeat this by rooting your phone and installing Untrackerd. Thanks Rob O’Hara. Own an iPhone? Go install it. Do it. Now.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.