New Security Horizons with Geolocation
Last weekend, people from all corners of the technology world converged on Austin, Texas for the 2010 South By Southwest Interactive (SXSWi) conference. Much of the coverage has echoed the focus of an old real estate mantra: Location, location, location. In a rivalry dubbed the “geolocation wars,” mobile start-ups Foursquare and Gowalla competed for attention as attendees used GPS-enabled phones to record electronic check-ins at various conference events. And while these two players often come up in reports on location-aware social networking, Twitter has begun letting users record where they tweet (giving new meaning to the word “follow”), and sources indicate Facebook will be rolling out a similar feature soon.
Across the Web, sites are adding features that will quite literally put them on the map. And while letting the online world know where you are offline can certainly offer benefits, the sudden overlap raises fresh privacy concerns. One tongue-in-cheek response, aptly named “Please Rob Me,” drew attention to Foursquare users who publicly broadcast when they were not at home. From a security perspective, problems have been observed on several platforms. An early flaw in Google Buzz risked exposing private location data. One researcher has noted that Gowalla’s API can apparently override privacy settings, then demonstrated location spoofing. Foursquare does not verify location, making fake check-ins trivial. Foursquare also uses HTTP Basic authentication, meaning an attacker could steal logins sent over open Wi-Fi connections.
Of course, trailblazing applications are not the only ways people can share their location. Facebook users often leave a trail of event RSVPs that show past places visited. But even on the real-time Web, data can leak accidentally. A study of posts on Twitpic, a Twitter-based photo-sharing service, found that some pictures’ EXIF data included GPS information. In one case, an iPhone snapshot even included compass and accelerometer metrics.
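The EXIF leak described above can be checked for, and removed, before a photo leaves a device or is accepted by an upload service. The following Python is an added example, not code from the Twitpic study or from any service named here; the function names (exif_segments, has_gps, strip_exif, sample_jpeg) and the sample image are constructed for illustration, and only the standard library is assumed.

```python
# Added example: helper names and the sample image are assumptions, not from the article.
import struct

GPS_IFD_TAG = 0x8825  # IFD0 entry that points to the GPS sub-directory

def exif_segments(jpeg: bytes):
    """Yield (start, end) byte offsets of each EXIF APP1 segment in a JPEG."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    # Metadata segments precede start-of-scan (0xDA); stop there or at EOI (0xD9).
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xDA, 0xD9):
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2:
            raise ValueError("corrupt segment length")
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            yield pos, pos + 2 + length
        pos += 2 + length

def has_gps(jpeg: bytes) -> bool:
    """True if any EXIF block's IFD0 carries a GPSInfo pointer."""
    for start, end in exif_segments(jpeg):
        tiff = jpeg[start + 10:end]
        order = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # TIFF byte-order mark
        if order is None or len(tiff) < 10:
            continue
        magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
        if magic != 42 or ifd0 + 2 > len(tiff):
            continue
        (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count):  # each IFD entry is 12 bytes, tag first
            entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
            if len(entry) == 12 and struct.unpack(order + "H", entry[:2])[0] == GPS_IFD_TAG:
                return True
    return False

def strip_exif(jpeg: bytes) -> bytes:
    """Return the image with every EXIF segment removed (pixel data untouched)."""
    out, cursor = bytearray(), 0
    for start, end in exif_segments(jpeg):
        out += jpeg[cursor:start]
        cursor = end
    return bytes(out + jpeg[cursor:])

def sample_jpeg(tag: int) -> bytes:
    """Constructed input: SOI, one EXIF APP1 whose IFD0 has a single entry, EOI."""
    tiff = b"MM\x00\x2a" + struct.pack(">IHHHIII", 8, 1, tag, 4, 1, 26, 0)
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
```

has_gps inspects only the GPSInfo pointer in IFD0, so it answers whether a GPS block is present without decoding coordinates; strip_exif drops the whole EXIF block rather than individual tags.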
All of these ways to track users, particularly when combined with other content, can create real risks for companies seeking to shield sensitive transactions or avoid corporate espionage. Similarly, those using company-owned devices with GPS capabilities ought to be aware of how such functions are used. With the online world increasingly intersecting the real world through geolocation services, it’s time to figure out what place they have in a secure business environment.