GPS devices could put American soldiers at risk

Geolocation tools in phones and other devices can open users up to tracking


Global Positioning System receivers in smart phones and digital cameras can be an invaluable tool, providing location information and directions to users. But if you’re not careful, they also can provide location information and directions to anyone who might be watching you.

Examples of the risks have cropped up recently in both military and everyday situations.

Two security experts told NetworkWorld that hacked smart phones used by military personnel could reveal location information, which could endanger troops and missions.

Hugh Thompson, a software security professor at Columbia University and conference chairman for the RSA Conference, and Markus Jakobsson, who works for PayPal’s online security and malware strategy team, said enemies could get location information from phones by using a technique similar to a recently discovered malware program aimed at phones using the Android operating system.


Related stories:

Is your smart phone infected with malware?

Is there a place for smart phones of the battlefield?


That malicious program, discovered by Russian security company Kaspersky Labs, sends Short Message Service messages to a number that charges the phone’s user $5 a message, but it also could be used to expose location information.

Thompson and Jakobsson told NetworkWorld that hacked phones aren’t the only danger for troops. A lot of the applications they might use to communicate with people at home could pose a risk. Malware isn't even necessary, according to Gautham Naugesh, writing in The Hill. "Even using the applications that come with the phone can pose risks. Unless deactivated, most pictures taken with smartphone cameras are tagged with geocodes containing the coordinates of where they were taken," Nagesh wrote. "Troops sending pictures home to family members could give away their locations if the pictures are intercepted."

A number of security experts and privacy advocates have been trying to raise awareness about geotags, and that fact that they could reveal location information without the user’s knowledge, according to the New York Times. Free browser plug-ins allow anyone to identify the location of a photo from the geotag.

Geotags can be turned off, but users would have to root around a bit to manage it. However, the Web site ICanStalkU.com provides instructions for disabling geotags on Android, BlackBerry, iPhone and Palm devices.

Beyond image tagging, devices with GPS receivers could be compromised in other ways. In a blog post this week, Symantec researchers said that a Trojan in a free game application for Android phones taps the GPS to upload the user’s location every 15 minutes. Their location could be tracked by someone using an app called GPS Spy, which cost $4.99 and also runs on Android devices.

The Tap Snake application, a variation of the snake video came that dates to the 1970s, “uploads the GPS data every 15 minutes to an application running on Google’s free App Engine service,” the Symantec researchers said. “GPS Spy then downloads the data and uses this service to conveniently display it as location points in Google Maps. This can give a pretty startling run-down of where someone carrying the phone has been,” including the times a user stopped at any location.

Fortunately, the threat to anyone from Tap Snake is unlikely, since the attacker would have to have access to the user’s phone – an e-mail address and registration key would have to be entered into both the phone running Tap Snake and the phone running GPS Spy, the researchers said. A bit of social engineering would likely be required.

But the intent behind Tap Snake is another indication of the how cyber threats grow with new technology. Theoretically, a hacked smart phone in the hands of military personnel could provide a detailed picture of troop movements, said Jakobsson, who told NetworkWorld he has discussed the problem with the Defense Advanced Project Agency.

Meanwhile, experts advise users to be careful about how they use some of their new tools, since they could also be used against them

About the Author

Kevin McCaney is editor of Defense Systems. Follow him on Twitter: @KevinMcCaney.

Reader Comments

Fri, Aug 27, 2010

It's going to get crazier. GPS logic ambushes as this stuff is used for law enforcement for example. The perp finds the device and more trouble, it's on the wrong vehicle suddenly. Then it isn't cat and mouse. You've been following it and it is wrong, so total waste of time. Don't chase your tail. The data said...Two weeks of data and a dead end.

Fri, Aug 20, 2010 Earth

One way to combat this problem for military and sensitive personnel would be for the government (or other trusted agency) to produce its own software for the smart phones. However, who’s to say the government wouldn’t put its own version of the clipper chip back door in its software.
This brings us to un-compiled open source publishing. A trusted agency publishes an open source compiler and publishes the MD5 hash that the compiled compiler should have. The user downloads the source for the compiler and compiles it with the manufacturer’s compiler, then checks that the manufactures compiler didn’t insert something with the MD5 hash. The programs are also published as open source and can then be compiled with the trusted compiler (checking the MD5 value again) to produce a semi-trusted program and another hash.
As published open source, everybody can examine the code for stuff they do not accept. Add on programs then have a certain level of trust and the manufacturer can easily be punished if it is found to have added unacceptable code to the base product.
One of the first add on programs to be developed would be an autonomic program to check for anything making changes to settings that don’t match a security profile, including the security profile.
Call it government/commercial/individual cooperation in the sunshine at the communications infrastructure level. It screws the people making software for profit but most of the for-profit software is not necessary software and the user can assume risk for its use. Software that people can agree is necessary can be claimed by governments to be the interest of the public and governments to be supplied via open source. That’s the “promote the general welfare and provide for the common defense” part.

Fri, Aug 20, 2010 RayW

The 'smarter', or in other words the more computer like phones get, the more likely you are to have a means of 'hacking'. Cell phones have been hacked for years. Back in the 90's the 'dumb' phones were used to listen in on meetings and the company I worked at banned them from all sensitive and up meetings. Eight years ago when I did my foreign country travel briefings cell phones were banned, or if you had one you had to show that the battery was removed since that was the only positive way of knowing you were not a leak (now cell phones are banned completely, apparently they do not trust battery removal).

This article is nothing more than a minor reminder that phones are becoming more like multifunctional computing devices/intercommunication access points and your opposition can do more and more with them, and that cell phones can be a wonderful tracking/spy device, if someone cares to do so.

Using the military as the only subject is a disservice to all the other activities that this activity can be used against ranging from stealing corporate secrets right down to tracking cheating significant others and wayward kids.

Fri, Aug 20, 2010

sometimes i wish we could revert to the days of writing letters, postcards and such...it seems that everyday there's a new threat resulting from technological advances. some of the greatest users of smartphones are our children. now we have the threat of their location being revealed because they upload pictures to their social networking sites. no one is safe anymore...it's crazy!

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above