The U.S. National Security Agency (NSA) has warned about the security risks associated with location data tracked via mobile phones and other connected devices. The NSA released a detailed guidance report intended primarily for Department of Defense (DoD) and federal agency personnel, and noted that it could also be useful to a wide range of users.
The NSA stated that location data is valuable and must be protected against adversaries. Exploited location data can reveal the number of users in a location and their movements, and can expose unknown associations between users and locations.
“Mitigations reduce, but do not eliminate, location tracking risks in mobile devices. Most users rely on features disabled by such mitigations, making such safeguards impractical. Users should be aware of these risks and act based on their specific situation and risk tolerance. When location exposure could be detrimental to a mission, users should prioritize mission risk and apply location tracking mitigations to the greatest extent possible. While the guidance in this document may be useful to a wide range of users, it is intended primarily for NSS/DoD system users,” NSA said in a statement.
Not Just Limited to Mobile Phones
According to the NSA report, any device that sends and receives wireless signals is vulnerable to location data risks. Connected devices like fitness trackers, smart watches, smart medical devices, or built-in vehicle communication devices often store users’ geolocation information, which is automatically synced to cloud accounts. This could also pose a risk of location data exposure if the accounts or the servers linked to the accounts are compromised.
“Personal and household smart devices (e.g., light bulbs, cookware, thermostats, home security, etc.) often contain wireless capabilities of which the user is unaware. Such IoT devices can be difficult to secure, most have no way to turn off wireless features, and little, if any, security built in. These security and privacy issues could result in these devices collecting and exposing sensitive location information about all devices that have come into range of the IoT devices,” the statement added.
Location Risks with Apps and Social Networks
Most mobile apps request permission for location and other resources that they do not require. They also collect, aggregate, and transmit information that exposes a user's location. Users must be vigilant when sharing information or location data on applications and social media networks.
“If errors occur in the privacy settings on social media sites, information may be exposed to a wider audience than intended. Pictures posted on social media may have location data stored in hidden metadata. Even without explicit location data, pictures may reveal location information through picture content,” the NSA explained.
Risk Mitigation
The NSA also recommended security measures to mitigate location data risks:
- Disable radios when they are not actively in use: disable Bluetooth (BT) and turn off Wi-Fi if these capabilities are not needed. Use Airplane Mode when the device is not in use. Ensure BT and Wi-Fi are disabled when Airplane Mode is engaged.
- Disable location services settings on the device.
- Set privacy settings to ensure apps are not using or sharing location data.
- Avoid using apps related to location if possible, since these apps inherently expose user location data. If used, location privacy/permission settings for such apps should be set to either not allow location data usage or, at most, allow location data usage only while using the app. Examples of apps that relate to location are maps, compasses, traffic apps, fitness apps, apps for finding local restaurants, and shopping apps.
- Set privacy settings to limit ad tracking, noting that these restrictions are at the vendor’s discretion.
- Reset the advertising ID for the device on a regular basis. At a minimum, this should be on a weekly basis.
- Turn off settings (typically known as Find My Device settings) that allow a lost, stolen, or misplaced device to be tracked.
- Minimize web-browsing on the device as much as possible and set browser privacy/permission location settings to not allow location data usage.
- Use an anonymizing Virtual Private Network (VPN) to help obscure location.
- Minimize the amount of data with location information that is stored in the cloud, if possible.