Smartphone location tracking via Wi-Fi signals, motion sensors for subway riders

Here are two research papers about tracking people via their smartphones that might momentarily make you want to toss your phone into a lake. Both show a 90% or above accuracy in tracking people via their phones’ Wi-Fi connections or motion sensors.

Tracking you using Wi-Fi signals

Tracking Human Mobility using WiFi signals (pdf) makes the case for Wi-Fi scans to be considered “a highly sensitive type of data” that “should be considered location data.”

Using just one GPS observation per day per person allows us to estimate the location of, and subsequently use, Wi-Fi access points to account for 80% of mobility across a population. These results reveal a great opportunity for using ubiquitous Wi-Fi routers for high-resolution outdoor positioning, but also significant privacy implications of such side-channel location tracking.

Researchers Piotr Sapiezynski, Arkadiusz Stopczynski, Radu Gatej and Sune Lehmann point out that “large companies such as Google, Apple, Microsoft, or Skyhook, combine Wi-Fi access points with GPS data to improve positioning, a practice known as ‘wardriving’.” The actual “how” is “proprietary to large companies.” They added, “Predictability and stability of human mobility are also exploited by commercial applications such as intelligent assistants.” They used Google Now as an example of an app “which learns users’ habits to, among other services, conveniently provide directions to the next inferred location.”

In the Android ecosystem, location permission is separate from the permission for “Wi-Fi connection information.” Yet the researchers found that inferring location can be accomplished using only a small percentage of Wi-Fi access points (AP) seen by a device; it’s one way an app can inexpensively convert the APs into users’ locations. “The impact is amplified by the fact that apps may passively obtain results of scans routinely performed by Android system every 15-60 seconds. Such routine scans are even run when the user disables Wi-Fi.”

Developers whose applications declare both location and Wi-Fi permissions are able to use Wi-Fi information to boost the temporal resolution of any collected location information. We have shown that even if the location permission is revoked by the user, or removed by the app developers, an initial collection of both GPS and Wi-Fi data is sufficient to continue high-resolution tracking of the user mobility for subsequent months. Many top applications in the Play Store request Wi-Fi connection information but not explicit location permission. Examples from the top charts include prominent apps with more than 100 million users each, such as Candy Crush Saga, Pandora, and Angry Birds, among others. We are not suggesting that these or other applications collect Wi-Fi data for location tracking. These apps, however, do have a de facto capability to track location, effectively circumventing Android permission model and general public understanding.

The researchers argue that data collection and handling practices need to change to include Wi-Fi data as location data. “A third party with access to records of Wi-Fi scans and no access to location data, can effectively determine the location of each individual 90% of time by sending less than 20 queries to commercial services such as Google Geolocation API or Skyhook.”

Tracking you on the subway

If you dislike having your privacy “stolen,” then the second paper will likely irk you as researchers show how they can secretly steal motion sensor readings in smartphones to track subway riders. That’s not just theory; after conducting real-world experiments by tracking subway riders in Nanjing, China, researchers discovered that the tracking “accuracy can reach 92% if the user takes the metro for six stations.”

In We Can Track You If You Take the Metro: Tracking Metro Riders Using Accelerometers on Smartphones (pdf), the researchers wrote, “Our scheme does not rely on GPS or other positioning systems, which gives it a high level of concealment and considerable efficiency. It may disguise itself into normal smartphone software when it steals the information on the users’ trace.”

They proposed two attacks; the first had two phases. “In the training phases, the attacker collects motion sensor readings for each station interval and then uses a supervised learning scheme to build an interval classifier. In the recognition phase, the attacker analyzes the sensor readings collected by the malware from infected smartphones and then utilizes the interval classifier to identify the station intervals that users pass by.”

Yet collecting labeled data for each station interval was too time-consuming, since cities like New York and Tokyo have “tens of metro lines and hundreds of station intervals;” so they devised an improved attack “to significantly reduce the workload of the attacker.” Researchers Jingyu Hua, Zhenyu Shen and Sheng Zhong wrote, “In the improved attack, the attacker is only required to personally collect sensor data for one or a very small number of station intervals with obvious features, e.g. containing big turns, which can guarantee a high recognition rate.”

The researchers suggested, “If an attacker can trace a smartphone user for a few days, he may be able to infer the user’s daily schedule and living/working areas and thus seriously threaten her physical safety.” And Alice and Bob can’t hide a relationship from an attacker either because “if the attacker finds Alice and Bob often visit the same stations at similar non-working times, he may infer that Bob is dating Alice.”

Regarding possible defensive strategies to help users protect their privacy, the researchers suggested a user can keep an eye on her phone’s power consumption to find out if malware is operating in the background, draining the battery by constantly sending sensor data. “Noise” could be blended into the sensor data so an attacker can’t use it. Users could also pay attention to app permissions that let the user know the app will access sensors – but most users ignore permissions; additionally app permissions and the access they allow are complicated and wildly misunderstood. As the first research paper showed, the permissions can also be deceptive such as not putting Wi-Fi connection information in with location data.