Smartphone flaw allows hackers and governments to map your home

A newly identified smartphone vulnerability can reveal the floor plan of the place you are in and what you are doing there - and it is possible that companies or intelligence agencies are already making use of it.

Hackers, app developers and even government agencies could be using your smartphone to create a map of the room you are in and determine what you are doing. The security vulnerability uses data in the GPS signal and doesn’t require access to data from the camera, microphone or accelerometer.



Soham Nag and Smruti Sarangi at the Indian Institute of Technology Delhi have been researching whether any information other than location could be extracted from GPS signals when Android smartphone users grant an app access to their location.

GPS data carries not only latitude, longitude and altitude information but also about 40 other metrics that help devices to reduce error rates and boost accuracy, such as Doppler shift – how quickly a receiver is moving relative to the transmitting satellite – and the signal-to-noise ratio of the transmission.


Nag and Sarangi created an artificial intelligence-based system called AndroCon that took all of this information from five types of Android smartphone and pulled out additional clues about the room or building the user was inside and where they were in it. In one test, the pair collected more than 100,000 readings from multiple users with different phones, taken in various locations such as a university dormitory floor, a sports stadium and a bustling market. Various AI models were used to determine the location from the data alone, with at least one achieving an accuracy of over 90 per cent.


In another test, the AI was tasked with determining whether a user was sitting, standing, lying down or waving at the phone when the readings were taken. One AI model managed this with more than 97 per cent accuracy. Models were also able to use the data to extract floor plans of the room in which the readings were taken, and when tested for accuracy, one correctly identified key points such as stairs, lifts and empty corners over 90 per cent of the time.

The researchers only tested Android devices but believe that any device that allows an app access to the various GPS metrics would be vulnerable.


Nag and Sarangi say the technique is probably already being used by intelligence agencies such as the US National Security Agency (NSA). “This is something an academic group can do. Intelligence agencies, my hunch is that they know it for sure,” says Sarangi. “In the world of security, if something is doable, rest assured someone is doing it.”


Kevin Curran at Ulster University, UK, says the techniques to extract more information from GPS signals could be of legitimate use in smartphone apps, and also that the signals are probably being used for other means already. “You never, ever underestimate the NSA and [other] intelligence services on what technologies they know about right now, but they’re keeping to themselves,” says Curran. “So only a fool would say that the Chinese and the Americans don’t know about this.”

Curran says that it is also possible that the technique is being used by companies to collect information that allows them to better serve advertising. “The only way to remain secure is not to have a smartphone,” he says.


Google hasn’t responded to a request for comment, but Nag and Sarangi say that they disclosed the vulnerability to the company before posting their work on the arXiv preprint site and were told that engineers had managed to replicate the issue, but it wasn’t considered dangerous enough to warrant an entry in the public Common Vulnerabilities and Exposures (CVE) database of security flaws or to be prevented with a software update.


The researchers want people to be made aware that the issue exists, so that they can decide whether the convenience of apps is worth the loss of privacy.


Reference


arXiv DOI: 10.48550/arXiv.2407.19392
