NSA: Beware of Devices Collecting Location Data
Warning Intended Primarily for National Security, Defense Users
The U.S. National Security Agency has issued an alert warning those working in the national security and defense sectors to mitigate the risks posed by mobile and internet of things devices, along with apps, that collect location data.
"Users should be aware of these risks and take action based on their specific situation and risk tolerance," according to the alert issued Tuesday. "When location exposure could be detrimental to a mission, users should prioritize mission risk and apply location tracking mitigations to the greatest extent possible. While the guidance in this document may be useful to a wide range of users, it is intended primarily for [National Security Strategy/Department of Defense] system users."
Mobile devices, such as smartphones and tablets, use a number of technologies - including the cellular signal itself, GPS, WiFi and Bluetooth - to determine a user's location. The NSA notes that turning off some of these services can help reduce the amount of location data that a device transmits. But it notes: "Even if all wireless radios are disabled, numerous sensors on the device provide sufficient data to calculate location. Disabling [Bluetooth] completely may not be possible on some devices, even when a setting to disable BT exists. When communication is restored, saved information may be transmitted."
Location, Location, Location
The NSA notes that because smartphones and other mobile devices inherently trust cellular networks, service providers receive a constant stream of data from various devices, which can reveal location data as well as other details about the user.
For placing 911 calls in an emergency, this is a handy feature. The NSA notes, however, that providers are known to sell user data, including location data, and that a third party could intercept cellular signals using a commercially available base station.
"Commercially available rogue base stations allow anyone in the local area to inexpensively and easily obtain real-time location data and track targets," according to the NSA. "This equipment is difficult to distinguish from legitimate equipment, and devices will automatically try to connect to it if it is the strongest signal present."
The NSA also notes that turning off location services within a mobile device does not automatically disable GPS, because the operating system can still connect to services to determine the device's location. Bluetooth and WiFi can also be used to determine a user's location if they are not turned off or disabled.
IoT and Apps
The NSA alert notes that IoT devices - including smartwatches, fitness trackers, household devices, medical equipment and automobile services - transmit location data in much the same way as mobile devices (see: An Attacker's IoT Paradise: Billions of Insecure Devices).
Many IoT devices have security holes because they do not receive security updates from their manufacturers, the alert notes. In addition, connected devices will attempt to upload data to a cloud service, which creates another way for a device to leak location data to a third party.
"Such IoT devices can be difficult to secure; most have no way to turn off wireless features and little, if any, security built in," the NSA notes. "These security and privacy issues could result in these devices collecting and exposing sensitive location information about all devices that have come into range of the IoT devices."
The NSA alert offers similar warnings about apps and the type of data they can collect.
Mitigation
The NSA offers a checklist of ways to minimize the amount of location data a device can collect that includes:
- Disable location services settings on the device.
- Disable Bluetooth and WiFi when not needed.
- Give apps as few permissions as possible.
- Disable advertising permissions.
- Turn off settings that allow a lost, stolen or misplaced device to be tracked.
- Minimize web browsing on these devices, and set browser privacy and location permission settings to minimize location data.
- Use a VPN.
- Minimize the amount of data with location information that is stored in the cloud.
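As an added illustration of how a defender could verify the first two checklist items against a device's actual state (this is example code, not part of the NSA alert or this article), the Python below parses constructed output in the `key=value` line format printed by Android's `adb shell settings list secure` and `settings list global`. The keys `location_mode`, `wifi_on` and `bluetooth_on` are real Android settings names, but whether a given device or OS version exposes them is an assumption; the remaining checklist items (app and advertising permissions, device tracking, cloud data) are not visible in these namespaces and are not checked.

```python
"""Audit constructed Android settings dumps against the location checklist.

Example only, not code from the NSA alert or this article. Assumes the
device exposes the keys below (real Android names, not on every version).
"""

# Constructed sample dumps in the "key=value" format of `settings list`.
SAMPLE_SECURE = """\
location_mode=3
location_providers_allowed=gps,network
install_non_market_apps=0
"""

SAMPLE_GLOBAL = """\
wifi_on=1
bluetooth_on=0
airplane_mode_on=0
"""


def parse_settings(dump: str) -> dict:
    """Turn a `settings list` dump into a dict; malformed lines are skipped."""
    result = {}
    for line in dump.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = value.strip()
    return result


def audit(secure: dict, global_: dict) -> list:
    """Return (checklist item, reason) pairs that are NOT confirmed as met.

    location_mode: 0 = off, 1-3 = at least one provider enabled.
    A missing key is reported as unknown rather than assumed safe, in line
    with the alert's point that disabling may not be possible on every device.
    """
    checks = [
        ("Disable location services", secure.get("location_mode"), "0"),
        ("Disable WiFi when not needed", global_.get("wifi_on"), "0"),
        ("Disable Bluetooth when not needed", global_.get("bluetooth_on"), "0"),
    ]
    findings = []
    for item, value, expected in checks:
        if value is None:
            findings.append((item, "unknown: key not present"))
        elif value != expected:
            findings.append((item, f"not met: value={value}"))
    return findings


def audit_samples() -> list:
    """Run the audit over the constructed sample dumps."""
    return audit(parse_settings(SAMPLE_SECURE), parse_settings(SAMPLE_GLOBAL))
```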
Location Data Concerns
In February, the Federal Communications Commission found that one or more U.S. wireless carriers violated federal law by selling consumer location data to third parties (see: FCC: Wireless Carriers Violated Law by Sharing Location Data).
Security and privacy experts have also raised concerns about using location data in contact-tracing apps used in the fight against COVID-19 (see: Should Location Data Be Used in Battle Against COVID-19?).
Meanwhile, the issue of how devices and applications collect and store user data has made headlines in recent days.
For example, President Donald Trump threatened to ban social media app TikTok in the U.S., citing the amount of data - including location data - the service apparently collects and stores in China. Microsoft is reportedly considering buying TikTok (see: Microsoft May Be TikTok's Privacy and Security Lifeline).