Conference PaperPDF Available

Location Tracking Using Smartphone Accelerometer and Magnetometer Traces

Authors:

Abstract and Figures

We demonstrate a breach in smartphone location privacy through the accelerometer and magnetometer's footprints. The merits or otherwise of explicitly permissioned location sensors are not the point of this paper. Instead, our proposition is that other non-location-sensitive sensors can track users accurately when the users are in motion, as in travelling on public transport, such as trains, buses, and taxis. Through field trials, we provide evidence that high accuracy location tracking can be achieved even via non-location-sensitive sensors for which no access authorisation is required from users on a smartphone.
Content may be subject to copyright.
Location Tracking Using Smartphone Accelerometer and
Magnetometer Traces
ABSTRACT
We demonstrate a breach in smartphone location privacy through
the accelerometer and magnetometer’s footprints. The merits or oth-
erwise of explicitly permissioned location sensors are not the point
of this paper. Instead, our proposition is that other non-location-
sensitive sensors can track users accurately when the users are in
motion, as in travelling on public transport, such as trains, buses,
and taxis. Through eld trials, we provide evidence that high ac-
curacy location tracking can be achieved even via non-location-
sensitive sensors for which no access authorisation is required from
users on a smartphone.
KEYWORDS
Smartphone, Location Tracking, Privacy, Zero-Permission Apps.
ACM Reference Format:
. 2019. Location Tracking Using Smartphone Accelerometer and Magne-
tometer Traces. In Proceedings of ARES-LPW ’19: The First Location Privacy
Workshop (LPW 2019) (ARES-LPW ’19). ACM, New York, NY, USA, 9 pages.
https://doi.org/10.1145/nnnnnnn.nnnnnnn
1 INTRODUCTION
With the growing use of smartphones
1
and smartphone Apps, peo-
ple are no longer just dened by who they are but also by where
they are (location) and what activity they are taking part in (social
networking/games). Many of the services provided by feature-rich
smartphone Apps require access to your location – to serve your
needs better. For example, Strava, a tness App, revealed the lo-
cation and stang of military bases and spy outposts around the
world. Strava collects the GPS information about their users’ activi-
ties (walking, running and cycling) and charts them over a map -
which was made public.
A study published by AT&T [
5
] in 2010 showed that 19 out of
20 mobile online social networks shared location information with
third parties in a way that enabled easy identication of individual
users.
Another revelatory example of the current situation on location
privacy is the “PleaseRobMe
2
” that aggregated information from
1
A handset that can host and run applications, with additional features than just basic
text and voice call.
2
A website that states on their website “Our intention is not, and never has been, to
have people burgled". Website: http://pleaserobme.com
Permission to make digital or hard copies of all or part of this work for personal or
classroom use is granted without fee provided that copies are not made or distributed
for prot or commercial advantage and that copies bear this notice and the full citation
on the rst page. Copyrights for components of this work owned by others than the
author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or
republish, to post on servers or to redistribute to lists, requires prior specic permission
and/or a fee. Request permissions from permissions@acm.org.
ARES-LPW ’19, ARES-LPW, UK,
©2019 Copyright held by the owner/author(s). Publication rights licensed to ACM.
ACM ISBN 978-x-xxxx-xxxx-x/YY/MM. . . $15.00
https://doi.org/10.1145/nnnnnnn.nnnnnnn
Foursquare
3
and other location services to identify homes that were
empty – due to “oversharing” [
7
] of location information, home-
owners have revealed that no one is at home. Such an emergent
privacy threat is referred to as “Cybercasing” [3, 10].
Two of the major smartphone platforms (Apple iOS and Google
Android) have deployed the user’s explicit opt-in scheme for mo-
bile sensors. In this scheme, a user is asked whether (s)he would
permit an application to use a particular sensor. For this scheme,
the sensors present in smartphones are categorised into sensors
that require permission and sensors that do not. An application
that uses sensors from the latter category (that does not require
permission) is referred to as permission-less mobile App in this
paper.
In some prior work (discussed succinctly in Section 2.2), it has
been shown that some of the sensors that do not require permissions
can be used to inference the location of a user. However, in this
paper, we explore the possibility of tracking a users journey over
public transport using a permission-less mobile App. The case
scenario we consider relates to users being commuting either via a
train, bus and/or taxi and based on non-location-sensitive sensors.
1.1 Paper’s Contributions
The prime proposition of the paper is that non-location sensitive
sensors used by a permission-less mobile App can accurately (to a
high degree of condence) location track users over public transport.
In this respect, this paper contributes:
(1)
A novel scenario where an adversary may mimic the sensor
trace of a victim on a bus, by tailing him in a car behind in
busy trac. Additionally, we examine the data collection for
four dierent sets of scenarios related to public transport, in
which both the adversary and the victim are travelling on:
a) a train, b) a taxi, c) a bus.
(2)
A permission-less mobile App that eciently (with low com-
putation and battery-consumption footprint) collects the
non-location sensitive sensor data.
(3) Analysis technique and results to show successful location-
tracking and location-proximity/co-location (two or more
users being in proximity to each other at a particular point
in time) using the non-privacy sensitive sensors.
In this paper, we will refer to location-tracking, location prox-
imity and co-location frequently. Therefore, the denition of these
terms in the context of this paper are:
Location-Tracking: This relates to either collection location
information directly from sensors like GPS, or inferring
a user’s location indirectly like WiFi networks and non-
privacy sensitive sensors like accelerometer and magnetome-
ter - as discussed in this paper.
3
A mobile App that provides local search and discovery features about local attractions,
best eateries and other facilities - based on user feedback. Since this revelation, they
have changed their privacy policies.
ARES-LPW ’19, ARES-LPW, UK,
Location Proximity / Co-Location: Proximity or co-location
detection relates to identifying two or more users being in
the vicinity to each other – either through direct or indirect
location tracking.
One point to note is that co-location without location tracking
is just an assessment whether two (or more) devices are near each
other without any GPS point of reference.
2 MOBILE SENSORS AND LOCATION
PRIVACY
In this section, we briey discuss o-the-shelve sensors, location
privacy and prior work.
2.1 Mobile Sensor Access Privilege
Modern mobile phones (aka smartphones) are equipped with sen-
sors, which are a silicon-based design that measures physical/environmental
features. Table 1 lists the sensors available on an Android smart-
phone.
Table 1: Sensor Availability on Android Platform
Sensors Privilege Access Location Sensitivity
Accelerometer No Yes+
Bluetooth Yes Yes*
Geomagnetic Rotation Vector No No
GPS Yes Yes
Gyroscope No No
Magnetometer No Yes+
Network Location Yes Yes
Pressure No No
Sound Yes Yes*
WiFi Yes Yes
Light No No
Proximity No No
Relative Humidity No No
Ambient Temperature No Yes*
These sensors are categorised as privileged and un-privileged
sensors. The privileged sensors are the one for whom you re-
quire explicit permission from the user (before using them), for
un-privileged sensors no user permission is required. In Table 1,
privileged sensors are represented as ‘Yes’ in the privilege access
column. Furthermore, in the location sensitive column, we identify
potential sensors that have location privacy implications. Some
of these sensors, like ambient temperature do not have a direct
inference of locations, but it can be used to build proximity infer-
ence of multiple devices to be at the same location (discussed in
Section 2.2.2) - and if one of them is sharing GPS data, location of
all other devices is easy to infer. For example, a crowd at a concert,
where an application only needs one user to permit it for using
GPS. All other devices can deny this permission, but their location
can still be inferred. The representation ‘Yes’ in location sensitivity
column means direct inference of location, ‘Yes*’ indicated indirect
inference and ‘Yes+’ indicates that you can build location proles
of an environment (e.g., train or bus route) that later can be used
for direct inference.
2.2 Prior Work in Location Tracking and
Proximity Detection
There is a number of ways in which the location of a user can
be tracked via smartphone and associated infrastructure. The two
related methods for location tracking related to this paper are dis-
cussed as below:
2.2.1 Permission-less Mobile Applications. A mobile App collects
non-location sensitive sensors, and from this data, users location is
calculated.
Nawaz et al. [
11
] proposed the use of gyroscope and accelerome-
ter to prole users travel patterns and based on these travel patterns
notify the user about potential trac alerts to enhance their travel
experience.
Following the above-discussed work, Narain et al. [
9
] highlighted
the privacy issues related to calculating a user location and his/her
travel patterns using the side-channels (i.e. non-location sensitive
sensors). They utilised gyroscope, accelerometer and magnetome-
ter to construct the sensors data from both real routes and simu-
lated ones (mimicking the real routes data). From this data, they
constructed the graph of routes in a city and an ecient search
mechanism to identify what prole of the three sensors matches
with the which segment of the route (in a given city). They showed
with high accuracy that they were able to identify the user routes
based on the three sensors. For this analysis, they have collected
data from an extensive simulation, where in our case we show that
this extensive proling can be replaced by proximity (similarity)
between journeys collected from the users.
Here we would like to identify that both Nawaz et al. [
11
] and
Narain et al. [
9
] were primarily focused on the user travelling in a
car in optimal conditions (e.g., not taking into account the trac
congestion, driving behaviour and vehicle/road conditions etc.).
These conditions in many cases inuence the sensor readings and
can give false results (false positive, false negative). Furthermore,
they were looking into the gyroscope and accelerometer together
to track users. In the case of Narain et al. [
9
], he also utilised mag-
netometer in their papers. Our experiments, detailed in this paper
are dierent because:
We collected data from taxies (car), buses and trains that
include the environmental conditions (congestion, behaviour
and vehicle/road condition).
For location identication, we utilised the notion of prox-
imity with a higher degree of GPS correlation rather than
route proling.
We use the accelerometer for taxi and bus, where for trains
we include the magnetometer. For taxi and bus, the magne-
tometer was not an eective data source in our trials.
We also ran a bus and a car shadowing the bus, to explore
the potential of tracking users across vehicles with high
accuracy travelling on the same route at the same time.
2.2.2 Proximity Detection based on Sensors. Halevi et al. [
4
] demon-
strated the suitability of using ambient sound and light for proximity
detection. Here, the authors analysed the sensor measurements col-
lected for 2 and 30 seconds duration for light and audio respectively
Location Tracking Using Smartphone Accelerometer and Magnetometer Traces
ARES-LPW ’19, ARES-LPW, UK,
– using a range of similarity comparison algorithms. Extensive ex-
periments were performed in dierent physical locations, with a
high success rate in detecting co-located devices.
Truong et al. [
13
] evaluated four dierent sensors. Similarly to
previous studies, their sample collection was from 10-120 seconds.
Shrestha et al. [
12
] used specialised hardware known as Sensor-
drone, with many ambient sensors, but did not evaluate the com-
modity ambient-sensors available on commercial handsets, did not
provide the sample collection duration, and only mentioned that
data from each sensor was collected for a few seconds.
3 EXPERIMENTAL TESTBED DEVELOPMENT
This section describes our testbeds including the test devices, test
environments, and the data processing platform.
3.1 Test devices
Six Android devices (ve phones and one tablet) were used in this
research, namely the Galaxy Nexus, LG Nexus 5, Samsung S4, Sam-
sung S8, Lenovo Phab Pro 2, and Nexus 9, covering a variety of
Android OS and sensor manufacturers. Their sensors’ specications
are detailed in Table 2. Measurement-wise, all sensors on our test
devices achieve a ne-grained sampling rate at a minimum of 49.65
Hz (about 50 samples per second) for the magnetometer and 99.5
Hz for the accelerometer, with the latest model capable of doubling
these numbers. In all experiments, our devices were held naturally
in the hands, left in the pocket or in the bag of their respective own-
ers. Their local clocks were synchronised before each experiment
by setting to the same time zone, then connecting to the Google
server to get the current time.
Table 2: The sensors specications of our test devices.
G. Nexus Nexus 5 S. S4 S. S8 Lenovo 2 Nexus 9
Magnetometer
sampling rate 100 Hz 50 Hz 100 Hz 100 Hz 50 Hz 100 Hz
Accelerometer
sampling rate 100 Hz 200 Hz 100 Hz 500 Hz 200 Hz 100 Hz
Release date 2011 2013 2013 2017 2016 2014
Android OS 4.3 5.0.1 5.0.1 7.0 6.0.1 6.0.1
3.2 Test environments
We set out to examine the sensor traces on all types of public
transport in London (i.e. taxi, bus, and train), using our test devices
described above. The test routes were chosen to cover a vast amount
of areas in London (see Table 3 and Figure 2).
Table 3: The details of the test routes.
Taxi Bus Train
Distance travelled 11.6 km 10 km 34 km
Duration 25 minutes 25 minutes 40 minutes
Number of stops 3 19 6
(a) The user interface of data col-
lection app.
(b) The power consumption of
our app was estimated at just
over 1% in one hour.
Figure 1: The Android app we developed for this work.
3.3 Sensor Data Collection
We developed an Android app that runs passively in the phone’s
background to record the sensors’ readings into a text le stored
locally on each device (see Figure 1a)
4
. The app’s interface was
intended to be minimalistic, which only requires the user attention
to specify the le name and how frequently the app should log the
sensors. The ‘Station’ button allows the users to specify if she has
arrived at a station to aid the data analysis. At the end of the trial,
the data le will be transferred to a PC for further analysis. The
format of the le is as follows. Each line describes a snapshot of
all sensors’ measure, accompanied by a time stamp. For this paper,
we will examine just the accelerometer and magnetometer. Both of
these sensors report three measures per inquiry, corresponding to
the strength along the (x, y, z)-axis.
Battery consumption wise, one hour of continuous inquiry and
writing the data to a le on one of our test models consumed as little
as 1% of battery, according to the inbuilt Android power measure
as shown in Fig1. It is worth noting that our current procedure is
grossly unoptimised. The majority of the workload is originated
from the I/O operation of ushing all sensors data into the phone’s
memory 100 times per second on ‘normal’ mode. In reality, the
sampling rate could be reduced, and not all sensors need to be
recorded. Additionally, we may compress the data before logging
them into the memory, or reduce consecutive data with similar
readings. Hence, there is room for further improvement.
3.4 Data Processing Platform
To analyse the sensors data and plot the results, we used Matlab
(version R2017b) with the Signal Processing Toolbox, running lo-
cally on an Intel Core i7-4770k 3.50 GHz Desktop CPU with 16 GB
of RAM.
Since the sensor of each phone has dierent sensitivities and
sampling rates, we employed Dynamic Time Warping (DTW) to
4
Our app can be downloaded free of charge on the Google App store, by searching for
“Fingerprinting WiFi Magnet”.
ARES-LPW ’19, ARES-LPW, UK,
(a) The 25 minute taxi route
through central London. It be-
gan in Deptford, and ended near
the ExCeL exhibition centre.
(b) The 25 minute bus route. It began in
Egham town, and ended near Windsor town.
(c) The 40 minute train route. It began at Waterloo station,
and ended at Egham station.
Figure 2: The test routes visualised on Google Maps, using GPS data.
align the sensor traces [
8
]. DTW is a proven method with well-
known applications in speech recognition research. In short, it
stretches the shorter trace to match the longer one by nding the
optimal warping path between them, using the following recursive
steps.
(1)
Given two time series vector
t=(t1, . . . , tm)
and
r=(r1, . . . , rn)
,
DTW nds the optimal warped path of length
k
:
(p1,q1), . . . ,
(pk,qk)that minimises
k
Í
i=1
|t(pi) − r(qi)|
(2)
We dene
D(i,j)
as the DTW distance between t and r. D(1,
1) is initialised as |t(1) r(1)|.
(3) We recursively calculate
D(i,j)=|t(i) − r(j)| +min
D(i-1, j)
D(i-1, j-1)
D(i, j-1)
with i=1 : mand j=1 : n
To quantify the similarity among traces, we used two metrics,
namely the Euclidean distance and the Kullback-Leibler metric. The
similarity score is calculated as the absolute DTW distance between
the two traces, normalised by the length of the optimal warped
path found by DTW.
To assess the uniqueness of each sensor trace (i.e. what is the
chance of two dierent routes having a similar sensor trace?), we
will apply the ‘Fourier transform’ on each trace [
14
]. In short, it mea-
sures every possible cycle to identify if there are repeated patterns
within the time series.
4 RESEARCH QUESTIONS
Having understood the theories and the objectives of permission-
less Apps for co-location tracking, we are now in a good position
to set out the following research questions to be examined later on.
(1)
How similar are the accelerometer and magnetometer traces
of passengers on the same public transport (i.e. taxi, bus, and
train)?
(2)
Is it possible for an adversary driving on a car to mimic the
sensor trace of a victim riding on a bus on the same road? If
so, how similar the traces will be?
5 EMPIRICAL EXPERIMENTS
This section conducts the experiments on the taxi, bus, and train to
assess the research questions set out in Section 4.
5.1 Experiment with the sensors trace in the
taxi
To verify the similarity of the accelerometer and magnetometer’s
readings in the same car, three passengers shared one taxi for a
25-minute journey through central London (see Figure 2a). The
rst passenger left the taxi after 9 minutes, and the second one
followed up after 18 minutes. Both of them continued walking for
a few minutes after leaving the vehicle.
Figure 3 demonstrates that the accelerometer is capable of pick-
ing up the slightest changes in movements, not just when the car
accelerates or decelerates, but also as it goes through speed bumps.
The high measures from the accelerometer happened when the rst
and second passengers walked.
If we consider the portion of the traces, when all three passen-
gers were together in the taxi, the overlapped sequence’s shape
was remarkably similar (see Figure 4a). To quantify this similarity,
we compared the DTW scores of dierent portions of the traces
including those that are not overlapped (see Table 4). The co-located
traces scored consistently lower than non-co-located ones.
Table 4: The DTW scores between dierent accelerometer
traces on taxi and on foot (lower number means more sim-
ilar). The co-located traces scored consistently lower than
non-colocated ones.
Euclidean Kullback-Leibler
Co-located Galaxy Nexus & Nexus 5 on taxi 0.0776 0.0012
Co-located Galaxy Nexus & Samsung S8 on taxi
0.0991 0.0021
Co-located Nexus 5 & Samsung S8 on taxi 0.0525 0.00057
Nexus 5 on foot, Samsung S8 on taxi 1.8472 0.66055
Galaxy Nexus on foot, Samsung S8 on taxi 2.3226 1.1896
However, the magnetometer’s traces of the passengers were
relatively at, with little spatial variation throughout the 9-minute
drive (see Figure 4b). In addition, the spectrogram indicated that
there were repeated patterns, due to the magnetic eld’s low spatial
Location Tracking Using Smartphone Accelerometer and Magnetometer Traces
ARES-LPW ’19, ARES-LPW, UK,
(a) The rst passenger left the taxi after 9 minutes.
(b) The second passenger left the taxi after 18 min-
utes.
(c) The third passenger travelled for a full 25 minute
journey.
Figure 3: The full accelerometer traces of three passengers in the same taxi. Note the high measures when the passengers
travel on foot after leaving the taxi.
(a) The accelerometer traces in the taxi. The Samsung S8 and Nexus 5’s
traces were shifted 2 and 4 units vertically with respect to the Galaxy
Nexus’ trace for comparison purpose.
(b) The magnetometer measures in the taxi have very low spatial varia-
tion.
Figure 4: The overlapped sensor traces of three passengers
travelling together in the same taxi for 9 minutes.
variation (see Figure 5). Since taxis are running on petrol, they do
not alter the onboard magnetic eld. The roads and pavements are
a mixture of cement and sand which have no impact on magnetism.
These conditions made it impractical for location tracking with the
magnetometer traces.
(a) The accelerometer’s spectrogram indicates there is no clear repeated
patterns.
(b) The magnetometer’s spectrogram indicates there are repeated pat-
terns, visualised by the horizontal lines.
Figure 5: The spectrogram of the accelerometer and mag-
netometer traces in the taxi to investigate the repeated pat-
terns.
5.2 Experiment with the sensors trace on the
bus
To verify the similarity of the sensor readings on the bus, four
surveyors rode the same bus for 25 minutes (see Figure 2b). They
sat in dierent places on the bus with their phones held naturally
in their hands or left in pockets. Compared to the previous taxi
experiment, the bus environment possesses similar features (i.e.
both are petrol-based vehicles, running on the same road-material
surface). Hence, its accelerometer and magnetometer traces are
similar to the taxi’s.
ARES-LPW ’19, ARES-LPW, UK,
We applied the same methods to visually and computationally
compare the sensor traces, as in the last experiment. A visual pre-
sentation of the four accelerometer traces revealed a similar shape
(see Figure 6a), which was re-armed by their DTW scores (see
Table 8). The magnetometer measure had low spatial variation, as
expected, and would not be recommended to be used for sensor
matching (see Figure 6b). Similarly, the spectrogram of the magne-
tometer trace indicated that there were repeated patterns, due to its
low spatial variation, whereas the spectrogram of the accelerometer
trace had no such indication (see Figure 7).
(a) The accelerometer traces on the bus. The Samsung S8, Lenovo 2 and
Nexus 5’s traces were shifted 2, 4 and 6 units vertically with respect to
the Galaxy Nexus’ trace for comparison purpose.
(b) The magnetometer traces on the bus have very low spatial variation.
Note the unusual spike of one device was caused by the electric noise.
Figure 6: The sensor traces of four passengers riding on the
same bus for 25 minutes.
Table 5: The DTW scores between four accelerometer traces
on the bus (lower number means more similar).
Euclidean Kullback-Leibler
Co-located Galaxy Nexus & Samsung S8 on bus
0.10141 0.0030335
Co-located Galaxy Nexus & Lenovo 2 on bus 0.085535 0.001989
Co-located Galaxy Nexus & Nexus 5 on bus 0.084074 0.001923
5.3 Experiment with the sensors trace on a car
tailing a bus
Another potential scenario is matching the sensor measurements
of two dierent users on a dissimilar mode of transport (a bus and
(a) The accelerometer’s spectrogram indicates there is no clear repeated
patterns.
(b) The magnetometer’s spectrogram indicates there are repeated pat-
terns, visualised by the horizontal lines.
Figure 7: The spectrogram of the accelerometer and magne-
tometer traces on the bus to investigate the repeated pat-
terns.
a car in this instance). For this experiment, one rode the bus, while
the other two tailing the bus in a car for a 20-minute journey.
Figure 8 revealed a highly similar shape of the bus accelerometer
trace, backed up by their DTW scores (see Table 6). Since the car
followed behind the bus in the trac, we considered the trace lag
to be minimal (i.e. the impact of a speed bump on the bus was just
about 1 second ahead).
Table 6: The DTW scores between one accelerometer trace
on the bus and one in the car (lower number means more
similar).
Euclidean Kullback-Leibler
Samsung S4 & Nexus 9 in car 0.11469 0.0030534
Samsung S4 in car & Samsung S8 on
bus 0.12066 0.004992
Nexus 9 in car & Samsung S8 on bus 0.09675 0.0033772
5.4 Experiment with the sensors trace on the
train
Compared to the last three experiments on the taxi and bus, trains
are operated by electricity, which has a major impact on the onboard
magnetic eld.
Location Tracking Using Smartphone Accelerometer and Magnetometer Traces
ARES-LPW ’19, ARES-LPW, UK,
Figure 8: The accelerometer traces of two phones in car tail-
ing another phone on a bus. The Nexus 9 and Samsung S8’s
traces were shifted 4 and 8 units vertically for the Samsung
S4’s trace for comparison purpose. The overall shape of the
whole journey is similar.
For this experiment, four surveyors sat in dierent places through-
out the train for a 40-minute journey (see Figure 2c). A visual presen-
tation of the four accelerometer and magnetometer traces revealed
a similar shape (see Figure 9a), backed up by their DTW scores (see
Table 8).
Table 7: The DTW scores between four accelerometer traces
on the train (lower number means more similar).
Euclidean Kullback-Leibler
Co-located Galaxy Nexus & Samsung
S8 on train 0.0757 0.0011091
Co-located Galaxy Nexus & Lenovo 2
on train 0.03 0.00019595
Co-located Galaxy Nexus & Nexus 5 on
train 0.0870 0.0014
Table 8: The DTW scores between four magnetometer traces
on the train (lower number means more similar). Note that
the magnetometer measures are on a dierent scale unit
than the accelerometer ones.
Euclidean Kullback-Leibler
Co-located Galaxy Nexus & Samsung
S8 on train 31.0739 14.7643
Co-located Galaxy Nexus & Lenovo 2
on train 7.7437 1.7670
Co-located Galaxy Nexus & Nexus 5 on
train 14.4307 10.2470
However, the spectrogram of the accelerometer traces indicated
that there might be some repeated patterns, whereas the spectro-
gram of the magnetometer had no such indication (see Figure 10).
The reason was that trains often run at a constant speed in long
trips, and only accelerated at the beginning, and decelerated by the
end of the next stop.
(a) The accelerometer traces on the train. The Samsung S8, Lenovo 2 and
Nexus 5’s traces were shifted 2, 4 and 6 units vertically with respect to
the Galaxy Nexus’ trace for comparison purpose.
(b) The magnetometer traces on the train. The Samsung S8, Lenovo 2 and
Nexus 5’s traces were shifted 100, 200 and 300 units vertically with respect
to the Galaxy Nexus’ trace for comparison purpose.
Figure 9: The sensor traces of four passengers travelling on
the same train for 40 minutes.
5.5 Summary of the experimental results
In this part, we briey summarise the results obtained in previ-
ous sections, addressing the research questions outlined in Sec-
tion 4. Firstly, the accelerometer traces of the passengers in the
same vehicle demonstrated promising similarity, through-out the
experiments on a taxi, bus, and train. Secondly, the accelerometer
measures showed a high spatial variation on taxis and buses, thanks
to the frequent accelerations, decelerations, and the uneven surface
of the roads (e.g. speed bumps). The accelerometer’s measures may
be applied to match passengers’ traces. However, since trains tend
to run at a constant speed during long journeys, the traces are not
as distinctive as those on taxi and bus. Thirdly, the magnetometer
measures were distinctive on the trains, but not on the taxis and
buses. The reasons were that the trains in London are powered by
electricity, and the rail-lines are made of metal composite materials,
which alter on the onboard magnetic eld. In contrast, London
taxis and buses are petrol-based vehicles. The roads are also a mix-
ture of sand and cement which have no impact on the magnetic
eld. Fourthly, we demonstrated the possibility of mimicking the
accelerometer trace on a bus, by tailing it in a car on the same
road in busy trac. Finally, a summary of the sensors’ potential
usage for location tracking, drawn from the above experiments, is
outlined in Table 9.
ARES-LPW ’19, ARES-LPW, UK,
(a) The accelerometer’s spectrogram indicates there may be some re-
peated patterns, visualised by the horizontal lines, although they are not
perfectly clear.
(b) The magnetometer’s spectrogram indicates there is no repeated pat-
terns.
Figure 10: The spectrogram of the accelerometer and magne-
tometer traces on the train to investigate the repeated pat-
terns.
Table 9: A summary of the potential usage of mobile sensors
for location tracking.
Dierence in Dierence in
magnetometer traces accelerometer traces
For Taxi Low High
For Bus Low High
For Train High Average
6 PRIVACY IMPLICATIONS AND POTENTIAL
WAY FORWARD
This section briey discusses the implication of this work and po-
tential defence mechanism with their pros and cons.
6.1 Location Privacy and Mobile Sensors
In this paper, we have shown with eld trials that non-location
sensitive mobile sensors can be used to track users over public
transport. Our results show that the existing techniques that limit
the sensor permission to perceived location sensitive sensors are
not eective. The results of this paper, along with the prior research
discussed in Section 2.2.1 provides clear evidence that sensors that
are perceived to have no privacy consequences like magnetometer
can, in fact, enable location tracking.
Location data is privacy-sensitive, and there is a number of reg-
ulations that enshrine user’s rights about location privacy. For
example, the US Congress Location Privacy Protection Act 2014.
Furthermore, with evolving regulation around the world like the
introduction of General Data Protection Regulation (GDPR) [
2
] will
require the management of data collected via sensors that are not
deemed privacy sensitive to be carefully considered. If an applica-
tion developer uses these sensors for legit reasons, they still have to
treat them as privacy sensitive information and under GDPR they
might be liable for hefty nes if they do not adequately protect this
information.
6.2 Potential Way Forward
One of the main position privacy campaigners have taken is the
concept of "choice and informed consent" about data collection
from individual users. This concept does not take into account:
User awareness of technology, including the unintended
consequence of it.
Complexity of length terms and conditions that normal users
will not read and issues with such a position.
Lack of transparency about and control on privacy data -
after it is being collected.
In the situation highlighted in this proposal, a potential counter-
measure proposed based on choice and informed consent include
“Sensor Guardian" [
1
], which extends the application permissions
to traditionally considered non-privacy sensitive sensors.
Normal users want exibility, convenience and least among of
hassle to perform their tasks, asking for additional permission at
regular intervals has the potential of desensitising them [
6
]. A
potential solution can be towards behaviour analysis of the appli-
cations that are accessing sensor data. If an application is accessing
data often and for longer periods of time, the application may be
tracking the user.
7 CONCLUSION
This paper put forward a proposition that users can be location
tracked over public transport using non-location sensitive sen-
sors to high accuracy. To empirically support this statement, we
developed a low footprint mobile application for data collection
and an ecient analysis framework. We collected sensor data for
accelerometer and magnetometer over four dierent settings - rang-
ing on dierent public transport mechanisms including taxi, bus,
and train. The results of our experiments showed that a user could
be accurately tracked over the public transport network. Further-
more, we stipulated that the standard option of choice and informed
consent might not be a preferable solution. To conclude as future
research, we will investigate the behaviour based sensor privacy
guard that can prevent sensor data access if an application is be-
having as such that it is tracking a user via non-location sensors.
REFERENCES
[1]
Xiaolong Bai, Jie Yin, and Yu-Ping Wang. 2017. Sensor Guardian: prevent privacy
inference on Android sensors. EURASIP Journal on Information Security 2017, 1
(08 Jun 2017), 10. https://doi.org/10.1186/s13635-017-0061- 8
[2]
2016. Regulation (EU) 2016/679 of the European Parliament and of the Council of
27 April 2016 on the protection of natural persons with regard to the processing
of personal data and on the free movement of such data, and repealing Directive
Location Tracking Using Smartphone Accelerometer and Magnetometer Traces
ARES-LPW ’19, ARES-LPW, UK,
95/46/EC (General Data Protection Regulation). Ocial Journal of the European
Union L119 (4 May 2016), 1–88.
[3]
Gerald Friedland and Robin Sommer. 2010. Cybercasing the Joint: On the Privacy
Implications of Geo-tagging. In Proceedings of the 5th USENIX Conference on Hot
Topics in Security (HotSec’10). 1–8.
[4]
Tzipora Halevi, Di Ma, Nitesh Saxena, and Tuo Xiang. 2012. Secure Proximity
Detection for NFC Devices Based on Ambient Sensor Data. In Computer Security
– ESORICS 2012, Sara Foresti, Moti Yung, and Fabio Martinelli (Eds.). 379–396.
https://doi.org/10.1007/978-3- 642-33167- 1_22
[5]
Balachander Krishnamurthy and Craig E. Wills. 2010. Privacy Leakage in Mobile
Online Social Networks. In Proceedings of the 3rd Wonference on Online Social
Networks (WOSN’10). 4–4.
[6]
Kat Krol, Matthew Moroz, and M Angela Sasse. 2012. Don’t work. Can’t work?
Why it’s time to rethink security warnings. In risk and security of internet and
systems (CRiSIS), 2012 7th International conference on. 1–8.
[7]
Hai Liang, Fei Shen, and King-wa Fu. 2017. Privacy protection and self-disclosure
across societies: A study of global Twitter users. new media & society 19, 9 (2017),
1476–1497.
[8]
Meinard Müller. 2007. Dynamic time warping. Information retrieval for music
and motion (2007), 69–84.
[9]
Sashank Narain, Triet D. Vo-Huu, Kenneth Block, and Guevara Noubir. 2016.
Inferring User Routes and Locations Using Zero-Permission Mobile Sensors.. In
IEEE Symposium on Security and Privacy. 397–413.
[10]
Arvind Narayanan, Narendran Thiagarajan, Mugdha Lakhani, Michael Hamburg,
Dan Boneh, et al
.
2011. Location Privacy via Private Proximity Testing.. In NDSS.
[11]
Sarfraz Nawaz and Cecilia Mascolo. 2014. Mining users’ signicant driving routes
with low-power sensors. In Proceedings of the 12th ACM Conference on Embedded
Network Sensor Systems. 236–250.
[12]
Babins Shrestha, Nitesh Saxena, Hien Thi Thu Truong, and N Asokan. 2014. Drone
to the Rescue: Relay-Resilient Authentication using Ambient Multi-sensing. In
Financial Cryptography and Data Security. 349–364.
[13]
Hien Thi Thu Truong, Xiang Gao, Biva Shrestha, Navrati Saxena, N Asokan,
and Petteri Nurmi. 2014. Comparing and Fusing Dierent Sensor Modalities
for Relay Attack Resistance in Zero-Interaction Authentication. In Pervasive
Computing and Communications (PerCom), 2014 IEEE International Conference on.
IEEE, 163–171.
[14]
William WS Wei. 2006. Time series analysis. In The Oxford Handbook of Quanti-
tative Methods in Psychology: Vol. 2.
... The rationale is that although magnetometer does not directly measure motions, its function in detecting the Earth's magnetic North (e.g. as a compass) may be used in conjunction with accelerometer and gyroscope to determine the absolute heading. Nevertheless, the use of magnetometer for inertial tracking in this context could be restricted by the strong anomalies of the magnetic field within the building [54]. Nevertheless, as with other sensor categories, inertial sensors were not designed with indoor positioning in mind. ...
... Availability wise, almost every single smartphone comes equipped with inertial sensors to support the basic functions of adapting the phone screen's orientation. Accessibility wise, from the indoor positioning service's perspective, this group of sensors can be accessed at any given time by the app, without any user permission, to deliver a smooth user experience, yet some may argue about its potential security risk [54]. Power wise, inertial sensors belong to the group of so-called low power sensors, which consume so little power that Android allows them to be always on. ...
Article
Full-text available
The continual proliferation of mobile devices has encouraged much effort in using the smartphones for indoor positioning. This article is dedicated to review the most recent and interesting smartphones‐based indoor navigation systems, ranging from electromagnetic to inertia to visible light ones, with an emphasis on their unique challenges and potential real‐world applications. A taxonomy of smartphone sensors will be introduced, which serves as the basis to categorise different positioning systems for reviewing. A set of criteria to be used for the evaluation purpose will be devised. For each sensor category, the most recent, interesting, and practical systems will be examined, with detailed discussion on the open research questions for the academics, and the practicality for the potential clients.
... 1) Motion Sensors: Several studies have shown how the position of a person can be inferred from the accelerometer, gyroscope and magnetometer while he or she is walking, driving or using public transport [82,75,75,76]. In [82] the authors compared the pre-established routes with those taken by users while using different transport modes such as walking, train, bus or taxi. ...
... 1) Motion Sensors: Several studies have shown how the position of a person can be inferred from the accelerometer, gyroscope and magnetometer while he or she is walking, driving or using public transport [82,75,75,76]. In [82] the authors compared the pre-established routes with those taken by users while using different transport modes such as walking, train, bus or taxi. They compared both routes with a Dynamic Time Warping (DTW) algorithm obtaining a Kullback-Leibler distance of 0.00057 when the journey was made by taxi. ...
Article
Full-text available
The number of mobile devices, such as smartphones and smartwatches, is relentlessly increasing to almost 6.8 billion by 2022, and along with it, the amount of personal and sensitive data captured by them. This survey overviews the state of the art of what personal and sensitive user attributes can be extracted from mobile device sensors, emphasising critical aspects such as demographics, health and body features, activity and behaviour recognition, etc. In addition, we review popular metrics in the literature to quantify the degree of privacy, and discuss powerful privacy methods to protect the sensitive data while preserving data utility for analysis. Finally, open research questions are presented for further advancements in the field.
... Some ads were selected to due age and location, meaning the city. Hence, Twitter uses IP geolocation [10] or other location tracking methods such as utilizing smartphone sensors [26], since the city was otherwise not specified by the user. According to Diel et al. [12], tracking mechanisms used by web pages and apps are from the user's perspective not always transparent. ...
Conference Paper
The European General Data Protection Regulation (GDPR) came into effect in May 2018. It requires organizations to give European users access to their data. Although several requirements are contained in the GDPR, such as machine-readable format and easily understandable information, these kinds of regulations leave flexibility on how to achieve them. In order to understand the past and the current practices emerging from the GDPR, we evaluate data exports from 2018 and 2023 of one reference account from the social media platform Twitter. We analyze the service’s compliance with the requirements of the GDPR, the changes within the time span, and the differences between accounts. To compare and verify the results, we incorporate the findings of data exports of four verification accounts. The results show that the information presented to the users is easier to understand with the present version. However, the data is not provided in a machine-readable format and additional files, such as more than 3,000 emoticons, are incorporated. In addition, not all practices are according to GDPR. Based on the results, the study suggests future research topics and practical improvements.
... Meteriz et al. [19] predict the location trajectory of users from publicly available elevation profiles. Nguyen et al. [20] demonstrate high accuracy location tracking just through smartphone accelerometer and magnetometer's footprints. ...
Preprint
Full-text available
Wearable devices have gained huge popularity in today's world. These devices collect large-scale health data from their users, such as heart rate and step count data, that is privacy sensitive, however it has not yet received the necessary attention in the academia. In this paper, we perform the first systematic study on quantifying privacy risks stemming from step count data. In particular, we propose two attacks including attribute inference for gender, age and education and temporal linkability. We demonstrate the severity of the privacy attacks by performing extensive evaluation on a real life dataset and derive key insights. We believe our results can serve as a step stone for deriving a privacy-preserving ecosystem for wearable devices in the future.
... Certain scientific articles demonstrate that the geographic location of a person can be determined using data generated by several mobile sensors, such as accelerometer, gyroscope, and magnetometer, during the person's daily routines that involve using public transport, walking, or driving. The authors of [163] comparatively analyzed pre-defined routes, which were used by the end users relative to different means of transportation, such as walking, train, bus, or taxi. They compared the routes using a dynamic time warping (DTW) algorithm, which generated a Kullback-Leibler distance of 0.00057 relative to a taxi trip. ...
Article
Full-text available
The continuously increasing number of mobile devices actively being used in the world amounted to approximately 6.8 billion by 2022. Consequently, this implies a substantial increase in the amount of personal data collected, transported, processed, and stored. The authors of this paper designed and implemented an integrated personal health data management system, which considers data-driven software and hardware sensors, comprehensive data privacy techniques, and machine-learning-based algorithmic models. It was determined that there are very few relevant and complete surveys concerning this specific problem. Therefore, the current scientific research was considered, and this paper comprehensively analyzes the importance of deep learning techniques that are applied to the overall management of data collected by data-driven soft sensors. This survey considers aspects that are related to demographics, health and body parameters, and human activity and behaviour pattern detection. Additionally, the relatively complex problem of designing and implementing data privacy mechanisms, while ensuring efficient data access, is also discussed, and the relevant metrics are presented. The paper concludes by presenting the most important open research questions and challenges. The paper provides a comprehensive and thorough scientific literature survey, which is useful for any researcher or practitioner in the scope of data-driven soft sensors and privacy techniques, in relation to the relevant machine-learning-based models.
... Contacts and contact interaction provide information about who is in our social network and possibly on the types of relationships between us [22,43]. As most current smartphones include GPS and a myriad of other sensors, they observe and record where we go every day and for how long we stay [37,47]. Finally, any tokens that are unique to a user can cross-identify a user across different data collectors. ...
Article
Full-text available
At the end of 2020, Apple introduced privacy nutritional labels, requiring app developers to state what data is collected by their apps and for what purpose. In this paper, we take an in-depth look at the privacy labels and how they relate to actual transmitted data. First, we give an exploratory statistically evaluation of 11074 distinct apps across 22 categories and their corresponding privacy label or lack thereof. Our dataset shows that only some apps provide privacy labels, and a small number self-declare that they do not collect any data. Additionally, our statistical methods showcase the differences of the privacy labels across application categories. We then select a subset of 1687 apps across 22 categories from the German App Store to conduct a no-touch traffic collection study. We analyse the traffic against a set of 18 honey-data points and a list of known advertisement and tracking domains. At least 276 of these apps violate their privacy label by transmitting data without declaration, showing that the privacy labels’ correctness was not validated during the app approval process. In addition, we evaluate the apps’ adherence to the GDPR in respect of providing a privacy consent form, through collected screenshots, and identify numerous potential violations of the directive.
... It is possible for a malicious actor to circumvent the security policy of a smartphone by inferring sensitive information using low powered sensors such as accelerometers. Nguyen et al. demonstrated this by using magnetometer and accelerometer traces to track the movement of a target's smartphone (Nguyen et al., 2019). It was also demonstrated that JavaScript and a locally installed app could, with only 100 sensor samples, infer the device factory calibration and allow fingerprinting of a specific device across multiple platforms (Zhang et al., 2019). ...
Article
Ambient Light Sensors (ALS) are integrated into mobile devices to enable various functionalities such as automatic adjustment of screen brightness and background color. ALSs can be used to record the light intensity in the surrounding environment without requiring permission from the user; however, this ability raises novel privacy risks. In this paper, we propose LuxTrack, a side-channel privacy attack that uses the ALS of a smartphone to infer the user’s activity on a nearby laptop using the light emitted from the laptop screen. To demonstrate LuxTrack, we developed an Android app that records the light intensity data from the ALS of a mobile device, and used this app to create an ALS light intensity dataset in a controlled environment with real human subjects. From this dataset, LuxTrack extracts a total of 187 features under 6 categories and trains 6 different machine learning models for activity inference. Experiments show that LuxTrack can achieve up to 80% accuracy in inferring the sites/apps the user is viewing on their laptop. We then propose three countermeasures against LuxTrack: binning, smoothing, and noise addition. We demonstrate that while these countermeasures are effective in reducing attack accuracy, they also yield a reduction in the accuracy of legitimate tasks (e.g., adjusting screen background color). By conducting a trade-off analysis between attack accuracy and legitimate task accuracy, we show that the choice of the right countermeasure and parameters can enable the reduction of attack accuracy to below 30% while only incurring 3% loss in legitimate task accuracy.
Chapter
The increasing usage of mobile devices amounts to around 6.8 billion by 2022. This implies a substantial increase in the quantity of personal data that are managed. The paper surveys the most relevant contributions that pertain to human activity, behavioural patterns detection, demographics, health and body parameters. Moreover, significant aspects regarding data privacy are also analyzed. The paper also defines relevant research questions and challenges.
Article
Full-text available
Privacy inference attacks based on sensor data is an emerging and severe threat on smart devices, in which malicious applications leverage data from innocuous sensors to infer sensitive information of user, e.g., utilizing accelerometers to infer user’s keystroke. In this paper, we present Sensor Guardian, a privacy protection system that mitigates this threat on Android by hooking and controlling applications’ access to sensors. Sensor Guardian inserts hooks into applications by statically instrumenting their APK (short for Android Package Kit) files and enforces control policies in these hooks at runtime. Our evaluation shows that Sensor Guardian can effectively and efficiently mitigate the privacy inference threat on Android sensors, with negligible overhead during both static instrumentation and runtime control.
Article
Full-text available
Dynamic time warping (DTW) is a well-known technique to find an optimal alignment between two given (time-dependent) sequences under certain restrictions. Intuitively, the sequences are warped in a non-linear fashion to match each other. Originally, DTW has been used to compare different speech patterns in automatic speech recognition. In fields such as data mining and information retrieval, DTW has been successfully applied to automatically cope with time deformations and different speeds associated with time-dependent data. In this chapter, we introduce and discuss the main ideas of classical DTW (Section 4.1) and summarize several modifications concerning local as well as global parameters (Section 4.2). To speed up classical DTW, we describe in Section 4.3 a general multiscale DTW approach. In Section 4.4, we show how DTW can be employed in identifying all subsequences within a long data stream that are similar to a given query sequence (Section 4.4). A discussion of related alignment techniques and references to the literature can be found in Section 4.5.
Conference Paper
Full-text available
In certain applications, it is important for a remote server to securely determine whether or not two mobile devices are in close physical proximity. In particular, in the context of an NFC transaction, the bank server can validate the transaction if both the NFC phone and reader are precisely at the same location thereby preventing a form of a devastating relay attack against such systems. In this paper, we develop secure proximity detection techniques based on the information collected by ambient sensors available on NFC mobile phones, such as audio and light data. These techniques can work under the current payment infrastructure, and offer many advantages. First, they do not require the users to perform explicit actions, or make security decisions, during the transaction – just bringing the devices close to each other is sufficient. Second, being based on environmental attributes, they make it very hard, if not impossible, for the adversary to undermine the security of the system. Third, they provide a natural protection to users’ location privacy as the explicit location information is never transmitted to the server. Our experiments with the proposed techniques developed on off-the-shelf mobile phones indicate them to be quite effective in significantly raising the bar against known attacks, without affecting the NFC usage model. Although the focus of this work is on NFC phones, our approach will also be broadly applicable to RFID tags or related payment cards equipped with on-board audio or light sensors.
Article
Full-text available
While there is significant work on sensing and recognition of significant places for users, little attention has been given to users' significant routes. Recognizing these routine journeys, can open doors for the development of novel applications, like personalized travel alerts, and enhancement of user's travel experience. However, the high energy consumption of traditional location sensing technologies, such as GPS or WiFi based localization, is a barrier to passive and ubiquitous route sensing through smartphones. In this paper, we present a passive route sensing framework that continuously monitors a vehicle user solely through a phone's gyroscope and accelerometer. This approach can differentiate and recognize various routes taken by the user by time warping angular speeds experienced by the phone while in transit and is independent of phone orientation and location within the vehicle, small detours and traffic conditions. We compare the route learning and recognition capabilities of this approach with GPS trajectory analysis and show that it achieves similar performance. Moreover, with an embedded co-processor, common to most new generation phones, it achieves energy savings of an order of magnitude over the GPS sensor.
Conference Paper
Full-text available
As the number of Internet users has grown, so have the security threats that they face online. Security warnings are one key strategy for trying to warn users about those threats; but recently, it has been questioned whether they are effective. We conducted a study in which 120 participants brought their own laptops to a usability test of a new academic article summary tool. They encountered a PDF download warning for one of the papers. All participants noticed the warning, but 98 (81.7%) downloaded the PDF file that triggered it. There was no significant difference between responses to a brief generic warning, and a longer specific one. The participants who heeded the warning were overwhelmingly female, and either had previous experience with viruses or lower levels of computing skills. Our analysis of the reasons for ignoring warnings shows that participants have become desensitised by frequent exposure and false alarms, and think they can recognise security risks. At the same time, their answers revealed some misunderstandings about security threats: for instance, they rely on anti-virus software to protect them from a wide range of threats, and do not believe that PDF files can infect their machine with viruses. We conclude that security warnings in their current forms are largely ineffective, and will remain so, unless the number of false positives can be reduced.
Article
Privacy is a culturally specific phenomenon. As social media platforms are going global, questions concerning privacy practices in a cross-cultural context become increasingly important. The purpose of this study is to examine cultural variations of privacy settings and self-disclosure of geolocation on Twitter. We randomly selected 3.3 million Twitter accounts from more than 100 societies. Results revealed considerable cultural and societal differences. Privacy setting in collectivistic societies was more effective in encouraging self-disclosure; whereas it appeared to be less important for users in individualistic societies. Internet penetration was also a significant factor in predicting both the adoption of privacy setting and geolocation self-disclosure. However, we did not find any direct relationships between cultural values and self-disclosure.
Conference Paper
Many mobile and wireless authentication systems are prone to relay attacks whereby two non co-presence colluding entities can subvert the authentication functionality by simply relaying the data between a legitimate prover (P{\mathcal {P}}) and verifier (V{\mathcal {V}}). Examples include payment systems involving NFC and RFID devices, and zero-interaction token-based authentication approaches. Utilizing the contextual information to determine P{\mathcal {P}}-V{\mathcal {V}} proximity, or lack thereof, is a recently proposed approach to defend against relay attacks. Prior work considered WiFi, Bluetooth, GPS and Audio as different contextual modalities for the purpose of relay-resistant authentication. In this paper, we explore purely ambient physical sensing capabilities to address the problem of relay attacks in authentication systems. Specifically, we consider the use of four new sensor modalities, ambient temperature, precision gas, humidity, and altitude, for P{\mathcal {P}}-V{\mathcal {V}} proximity detection. Using an off-the-shelf ambient sensing platform, called Sensordrone, connected to Android devices, we show that combining these different modalities provides a robust proximity detection mechanism, yielding very low false positives (security against relay attacks) and very low false negatives (good usability). Such use of multiple ambient sensor modalities offers unique security advantages over traditional sensors (WiFi, Bluetooth, GPS or Audio) because it requires the attacker to simultaneously manipulate the multiple characteristics of the physical environment.
Conference Paper
Zero-Interaction Authentication (ZIA) refers to approaches that authenticate a user to a verifier (terminal) without any user interaction. Currently deployed ZIA solutions are predominantly based on the terminal detecting the proximity of the user's personal device, or a security token, by running an authentication protocol over a short-range wireless communication channel. Unfortunately, this simple approach is highly vulnerable to low-cost and practical relay attacks which completely offset the usability benefits of ZIA. The use of contextual information, gathered via on-board sensors, to detect the co-presence of the user and the verifier is a recently proposed mechanism to resist relay attacks. In this paper, we systematically investigate the performance of different sensor modalities for co-presence detection with respect to a standard Dolev-Yao adversary. First, using a common data collection framework run in realistic everyday settings, we compare the performance of four commonly available sensor modalities (WiFi, Bluetooth, GPS, and Audio) in resisting ZIA relay attacks, and find that WiFi is better than the rest. Second, we show that, compared to any single modality, fusing multiple modalities improves resilience against ZIA relay attacks while retaining a high level of usability. Third, we motivate the need for a stronger adversarial model to characterize an attacker who can compromise the integrity of context sensing itself. We show that in the presence of such a powerful attacker, each individual sensor modality offers very low security. Positively, the use of multiple sensor modalities improves security against such an attacker if the attacker cannot compromise multiple modalities simultaneously.
Conference Paper
This article aims to raise awareness of a rapidly emerging privacy threat that we term cybercasing: using geo-tagged information available online to mount real-world attacks. While users typically realize that sharing locations has some implications for their privacy, we provide evidence that many (i) are unaware of the full scope of the threat they face when doing so, and (ii) often do not even realize when they publish such information. The threat is elevated by recent developments that make systematic search for specific geo-located data and inference from multiple sources easier than ever before. In this paper, we summarize the state of geo-tagging; estimate the amount of geo-information available on several major sites, including YouTube, Twitter, and Craigslist; and examine its programmatic accessibility through public APIs. We then present a set of scenarios demonstrating how easy it is to correlate geotagged data with corresponding publicly-available information for compromising a victim's privacy. We were, e.g., able to find private addresses of celebrities as well as the origins of otherwise anonymized Craigslist postings. We argue that the security and privacy community needs to shape the further development of geo-location technology for better protecting users from such consequences.