Users of iPhones may be uniquely vulnerable to a new kind of cyberstalking that can reveal their real-life whereabouts, if they leave GPS and Wi-Fi activated.Enlarge
An Australian computer-security expert has created an application that lets anyone see the locations of the last three Wi-Fi access points used by an Apple iPhone or iPad ? information that could be used to deduce where the iOS device user lives.Skip to next paragraph
google_ads.line2 + '
' + google_ads.line3 + '
Subscribe Today to the Monitor
Melbourne-based researcher Hubert Seiwert's iSniff GPS, now freely available for anyone to download and use, combines three different Apple iOS features.
None of the features pose any threat to privacy on their own, but when combined could tell strangers a lot about you.
"This could be used to locate ... where people live," Seiwert told SC Magazine.
Three's a crowdsource
The first feature Seiwert used is well-known. Apple iOS devices that have both Wi-Fi and GPS turned on send the names and locations of all Wi-Fi access points they encounter back to the Apple mothership. The devices don't need to be connected to a specific access point for this to happen.
This feature helps Apple's mapping services. Google does the same thing with Android devices. Users of both kinds of devices can turn the data-sharing off.
The second feature is unique to iOS devices. Last year, security researcher Mark Wuergler of Miami-based Immunity Inc. found that iOS devices, when trying to connect to a Wi-Fi access point, will broadcast the unique network-interface IDs of the previous three Wi-Fi access points to which the devices actually did connect.
These unique network-interface IDs, called MAC addresses, can be physically located when run against online location services that keep databases of such things.
(MAC addresses differ from Wi-Fi access-point names such as "John's Wireless Router." MAC addresses are fixed, unique and used by machines to communicate with each other; Wi-Fi location names, also called SSIDs, can change at any time and exist for human convenience.)
Wuergler told the tech blog Ars Technica in March 2012 that he'd combined the Apple MAC-address feature with Google Location Services for Android to create a proof-of-concept application called "Stalker."
"I'll know where you work, I'll know where you live and know where you frequent," Wuergler said at the time. "If the last access point you connected to was your home, for example, I'll know right where to go to get to you later or get to your data."