21 Comments

Summary:

The news that Apple devices keep a record of your movements has generated plenty of coverage. Now, however, one researcher says not only has the knowledge been public for some time, but it’s already being used by security researchers and law enforcement agents.

Alex Levinson

Alex LevinsonWhen British programmers Alasdair Allen and Pete Warden took the stage at the Where 2.0 conference to unveil their work on iPhone location tracking, it was clear they had some big news on their hands. The duo outlined what they called “the discovery that your iPhone and 3G iPad [are] regularly recording the position of your device into a hidden file”. Their findings started a firestorm of media coverage.

But as the details came to light, one researcher was left scratching his head — because he’d already made the same discovery last year.

Alex Levinson, 21, works at the Rochester Institute of Technology in western New York, and he’s been studying forensic computing and working with Katana Forensics, which makes tools for interrogating iOS devices.

In a post on his blog, he explains that the existence of the location database — which tracks the cellphone towers your phone has connected to — has been public in security circles for some time. While it’s not widely known, that’s not the same as not being known at all. In fact, he has written and presented several papers on the subject and even contributed a chapter on the location data in a book that covers forensic analysis of the iPhone.

(One blogger reviewing the book in January mentioned the cell tower data and says “more and more you realize how much information Apple’s mobile devices could contain and how valuable this could be for your investigation”).

In his post, it’s clear Levinson takes issue with the claim of “discovery”. In fact, he told me by email that Allan and Warden had apparently missed out a whole area of existing research conducted by forensic analysts.

“It was a shock to me when this came out labeled as a ‘discovery’,” he explains. “I watched the video and they don’t appear to be interested in the forensic side of this, which is honestly where the research lies.”

Part of it seems to be a failure of researchers across different disciplines to plug into each others’ work. As Levinson put it, “They basically built a bridge without turning to the civil engineers — I’m not the only one familiar with this stuff”.

However, it’s not just bad communication among researchers to blame. He adds that the press missed the story first time around, and now seems more focussed on the horror of data storage than the reality (there, for example, is no evidence that the data is sent back to Apple at the moment).

“I do blame the press somewhat for sensationalizing them without recourse,” he says. “I emailed 20 of the top media outlets who covered this, linking them to my side — none of them replied, except a famous blogger who cursed me.”

Sometimes this is the case with research, and just because it’s not new to you, doesn’t mean it’s not news. Sometimes the people credited with breakthroughs are the ones who have been able to communicate their ideas to the right people. And clearly Allan and Warden’s presentation is having a lot of impact, not least because they have released the tools to make the data obvious to users.

The truth is, there may be more important things to consider than the issue of who discovered what. Levinson’s revelations are more important than that, because he explains that the location data is already being put to use. In his blog post he says (my emphasis):

This hidden file is nether new nor secret. It’s just moved. Location services have been available to the Apple device for some time. Understand what this file is — log generated by the various radios and sensors located within the device. This file is utilized by several operations on the device that actually is what makes this device pretty “smart”.

Through my work with various law enforcement agencies, we’ve used h-cells.plist on devices older than iOS 4 to harvest geolocational evidence from iOS devices.

That’s very interesting. It’s not that the location data was only already known about in some circles, but it’s actively being used by law enforcement agencies as part of their investigations. Levinson declined to divulge the names of those agencies, but told me that he had worked with “multiple state and federal agencies both in the U.S. and internationally”.

So when Allan and Warden say “Don’t panic… there’s no immediate harm that would seem to come from the availability of this data,” you have to ask whether that’s the case. There are no court orders needed to track your location history via an iPhone, since the devices are relatively open. All the investigator needs is the device itself.

    1. We know it’s a convenience for the companies involved but ultimately why is it there and how much of a time period is necessary? Are we absolutely sure there is not some Homeland Security law/requirement for this backdoor look into our lives? Did anybody read those security bills completely?

      Share
      1. Good point. I did speak to Levinson about that. He thought perhaps they had been trying to be future proof.

        Share
    2. Shouldn’t we be more worried that it’s stored local to the device in an unencrypted format, than that we’ve agreed to share the data in the first place?

      Share
      1. What is there to worry about.

        If you have done no wrong. Why the need to sweat.

        But if you did like cheating on the little lady.

        And it can be used to prove your innocence too like being not at the location someone said your were.

        Share
  1. Law enforcement in the US can get all of your location data directly for the carriers without a warrant anyways. People should be up in arms about that! Carriers even charges a fee for law enforcement access to their portals!

    Share
  2. he needs to get over his bitterness of not being credited & just be happy that the information is out there for the greater good of society.

    reminds me of people who donate too charity & then run around telling everybody about it.

    Share
  3. A full demo of the consolidated.db is here:

    Truth And Lies Behind The Iphone Consolidate.Db Discovery

    http://www.securitytube.net/video/1774

    Share
  4. Disclosure: Pete and I both write for ReadWriteWeb.

    I can tell you at least part of why the press and blogosphere never picked up on the story before Pete and Alasdair presented on it. Because they presented on it at Where 2.0, and Levinson presented on it at Hawaii International Conference for System Sciences and the Paraben Forensics Innovation Conference in Salt Lake City, UT. Not Back Hat, not Defcon, not RSA. Not any of the places tech journalists would normally look for a juicy security story, or a story of any kind.

    Reading Levinson’s post, he also seems not to think it’s a big deal – which could also help explain why it didn’t spread around. Pete and Alasdair clearly knew that they had something people would be interested in and set about to let people know. It’s not clear that Levinson realized how big a deal this was before the press picked up on it during Where 2.0. Did he send out press releases before the Where 2.0 story broke? Did he send e-mails to security mailing lists?

    The lessons I can glean from this:

    1) The tech press should pay more attention to forensic research – you never know what sort of scoops you can find there.

    2) Forensic research institutions could use better PR and outreach. My understanding, which could be wrong, is that they’re mostly interested in communicating with each other and with law enforcement – not with the public or, in this case, iOS developers.

    3) Developers should also pay more attention to forensic research. I’m not sure how many iOS developers would think to pick-up something like “iOS Forensics.”

    I’m not sure how fair it is to expect Pete and Alasdair to be familiar with Levinson’s work. Security researchers discover issues independently all the time, and there’s only so much research someone can do before it’s time to make a disclosure. Furthermore, neither of them is a security researcher per se.

    For journalists and researchers doing research after the fact, it would have become quite difficult to find Levinson’s work after the fact as a Google search for consolidated.db mostly turns up results pointing to Pete and Alasdair’s work. That said, the number 2 result on Google is to a forensic forum thread about the subject dated January 2011, so that could have tipped off a few enterprising journalists to the fact that this was known in forensic circles months ago.

    But is the real story who knew about it, or is it the matter at hand?

    Anyway, kudos, Bobbie for finding the buried lead in Levinson’s post – that police have already been using consolidated.db to bust people.

    Share
    1. Definitely. This is a perennial problem between specialists -(who see the extraordinary as very ordinary) and generalists (who see the ordinary as extraordinary). But I tend to think that it tells us more about the attention spans and intentions of the nearly-infinite media than the singular-but-uncommunicative researcher. Telling your story well is a job increasingly handed off from time-poor journalists and onto information-rich sources. Both fail to see the implications of important developments outside their immediate purview, with varying results.

      Share
  5. What is great and good for society if somebady can spy you all the time ??? I dont know mby if you love to live in matrix or what ?!?!

    Share
    1. Well at least it is unencrypted which means to can look at the data with the proper tool. It it was encrypted it would just be another hidden file on your phone that you have no access to.

      Share
  6. We did link to other prior art from the FAQ at launch – http://petewarden.github.com/iPhoneTracker/#8 – but we obviously missed Alex’s piece. We’ll be doing a followup post as soon as we have a chance, and we’ll make sure to link to his work too.

    Share
    1. Thanks Pete, There’s a lot be said about how different people working on similar ideas communicate (or not) with each other.

      Share
  7. The idea that this is a discovery is an outright lie or the researchers are so bad at their jobs they didn’t do a basic google search. Do a search on google for: :daterange:2455063-2455663 consolidated.db ios|iphone|ipad” and you will quickly find there is nothing new about consolidated.db.

    Share
  8. Here’s some stories of how Police are using this information.
    http://www.thenewspaper.com/news/34/3458.asp

    Surprised this isn’t more mainstream press coverage.

    A US Department of Justice test of the CelleBrite UFED used by Michigan police found the device could grab all of the photos and video off of an iPhone within one-and-a-half minutes. The device works with 3000 different phone models and can even defeat password protections.

    “Complete extraction of existing, hidden, and deleted phone data, including call history, text messages, contacts, images, and geotags,” a CelleBrite brochure explains regarding the device’s capabilities. “The Physical Analyzer allows visualization of both existing and deleted locations on Google Earth. In addition, location information from GPS devices and image geotags can be mapped on Google Maps.”

    Share
  9. As of iOS 4, Apple is free to do anything they want with your location data: http://www.identityblog.com/?p=1136. In all this media blitz, I haven’t seen Kim Cameron or Apple’s iOS EULA language referenced. Once you install iOS 4, Apple can do anything it wants with your location history.

    Share
  10. If that is true about the ios4 then why would any of us really use that evil device? Just doesn’t make sense … is sexiness and ease of use come before our privacy? I wonder how different it is with Android though.
    I am always disappointed of the community. If only we could see for once a real community outcry that would punish these providers. Then again if the EULA is true – the users are silly regardless.

    Share
  11. I think with check-in services and GPS-enabled devices our security went out the window a long time ago. Apple is the “who” bringing this subject to rise to the top of news, but truth be told, we’ve all been walking around with GPS-enabled devices attached to our hips (and many of us like the local services) so this was just a matter of time.

    Share
  12. Dan Danknick Friday, April 22, 2011

    If Alex Levinson is such a security wizard, why didn’t his “Hey everyone! Your iPhone creates a temporal list of your movements whether you want it to or not!” message to GIGAOM receive the same incredulous response when he sent it last year?

    Oh that’s right, he didn’t really – but chose to collude with various agencies to subvert privacy and make himself some money. Now that other researchers are pointing out this lucrative secret, he’s claiming intellectual infringement. Hear that sound of the world’s smallest violin…?

    Tell you what, Alex: I’ll give you that you’re the Big Cheese of iPhone security you even the stacks and give us “mundane” Americans a fighting chance against the Cellebrite wielding crowd. Otherwise, just go away – you’re part of the bigger privacy problem.

    Share
  13. What a collection of petty wusses.

    If you hand over your iOS device then you might be compromised. You rant on like someone is peering up your skirt – which isn’t possible without possession of the device.

    And the next time you wander into an unknown corner of your urbane kingdom and wonder where to find proper tea and cakes – please, please, don’t count on that happening if you’ve disabled that portion of your phone that could be of assistance.

    Cripes.

    Share
  14. @jzdziarski LOL. Anyways, this wouldn’t be anything new for the FBI http://t.co/SKEg0Lz0 and more recently http://t.co/l5Lecbrf

    Share

Comments have been disabled for this post