SANS ISC: iPhone GPS Data Storage - Internet Security | DShield SANS ISC InfoSec Forums


iPhone GPS Data Storage

We received a number of comments regarding the release of the iPhone tracker [1], a tool which plots geo location data stored in iOS backups. All iOS devices (iPhone as well as iPad) will accumulate location information over time, and store it as part of backup files. The iPhone tracker will read this file and plot the information.

However, this information is not sent to any remote sites (at least not that this is known so far). Mobile operators may of course keep their own geo location data. As a simple countermeasure, it is recommended to encrypt backups using a strong password.

And of course yet more interesting data for mobile forensics.

[1] http://petewarden.github.com/iPhoneTracker

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Johannes

3627 Posts
ISC Handler
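
Added example (not part of the original diary and not SANS ISC code): one way to audit a workstation for iTunes backups that are not encrypted, which is the countermeasure the diary recommends. It reads the `IsEncrypted` flag from each backup's `Manifest.plist`; the backup root paths are assumed stock locations, and the sample backups are constructed for the demonstration.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumed stock iTunes backup locations (macOS, Windows); adjust for your hosts.
DEFAULT_ROOTS = [
    Path.home() / "Library/Application Support/MobileSync/Backup",
    Path.home() / "AppData/Roaming/Apple Computer/MobileSync/Backup",
]

def backup_status(backup_dir):
    """Classify one backup directory by the IsEncrypted flag in Manifest.plist."""
    try:
        with (Path(backup_dir) / "Manifest.plist").open("rb") as fh:
            manifest = plistlib.load(fh)
    except (OSError, ExpatError, plistlib.InvalidFileException):
        return "unreadable"  # missing or corrupt manifest: needs manual review
    if not isinstance(manifest, dict) or "IsEncrypted" not in manifest:
        return "unknown"
    return "encrypted" if manifest["IsEncrypted"] is True else "unencrypted"

def audit_backups(root):
    """Map each backup directory name under root to its status."""
    root = Path(root)
    if not root.is_dir():
        return {}
    return {d.name: backup_status(d) for d in sorted(root.iterdir()) if d.is_dir()}

def make_sample_root(root):
    """Constructed sample data: three fake backups, not real device backups."""
    samples = {"aaaa": {"IsEncrypted": True}, "bbbb": {"IsEncrypted": False}}
    for name, manifest in samples.items():
        (Path(root) / name).mkdir()
        with (Path(root) / name / "Manifest.plist").open("wb") as fh:
            plistlib.dump(manifest, fh)
    (Path(root) / "cccc").mkdir()
    (Path(root) / "cccc" / "Manifest.plist").write_bytes(b"not a plist")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # demo on constructed data
        make_sample_root(tmp)
        for name, status in audit_backups(tmp).items():
            print(f"sample/{name}: {status}")
    for root in DEFAULT_ROOTS:  # then the real locations, if present
        for name, status in audit_backups(root).items():
            print(f"{root / name}: {status}")
```

Anything reported as other than `encrypted` is a backup from which the location database could be read directly off the computer.
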
Note that while encrypting backups prevents the data from being harvested from your computer, it doesn't prevent someone from harvesting the data from your phone. You should make sure to enable a passcode to protect your phone, or someone with physical access to it for a few minutes can download the information off of it.

Jailbroken phones with SSH access and a default password may also disclose this data to attackers.

There are a wide variety of ways that this data could be unknowingly disclosed to third parties. Apple should issue a patch to remove the "feature" ASAP in order to prevent unauthorized disclosure.
Anonymous
Going through the data from my iPhone, there are large gaps that correspond to the location services being turned off, as I usually have. I think that they only log the data when location services are off.
Anonymous
Oops, I meant on.
Anonymous
1) Jailbreak
2) install OpenSSH
3) login over wifi as root + alpine
4) run 'passwd root' to change root password.
5) rm /private/var/root/Library/Caches/locationd/consolidated.db
6) ln -s /dev/null /private/var/root/Library/Caches/locationd/consolidated.db
7) reboot
8) Remove old iTunes iPhone backup files.
9) Sync/backup with iTunes.
10) Get yourself a drink.

Alternatively, scp a new db over the top of the old one, and when you reboot, you'll have forensic evidence that it wasn't your iPhone at the bank robbery :-)
DomMcIntyreDeVitto

41 Posts
A September 2010 forensics whitepaper documented the existence of this data - iPhone 3GS Forensics: Logical analysis using Apple iTunes Backup Utility. Mona Bader, Ibrahim Baggili, http://www.ssddfj.org/papers/SSDDFJ_V4_1_Bader_Bagilli.pdf
DomMcIntyreDeVitto
2 Posts
Alex Levinson has some additional background...this is not a new discovery.
https://alexlevinson.wordpress.com/2011/04/21/3-major-issues-with-the-latest-iphone-tracking-discovery/
DomMcIntyreDeVitto
6 Posts
