How Cheap Mobile Ads Tell Hackers Your Location
Geolocated mobile ads can be used as inexpensive spy tools to track and locate individuals or groups of people, a security researcher said at the DerbyCon security conference in Louisville, Kentucky, earlier this month.
"We've built an open ecosystem of bidding on ad placements based on geolocation and other sensitive information — and this can be used for surveillance," said Mark Milhouse, a software developer at a Chicago-based education startup.
Work done by other researchers in 2017 used mobile ads to tell when a specific individual was in a specific location, Milhouse said. But that method cost about $1,000 per target: too expensive for most criminals. Milhouse said he had developed a cheaper method using existing mobile-ad networks and the geolocation tools found in most smartphones.
"My research took about $100 total," Milhouse said. "You could probably do one person for $5."
How to avoid location ad-tracking
As a smartphone user, you can lessen the chances of mobile-ad location tracking by turning off location services on your phone when you're not using them.
But that wouldn't stop an ad from using data collected from a previous period when location services happened to be activated, Milhouse said. That earlier data would still be useful if it indicated your daily routine.
"It might be stale information," Milhouse said, "but if that stale data includes your house, then that might still be valuable."
You can also periodically reset the ad IDs that Apple and Google assign to your device, Milhouse said. (Those IDs are meant to disguise your actual identity from advertisers, but clearly, they don't do a great job.) The Google ad ID works only on Google Play Store apps; sideloaded apps play by different rules. You can also use ad- or script-blockers for mobile browsers, but not for stand-alone apps.
The real solution to this problem, Milhouse said, would be to acknowledge that self-regulation by the advertising industry has failed to protect user privacy. He said that government legislation and regulation might be needed to limit the collection and use of smartphone-location data.
How to track someone on a tight budget
Several elements must be combined to effectively track individuals or groups of people through mobile ads, Milhouse said.
First, as an attacker, you should know one or more of the usual locations the target frequents, such as a workplace. You can geotarget ads to those locations, specifying that the mobile-ad placements you buy from ad networks should appear only on phones that are at specific locations at specific times.
"If you're a savvy criminal, you could target ads to the local FBI headquarters," Milhouse said, and then use that data to "trigger an alarm when one of those IDs shows up outside your house."
Next, you'd design ads — and put a tracking pixel in each ad. The tracking pixel receives information from each device on which the ad is displayed: the device's make and model, the mobile carrier, the apps installed on the device, the app in which the ad is displayed, the device's battery status, and, most significantly, the device's location and its Apple or Google ad ID. None of this would require the phone user to actually click on the ad.
Then it would be time to buy ad placements for your ads, targeted to specific locations and times. Milhouse used cheap Russian ad networks, but even those companies rejected his first ad submissions as too suspicious. He had to create "believable" and "boring" ads, as well as a website to which the ads would take any user who clicked on them.
Save the Pizza
Milhouse's ad campaign was called "Save the Pizza," and it took you to a single-page website with a countdown clock and a meaningless slogan. His ads were displayed on nearly 100,000 phones, even though Milhouse had spent only $40. Not every phone gave Milhouse useful location data, but he got enough to work with.
"I have run these [ads] at some [hacker] conferences," Milhouse told the DerbyCon audience, "so if any of them look familiar to you, that would explain it."
Milhouse used the collected data to "fingerprint" individual phones and create profiles that were as unique and detailed as possible.
Once you'd done so, you could try to find specific individuals and match ad IDs to them. You could list all known habitual locations for a specific person, Milhouse said — school, home, work, church — and then buy ad placements targeting those locations.
"Everybody that matched all of these different locations would be a suspect," Milhouse said, and you could narrow down the list as you gathered more data. "Eventually, you have one person, and that device ID you can use to follow that person as long as that device stays with them."
Chicago landmarks tour
Milhouse hasn't tested his method en masse, but a 2013 MIT study, with which Milhouse was not involved, got 95 percent accuracy in matching device profiles to specific individuals just by matching four different geolocation data points collected hourly from cell towers. Milhouse's method gathers far more data.
It's not a entirely perfect system. Milhouse found that he and a co-worker shared a single device "fingerprint" because they worked in the same location and had iPhones that were exactly the same model and configuration.
Geolocated-ad tracking is more accurate with Android phones than with iPhones, Milhouse said, both because there's greater variation of make and model, and because Android apps simply allow more data to be collected than iOS apps do.
Milhouse used an Android phone to track a fictional version of himself, and he showed slides in which his ads tracked him through Chicago.
His "home" was designated as the home-team dugout at Wrigley Field, and his "workplace" was the Chicago Merchandise Mart building. The tracking ads showed that he spent a lot of time in both places, and that he'd also gone to the Ohio Street Beach and to the Lincoln Park Zoo.
To solve the privacy nightmare that geolocated ads create, new rules will have to be imposed on ad networks and app developers, Milhouse said. He suggested that iOS and Android could require separate permissions for location-targeted ads, and that users be given the ability to reject them.
"This is a real problem that affects every member of the digital society," Milhouse said, "and it's not going to get better."