GPS Loophole Could Allow Mass Smartphone Hacking
At last month’s Black Hat security conference in Las Vegas, University of Luxembourg researcher Ralf-Philipp Weimann demonstrated a security weakness related to GPS that could potentially be used by hackers to hijack most modern smartphones. The loophole specifically affects phones that use assisted GPS (A-GPS).
Many modern smartphones now come with a GPS receiver to allow navigation features and other location-based services. GPS receivers can consume a large amount of battery power if used constantly, however, so many phones employ a system known as assisted GPS to provide an approximate location.
A-GPS uses data transmitted from cell phone towers to triangulate a phone’s position, and while it is not quite as accurate as true GPS, it can provide better battery performance when the two are used in conjunction. It is also much quicker at determining a location than GPS, which can take anywhere up to 12 minutes to calculate coordinates.
The security flaw highlighted by Weimann relates specifically to the use of A-GPS in phones. When a phone sends A-GPS data to cell phone masts to calculate its location, it does so over an insecure connection that could easily be intercepted by hackers.
A hacker could switch the A-GPS data being sent from a phone network with its own data, allowing the hacker to determine the location of the phone. The phone could be configured to send this data every time that it requests A-GPS support, so the attacker would no longer need to be in range of the compromised phone to obtain location data.
Weimann stated, “If you just turn it on once and connect to that one network, you can be tracked any time you try to do a GPS lock. This is rather nasty.”
The vulnerability was demonstrated by Weimann on a number of Android phones. While the security hole could potentially result in some rather insidious data theft, Weimann also stated that the problem was pretty easy to solve, but that many manufacturers simply hadn’t bothered to implement the technology to prevent such attacks.
Along with the theft of location data, the security flaw could allow for some more serious crimes involving these phones. The A-GPS system is processed on the phone’s main processor rather than the GPS chip, and messages sent by the hacker on the compromised connection could cause system crashes that would allow the hacker to gain remote access to the device.
While it is not thought that anyone has actually exploited this loophole so far, it does raise serious concerns over the security of modern smartphones. Malware is a relatively minor problem on smartphones compared to desktop computers, as it is much more difficult to get the malware onto devices. The loophole identified by Weimann, and similar potential loopholes, could make smartphones a much more enticing target for professional malware developers in future. Now that this A-GPS loophole has been identified, it will most likely be patched on future devices and in software updates, but for the time being many smartphones remain vulnerable.
Simon writes for Best Mobile Contracts, a UK mobile phone comparison website.
Geo-APIs Increasingly Evolving; Here are some new cool ones
As of today, there are about 6890 APIs documented in Programmableweb.com’s API Directory. More than 1000 of them have been added within the shortest space of time ever. What does this indicate? For me, it shows that the emergence and utilization of APIs are swiftly increasing.
As lots of APIs emerge on an almost daily basis, Geo-APIs are not left out. Here are some of the newest cool ones in the directory, courtesy of Directions Magazine.
Open Weather Map API: Open Weather Map provides interactive maps of current and historic weather conditions. The Open Weather Map API allows users to retrieve the current weather at a city or weather station, the historical measurements for a weather station, or a list of cities and/or weather stations in a given rectangle (limited by geographic coordinates). The API uses RESTful calls issued in JSON format.
Resighting API: Resighting is an application for geo-tagging and saving favorite places. Resighting allows users to also see other Resighting places nearby and create collections of favorite places.
The Resighting API allows developers to access and integrate the functionality of Resighting with other applications and to create new applications. Some example API methods include listing places, listing sightings, resizing photos, and managing account information.
RestFul Web Services GeoIP API: An Internet Protocol (IP) address is the numerical label assigned to devices using the Internet Protocol for communication. It serves two principal functions: identification of host or network interfaces and addressing of interface locations. The RestFul Web Services GeoIP API provides location details for a given IP address. This service can be accessed using SOAP or REST calls in XML format. Calls in both formats are directed toward WSDL
RestFul Web Services Postal Code API: The RestFul Web Services Postal Code API allows users to retrieve details for a given postal code. This service works with postal codes from a number of countries, including Australia, France, Germany, India, Ireland, Japan, New Zealand, Norway, Pakistan, South Africa, Switzerland, and the United Kingdom. This service can be accessed using REST or SOAP calls in XML format. Calls in either protocol are directed toward WSDL endpoints.
RestFul Web Services USA Zip Code API: The RestFul Web Services USA Zip Code Service API provides details regarding the location of a given zip code in the United States by using either SOAP or REST calls. Both types of calls are aimed at WSDL endpoints.
RestFul Web Services Weather Forecast API: The RestFul Web Services Weather Forecast API provides the weather forecast for a given location, specified by name. This service can be accessed using either REST or SOAP calls in XML format. Both types of calls are aimed at WSDL
MyGasFeed API: The service provides frequently updated reports of automotive fuel prices (gasoline in three grades and diesel) for specified locations or regions. It also provides locations of gas stations near a specified location along with background information about the stations, if desired. Applications can also update the service’s pricing data for a particular station. Location information supports mapping protocols.
API methods support requesting fuel price information for a specified location or area. Methods also support retrieving a list of stations and details about an individual station. The API also supports updating the service’s information with new pricing for an existing station or addition of a new station to the database.
Source: Directions Magazine