What would you buy for $1,000? The new iPhone? A 60-inch LED TV? 3 years’ worth of subscriptions to Netflix, Amazon Video, and Hulu? Or access to someone’s whereabouts as they move from their home to office and other places?
A surprisingly modest budget of $1,000 is all it takes to exploit the online advertising network to track an individual's location and learn what kind of apps they are using, according to research at the University of Washington.
Are you kidding me? How can someone do that?
The creep would first need to obtain their target's mobile advertising ID (MAID), which plays a role similar to cookies on a website and helps marketers dish out targeted ads to a user. Obtaining this MAID is not too hard a task, the researchers explain. Anyone within Wi-Fi range of the target while they are on an unsecured network, or anyone with access to the Wi-Fi router the target uses – even temporarily – can quickly sniff out the MAID. In fact, if the target has clicked on any of the attacker's ads in the past, extracting the MAID becomes a cakewalk.
After that, it is just a matter of purchasing ads targeted to specific apps and locations – easily achievable on a budget of $1,000. These ads are served only when a user opens a particular app at a particular location. Within a mere 10 minutes of the target's arrival at a location, the attacker would learn about it through the ad network – and this without the target ever clicking on or engaging with the ad in any manner.
The map above shows the morning commute of a research subject. The red dots represent the places where the researchers were able to track that person's movement. These include the target's home, a coffee shop, a bus stop and the workplace. A targeted ad would be served only if the individual stayed in one location for about four minutes, hence the absence of red dots along the bus route and the walking path.
Anybody from a burglar or stalker to a disgruntled spouse or an ideological vigilante could exploit this highly targeted spy network to extract private information about other people. Serving ads targeted to specific apps would also let malicious actors learn sensitive information about their targets, such as sexual orientation or religious beliefs. For example, an anti-gay group could location-target gay bars and serve ads in apps like Grindr to expose the gay population in that area, or paparazzi could send ads targeted at pregnancy trackers to the home locations of celebrities.
“To be very honest, I was shocked at how effective this was,” Tadayoshi Kohno, co-author of the study, told UW News. “We did this research to better understand the privacy risks with online advertising. There’s a fundamental tension that as advertisers become more capable of targeting and tracking people to deliver better ads, there’s also the opportunity for adversaries to begin exploiting that additional precision. It is important to understand both the benefits and risks with technologies.”
Now, it may seem that never using any apps or visiting any websites with ads is the only solution, but the researchers urge ad networks to be more proactive in taking action that would mitigate such attacks. For example, Facebook and Google – with their large user bases – enforce a minimum on how few users an ad may target (20 and 1,000, respectively), so a campaign cannot single out one person. But given the problem of market incentives at other ad networks, legal regulation may prove more effective. Until that happens, we urge you to reset your device identifiers, such as cookies and the MAID, on a regular basis.
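The minimum-audience rule mentioned above is the one mitigation an ad network can apply on its own side. The following is an added example, not code from the article or from the University of Washington study, that models such a check: a campaign's targeting is a filter on app and coarse location cell, the network counts how many distinct users the filter matches, and it rejects any campaign whose audience falls below the threshold. The user profiles, app names, grid cells and the threshold values are constructed sample data for illustration.

```python
"""
Added example (not from the original article or the UW study): a minimal
model of a minimum-audience threshold enforced by an ad network before a
campaign is accepted. A campaign whose app + location filter matches fewer
distinct users than the threshold is rejected, so a narrow filter cannot be
used to single out one individual. All data below is constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class UserProfile:
    maid: str                 # mobile advertising ID (constructed value)
    apps: FrozenSet[str]      # apps the user has opened
    cells: FrozenSet[str]     # coarse location grid cells the user was seen in


@dataclass(frozen=True)
class Targeting:
    apps: FrozenSet[str] = frozenset()    # empty set means "any app"
    cells: FrozenSet[str] = frozenset()   # empty set means "any location"


def matches(user: UserProfile, targeting: Targeting) -> bool:
    """True if the user falls inside the campaign's app/location filter."""
    app_ok = not targeting.apps or bool(user.apps & targeting.apps)
    cell_ok = not targeting.cells or bool(user.cells & targeting.cells)
    return app_ok and cell_ok


def audience_size(users: List[UserProfile], targeting: Targeting) -> int:
    """Number of distinct users (by MAID) the filter would reach."""
    return len({u.maid for u in users if matches(u, targeting)})


def review_campaign(users: List[UserProfile], targeting: Targeting,
                    min_audience: int) -> Tuple[str, int]:
    """Accept the campaign only if it reaches at least min_audience users.

    Returns ("accepted", n) or ("rejected", n), where n is the audience size.
    """
    n = audience_size(users, targeting)
    return ("accepted" if n >= min_audience else "rejected", n)


# Constructed sample population: 25 users who share a news app and a
# neighbourhood, plus one user whose app + location combination is unique.
SAMPLE_USERS: List[UserProfile] = [
    UserProfile(f"maid-{i:03d}", frozenset({"news", "weather"}),
                frozenset({"cell-A1", "cell-A2"}))
    for i in range(25)
] + [
    UserProfile("maid-900", frozenset({"news", "fitness"}),
                frozenset({"cell-B9"})),
]

# Threshold modelled on the smaller of the two figures quoted above (20).
MIN_AUDIENCE = 20

if __name__ == "__main__":
    broad = Targeting(frozenset({"news"}), frozenset({"cell-A1"}))
    narrow = Targeting(frozenset({"fitness"}), frozenset({"cell-B9"}))
    print("broad campaign: ", review_campaign(SAMPLE_USERS, broad, MIN_AUDIENCE))
    print("narrow campaign:", review_campaign(SAMPLE_USERS, narrow, MIN_AUDIENCE))
    # Without a threshold the one-person filter would be accepted, which is
    # exactly the condition the attack described in the article relies on.
    print("narrow, no threshold:", review_campaign(SAMPLE_USERS, narrow, 1))
```

The count is taken over distinct MAIDs rather than ad impressions, since counting impressions would let a single active user push a one-person campaign over the threshold. The check is only as good as the network's willingness to apply it to every targeting dimension at once (app, location cell and any other attribute), which is why the article notes that regulation may be needed where market incentives do not favour such limits.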