Adversarial hackers could pounce on exposed location data from mobile and Internet-facing devices to attack federal government systems, the National Security Agency (NSA) warned in a new advisory.
The NSA guidance is intended for National Security Strategy (NSS)/Department of Defense (DoD) personnel with network access to sensitive government systems. But information in the alert could also be useful to a wider audience, the NSA said.
Exposed geolocation data, including the number of users in a location, user and supply movements, daily routines of users and organizations and other information, can be easily exploited by cyber attackers. While interventions can reduce the impact of an infiltration, no mitigation can eliminate such risks, the NSA said in the memo.
It’s ISPs that can unwittingly serve as a conduit for bad actors, the NSA said. “Mobile devices inherently trust cellular networks and providers, and the cellular provider receives real-time location information for a mobile device every time it connects to the network. This means a provider can track users across a wide area. If an adversary can influence or control the provider in some way, this location data may be compromised,” the security agency said.
Any device, mobile or not, that sends and receives wireless signals--such as fitness trackers, smart watches, smart medical devices, Internet of Things (IoT) devices, and built-in vehicle communications--carries location, security and privacy risks, the NSA’s alert said. In particular, IoT-related connected devices, which have little if any security baked in and are expected to number about 42 billion things by 2025 and generate nearly 80 zettabytes of data, present significant risk to users.
“These security and privacy issues could result in these devices collecting and exposing sensitive location information about all devices that have come into range of the IoT devices,” the memo said. “Geolocation information contained in data automatically synced to cloud accounts could also present a risk of location data exposure if the accounts or the servers where the accounts are located are compromised.”
Mobile apps that ask for a user’s location when it is not needed for the app to function are also a potential attack surface for hackers, the memo said. “Users with location concerns should be extremely careful about sharing information on social media. If errors occur in the privacy settings on social media sites, information may be exposed to a wider audience than intended.”
The NSA listed the following 10 mitigations to limit exposure:
- Disable location services settings on the device.
- Disable Bluetooth and turn off WiFi if these capabilities are not needed.
- Use Airplane Mode when the device is not in use.
- Set privacy settings to ensure apps are not using or sharing location data.
- Avoid using apps related to location.
- Disable advertising permissions to the greatest extent possible.
- Turn off settings that allow a lost, stolen, or misplaced device to be tracked.
- Set browser privacy/permission location settings to not allow location data usage.
- Use an anonymizing Virtual Private Network to help obscure location.
- Minimize the amount of data with location information that is stored in the cloud.
“While it may not always be possible to completely prevent the exposure of location information, it is possible—through careful configuration and use—to reduce the amount of location data shared. Awareness of the ways in which such information is available is the first step,” the NSA said.