NSA warns that mobile device location services constantly compromise snoops and soldiers

It might be best not to ask how the NSA knows this and why it advises most mitigations don’t help


The United States National Security Agency has issued new advice on securing mobile devices that says location services create a security risk for staff who work in defence or national security.

The new guide [PDF], titled “Limiting Location Data Exposure”, notes that smartphones, tablets and fitness trackers “store and share device geolocation data by design.”

“Location data can be extremely valuable and must be protected,” the document adds. “It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations.”

Which is not good at all for spies and defence force personnel.

The guide also suggests that it is impossible to stop mobile devices recording and revealing location data, partly because network operators can’t help but collect such data in their normal course of business.

The document also warns: “Location data from a mobile device can be obtained even without provider cooperation. These devices transmit identifying information when connecting to cellular networks. Commercially available rogue base stations allow anyone in the local area to inexpensively and easily obtain real-time location data and track targets.”

While acknowledging that most devices offer settings to reduce location-tracking, the guide says “Mitigations reduce, but do not eliminate, location tracking risks in mobile devices. Most users rely on features disabled by such mitigations, making such safeguards impractical.”

The guide nonetheless suggests many mitigations, including turning off radios when not in use, using a VPN, and disabling features like “Find my Phone”.

Users are also told to “Disable advertising permissions to the greatest extent possible” by limiting ad tracking and resetting the advertising ID for the device at least weekly.

“While it may not always be possible to completely prevent the exposure of location information, it is possible—through careful configuration and use—to reduce the amount of location data shared,” the document concludes. “Awareness of the ways in which such information is available is the first step.”

Clearly the NSA has given some thought to how the information is available. It may therefore be best not to ask how it knows its advice is sound. ®


Biting the hand that feeds IT © 1998–2020