Thursday, September 5, 2013

How Big a Risk are Geotagged Photos?

A friend showed me a video from a Missouri news station (from a newscast almost 3 years ago, mind you). In the video, the reporters discuss a "new threat" with "new technology."  While the video engages in the usual FUD (fear, uncertainty, and doubt) to oversell the risk, there is a nugget of truth that bears repeating.

Smartphones, tablets, and many standalone digital cameras have a GPS built-in, and can "geo-tag" photos with the location at which they were taken. This can make it easy to group photos by location (as in, group all my photos from the Grand Canyon, or from Disney World, or from Jamaica ... assuming I had vacationed at any of these places). But it makes it equally easy for someone else to do the same.

In the news story, the reporters used photos posted by a selected family, and by examining the GPS tagging data in the photos were able to identify with great accuracy the layout of the family’s home (Where did the children sleep? Where is the living room? Where is the dining room?), the park they liked to play at, the school their children attended, and more. Granted much of this is not too difficult to determine, but it’s a little unnerving to see total strangers mapping out a family’s daily routine.

There have been some well-publicized examples of actual harm that originated with location gleaned from photographs.  Last year, geo-tagged photos of an Army flightline in Iraq led to 4 Apache helicopters being attacked and destroyed. A couple of years ago, a security researcher was hiding out after some threats accidentally revealed his location when he posted photos of himself. More benignly, in a hacker contest I participated in earlier this year, one of my competitors used geo-tagged Twitter posts to locate contest objectives.

I did some research to see how great a risk this poses, and what I found was quite a different story from the one presented by this news article.

First, a little background education. The JPEG, or JPG, image format is a widely used way of storing images. All modern browsers, and most if not all modern digital cameras, can use this format for handling photographs. Newer versions of the format standard support something known as the “Exchangable image fileformat,” or Exif. Exif specifies a standard way for non-visual information to be stored in an image file. Some of this data is directly related to the image itself – file size and type, image dimensions, information about how the colors in the image are encoded. Other data may include the device that created the image (i.e. camera model), camera settings (aperture, exposure time, focal length), information about ambient lighting and the flash used, and more to our point, GPS coordinates and timestamp.

All this information can be viewed with readily-available Exif data viewers. For the sake of example, I took an image of a Styrofoam cup and used the web site exifdata.com to inspect its Exif tags. This is what I found:

System
File Name                 IMG_20130904_133459_626.jpg
File Size                 1206 kB
File Modify Date          2013:09:04 14:36:56-04:00
File Permissions          rw-r--r--

File
File Type                 JPEG
MIME Type                 image/jpeg
Exif Byte Order           Big-endian (Motorola, MM)
Image Width               1836
Image Height              3264
Encoding Process          Baseline DCT, Huffman coding
Bits Per Sample           8
Color Components          3
Y Cb Cr Sub Sampling      YCbCr4:2:0 (2 2)

IFD0
Make                      Motorola
Model                     DROID RAZR HD
Orientation               Horizontal (normal)
X Resolution              72
Y Resolution              72
Resolution Unit           inches
Modify Date               2013:09:04 13:34:58
Y Cb Cr Positioning       Centered

Exif IFD
Exposure Time             1/24
F Number                  2.4
Exif Version              0220
Date Time Original        2013:09:04 13:34:58
Create Date               2013:09:04 13:34:58
Components Configuration  Y, Cb, Cr, -
Shutter Speed Value       1
Aperture Value            2.4
Brightness Value          undef
Max Aperture Value        2.4
Metering Mode             Average
Light Source              Cool White Fluorescent
Flash                     Auto, Did not fire
Focal Length              4.4 mm
Flashpix Version          0100
Color Space               sRGB
Exif Image Width          1836
Exif Image Height         3264
Scene Type                Directly photographed
Custom Rendered           Normal
Exposure Mode             Auto
White Balance             Auto
Digital Zoom Ratio        1.51
Scene Capture Type        Standard
Contrast                  Normal
Saturation                Normal
Sharpness                 Soft

Interop IFD
Interop Index             R98 - DCF basic file (sRGB)
Interop Version           0100
GPS
GPS Version ID            2.2.0.0
GPS Latitude Ref          North
GPS Latitude              30.xxxxxx degrees
GPS Longitude Ref         West
GPS Longitude             97.xxxxxx degrees
GPS Altitude Ref          Above Sea Level
GPS Altitude              0 m
GPS Time Stamp            18:34:43
GPS Map Datum             WGS-84
GPS Processing Method     ASCII
GPS Date Stamp            2013:09:04

The actual GPS latitude and longitude tags were detailed enough to pinpoint my work desk in my home office, and in fact the web site displayed a Google Maps map with a marker at my home. Eerie.

But, a picture on my camera is one thing. What happens if I share that picture?

To find out, I uploaded this picture to four common social media platforms: Facebook, Instagram, Twitter, and Pinterest. As it turns out, each of these platforms modifies the image file to both fit its own size preferences, and to remove the vast majority of Exif data. In each case, the GPS data was stripped out. The lesson? While modern cameras and smartphones may geotag photos with location information, the most common photo-sharing platforms wipe that data out, so the photos as shared reveal no GPS information.

Risk averted? Well, somewhat. Keep in mind that the image itself may include recognizable features (street signs, school signs, business signs, address labels, familiar landmarks, etc.). Images shared via text/SMS, or obtained directly from a phone or camera, may have this geotagging data embedded in them. 

Bottom line: The age-old advice of not posting online anything that you wouldn’t want the whole world to see still holds true. Turning off geotagging on your camera when you don't specifically want to use it is wise. But news articles about “new threats” brought about by “new technology” are more hype than substance.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.