Published: 17.04.08
WiFi location spoofing

Positioning systems used by iPhone and iPod breached

The System Security Group, led by Professor Srdjan Capkun, at ETH Zurich's Department of Computer Science (D-INFK) has demonstrated that positions displayed on any device using a new self-localization system can be falsified, and so are unsuitable for security or safety-critical applications. But the group also proposes mechanisms that could potentially address the problem. Professor Capkun discussed his research findings with ETH Life.

Renata Cosby
System Security Group members: Professor Srdjan Capkun, Nils Ole Tippenhauer, Christina Pöpper, Kasper Rasmussen.

What was the purpose of your research?

This has been our long-term project on secure localization and localization privacy, funded in part by the Swiss National Science Foundation. Our research had already yielded a number of results in this domain. So when Skyhook announced in January that Apple would be using Skyhook’s WiFi Positioning System (WPS), we jumped at the chance to test it.

What were your research results?

The results clearly show that the Skyhook self-localization system can be easily spoofed. If you have a location displayed on your iPod or iPhone or any device using Skyhook’s WPS system or one similar to it, you simply cannot trust the information. You cannot be sure if the information itself is correct, or if someone is manipulating your location.

What does this mean for iPhone and iPod users?

If you are in Zurich, or anywhere else, and know that your device is displaying incorrect information, you can ignore it and just not use this service. But if you build an application on top of this, for example if you want to use a banking application and need to verify your position, if your application automatically integrates this location information, then obviously this can have unfortunate consequences. It depends on the application that is put on top of the positioning system. Simply put, you cannot use WPS-obtained location because you cannot trust the result displayed by the application, even if you trust the device and the application. You just do not know if the information being provided is correct.

What are the implications for telephone companies or emergency aid operators?

It is a case of not being able to use the information from the Skyhook system and similar WiFi self-location systems as evidence or proof of location because the information can be easily modified. Operators in Switzerland, for example, who want to show that their users are in fact in the country? This is not possible. Another example is mobile phone users outside New York who want access to services only available in New York. Our research shows that users can be in Zurich, or anywhere, and still access the New York-based services. We could not only modify the information, but we could do so on devices which were not even ours. It was possible to manipulate the device-computed location such that anyone on the Bahnhofstrasse in Zurich would see their location as being in Manhattan. We were able to completely falsify the actual physical location.

How would you like to see your research results used?

We want to see them used as a warning. If companies or individuals are using this service, particularly for any security or safety-related applications, we want to say “Be careful, until this application is first made more secure”. We want these WiFi self-location systems to be able to offer some sort of security guarantee because right now they do not offer much. Once these guarantees are in place, then users and companies can start to build on these services.

What are your fears for the misuse of present self-localization systems?

There are several scenarios. Emergency calls, for example. People making such a call are often unable to accurately give their position, and this can delay efforts to find and help them. In the US, regulations mandate that emergency calls will soon need to be localized to within ten to 100 meters accuracy. So, if someone makes an emergency call for help, theoretically no one needs to ask where that person is because the person’s location has been accurately determined. But our research shows that this is not the case. Unless the person can tell the operator where he/she is, then unfortunately emergency calls are useless because the information can be so easily falsified by, for example, an individual who may have caused the emergency in the first place. Our research also showed that it is just as easy to perform a ‘Denial of Service (DoS)’ attack and effectively disable the WPS localization service at a given location; this can even be done easily within a wide area. Devices therefore would not be able to identify their locations even if they were programmed to automatically record them. And another example: if someone wanted to track the movements of valuables through a city, we could easily falsify the location of the device that is being tracked. If the item was in Zurich, as an example, we could overtake it and be holding it in our office. But the owner’s tracking system would still show the valuables moving in and around the city.

How can your results benefit industry?

Our attack results are really negative-positive (laugh). Negative because they show that industry cannot use applications in their present form for security and safety-critical applications. But in the end, our results are very positive because they call for more research in this area and show the need to be careful when using these technologies, particularly for security and safety-critical applications. It is a similar scenario as with GPS systems. Here too location systems cannot be fully trusted because they can be spoofed as well. What we showed was that the WPS system does not offer any better security guarantees than GPS does. People simply need to be aware of this.
