iPhone GPS Data Storage

Published: 2011-04-20. Last Updated: 2011-04-20 18:31:53 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

We received a number of comments regarding the release of the iPhone tracker [1], a tool that plots geolocation data stored in iOS backups. All iOS devices (iPhone as well as iPad) accumulate location information over time and store it as part of their backup files. The iPhone tracker reads this file and plots the information.

However, this information is not sent to any remote sites (at least as far as is known so far). Mobile operators may of course keep their own geolocation data. As a simple countermeasure, it is recommended to encrypt backups using a strong password.

And of course, this is yet more interesting data for mobile forensics.
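
One way to check the backup-encryption countermeasure recommended above, as an added example that is not part of the original diary: the script reads each backup folder's `Manifest.plist` and reports whether its `IsEncrypted` flag is set. The `Manifest.plist` and `Info.plist` key names come from the iTunes backup format rather than from this page (an assumption here), and the folder and device names in the demo are constructed.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError


def _load_plist(path):
    """Return the plist at `path` as a dict, or None if missing or unparsable."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)  # handles both XML and binary plists
    except (OSError, ValueError, ExpatError):
        return None
    return data if isinstance(data, dict) else None


def audit_backups(root):
    """Return (backup_id, device_name, status) for every backup folder in `root`.

    Assumption: `root` is the iTunes MobileSync/Backup folder, one sub-folder
    per backup. status is "encrypted", "UNENCRYPTED" or "unreadable".
    """
    results = []
    for backup in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        manifest = _load_plist(backup / "Manifest.plist")
        info = _load_plist(backup / "Info.plist") or {}
        if manifest is None:
            status = "unreadable"      # treat as unknown, not as safe
        elif manifest.get("IsEncrypted") is True:
            status = "encrypted"
        else:
            status = "UNENCRYPTED"     # location data readable from disk
        results.append((backup.name, info.get("Device Name", "unknown"), status))
    return results


def build_sample(root):
    """Create three constructed backup folders under `root` for the demo."""
    for ident, encrypted in (("aaaa-constructed", True), ("bbbb-constructed", False)):
        folder = Path(root) / ident
        folder.mkdir()
        with open(folder / "Manifest.plist", "wb") as fh:
            plistlib.dump({"IsEncrypted": encrypted}, fh, fmt=plistlib.FMT_BINARY)
        with open(folder / "Info.plist", "wb") as fh:
            plistlib.dump({"Device Name": "Test iPhone " + ident[:4]}, fh)
    broken = Path(root) / "cccc-constructed"
    broken.mkdir()
    (broken / "Manifest.plist").write_bytes(b"truncated")  # corrupt manifest


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for row in audit_backups(tmp):
            print("%-18s %-18s %s" % row)
```
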

[1] http://petewarden.github.com/iPhoneTracker

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: gps iphone

Comments

Note that while encrypting backups prevents the data from being harvested from your computer, it doesn't prevent someone from harvesting the data from your phone. You should make sure to enable a passcode to protect your phone, or someone with physical access to it for a few minutes can download the information off of it.

Jailbroken phones with SSH access and a default password may also disclose this data to attackers.

There are a wide variety of ways that this data could be unknowingly disclosed to third parties. Apple should issue a patch to remove the "feature" ASAP in order to prevent unauthorized disclosure.

Going through the data from my iPhone, there are large gaps that correspond to the location services being turned off, as I usually have. I think that they only log the data when location services are off.

Oops, I meant on.

1) Jailbreak
2) Install OpenSSH
3) Log in over Wi-Fi as root + alpine
4) Run 'passwd root' to change root password.
5) rm /private/var/root/Library/Caches/locationd/consolidated.db
6) ln -s /dev/null /private/var/root/Library/Caches/locationd/consolidated.db
7) reboot
8) Remove old iTunes iPhone backup files.
9) Sync/backup with iTunes.
10) Get yourself a drink.

Alternatively, scp a new db over the top of the old one, and when you reboot, you'll have forensic evidence that it wasn't your iPhone at the bank robbery :-)

A September 2010 forensics whitepaper documented the existence of this data - iPhone 3GS Forensics: Logical analysis using Apple iTunes Backup Utility. Mona Bader, Ibrahim Baggili, http://www.ssddfj.org/papers/SSDDFJ_V4_1_Bader_Bagilli.pdf

Alex Levinson has some additional background...this is not a new discovery.
https://alexlevinson.wordpress.com/2011/04/21/3-major-issues-with-the-latest-iphone-tracking-discovery/
