In the era of smartphones, location-aware advertising is nothing new. We’re used to seeing ads based on where we are, and in plenty of cases it makes them more interesting and relevant. At least when it’s used non-maliciously, that is.
But what if these ads were used to track your location – instead of trying to sell you something? What if someone were to get wind of your daily routine and, God forbid, break into your home when they know you’re away?
Sadly, it appears that’s very much possible. It doesn’t even take much money. A paper by the trio of researchers Paul Vines, Franziska Roesner, and Tadayoshi Kohno from the Paul G. Allen School of Computer Science & Engineering at the University of Washington has proven exactly that.
The researchers found that about $1000 is enough for an attacker to purchase enough targeted advertising to reliably determine someone’s whereabouts and the apps they use. The information about the apps can be used to deduce one’s interests, religious affiliation, or even political opinions. This kind of attack has been dubbed as ‘ADINT attack’.
As long as the person remained in the same location for four minutes, an ad related to it would be served. They didn’t have to click on an ad; the impression itself was recorded. The researchers could pinpoint the location of the person within an 8-metre radius.
The representation of a target’s morning commute. Red dots show the points where the person was tracked. © University of Washington.
The number of ad companies offering these ‘hyperlocal’ ads means that this attack will be even easier to pull off in the future. Plenty already offer ad targeting with a granularity of 1 metre. Facebook and Google are more conservative, with a 1-mile radius location targeting.
This is made possible with the use of so-called ‘Advertising IDs’ that are anonymised strings used to identify a device without sharing the owner’s personal information.
$1000 is an investment with a potential huge return if it is used for criminal or surveillance purposes.
Researchers say there is a way to defend against the practice. You should disable or reset your advertising IDs often, and whenever possible, disable the location services on your phone.
They also gave advice to ad companies. They should come up with algorithms that will reject suspiciously specific and narrowly-targeted ads.
We can only hope advertisers will stop this practice in its tracks. They better do, otherwise this is yet another argument for the ad-blocking camp.
