A pair of researchers have found that Apple iPhones and iPads track users' locations and store the data in an unencrypted file on the devices and on owners' computers.
The data, which appears to have been collected starting with iOS 4, which Apple released last summer, is in a SQLite file on iPhones and iPads with 3G capability, said Pete Warden, the founder of Data Science Toolkit and a former Apple employee, and Alasdair Allan, a senior research fellow at the University of Exeter.
The same file, named "consolidated.db," is also stored in the iOS backups made by iTunes on the Mac or Windows PC used to synchronize the iPhone or iPad.
Stored in the file in clear text are locations' longitude and latitude, a timestamp and other information, including Wi-Fi networks in range of the device.
About 100 data points per day are logged to the file, said Warden and Allan in a video posted on the O'Reilly Radar blog.
"There can be tens of thousands of data points in this file," said the pair in the blog post.
The data may be hard to extract remotely from an iPhone or iPad, but not impossible, said Charlie Miller, a noted Mac and iPhone vulnerability researcher, and a four-time winner at the Pwn2Own hacking contest.
"The file is in the root's directory, so apps, including Safari, won't have access," said Miller. "That's still bad, though."
To view the location file on an iPhone remotely, an attacker would have to exploit a pair of vulnerabilities, one to hack Safari -- likely by duping the user into visiting a malicious site -- then another to gain access to the root directory, Miller said. That's possible, but unlikely for most criminals.
Instead, he said the biggest threat was if a person lost his or her iPhone, or it was seized by authorities. "If you lose it, or it's taken when you're crossing a border, say, then the data is accessible," said Miller.
Allan echoed Miller in the video. "If you lose your phone, then all your movements for the last year are on that phone, and can be taken off," said Allan.
Graham Cluley, a senior security senior technology consultant with U.K.-based security company Sophos, pointed out that the backup file on a PC or Mac also poses a risk. "If you're not around, someone else can access the information on your home or work computer," said Cluley.
Nina Simosko, CEO of NTT Innovation Institute Inc., On The Driving Force Behind Technology Innovation
Learn about NTT i³'s unique approach to technology innovation and their latest projects.
Financial firms can stay relevant by focusing on digitization, security and data quality
How can financial institutions be faster, smarter and more responsive? Find out how they can avoid the risk of becoming irrelevant with insights into digitization strategies, beefing up on data security and ensuring data quality.
VMware Virtual SAN risk avoidance and Availability
Veeam Backup & Replication provides full support for VMware vSAN, enabling faster backups through smart logic that reduces network traffic and enables backup and restore for the storage policy associated with the VM.
Transforming Data protection with Integrations for Microsoft Azure and Microsoft Office 365
Veeam for the Microsoft Cloud provides a consolidated solution for virtual, physical and cloud-based workloads with integrations for Microsoft Azure and Office 365.
Veeam Availability Platform Designs for Ransomware Resiliency Series
The threat of ransomware is real and should be top of mind for CIOs as well as technology administrators of all types. In this brief, Veeam® will share some key tips to add ransomware resiliency to provide the best levels of Availability for critical applications and data.