http://news.cnet.com/8301-31921_3-20056344-281.html

April 21, 2011

How police have obtained iPhone, iPad tracking logs

by Declan McCullagh

Law enforcement agencies have known since at least last year that an iPhone or iPad surreptitiously records its owner's approximate location, and have used that geolocation data to aid criminal investigations.

Apple has never publicized the undocumented feature buried deep within the software that operates iPhones and iPads, which became the topic of criticism this week after a researcher at a conference in Santa Clara, Calif., described in detail how it works. Apple had acknowledged to Congress last year only that "cell tower and Wi-Fi access point information" is "intermittently" collected and "transmitted to Apple" every 12 hours.

At least some phones running Google's Android OS also store location information, Swedish programmer Magnus Eriksson told CNET today. And research by another security analyst suggests that "virtually all Android devices" send some of those coordinates back to Google.

Among computer forensics specialists, those location logs--which record nearby cell tower coordinates and time stamps and cannot easily be disabled by someone who wants to use location services--are not merely an open secret. They've become a valuable sales pitch when targeting customers in police, military, and intelligence agencies.

The U.K.-based company Forensic Telecommunications Services advertises its iXAM product as able to "extract GPS location fixes" from an iPhone 3GS including "latitude, longitude, altitude and time." Its literature boasts: "These are confirmed fixes--they prove that the device was definitely in that location at that time." Another mobile forensics company, Cellebrite, brags that its products can pluck out geographical locations derived from both "Wi-Fi and cell tower" signals, and a third lists Android devices as able to yield "historical location data" too.

Alex Levinson is the technical lead for a competing company called Katana Forensics, which sells Lantern 2 software that extracts location information from iOS devices.

"The information on the phone is useful in a forensics context," Levinson told CNET today. Customers for Lantern 2, he said, include "small-town local police all the way up to state and federal police, different agencies in the government that have forensics units."

Research by security analyst Samy Kamkar, a onetime hacker with a colorful past, indicates an HTC Android phone determined its location every few seconds and transmitted the data to Google at least a few times an hour, according to a report in The Wall Street Journal. It said that the Android phone also transmitted the name, location and signal strength of nearby Wi-Fi networks, as well as a unique identifier for the phone.

Apple did not respond to a request for comment. Google could not immediately be reached for comment.

Apple's iOS operating system does not appear to make geolocation logs readily available to applications, but storing records of an owner's physical meanderings raises novel security and privacy concerns. Not only is the log stored on the device itself (a lock code can easily be bypassed by forensics software), but it's typically backed up on the computer to which it's synchronized.

One concern is the circumstances under which law enforcement can gain access to location histories. Courts have been split on whether warrants are required to peruse files on gadgets after an arrest, with police typically arguing that the Fourth Amendment's prohibition on unusual searches doesn't apply. (The Justice Department under the Obama administration, in a series of prosecutions including one in Nebraska involving a crack cocaine dealer, has taken the same position.)

In addition, the U.S. Department of Homeland Security has publicly asserted the right to copy all data from anyone's electronic devices at the border--even if there's no suspicion of or evidence for illegal activity. The U.S. Ninth Circuit Court of Appeals has blessed the practice.

All of this has led to a spike in law enforcement interest in the topic. Micro Systemation, a Swedish firm that announced last year the U.S. government had placed the largest order in the company's history, offers a course on how to extract "GPS information" from the "Apple iPhone, iPod Touch and iPad devices." A now-deleted description of the course, retrieved from Google's cache [1], says students will "learn how to acquire data and retrieve GPS location" from iOS devices. O'Reilly Media, too, offers a two-day workshop on iPhone forensics for the princely sum of $3,500. (Police get a discount.)

Micro Systemation said in a post on its Web site that this week's news "will come as a surprise to most iPhone users, as their devices do not give any visual indication that such data is being recorded." But, the company said with some apparent glee, they're "no surprise to the developers here at MSAB who have been recovering this data... for some considerable time."

The U.S. Department of Justice has funded tests of which "mobile device acquisition tools" are most effective in forcibly extracting information from iPhones. Test results (PDF) for the iXAM software say it was able to "acquire SIM memory and review reported location related data." Another evaluation of a competing product called Mobilyze 1.1 (PDF) said "if the cellular forensic tool supports acquisition of GPS data, then the tool shall present the user with the longitude and latitude coordinates for all GPS-related data in a useable format," although neither report appears to have tested that feature. The U.S. Embassy in Bogota, Colombia, even pays for training for local counter-narcotics agents to learn about iPhone and BlackBerry forensics.

A book titled iOS Forensic Analysis ($59.99 list) published by Apress in December 2010 elaborates on how the information is stored. Here's an excerpt:

Cell tower data also has geospatial data. This data covers all cell towers that the iDevice comes into contact with. This list can be very extensive and can assist in investigations of placing a phone in a general area from a cell tower on a given date and time. These data points have changed file types over time...This property list appears to give not only the latitude and longitude from where the cell phone was in relation to the cell tower but also the compass heading from it. The compass heading is very important so you can get an azimuth from the cell tower to the iPhone. All these values--latitude, longitude, and azimuth--combined can give an approximate location of the iPhone. A date and time value is also given in the property list...This, on top of other artifacts on the device, adds up to giving you a complete picture of the travels of the iDevice and could place the phone in a general area in reference to a crime.

Rep. Ed Markey, the Massachusetts Democrat, today wrote a letter (PDF) to Apple CEO Steve Jobs posing a series of questions, including whether the company collects this information from iPhone users and whether the logs can be turned off. Markey also suggested the practice could violate federal privacy law, 47 USC 222, although the language only applies to "telecommunications carriers" and not handset makers. (See related article about Markey pressing wireless carriers for tracking details earlier this month.) [2]

It's still not entirely clear when Apple added this extensive location logging to the iOS operating system, except that it did exist in an even less visible location before iOS 4.

An August 2008 analysis of the files suggested that the "cache.plist" file only included the most recent location. That's also what iPhone hacker-turned-author Jonathan Zdziarski wrote in his September 2008 book on iPhone forensics, saying it "contains the last coordinates fixed on by the GPS."

Levinson of Katana Forensics, who previously published information about the location logs, says the alterations in the database between iOS 3 and iOS 4 strongly suggest that Apple is intentionally storing the data.

"I don't buy the argument that Apple dropped the ball on the data being there, that the programmer forgot" to delete old locations, he says.

1. http://webcache.googleusercontent.com/search?q=cache:HrVH-iiR7f8J:www.msab.com/training/courselist/details/courseid/136/page.php

iPhone Forensics Course


In this advanced course, students will be taught how to get the most out of the MSAB Forensic Pack using both XRY Logical and XRY Physical analysis for iPhone Forensics; in order to extract the maximum information from these types of devices. They will also learn how to acquire data and retrieve GPS location of actions made by the device owner.

After completing the course, students are certified to a level of competence to use XRY Complete and confidently explain the information they are producing from the system.

Prerequisites: At least 6 months experience of examining mobile phones. Prior experience with XRY Logical would be beneficial but not essential.

Prices for iPhone Forensic Course: SEK 10 000 / $ 1 290 / [...]

iPhone course summary:
[...]

2. http://news.cnet.com/8301-31921_3-20049882-281.html

April 1, 2011

Congressmen push for location tracking disclosure

by Declan McCullagh

Two congressmen are trying to pry information out of wireless carriers about how closely they track their customers' whereabouts.

Letters sent to AT&T, Sprint, Verizon, and T-Mobile this week ask what personally identifiable information is stored, how long it is kept, and for what other purposes it's used.

Reps. Ed Markey (D-Mass.) and Joe Barton (R-Texas) asked for responses no later than April 19. Their request came after Germany's Zeit Online published data showing that a cellular provider kept track of tens of thousands of locations that one person visited over six months.

Their letters could prove more important than they might seem: this type of data collection is prized by police, but details about each company's procedures are hard to locate, and in many cases impossible.

If the responses from the companies are illuminating, they could influence the forthcoming debate in the U.S. Congress about whether to require police to obtain search warrants before tracking someone's location.

Sen. Ron Wyden (D-Ore.) is drafting legislation requiring judicial approval and a showing of probable cause to learn the locations of cell phones and, via GPS tracking, cars. (See CNET's Q&A with Wyden and article about his draft bill.)

Even though police are tapping into the locations of mobile phones thousands of times a year, the legal ground rules remain hazy, and courts have been divided on the constitutionality and legality of the controversial practice. In September, the first federal appeals court to rule on the legality indicated that no search warrant was needed, but sent the case back to a district judge for further proceedings.

Because the two-way radios in mobile phones are constantly in contact with cellular towers, service providers know--and can provide to police if required--at least the rough location of each device that connects to their mobile wireless network. If the phone is talking to multiple towers, triangulation yields a rough location fix. And, of course, the location of GPS-enabled phones can be determined with near-pinpoint accuracy.

CNET was the first to disclose the existence of police asking for warrantless tracking of cell phones in a 2005 news article. [http://news.cnet.com/Police-blotter-Cell-phone-tracking-rejected/2100-1030_3-5846037.html]

The Obama Justice Department has argued that warrantless tracking is permitted because Americans enjoy no "reasonable expectation of privacy" in their--or at least their cell phones'--whereabouts. Justice Department lawyers have argued in court documents that "a customer's Fourth Amendment rights are not violated when the phone company reveals to the government its own records" that show where a mobile device placed and received calls.