Hidden file reveals each iPad, iPhone owner's whereabouts


Researchers have uncovered a hidden file that reveals the whereabouts of the owners of Apple iPhones, iPad 3Gs, and mobile devices that run iOS 4 or later.

Alasdair Allan and Pete Warden said the unencrypted file (“consolidated.db”) secretly records where the owner had been, on what date and at what time.

“What makes this issue worse is that the file is unencrypted and unprotected, and it’s on any machine you’ve synched with your iOS device. It can also be easily accessed on the device itself if it falls into the wrong hands. Anybody with access to this file knows where you’ve been over the last year, since iOS 4 was released,” they said in a blog post on O’Reilly.com.

Online magazine WIRED expressed alarm over “[t]his iPhone and iPad privacy leak …, considering that Apple has sold over 100 million iPhones and 15 million iPads.”

Apple’s iOS devices can sync to a Mac or Windows computer running Apple’s iTunes software. Version 4 of iOS was released in late 2010.

Allan and Warden have also authored an open source application that allows a reader to find and read data stored in the hidden file.

In an FAQ explaining their application, they disclosed Warden had worked for Apple for five years and left three years ago “on good terms,” but has had no contact with anything iPhone-related.

“By passively logging your location without your permission, Apple have (sic) made it possible for anyone from a jealous spouse to a private investigator to get a detailed picture of your movements,” they said.

Fundamental problem

“The more fundamental problem is that Apple are collecting this information at all. Cell-phone providers collect similar data almost inevitably as part of their operations, but it’s kept behind their firewall. It normally requires a court order to gain access to it, whereas this is available to anyone who can get their hands on your phone or computer,” they added.
In their article, Allan and Warden said devices running iOS 4 have been storing a long list of locations and time stamps, which they said is “clearly intentional.”

They said it is possible the geographical data was acquired when the device registers with the nearest available cell tower. Also, they said the database is being restored across backups, and even device migrations.

“The presence of this data on your iPhone, your iPad, and your backups has security and privacy implications. We’ve contacted Apple’s Product Security team, but we haven’t heard back,” they said.

In their article, Allan and Warden said the “consolidated.db” file contains latitude-longitude coordinates along with timestamps which, although they “aren’t always exact, ... are pretty detailed.”

“Our best guess is that the location is determined by cell-tower triangulation, and the timing of the recording is erratic, with a widely varying frequency of updates that may be triggered by traveling between cells or activity on the phone itself,” they said.

No immediate harm

But they said there does not appear to be immediate harm coming from the availability of this data, or evidence such data is leaving the device.

“But why this data is stored and how Apple intends to use it — or not — are important questions that need to be explored,” they said.

An article by Gregg Keizer on Computerworld quoted Mac/iPhone vulnerability researcher Charlie Miller as saying the data may be hard to extract remotely but not impossible.

He said an attacker may have to exploit vulnerabilities to hack the Safari browser – likely by tricking the user into visiting a malicious site – then exploit another vulnerability to gain access to the root directory.

“The file is in the root’s directory, so apps, including Safari, won’t have access ... That’s still bad, though,” Miller said.

But he said the biggest threat was if a person lost his or her iPhone, or it was seized by authorities.
“If you lose it, or it’s taken when you’re crossing a border, say, then the data is accessible,” said Miller.

Worse, Graham Cluley – a senior technology consultant at UK-based security company Sophos – said it is possible to access the backup file on a PC or Mac.

“If you’re not around, someone else can access the information on your home or work computer,” said Cluley.

– MRT/VS, GMA News