Apple got into some hot water earlier this year when it was revealed that the iPhone was storing a treasure trove of location data in an insecure file, but is Microsoft doing the same thing?
A report from Stanford University security researcher Elie Bursztein claims that Wi-Fi data stored by Windows can be used to see where a particular laptop has been. Microsoft said it discards on-the-go data and only focuses on devices with fixed locations.
Bursztein, however, expressed concern about how easy it was to access the Microsoft data. His research started last year using similar data from Google. He wrote a module for OWADE, a forensic tool he developed with his colleagues, and used the Google geo-location API to locate routers by their MAC addresses. After a June CNET article revealed how easy it was to track this data (and, potentially, your phone’s location), Google changed its policies and Bursztein was out of luck.
"Ever since, Google returns a location only if you supply two MAC addresses that are fairly close together. This smart defense completely thwarted my module and I was back to square one," he wrote in a Friday blog post.
As a result, he turned his focus to Microsoft since Internet Explorer also supports the W3C geo-location API and uses the Live Location API under the hood.
In a statement, Reid Kuhn, partner group program manager for the Windows Phone Engineering Team, acknowledged that Microsoft collects publicly broadcast cell tower IDs and MAC addresses of Wi-Fi access points in order to provide location-based services. This data is gathered by Street View-esque cars and from user devices, like laptops and cell phones, he said.
"If a user chooses to use their smartphone or mobile device as a Wi-Fi access point, their MAC address may also be included as a part of our service. However, since mobile devices typically move from one place to another they are not helpful in providing location," Kuhn said. "Once we determine that a device is not in a fixed location we remove it from our list of active MAC addresses."
Microsoft did not address whether it plans to update its policies. Bursztein will present his findings at the upcoming BlackHat security conference.
Apple, meanwhile, said its location data snafu was caused by a "bug," which was fixed by a recent release of iOS. Specifically, the update reduced the size of the cache, stopped backing up the cache to iTunes, and deleted the cache entirely when location services is turned off.
-pcmag