Personal tracking devices heading towards a precise, dangerous new era

For some people, the rise of Bluetooth and ultra-broadband (UWB) tracking devices and accessories is likely not only welcome but necessary. It’s easy for a phone to be lost or stolen, not to mention keys or wireless earbuds that literally pop out. Gear swaps are also becoming prohibitive – high-end earbuds can exceed $ 250, and the Galaxy Z Fold 3 costs as much as a gaming PC. If you have a tendency to misplace things, tracking technology can save you thousands of dollars.

However, in the rush to adopt it, it is important to be aware of the serious privacy issues. It is known that governments often use every available tool to track down suspects, whether or not those targets are legitimate. Check out the NSA metadata collection uncovered by Edward Snowden or the Pegasus spyware used by countries like Saudi Arabia and the United Arab Emirates. Stingray cell tower simulators are used by many government agencies, including US law enforcement agencies.

The private sector is also hardly immune from such worries. We already share a wealth of location data with app-based companies like Google and Facebook. There are companies that specialize in improving, analyzing, and / or reselling this data, such as Foursquare, and some of them are not too picky about their customers or methodologies. Some people will completely ignore the law.

Broadly speaking, device tracking risks fall into two categories: stalking and general surveillance.

stalking

Stalking is perhaps the biggest and most obvious threat. A tile-like bluetooth tracker that slips into a person’s pocket, vehicle, or clothing can potentially be used to follow someone anywhere, especially now that the only major size limitation is batteries. The range of Bluetooth is (realistically) limited to a few hundred meters – but companies like Tile and Apple have gotten around this by using networks that anonymously “echo” the location of trackers when customers pass by. For example, if you hid a Tile in an e-bike before it was stolen, its location should be updated when another Tile app user is nearby.

The stalking threat is not hypothetical. In 2018, for example, a woman from Houston told the story ABC 13 that she discovered a tile in the console of her car that her ex had used to follow her to homes, restaurants, and places out of town. The ex was charged with a wrongdoing in this case, but it’s not difficult to imagine an alternate scenario in which the woman was assaulted or killed.

Aside from criminal activity, there is room for parents and partners to get involved in controlling the behavior. A violent husband could use trackers to follow his spouse to a shelter or to the police. An overprotective mother might prevent her child from going anywhere other than home or school.

Apple credits Apple for making anti-stalking an integral part of AirTags – iPhones automatically notify their owners when they are followed by an unpaired AirTag. and after eight to 24 hours the day begins to beep. However, this still doesn’t apply to Android phones, and even if such support is put online, Android users will need to download an app to keep themselves safe. That hardly helps unsuspecting victims, because currently the waiting time until an AirTag with suspected “person tracking” beeps from non-iPhone users is three days.

Related: Apple AirTag review

Samsung’s SmartTags follow a similar model, but require users to manually search for stalkers. Fortunately, people also need the right Samsung app on their phones to transfer location data, so SmartTags are not easy to arm. However, Tile doesn’t offer any such anti-stalking features at all.

As tracking technology advances and networks grow, the tug-of-war between stalkers and tech companies will inevitably escalate, with the former exploiting whatever loopholes they can find. Unfortunately, they don’t have to personally install a bluetooth tracker to hunt someone down – hacking into mobile platforms is another option that brings us to the topic of general surveillance.

monitoring

Hacking can actually be more effective than planting a tracker, as people can take their phones anywhere and attackers can get a lot more than just location information – provided they overcome the hurdles of encryption and detection. The combination of this with the most modern location devices expands the monitoring possibilities.

The problem here isn’t so much the hardware as the apps that people use to track them. Tools like Google Find My Device and Apple Find My are built into their respective platforms, and if infiltrated they can potentially associate any connected device with a person. These require at least breaking into heavily protected accounts. So as long as a person has a strong password and two-factor authentication (2FA), the threat is low.

Loose security practices have always been an issue, however, and things get sticky with third-party apps. Most companies don’t have the same security resources as giants like Apple and Google, which means their servers and accounts don’t always have as much security in place. Brands like Tile are generally trustworthy, but even they aren’t using 2FA at the time of writing.

The more objects a person tracks via first- or third-party apps, the more comprehensive the monitoring can theoretically become. Let’s say you have a tracker on your backpack or laptop. With your phone and tracker going to a certain location every morning, it’s easy to guess that the starting point is your home and the destination is an office or work place. Placing another tracker on a TV remote will instantly confirm your home location, and if you monitor headphones or a personal electric vehicle, hackers can pick some of your favorite places like parks or the gym.

Things are even more complicated in 2021 as UWB-equipped trackers like the AirTag and SmartTag Plus are rampant, not to mention larger products with built-in UWB. While a phone may need to be within 9 meters of a tracked object to switch from Bluetooth to UWB, the latter can keep the location down to just a few inches. By hacking into a phone surrounded by UWB objects, an attacker can find out where devices are kept in a building or even where a particular person is sitting and sleeping. In the wrong hands, this data could be used to plan break-ins or even murders.

See also: Everything you need to know about UWB wireless technology

Fortunately, there are several limiting factors starting with the online security layers. UWB tracking for consumers is also relatively new, and only devices with the right radios can relay this data, like the S21 Plus or the iPhone 12. In other words, a destination requires a state-of-the-art UWB ecosystem to generate accurate information , and must then fall victim to device or server hacks. When UWB becomes ubiquitous, the ecosystem barrier will fall away, hopefully without creating new vulnerabilities.

Difficult times could be ahead. Ransomware attacks are on the rise, since NPR Notes, and it’s entirely possible that tracking apps will become a lucrative destination. Meeting them could exploit users’ most confidential information while threatening the companies that rely most on reputations for security. Stalkers may become more tech-savvy and take full advantage of Bluetooth / UWB tracking devices and technologies. If everything from shoes to cars has built-in tracking 20 years from now, you may no longer be able to tell when someone is following you.

Even if criminal attacks are kept to a minimum, the problem of government intrusion still exists, especially in authoritarian countries like China. Chinese law requires that local user data remain on local servers. This is not a bad idea in principle, but under an authoritarian regime this means that if the police or secret services want access to a person’s location data, they can get it without much pushback. More trackers result in more data points for monitoring and disagreement suppression.

Both China and Russia regularly launch cyber espionage against the US, Canada and Europe. There is an obvious incentive for them to collect as much location data as possible on targets – imagine knowing the daily habits of a politician or general, or just a person with classified data access. This type of espionage could also be used to assess vulnerabilities for future hacks and to flag devices that spies are not necessarily aware of.

With all that said, worst-case scenarios rarely come true, and both public and private organizations are finally stepping up their cybersecurity efforts, albeit mainly to avoid paying millions in ransom demands. We only need this to apply to Bluetooth and UWB tracking as well as to banks and hospitals.

Continue reading: How to manage your location data

There are things that app, device, and accessory manufacturers can do. First, anti-stalking measures such as those for AirTags and SmartTags must be widespread and enabled by default. 2FA should probably be an option for all tracking apps on the Play Store or App Store, and mandatory for people using first-party Android and iOS tracking.

If you have any concerns, there are personal steps you can take that go beyond 2FA and don’t turn off location data entirely. For example, you can manage the location sharing app by app or device by device and regularly clean up the location history if this is allowed. Virtual private networks (VPNs) can help mask IPs and add additional network security.

It’s also good to be diversified in social spaces. By keeping a close eye on who is around you and where your belongings are, you can reduce the risk of threats like mugging and pickpocketing, not just stalking. Finally, be careful when using Bluetooth / UWB trackers – while the idea of ​​never losing anything is nice, ask yourself how often do you actually lose a particular item and if you have so much more tracking in your life require.