Do Your Cell Phone Pictures Reveal Your Identity to Hackers?

Why you should know what EXIF data is, and how it might reveal a lot more info about you than you think.

I was thinking the other day as I was walking through [major big box electronics store] about how amazingly far cell phones have come since the first one I used (a Motorola StarTAC).  Not even 10 years ago, phones were monochromatic, unwieldy bricks that cost a bundle to own and operate. 

Now of course, smartphones are ubiquitous, and they've actually done a great job of replacing the functions of a vast number of gadgets - for instance, GPS navigation systems, as just about every smartphone has a GPS module in it. Remember that big, clunky digital camera you used to have to take with you everywhere?  Now most phones are capable of taking pictures with at least 4x the resolution of the first camera I ever bought (at 2 megapixels).


"Okay Mike, nice story, but....."

Alright, keep your pants on!  So what do GPS and digital cameras have to do with each other?  The answer:  EXIF data.  EXchangeable Image File Format data has been a huge deal for photographers and GIS (Geographic Information System -- i.e., Google Maps) users and developers.

EXIF data stores information about the pictures you take and saves it - it's metadata, so it's embedded in the file.  Some information it can* store:

  • Exact date and time the picture was taken (down to the second!)
  • Camera model that took the picture
  • Serial number of the camera
  • ISO speed
  • Aperture info

and, most importantly

  • Location details about where the picture was taken

(* I say "can" because not ALL cameras/phones will store this data for you, but most will)

How does it do this?  Well, consider that a lot of people keep their phone's GPS on all the time - by default, many (not all) programs turn location services on.  Ever used a little site called "Facebook"?  If your GPS is on and your camera is set to use location - then your GPS info is being stamped into your EXIF data.


Still skeptical?

What?  You don't think this is a real thing, huh?  That's cute.  Indulge me for a moment...

A great resource for EXIF data is a site called Jeffrey's EXIF viewer.  You can upload a picture (or grab one from the web if you know the URL) and view the EXIF data in painstaking detail.  I posted some examples - check out the pictures I posted (in the order they appear in the gallery):

  1. This is a picture I took of Assembly Square one evening recently.  I did not have GPS turned on (I usually do not -- not only for security but it's a huge battery drain).  Notice though that you can tell the "camera model" (which is just my Android phone).
  2. This is another example of basic EXIF data from a picture I took just now - notice, still no location info - I had GPS off.
  3. I turned the GPS on - then took this picture of my gorgeous Rickenbacker bass.  When I looked at the EXIF data, I could see that a GPS section showed up -- with my EXACT location.  Whoa.
  4. I uploaded that same picture to Jeffrey's EXIF viewer and saw that the photo did indeed have my exact coordinates.
  5. So now you might say “Wow, I’ll plug those coordinates into Google Maps and find where this Mike G. character lives!”  Well don’t worry, the EXIF viewer page did that for you already. 
  6. And here’s another example of the Extended EXIF data that the EXIF viewer page gives you.

Holy crap.  That's scary.

Yes.  Very much so… remember my article on Social Engineering?  This plays a big part in how an attacker can use information that you think is innocuous to his/her advantage.  That said - you can take solace in a few things:

  1. This is completely under your control.  You must choose whether or not to turn your location on.  I always keep mine off, but it’s completely up to you.
  2. Most sites (Facebook included) strip out the really juicy EXIF data.
  3. Check out the 3rd picture in the series I posted – Windows provides you a handy link where you can scrub the personal information off of the photo before you ship it off to wherever it may go next.
  4. To be extra safe, you can scrub EXIF data by using a program for Windows, aptly named JPEG Scrubber.
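
To check a photo yourself before sharing it, the Python below (an added example, not code from the original post or from any of the tools named above) reads the EXIF block of a JPEG, reports the camera model and whether a GPS section is present, and returns a copy with the EXIF segment cut out. The function names and the sample bytes are made up for illustration; the sample is a header-only skeleton with no real coordinates in it.

```python
import struct

GPS_IFD_TAG, MODEL_TAG = 0x8825, 0x0110  # IFD0 tags: GPS sub-directory pointer, camera model

def exif_segments(jpeg):
    """Yield (start, end) of each APP1 segment whose payload begins with 'Exif\\0\\0'."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            yield pos, end
        pos = end  # stops at 0xDA (start of scan), where the image data begins

def exif_summary(jpeg):
    """Return {'model', 'has_gps'} read from IFD0, or None when there is no EXIF."""
    for start, end in exif_segments(jpeg):
        tiff = jpeg[start + 10:end]               # skip marker, length, "Exif\0\0"
        e = "<" if tiff[:2] == b"II" else ">"     # byte order of the TIFF block
        (ifd0,) = struct.unpack(e + "I", tiff[4:8])
        (count,) = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])
        found = {"model": None, "has_gps": False}
        for i in range(count):                    # each directory entry is 12 bytes
            entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
            tag, _type, n, value = struct.unpack(e + "HHII", entry)
            if tag == GPS_IFD_TAG:
                found["has_gps"] = True
            elif tag == MODEL_TAG:                # short strings sit inline in the entry
                raw = entry[8:12] if n <= 4 else tiff[value:value + n]
                found["model"] = raw[:n].rstrip(b"\x00").decode("ascii", "replace")
        return found
    return None

def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1 Exif segment cut out."""
    out, keep_from = bytearray(), 0
    for start, end in exif_segments(jpeg):
        out += jpeg[keep_from:start]
        keep_from = end
    return bytes(out + jpeg[keep_from:])

# Constructed sample: a header-only JPEG skeleton, made-up model, no real coordinates.
_model = b"Example Phone\x00"
_app1 = (b"Exif\x00\x00II*\x00" + struct.pack("<IH", 8, 2)
         + struct.pack("<HHII", MODEL_TAG, 2, len(_model), 38)
         + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 52) + struct.pack("<I", 0)
         + _model + struct.pack("<HHHI4sI", 1, 0, 1, 4, b"\x02\x03\x00\x00", 0))
SAMPLE = (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(_app1) + 2) + _app1
          + b"\xff\xda\x00\x02\xff\xd9")
```

On a real file, read the bytes with `open(path, "rb").read()` and pass them in. This only looks at the EXIF block; other metadata formats a file may carry, such as XMP, are not examined or removed.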

So, in summary - do this right now before you forget:  go grab your phone, and review your location settings.  Become aware and familiar with where, and how you turn the location on and off.  Check your camera app and see if it's storing your location by default.

When it comes right down to it, anyone can find information about you on the Internet.  But why do all the work for them?

Be safe out there, have a good week!

Next up:  "I Bought an Ultrabook!" and "Why You Shouldn't Listen to [big box store] Employees"

Send me your questions!  mikeg@forestdaleinfosys.com

This post is contributed by a community member. The views expressed in this blog are those of the author and do not necessarily reflect those of Patch Media Corporation. Everyone is welcome to submit a post to Patch. If you'd like to post a blog, go here to get started.

david mokal September 30, 2012 at 11:43 PM
thx Diana I thought I was hearing things. I don't use Facebook because if no one wanted to talk to me in 5th grade why do they want to talk to me now? :>)
George Lyons October 01, 2012 at 02:45 AM
Point taken, Mike - but once we've left a carbon footprint on the Interweb, it would take a ton of whiteout to become anonymous.
Kelly Ilebode October 01, 2012 at 01:05 PM
I am not trying to be anonymous on the internet....but some of this technology is new and I am happy to read well written articles such as Mike's to build up my own knowledge bases and be aware. Some people will do nothing, and that is ok, but if we have an opportunity to do something and we want to take that step, then that is ok also.

