I was thinking the other day as I was walking through [major big box electronics store] about how amazingly far cell phones have come since the first one I used (a Motorola StarTAC). Not even 10 years ago, phones were monochromatic, unwieldy bricks that cost a bundle to own and operate.
Now of course, smartphones are ubiquitous, and they've actually done a great job of replacing the functions of a vast number of gadgets - for instance, GPS navigation systems, as just about every smartphone has a GPS module in it. Remember that big, clunky digital camera you used to have to take with you everywhere? Now most phones are capable of taking pictures with at least 4x the resolution of the first camera I ever bought (at 2 megapixels).
"Okay Mike, nice story, but....."
Alright, keep your pants on! So what do GPS and digital cameras have to do with each other? The answer: EXIF data. EXchangeable Image File Format data has been a huge deal for photographers and GIS (Geographic Information System -- i.e., Google Maps) users and developers.
EXIF data stores information about the pictures you take and saves it - it's metadata, so it's embedded in the file. Some information it can* store:
- Exact date and time the picture was taken (down to the second!)
- Camera model that took the picture
- Serial number of the camera
- ISO speed
- Aperture info
and, most importantly
- Location details about where the picture was taken
(* I say "can" because not ALL cameras/phones will store this data for you, but most will)
How does it do this? Well, consider that a lot of people keep their phone's GPS on all the time - by default, many (not every) programs turn location services on. Ever used a little site called "Facebook"? If your GPS is on and your camera is set to use location - then your GPS info is being stamped into your EXIF data.
What? You don't think this is a real thing, huh? That's cute. Indulge me for a moment...
A great resource for EXIF data is a site called Jeffrey's EXIF viewer. You can upload a picture (or grab one from the web if you know the URL) and view the EXIF data in painstaking detail. I posted some examples - check out the pictures I posted (in order of how they are in the gallery):
- This is a picture I took of Assembly Square one evening recently. I did not have GPS turned on (I usually do not -- not only for security but it's a huge battery drain). Notice though that you can tell the "camera model" (which is just my Android phone).
- This is another example of basic EXIF data from a picture I took just now - notice, still no location info - I had GPS off.
- I turned the GPS on - then took this picture of my gorgeous Rickenbacker bass. When I looked at the EXIF data, I could see that a GPS section showed up -- with my EXACT location. Whoa.
- I uploaded that same picture to Jeffrey's EXIF viewer and saw that the photo did indeed have my exact coordinates.
- So now you might say “Wow, I’ll plug those coordinates into Google Maps and find where this Mike G. character lives!” Well don’t worry, the EXIF viewer page did that for you already.
- And here’s another example of the Extended EXIF data that the EXIF viewer page gives you.
Holy crap. That's scary.
Yes. Very much so… remember my article on Social Engineering? This plays a big part in how an attacker can use information that you think is innocuous to his/her advantage. That said - you can take solace in a few things:
- This is completely under your control. You must choose whether or not to turn your location on. I always keep mine off, but it’s completely up to you.
- Most sites (Facebook included) strip out the really juicy EXIF data.
- Check out the 3rd picture in the series I posted – Windows provides you a handy link where you can scrub the personal information off of the photo before you ship it off to wherever it may go next.
- To be extra safe, you can scrub EXIF data by using a program for Windows, aptly named JPEG Scrubber.
So, in summary - do this right now before you forget: go grab your phone, and review your location settings. Become aware and familiar with where, and how you turn the location on and off. Check your camera app and see if it's storing your location by default.
When it comes right down to it, anyone can find information about you on the Internet. But why do all the work for them?
Be safe out there, have a good week!
Next up: "I Bought an Ultrabook!" and "Why You Shouldn't Listen to [big box store] Employees"
Send me your questions! firstname.lastname@example.org