OFFICIAL SECURITY BLOG
June 28, 2013 | BY Jean Taggart
Metadata is data about data, imbedded in that data.
Confused yet? Files can have information about themselves, contained within them. It can be simple information, such as genre or artist in the case of an mp3 music file. It can also have more complex information, like camera model, aperture of the lens, and GPS data in relation to a picture.
Metadata has been in the news recently, with the revelation that the National Security Agency (NSA) collects a lot of metadata about American citizens and foreigners.
Many people do not know that this hidden data exists and that this is where it can be an issue. If you take a picture with a device, then post it to a social network, you could be unwittingly advertising your exact location.
This happened not too long ago, when a reporter who was interviewing John McAfee posted a picture that contained geotagging metadata. This effectively pinpointed exactly where they were when the interview took place. There are arguments concerning whether this was done intentionally or not, but it certainly demonstrates how powerful this metadata can be.
Projects such as icanstalku.com showed that GPS coordinates could be harvested from pictures posted to online services. This helped raise awareness on the potential risks associated with unwittingly sharing more information than intended. Many manufacturers have modified their default settings since then. Some have disabled geotagging by default, while others have implemented a more granular approach, in which individual applications request permission when required.
It is always a good thing to revisit problems, to see if things have changed. And so, I set about collecting any Internet-enabled device I could that had a camera attached to it and verifying the geotagging settings in each of them.
First up, the iPhone:
You can access these settings by selecting settings, then scrolling down to privacy.
This will indicate if location services are enabled. You can disable this feature all together. If you go one level deeper, you can selectively disable it, for specific applications.
One thing to keep in mind is that, if you disable location services altogether, several apps that depend on it will not work as well anymore, such as maps. In my case I was simply confirming that on photos, it was indeed disabled.
Next up, the iPad. You can access the location services in much the same way. Go to settings, and select privacy. I found to my surprise that location services were enabled on the camera. I must have enabled it at some point in the past but had forgotten to disable it afterward. Already this exercise has proven to have value.
You can find out more information about location services directly from Apple here.
The location and method for enabling and disabling this feature in Android can be in many different places, depending on the version of Android of the device. This is can also vary from device to device, as some carriers like to customize the interface of their devices.
Here is an example of the setting on a Nexus 4, running the latest version of Android.
Other devices that seem less obvious than phones or tablets included handheld game consoles.
At first I was unable to locate the setting to enable or disable geolocation metadata. I took a picture to inspect if it was enabled with the default settings. After wrestling with Sony’s wonderful content manager, I was able to import a picture for a more in-depth inspection. The model I had on hand lacks the 3g functionality, and upon greater scrutiny it yielded no geolocation information.
From within the camera application, on the PSVita, I noticed that there was a little green icon. I wondered what the bandage, or sushi roll, was for, until I eventually recognized it as a satellite. I enabled it, confirmed my console was connected to the Internet, and snapped another picture.
Here are the results:
As you can see, despite not having any 3g capabilities or hardware GPS capabilities, the PSVita is perfectly capable of embedding geolocation data in a picture. This is done by using Skyhook, a service that relies on Wi-Fi access points rather than a true GPS chip. Kudos to Sony for not enabling this option by default. I am still left to wonder how many parents are aware of the capabilities of this device.
I was not able to find any mention of geotagging capabilities for the 3DS. I enabled Internet access on a 3DS and took a picture, saved it to the sdcard, and copied it over. As you can see, there was no location data.
Although I suspect I may be an edge case, I was amazed at the sheer number of Internet-enabled devices equipped with a camera that I possess. Examining the metadata of pictures taken with these demonstrated how much more information can be extracted from what most users think of as “only a picture.”
In parting, I leave you with yet another picture of my desk. You might find this one interesting, in light of what this post has been about.