The National Security Agency released a Limiting Location Data Exposure Cybersecurity Information Sheet (CSI) to guide National Security System (NSS) and Department of Defense (DoD) mobile device users on how they might reduce risk associated with sharing sensitive location data. The guide summarizes how and why mobile devices expose location data and explains potential risk that comes with using them. It provides mitigations to limit the sharing of this information, but warns there is no solution to fully mitigate a mobile device from being located.
Mobile devices, from smart phones to tablets to fitness trackers, have become intertwined in many people’s lives over the last decade, providing numerous benefits and becoming almost indispensable. However, the benefits and convenience can come at a cost. Mobile devices store and share valuable location data by design. This data can reveal details about the number of users in a location, user and supply movements, daily routines and can expose otherwise unknown associations between users and locations.
A cell phone begins exposing location data the second it is powered on because it inherently trusts cellular networks and providers. Devices’ location data, from GPS to Wi-Fi or Bluetooth connections, may be acquired by others with or without the user or provider’s consent. Anything that sends and receives wireless signals has location risks similar to phones, including Internet of Things (IoT) devices, vehicles and many products with “smart” included in the name.
Each user must assess what level of risk they are willing to accept regarding location tracking. The CSI offers mitigations for those with location sensitivities and for those whose mission dictates they must not reveal their location.