The PinME attack explained
A team of researchers at Princeton university recently discovered a way to track cellphone users even when they’ve disabled their GPS and denied installed apps GPS permissions. They’ve called their discovery PinMe.
The research team reported this in an article published in an IEEE journal in September last year. A patent is pending on their innovation. According to Prateek Mittal, an assistant professor in Princeton’s Electrical Engineering Department:
PinMe demonstrates how information from seemingly innocuous sensors can be exploited using machine-learning techniques to infer sensitive details about our lives
As grim as that sounds, PinMe can also be used to protect phone users. GPS signals can be faked by hostile third parties and this can be troublesome for naval ships and for passengers of automatic vehicles. PinMe could be used a second source to confirm GPS readings.
Since the calculations PinMe uses are based on statistical inference, it probably won’t be as accurate as GPS. Also if a phone’s Internet connection is poor or non-existent, the results could be even less accurate.
The algorithm used by PinMe to locate a phone can be summarised as follows:
- First it reads the last IP address and network status of the phone. This allows it to narrow in on the location of closest WiFi router.
- Once it has a location it uses the phone’s sensors(probably the gyro) the determine the mode of travel and speed, whether by foot, air, car or in a plane.
- Once it had a mode of travel, it would access map data for the mode of travel to identify specific routes of travel whether by air, sea or on land.
- Additional information was gathered using detailed temperature, humidity and air pressure reports from The Weather Channel’s weather stations, to further contextualize the phone’s air-pressure-sensor readings.
It will be interesting to see where the discussion on this tech goes.