The National Security Agency (NSA) is issuing a warning about location services on mobile devices, which it says could pose a security risk if a device is compromised.
On Tuesday, the NSA released new guidance for Defense Department employees and federal government employees who have security clearances. However, the agency said it could apply to a “wide range of users.”
“Using a mobile device—even powering it on—exposes location data,” the guidance read. “Mobile devices inherently trust cellular networks and providers, and the cellular provider receives real-time location information for a mobile device every time it connects to the network.”
“This means a provider can track users across a wide area. In some scenarios, such as 911 calls, this capability saves lives,” it continued. However, “For personnel with location sensitivities, it may incur risks. If an adversary can influence or control the provider in some way, this location data may be compromised. Public news articles have reported that providers have been known to sell data, including near-real time location data, to third-parties.”
The NSA also warned that location data can be obtained “without provider cooperation.”
“Commercially available rogue base stations allow anyone in the local area to inexpensively and easily obtain real-time location data and track targets. This equipment is difficult to distinguish from legitimate equipment, and devices will automatically try to connect to it, if it is the strongest signal present.”
Simply turning off cellular service does not entirely prevent the sharing of location data, the guidance said. “Even if all wireless radios are disabled, numerous sensors on the device provide sufficient data to calculate location.”
The NSA also warned that “anything that sends and receives wireless signals has location risks similar to mobile devices.” That includes fitness trackers, smartwatches, smart medical devices, built-in vehicle communications, and smart home devices.
And apps on mobile devices may “collect, aggregate, and transmit information that exposes a user’s location.”
Additionally, the NSA warned that sharing pictures on social media could reveal location information. “Pictures posted on social media may have location data stored in hidden metadata. Even without explicit location data, pictures may reveal location information through picture content.”
Finally, the guidance laid out a series of steps users could take to try to protect their location information.
The NSA recommends disabling location services on devices, turning off Bluetooth and Wi-Fi when “these capabilities are not needed,” and turning on Airplane Mode when devices are not in use.
It also urged users to “avoid using apps related to location if possible, since these apps inherently expose user location data.”
The new guidance comes roughly two years after the Pentagon banned personnel from using smartphones, fitness trackers, or apps that have geolocation services that could reveal the user’s location in “locations designated as operational areas.”
A 2018 memo read, “Effective immediately, Defense Department personnel are prohibited from using geolocation features and functionality on government and non-government-issued devices, applications and services while in locations designated as operational areas.”
That move came after the Pentagon discovered that fitness tracking app Strava may have shared the locations of security forces.