A stunning new report has revealed that for £760 ($1,000), someone can purchase online ads that can be used to monitor someone else’s location and app use.
The creepy technology, according to a report by the Daily Mail, could be used in a range of ways, including by burglars or by employers hoping to check up on their employees.
It said research led by the University of Washington tested whether it was possible to exploit the existing online advertising infrastructure for personal surveillance.
‘Anyone from a foreign intelligence agent to a jealous spouse can pretty easily sign up with a large internet advertising company and on a fairly modest budget use these ecosystems to track another individual’s behaviour,’ said lead author Paul Vines.
The report said researchers discovered an individual ad purchaser can see when a person visits a predetermined sensitive location within 10 minutes of their arrival.
For example, someone could track the suspected rendezvous spot for an affair, the office of a company that a venture capitalist might be interested in, or a hospital where someone might be receiving treatment.
The team also discovered that individuals who purchase the ads could see what types of apps their target was using.
That could potentially divulge information about the person’s interests, dating habits, religious affiliations, health conditions, political leanings and other potentially sensitive or private information.
‘Because it was so easy to do what we did, we believe this is an issue that the online advertising industry needs to be thinking about,’ said co-author Franzi Roesner.
‘We are sharing our discoveries so that advertising networks can try to detect and mitigate these types of attacks, and so that there can be a broad public discussion about how we as a society might try to prevent them.’
Someone who wants to track a person’s movements first needs to learn the mobile advertising ID (MAID) for the target’s mobile phone.
These unique identifiers, which help marketers serve ads tailored to a person’s interests, are sent to the advertiser and a number of other parties whenever a person clicks on a mobile ad.
A person’s MAID also could be obtained by eavesdropping on an unsecured wireless network the person is using or by gaining temporary access to his or her WiFi router.
Customers of advertising services can purchase a number of hyperlocal ads through that service, which will only be served to that particular phone when its owner opens an app in a particular spot.
By setting up a grid of these location-based ads, the adversary can track the target’s movements if he or she has opened an app and remains in a location long enough for an ad to be served – typically about four minutes, the team found.
Importantly, the target does not have to click on or engage with the ad.
The purchaser can see where ads are being served and use that information to track the target through space. In the team’s experiments, they were able to pinpoint a person’s location within about eight metres.
‘To be very honest, I was shocked at how effective this was,’ said co-author Tadayoshi Kohno. ‘It is important to understand both the benefits and risks with technologies.’
Disabling location tracking within individual app settings could help, the researchers said, but advertisers still may be capable of harvesting location data in other ways.
On the industry side, mobile and online advertisers could help thwart these types of attacks by rejecting ad buys that target only a small number of devices or individuals, the researchers said.
They also could develop and deploy machine learning tools to distinguish between normal advertising patterns and suspicious advertising behaviour that looks more like personal surveillance.
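The first industry-side mitigation above, rejecting ad buys that target only a small number of devices, can be expressed as a screening check an ad network runs before accepting buys. This is an added example, not code from the researchers or from any ad network; the thresholds, the `AdBuy` record and the `screen` function are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed policy thresholds for illustration; not values from the research.
MIN_AUDIENCE = 1000     # fewest devices a device-targeted ad buy may address
SMALL_RADIUS_M = 50.0   # a geofence radius at or below this is "hyperlocal"
GRID_MIN = 5            # hyperlocal ads from one buyer that count as a grid

@dataclass(frozen=True)
class AdBuy:
    buyer: str
    target_maids: frozenset   # device IDs the ad is restricted to (empty = no device targeting)
    radius_m: float           # radius of the ad's geofence, in metres

def screen(buys):
    """Return {buyer: [reasons]} for buyers whose ad buys should be held for review."""
    per_buyer = defaultdict(list)
    for b in buys:
        per_buyer[b.buyer].append(b)
    held = {}
    for buyer, items in per_buyer.items():
        reasons = []
        # Buys restricted to a device list that is too small to be a real audience.
        narrow = [b for b in items if 0 < len(b.target_maids) < MIN_AUDIENCE]
        if narrow:
            reasons.append(f"{len(narrow)} ad buy(s) target fewer than {MIN_AUDIENCE} devices")
        # Grid check: many small geofences from one buyer aimed at the same few devices.
        devices = frozenset().union(*(b.target_maids for b in narrow))
        hyperlocal = [b for b in narrow if b.radius_m <= SMALL_RADIUS_M]
        if len(hyperlocal) >= GRID_MIN:
            reasons.append(f"{len(hyperlocal)} hyperlocal ads cover only {len(devices)} device(s)")
        if reasons:
            held[buyer] = reasons
    return held

# Constructed sample data: placeholder device IDs, not real MAIDs.
BROAD = frozenset(f"device-{i:05d}" for i in range(5000))
SAMPLE = [AdBuy("retailer", BROAD, 2000.0)] + [
    AdBuy("suspicious", frozenset({"device-00042"}), 10.0) for _ in range(6)
]

if __name__ == "__main__":
    for buyer, reasons in screen(SAMPLE).items():
        print(buyer, "->", "; ".join(reasons))
```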
Culled from Daily Mail