Just about everyone I know has posted a pic or video on YouTube, Twitter, Facebook, Flickr, Tumblr and or on the many other social networking sites online. People post visual shares of themselves standing by their expensive new cars, daughters in prom dresses and of course, the countless family dog chasing the squirrel (yet never the catch.. odd, isn’t it?) photographic staple. And who can resist the envy-inspiring caption ”Off to vacay for the weekend. Squeal moi!!”. (Ok, most of you would just add the comment, “Taking the family to the shore/cabin/lake this weekend.)
Embedded in most images are geotags, data providing the longitude and latitude of where the photo was taken. Hence, you have just revealed exactly where you live. Adding that caption also lets burglars know you are not going to be home.
As security experts, we have begun warning our clients, friends and families about the potential dangers of geotags, which are embedded in photos and videos taken with GPS-equipped smartphones and digital cameras. Because the location data is not visible to the casual viewer, most people do not realize it is there; potentially compromising their privacy and safety when this geotagged media content is posted online.
I’ve had IT friends forget to disable their geotagging capabilities on their iPhones, Blackberries… But let’s face it, many of us are just not that technologically informed or aware.
The problem too with GPS-enabled devices is that the access to turn off geotags in hidden behind several layers of menus before you actually get to the “location” setting. Once you find this setting, you can select “Off” or “Don’t Allow” to deactivate this feature. Seems simple enough, right? But in doing so, this can sometimes turn off all GPS capabilities, including mapping, so it can get complicated.
Other networking sites like Foursquare or Twitter can reveal your geographical location but a) it is not hidden and b) can easily be disabled without extraordinary effort.
Okay, so now that the burglar has the geo data, how does he convert that to an actual location from just the lat and long? Using any number of available apps online such as Opanda IExif for Internet Explorer, anyone can not only find the address but create a Google map of the location of where the photo was taken. (Wouldn’t want to have a criminal get lost on his way to your house now would we? )
We recently conducted a real-time experiment for a client.
The objective: To tell him where he, his wife and kids were during the week and the times that his home and possessions were most vulnerable to break-ins.
We laid out the criteria for this test: 1. The client was not to change his posting habits whatsoever, 2. He was not to let us know in any other communication form of his location at any given time and 3. We would not visually surveil him.
It took less than an hour to find his main accounts on FB, Twitter and LinkedIn. From there, we identified his wife and children, her job location and photos of the kids in team gear gave us the names of the schools they attended. We kept a closely monitored calendar of his posts (usual times of his first to last daily posts), called the wife’s job under pretext to determine when she was in and from the school, unquestioned, obtained sports/activity practice schedules.
After one week, we provided our client with a time grid – of the most accessible times to his house. If we were on the opposite team, under guise of course (neighbors almost never question certain company-issue uniforms or grounds services), we could have entered, removed property and left the scene in less than 15 minutes. The items that get hit are laptops, iPads, phones, jewelry and money. All easily hidden in a larger than the thief sized, multi-pocketed uniform.
(In one recent burglary, the thief carefully removed the hard drive from a home office pc and simply screwed the unit back together. The tampering was undetectable. He also took a few small valuables so as to qualify the crime as he had to do a “soft” but noticeable to the homeowner break in and clipped some interior wiring. By the time the owner came home, realized he’d been burglarized, called the police, gave them a stolen items list, settled down, realized his pc didn’t work and hadn’t figured out why, all of his personal info had been ripped off of his drive. Social Security Number, Driver’s License, credit card info, other banking data and much more. This criminal was clever. If your pc is not functioning, especially after noticing clipped electrical wires, which also affected other devices, who would think to look for a missing hard drive??)
Most multimedia sites like Twitter and YouTube have user-friendly application programming interfaces, or A.P.I.’s, which will allow anyone who knows how to even turn on a pc to create a program to search for geotagged photos in a systematic way. For example, they can search for photos, vids or other media posts with text like “on vacation” “at work” or those taken in a specified neighborhood.
ICanStalkU.com has a unique marketing approach. They monitor geotagged photos posted on Twitter and send notifications to the posters. (Is there a better word?) One of four recipient responses will occur: 1. It is ignored and deemed spam, 2. anger at the intrusion, 3. acknowledgement and nothing else or 4. proactive reaction and request for methods to moat the castle.
Several sites like Flickr have taken recent steps recently taken steps to block access to geotag data on images taken with smartphones without the user’s manual opt in.
This issue goes well beyond social networking sites. Innocent posts on blogs and bulletin boards create the same problem. Or a friend may take a photo in or around your home and post it.
The best advice we can give you is to make sure your geotagging setting is disabled, think from a criminals’ perspective and review your media posts and ask friends and family to have the courtesy of asking you before they post your child’s cute Halloween outfitted pic on their site.
BNI Operatives: Street smart; web savvy.
As always, stay safe.