Last week, Symantec’s MessageLabs Intelligence Sr. Analyst Paul Wood shared some predictions for online threats in the coming year with us. With the increasing emergence of location-based services, we wondered what kind of threats (beyond the obvious) come with this new territory.
"One attack that may be predicted is for malware faking location information in order to boost ranking or prominence of the spoofed location," Wood told us. "This type of information will be of value in the reconnaissance stage prior to a targeted attack, or perhaps prior to burgling someone’s house – the robber can know the owner is elsewhere."
We asked Wood to elaborate on this a bit. "Most attacks are conducted for profit," he says. "Therefore for a new service to be utilized as a source of attacks the methods by which the attack can be used to make money need to be clear. In the case of location sharing, it’s not clear how this information can be used to make money for the legitimate provider of the service, and equally unclear how this can be subverted by criminals for their profit, unless it’s part of a surveillance or reconnaissance process prior to an attack."
"One way that location sharing may be expected to raise revenue for the provider is by offering services by which the most popular ‘X’ in location ‘Y’, according to the number of people registering their location, can be promoted," he explains. "This could be by allowing a service provider to promote themselves as the most popular ‘coffee shop’ in ‘New York’ according to location sharing. In this case, there is a motive for less popular and less scrupulous service providers to artificially boost their popularity according to location sharing by buying fake location sharing registrations from criminals who have illegal access to mobile devices or location sharing accounts."
If it can be done, I’m sure it will be.
"If location sharing is used to boost rankings in any system then this gives criminals a motivation to subvert the system," he adds. "However, at the moment, location sharing is very new, it’s not clear how it will be used by the companies providing the service and so not clear how it may be abused either."
On the topic of "boosting ranking or prominence", when asked if search engines are capable of detecting fake location sharing entries, he admits he has no idea. He also says he’s not familiar with any such instances in the past.
If location-based services continue to pick up steam, and Google continues its trend of delivering location-based results, I’m betting we will start to see more integration between the two (not unlike what we’ve seen with real-time search). This will be something to keep an eye on, to say the least.
When asked if this kind of thing could occur within Facebook and/or Twitter with their respective location-based offerings, Wood says, "We cannot comment on specific services. However, humans are social creatures that always take advantage of efficient methods for indulging their hunger for communication with their friends, family and contacts."
"My guess is that ever since the first language was invented, there have been liars and con men who have found ways to subvert the new means of communication to their own ends," he continues. "If an attacker is able to identify the individual concerned and then use public services to track them, this may be a concern – do you want everyone and anyone to know your location or the location of your mobile device at all times? This is where privacy controls come in to play – parents may wish to benefit from this technology for their children, but privacy is important when publishing this type of data – if that information were to fall into the wrong hands, the consequences could be disastrous; for example, cyber bullying and cyber stalking are already increasingly becoming a concern for many individuals."
The United States Air Force is apparently concerned. A recent report says the Air Force has warned its troops about using location-based services for fear that they can jeopardize missions. While it’s unclear whether other branches of the military have issued similar warnings, the Army’s Chief of Strategic Communications recently told WebProNews that the Army doesn’t have many social media restrictions, as long as lives aren’t being put in danger, meaning communications don’t violate "operational security" – they don’t reveal anything involving upcoming missions. He didn’t talk specifically about location-based services, but they are becoming very much part of social media.