I think that "tracked" is more of an aspirational word insofar as the usefulness of the kind of data you can learn by pinging a device.
Did you read the article?
Yeah I saw this making the rounds at least a week ago.
I think it's grasping at straws to find a security implication.
I mean, I guess that's why they're security researchers and not spies. Not even Mossad could come up with something clever to do with this metadata or these "attacks". But who knows, who knows - maybe they'll drain a Hamas terrorist's cell phone battery by 1-2%.
Information leakage is information leakage. You might not find it useful but nefarious actors definitely do.
Nope, that's what is known as security theater. You found a thing, you can't articulate why the thing matters, but you still want a cookie.
Is the information leaked an immediate privacy threat? No. Can it be collected en masse and analysed later? Yes. Can that reveal behavioural patterns? Yes. I'd rather not have my habits collected by ad agencies, much less by anyone else who merely needs to ask. I don't want this leaked for the same reason I don't want my phone to leak the list of wifis it knows, or was last connected to.
No, you have to do better than that. Don’t just say advertisers would want this metadata if you have no idea how or why. Give specific examples. Why is pinging someone’s phone 24/7 superior to the massive amount of ad tracking that already exists? And what could you find from this data that is actually useful or you couldn’t otherwise deduce by simple common sense? Like that people sleep at night.
If you'd actually read the article, you'd see where the issues are.
Well, why don't you tell us what the "implications" are then, instead of just adding one-liners bare of any information to this thread?
We have seen this kind of security theater countless times by now; completely irrelevant "information gathering" that gives an attacker almost zero useful information. Oh, the RTT is low, cool, that tells me ... a person is using the device they probably use 100 times a day. Wooow.
So, do tell, (you have read the paper, have you?) what are the grand security implications behind this?
An attacker can track when you're using the device and when you're using the app. This might only be an issue for a few people but it is still an issue, and one with a solution that isn't yet being implemented.
Unless network latency makes the entire method meaningless. Which, given the "reliability" of cell networks, is almost always.
And even so...oh, someone can tell when I'm using my phone. Wow. That would be...constantly. Wow, such secure, very information.
Can’t remember whether it was in an article or in the paper itself, but in theory you can raid their house while their device is unlocked.
By the time you're in the door, the phone will have locked itself.
Or you know, literally any other wifi in the world.
Wow, that's a pretty big oversight. A state actor could use ping response times from different geos to triangulate location. There might even be a dataset and services that can be purchased to where someone with more limited resources would be able to pull it off.
If they've already got the target's phone number then they can do that far more accurately through other means.
A state actor could do that by simply subpoena-ing cell tower data. Which does not require the device to have any kind of app installed.
This technique does not reveal ANY location information.
Russia and China are likely not going to get a subpoena to track down dissidents to kill in the US.