Is Your IoT Device Watching You? The Hidden Dangers of Location Sharing

IoT has revolutionized the way we interact with the world around us. From fitness trackers that monitor our health to smart home devices that adjust our thermostats, IoT technology has made life more connected and convenient. However, with this convenience comes a significant risk - location sharing. While geolocation data helps improve user experiences and personalize services, it also opens the door to privacy violations, security threats and even real-world dangers.

In this article, we delve into the often-overlooked risks of location sharing in IoT devices, how it impacts users’ privacy and security, and what can be done to mitigate these risks.

The IoT landscape | A network of constant connections

IoT devices are designed to be always-on, constantly transmitting data to the cloud or other connected devices. Whether it’s your fitness tracker, smartphone, smart home system, or connected vehicle, the data these devices collect is often a treasure trove of personal information, including "your precious" location (geolocation data). In many cases, these devices don’t just track where you are, but also your habits, routines and even your preferences.

While the benefits of IoT devices are clear - such as convenience, personalization, and enhanced functionality - they also pose a new kind of risk. These devices generate vast amounts of data, and much of it can be tied directly to your geolocation.

Location-sharing in IoT enables devices to understand the user’s context. For example, your smartwatch might suggest you go for a jog around the block based on your location, or your home security system might adjust to “away” mode when you leave for work. These conveniences, however, come at a price.

The problem with constant location sharing

The constant flow of location data creates multiple security vulnerabilities:

1. Privacy violations: Many IoT devices share your location data with third-party services. This could be for advertising purposes or to improve service accuracy. For instance, apps like Google Maps or Facebook collect data on your movements to provide more relevant ads or notifications. While this is often sold as a feature, it can also expose personal information. A seemingly harmless photo posted to social media could reveal the precise location you took it -whether that’s at your home, office, or even a vacation spot. In the case of fitness trackers, users might unknowingly expose sensitive data about their habits, routes, or frequent locations.
2. Stalking and physical security risks: The most immediate and alarming risk of location sharing in IoT devices is the potential for stalking or theft. Attackers or criminals can use public geolocation data to track an individual’s whereabouts, making it easier for them to target their next move. Whether it's a smart home device revealing when you’re away, or a fitness tracker broadcasting your jogging route, this information can leave you vulnerable to personal harm or burglary.
3. Data breaches and unauthorized access: Most IoT devices store location data in the cloud. Without adequate security measures, this information is vulnerable to hacking. A breach of an IoT system can give cybercriminals access to vast amounts of personal data, including your real-time location, travel patterns, and even sensitive information tied to the geolocation data, like medical visits or personal relationships.
4. Unintended data sharing: Often, users are unaware that their IoT devices are constantly transmitting location data. Many apps and devices default to sharing location data unless explicitly disabled. This lack of awareness can lead to significant privacy risks. People may unknowingly share their location with third parties, opening the door for corporate surveillance, targeted ads, and even corporate espionage in more sensitive industries.

When location data betrays | Case Studies in IoT tracking gone wrong

1. Two weeks ago, a significant hack led to the theft of millions of individuals' location data, primarily through the U.S.-based firm Gravy Analytics. In a major hack, millions of people's intimate location data were stolen, primarily through a U.S. location tracking firm, Gravy Analytics. The data includes precise movements, revealing sensitive details like visits to military bases and personal locations. Hackers reportedly stole over 10 terabytes of data, shared on forums, and identified individuals based on their location data. This breach exposes a new type of vulnerability in IoT and app-related tracking, highlighting privacy risks. For further details, check the full story here.
2. A major issue with location data collection has emerged, where the company Huq was found to gather GPS coordinates even when users opted out of sharing their location in specific apps. The data, often harvested through a software development kit (SDK) integrated into apps, has been transferred without consent, undermining users' privacy preferences. This points to a lack of accountability in how location data is handled and highlights the need for stricter regulations. For further details, check the full article here.
3. The Strava Heatmap Incident: One of the most famous examples of IoT location data causing a security breach occurred in 2018, when the fitness tracking app Strava released a global heatmap of user activity. The heatmap, designed to show the most popular running and cycling routes, inadvertently revealed sensitive military locations. Fitness enthusiasts and soldiers alike unknowingly shared their running and cycling routes, exposing military bases and patrol routes. This incident underscores the potential for location data to compromise national security.
4. Russian Naval Commander's Assassination: In June 2023, Russian submarine commander Stanislav Rzhitsky was assassinated after assailants accessed his Strava fitness tracker data, revealing his jogging routes and routines. For more details, check out the full article here.
5. Fitbit Data Leak: In 2018, it was discovered that Fitbit's fitness tracking data, including user locations, was accessible to third parties, raising concerns about privacy and data security.
6. Google Location Tracking: Reports have shown that Google continues to track users' locations even when location history is turned off, leading to privacy concerns.
7. Amazon Ring Doorbell Data Sharing: Amazon's Ring doorbell cameras have been found to share user location data with law enforcement agencies without explicit consent, sparking debates over privacy and surveillance.
8. Google Maps Location Sharing: Google Maps' location sharing feature has been criticized for potentially exposing users' real-time locations to unintended parties, raising concerns about user consent and data security.
9. Apple AirTag Stalking Incidents: Reports have emerged of individuals using Apple AirTags to track people's movements without their knowledge, leading to privacy and safety concerns.
10. Smart Home Device Data Sharing: Studies have shown that smart home devices, such as smart speakers and thermostats, can inadvertently share users' location data with manufacturers and third parties, raising privacy concerns.

Protecting your digital footprint | A guide to IoT location privacy

As the IoT ecosystem grows, so do the risks associated with it. Here are some tips for safeguarding your privacy while using IoT devices:

1. Disable Location Sharing: Go into your device settings and turn off location sharing for apps that don’t require it. Fitness apps like Strava or Google Maps often allow you to disable location sharing or limit it to only when you’re actively using the app.
2. Review App Permissions Regularly: Always check what permissions apps have access to. For example, some fitness trackers or smart home devices may request unnecessary access to your camera, microphone, or location data. If an app doesn’t need this information, deny the permission.
3. Use Secure IoT Devices: Ensure that the IoT devices you use have strong security measures, such as encryption for data transmission. Devices that don’t offer end-to-end encryption for location data or communication are much more vulnerable to hacking.
4. Educate Yourself and Others: Many users are unaware of the implications of sharing location data. Educate yourself on the potential risks associated with IoT devices and share that knowledge with others. Ensure that family members or employees are also aware of the dangers of over-sharing location information.
5. Use a VPN for IoT Devices: When using IoT devices that transmit sensitive information, consider using a VPN (Virtual Private Network) to protect your online activities. A VPN can help mask your location and keep your personal data encrypted.

Conclusion

Location sharing in IoT devices can greatly enhance the functionality of products and services, offering users convenience, customization, and improved experiences. However, when mismanaged, this sharing can expose individuals and organizations to significant risks. From personal security threats to corporate espionage, the consequences of unchecked location data can be severe.

By understanding these risks and taking proactive steps to protect our location data, we can enjoy the benefits of IoT while safeguarding our privacy and security. It’s time to recognize that while convenience is valuable, privacy protection must always come first.