This month, University of Washington researchers will present Exploring ADINT: Using Ad Targeting for Surveillance on a Budget — or — How Alice Can Buy Ads to Track Bob at the Workshop on Privacy in the Electronic Society in Dallas. The paper details a novel way for stalkers and other low-level criminals to accomplish state-grade surveillance on the cheap, using nothing more than targeted ad purchases.
The attack relies on the fact that major "Demand Side Platform" (DSP) ad brokers like Google Adwords allow an advertiser to target an ad both to a specific location and to a specific device. By buying a set of ads that are served only when the target's phone is inside a given block, and then reading back which of those ads the platform reports as served, the attacker can trace the target's movements in space and time. Because ads can likewise be targeted to a particular app, the same trick reveals which ad-supported apps the target uses, and the platforms' targeting categories expose sensitive demographic data.
Variations on the technique allow attackers to count the number of people in a given room who have a gay hookup app, or an app that reminds Muslims of daily prayer times and orients them toward Mecca.
For $1000 or less, attackers can conduct surveillance of the sort that costs states millions.
That tracking method has a couple of serious limitations. The target would have to have a certain app open on their phone at the time they're being tracked, so that the ad can appear. And to track a specific phone, any ad-buying spy would have to know a unique identifier of the target phone, known as a Mobile Advertising ID, or MAID.
"It’s not a particularly high bar to entry for a very, very highly targeted attack," says Adam Lee, a professor at the University of Pittsburgh who reviewed the University of Washington study.
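As an added example (not the researchers' code, and not any real DSP's API), the following Python simulates the inference step described above: the attacker has bought one campaign per probe, either a hyperlocal geofence (a grid cell) or a single app, all targeted at the victim's Mobile Advertising ID so that only the victim's phone can trigger an impression, and then reads the platform's impression report back to recover a movement trace, the apps in use, and the intervals in which the method goes blind. Campaign ids, cell labels, app package names and the report rows are all constructed.

```python
"""Simulated ADINT inference over a DSP impression report (added example).

Assumptions: every campaign is targeted at the victim's MAID; the DSP's
report lists (campaign_id, timestamp) for each ad it actually rendered.
All identifiers and data below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Campaign:
    kind: str   # "geo" (one grid cell) or "app" (an ad slot inside one app)
    value: str  # cell label for geo, package name for app


# What the attacker configured at the DSP (hypothetical ids and labels).
CAMPAIGNS = {
    "c-geo-A1": Campaign("geo", "A1"),   # e.g. the block around the victim's home
    "c-geo-B2": Campaign("geo", "B2"),   # the victim's workplace
    "c-geo-C3": Campaign("geo", "C3"),   # a gym across town
    "c-app-maps": Campaign("app", "com.example.maps"),
    "c-app-chat": Campaign("app", "com.example.chat"),
    "c-app-prayer": Campaign("app", "com.example.prayer"),
}

# Constructed impression report: campaign id and the time the ad rendered
# on the victim's device. One row names a campaign we no longer track.
REPORT = [
    ("c-geo-A1", "2017-10-30T07:55:00"),
    ("c-app-maps", "2017-10-30T07:56:00"),
    ("c-geo-B2", "2017-10-30T09:10:00"),
    ("c-app-chat", "2017-10-30T09:12:00"),
    ("c-geo-B2", "2017-10-30T12:30:00"),
    ("c-geo-C3", "2017-10-30T18:05:00"),
    ("c-geo-A1", "2017-10-30T21:40:00"),
    ("c-retired-99", "2017-10-30T21:41:00"),
]


def sightings(report, campaigns, kind):
    """Time-ordered (timestamp, value) pairs for impressions of one kind.
    Rows for campaigns we did not configure are dropped, not guessed at."""
    out = []
    for cid, ts in report:
        c = campaigns.get(cid)
        if c is None or c.kind != kind:
            continue
        out.append((datetime.fromisoformat(ts), c.value))
    return sorted(out)


def location_trace(report, campaigns):
    """Collapse consecutive geo sightings of the same cell into
    (cell, first_seen, last_seen) segments: the victim's movement trace."""
    segments = []
    for ts, cell in sightings(report, campaigns, "geo"):
        if segments and segments[-1][0] == cell:
            segments[-1] = (cell, segments[-1][1], ts)
        else:
            segments.append((cell, ts, ts))
    return segments


def apps_in_use(report, campaigns):
    """Apps whose ad slot served our campaign. An app that never served is
    NOT known to be absent: the victim may simply not have opened it."""
    return {app for _, app in sightings(report, campaigns, "app")}


def blind_spots(report, campaigns, max_gap=timedelta(hours=2)):
    """Intervals longer than max_gap with no geo impression at all. During
    these the victim either had no ad-bearing app open or was outside every
    probed cell (the limitation noted above); the attacker cannot tell which."""
    times = [ts for ts, _ in sightings(report, campaigns, "geo")]
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]


if __name__ == "__main__":
    for cell, first, last in location_trace(REPORT, CAMPAIGNS):
        print(f"{first:%H:%M}-{last:%H:%M}  cell {cell}")
    print("apps seen:", sorted(apps_in_use(REPORT, CAMPAIGNS)))
    for a, b in blind_spots(REPORT, CAMPAIGNS):
        print(f"no signal {a:%H:%M}-{b:%H:%M}")
```

The trace is only as dense as the victim's ad views: the three long gaps in the constructed report are exactly the blind spots the limitation above describes, and the unserved prayer-app campaign shows why a missing impression proves nothing about what is installed.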
Exploring ADINT: Using Ad Targeting for Surveillance on a Budget — or — How Alice Can Buy Ads to Track Bob [Paul Vines, Franziska Roesner, and Tadayoshi Kohno/University of Washington]