Mobile ad technique allows stalkers to follow you around a city for less than $1000

This month, University of Washington researchers will present Exploring ADINT: Using Ad Targeting for Surveillance on a
Budget — or — How Alice Can Buy Ads to Track Bob
at the Workshop on Privacy in the Electronic Society in Dallas; the paper details a novel way that stalkers and other low-level criminals can accomplish state-grade surveillance on the cheap with targeted ad-purchases.

The attack relies on the fact that major "Demand Side Platform" ad brokers like Google Adwords allow you to target an ad to a specific place and a specific person. By placing ads that only get served if a target is on a given block, the attacker can trace the target's movements in space and time. Ad networks also allow attackers to enumerate the apps installed on the target's device and retrieve sensitive demographic data.

Variations on the technique allow attackers to count the number of people in a given room who have a gay hookup app — or an app that reminds Muslims about daily prayers and orients them to Mecca.

For $1000 or less, attackers can conduct surveillance of the sort that costs states millions.

That tracking method has a couple of serious limitations. The target would have to have a certain app open on their phone at the time they're being tracked, so that the ad can appear. And to track a specific phone, any ad-buying spy would have to know a unique identifier of the target phone, known as a Mobile Advertising ID, or MAID.

But to get around the first of those limitations, a spy could buy ads against a range of popular apps in the hopes that one of them would show the ad. And for the second, the researchers suggest a variety of ways to obtain that MAID, including placing an "active-content" ad that uses javascript to pull the MAID from a phone at a certain location, and then use that identifier to continue to track the phone with normal ads. Perhaps more simply, they point out, MAIDs can also be intercepted by someone on the same Wi-Fi network as the target phone.

"It's not a particularly high bar to entry for a very, very highly targeted attack," says Adam Lee, a professor at the University of Pittsburgh who reviewed the University of Washington study.

Exploring ADINT: Using Ad Targeting for Surveillance on a
Budget — or — How Alice Can Buy Ads to Track Bob
[Paul Vines, Franziska Roesner, and Tadayoshi Kohno/University of Washington]


[Andy Greenberg/Wired]