ADINT

User targeting capabilities provided by mobile advertisers can also be abused to track users with an accuracy of 8 meters and for a budget of $1,000 or less.

These are some of the conclusions of a comprehensive study of the mobile advertising landscape carried out by a team of three researchers from the Security & Privacy Lab at the University of Washington.

Mobile advertising networks can be abused for user surveillance

Researchers discovered that mobile networks provide user targeting capabilities so accurate and finely tuned that a threat actor could abuse these tools to track down individuals fitting a certain pattern or to spy on known targets.

For example, an attacker could register for one of these services and set up to deliver ads only to a certain geographical area, such as the coordinates of a house in his local neighborhood.

Because the attacker bought ads, this also means he gets usage reports on how and when the ads were delivered for his recent purchase, in this case, the local house.

These reports don't only show when ads are clicked, but they also show when they're displayed, and in the case of mobile ads, on what apps and websites.

An attacker can use this technique to infer details about his target, such as the time of day when he's at home, his religious beliefs, sexual habits, medical conditions, or more. This data is not directly available through the report, but if the user often receives ads while visiting the website of a cancer clinic or inside an LGBT dating app, then the data speaks for itself in most cases.

MAID can be abused for high-accuracy tracking

This type of tracking scenario relies on volatile and often inaccurate data like geographical coordinates or IP addresses. Researchers say that user tracking through mobile ads could be many times more accurate if the attacker discovers a user's MAID (Mobile Advertising ID), which is unique per user device.

The trick is that the MAID is not freely available, but researchers also argue that this isn't actually a big hurdle for attackers.

Threat actors can discover a target's MAID when the user clicks on an ad, by intercepting local unencrypted local WiFi network traffic, or by delivering ads with malicious JavaScript that collects the MAID even if the user doesn't click on the ad. Furthermore, in some cases, an attacker may be able to compute the MAID himself if he has access to various device specifications.

Once the attacker has the MAID, the accuracy of his tracking abilities can be increased many times over, and allow him to deliver even more targeted ads.

ADINT tracking can be very cheap

Researchers named this tracking technique ADINT, similar to the terms SIGINT (signals intelligence) and HUMINT (human intelligence), two terms used in real-world espionage operations.

Furthermore, the technique is also very cheap to carry out, costing only a few thousands of dollars, when compared to spy-grade tracking malware that can sometimes cost millions.

ADINT pricing table

The problem is not likely to go away in the near future. Nonetheless, there are a series of mitigations that both advertisers and users can apply.

For example, advertisers could do a better job at vetting customers, while they could also ensure that targeted ads are distributed to a minimum number of people and locations, thereby making it more difficult to accurately track individuals or individual locations.

Similarly, users could reset their MAID at regular intervals. Instructions on how to do this are available here for Android users, and here for iOS users. Another protection measure is ad blockers.

"There is a fundamental tension at work in the online advertising ecosystem: the precision targeting features we used for these attacks have been developed for legitimate business purposes," researchers say. "Advertisers are incentivized to provide more highly targeted ads, but each increase in targeting precision inherently increases ADINT capabilities."

Bleeping Computer readers interested in finding out more about the subject can study the "Exploring ADINT: Using Ad Targeting for Surveillance on a Budget — or — How Alice Can Buy Ads to Track Bob" research paper. The team's work will also be presented at the Workshop on Privacy in the Electronic Society that will take place in Dallas, Texas, at the end of October 2017.