|The U.S. signals intelligence agency releases guidance on mobile device location services that should not shock anyone versed in cybersecurity. Why the agency did so is the question.|
The National Security Agency (NSA) has issued guidance for those who work for the United States’ (U.S.) security services and military on how to limit their exposure on their mobile devices to the risks of apps and operating systems use of location data. This public guidance is the latest in a series of recommendations and best practices from the previously more secretive agency charged primarily with signals intelligence for the U.S.
The NSA is aiming the guidance at the U.S. Intelligence Community, Department of Defense, and other users of “national security systems” who are usually outside the purview and authority of the U.S. agency empowered to police the cyber and data security of civilian agencies: the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Perhaps the NSA sees space in the federal scheme to advise those working for national security agencies or in these functions at civilian agencies.
The timing of the document is puzzling, however, unless, of course, this is an exercise in public relations given that it is not exactly a secret that location data may compromise all sorts of data about a person. The NSA is likely seeking to recraft its image along the lines of the United Kingdom’s National Cyber Security Centre (NCSC), which often issues advice aimed at a general audience. In the fall of 2019, the NSA announced a reorganization resulting in the creation of the Cybersecurity Directorate, “a major organization that unifies NSA’s foreign intelligence and cyberdefense missions.” NSA asserted this new entity would “work to prevent and eradicate threats to national security systems and critical infrastructure, with an initial focus on the defense industrial base and the improvement of our weapons’ security.” Moreover, “[t]he Cybersecurity Directorate will reinvigorate NSA’s white hat mission by sharing critical threat information and collaborating with partners and customers to better equip them to defend against malicious cyber activity,” the agency claimed.
Since June, NSA has issued a range of guidance documents and warnings, including:
- Cybersecurity Advisory: Mitigate the GRUB2 BootHole Vulnerability
- Info Sheet: Mobile Device Best Practices (July 2020)
- Advisory: Protect Operational Technologies and Control Systems against Cyber Attacks (July 2020)
- Advisory: APT29 Targets COVID-19 Vaccine Development (July 2020)
On the other hand, presumably, the NSA, other IC agencies, the DOD and other agencies are aware of the dangers proposed by the use of mobile devices. In fact, the programs exposed by former NSA contractor Edward Snowden included the collection and use of metadata, most likely including location data. Moreover, agencies of the DOD, including the Army and Navy, ordered personnel to remove TikTok from their military devices, in part, because the company would be able to collect location data. More relevantly, in a 3 August 2018 memorandum issued by then Deputy Secretary of Defense Patrick Shanahan, the DOD explained “[e]ffective immediately, Defense Department personnel are prohibited from using geolocation features and functionality on government and nongovernment-issued devices, applications and services while in locations designated as operational areas.” This memorandum resulted from the exercise app Strava releasing a heatmap of the exercise routes of people all over the world, including military personnel that highlighted precise locations of some previously secret bases. In 2017, the U.S. Government Accountability Office (GAO) released a report specific to the DOD on the security risks of the Internet of Things, and in 2012 the GAO flagged location data as a potential weak spot in mobile device security.
In the guidance on location data, the NSA conceded
Mitigations reduce, but do not eliminate, location tracking risks in mobile devices. Most users rely on features disabled by such mitigations, making such safeguards impractical. Users should be aware of these risks and take action based on their specific situation and risk tolerance. When location exposure could be detrimental to a mission, users should prioritize mission risk and apply location tracking mitigations to the greatest extent possible. While the guidance in this document may be useful to a wide range of users, it is intended primarily for NSS/DOD system users.
Thereafter, the agency lays out how mobile device users may minimize their exposure and the tradeoffs for disabling location data for certain apps and for entire operating systems, to the extent that is possible.
NSA noted that “[d]ifferent users accept different levels of risk regarding location tracking, but most users have some level of concern…[and] [t]he following general mitigations can be used for those with location sensitivities:
- Disable location services settings on the device.
- Disable radios when they are not actively in use: disable BT and turn off Wi-Fi if these capabilities are not needed. Use Airplane Mode when the device is not in use. Ensure BT and Wi-Fi are disabled when Airplane Mode is engaged.
- Apps should be given as few permissions as possible:
- Set privacy settings to ensure apps are not using or sharing location data.
- Avoid using apps related to location if possible, since these apps inherently expose user location data. If used, location privacy/permission settings for such apps should be set to either not allow location data usage or, at most, allow location data usage only while using the app. Examples of apps that relate to location are maps, compasses, traffic apps, fitness apps, apps for finding local restaurants, and shopping apps.
- Disable advertising permissions to the greatest extent possible:
- Set privacy settings to limit ad tracking, noting that these restrictions are at the vendor’s discretion.
- Reset the advertising ID for the device on a regular basis. At a minimum, this should be on a weekly basis.
- Turn off settings (typically known as Find My or Find My Device settings) that allow a lost, stolen, or misplaced device to be tracked.
- Minimize web-browsing on the device as much as possible, and set browser privacy/permission location settings to not allow location data usage.
- Use an anonymizing Virtual Private Network (VPN) to help obscure location.
- Minimize the amount of data with location information that is stored in the cloud, if possible.
- If it is critical that location is not revealed for a particular mission, consider the following recommendations:
- Determine a non-sensitive location where devices with wireless capabilities can be secured prior to the start of any activities. Ensure that the mission site cannot be predicted from this location.
- Leave all devices with any wireless capabilities (including personal devices) at this non-sensitive location. Turning off the device may not be sufficient if a device has been compromised.
- For mission transportation, use vehicles without built-in wireless communication capabilities, or turn off the capabilities, if possible.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.