How is it possible that John McAfee–John McAfee, the pioneer in protection against hacking, for goodness sake–was tracked down in Guatemala by a hack so simple it doesn’t really deserve to be called a hack?
First, Vice magazine posted a picture of McAfee snapped by an iPhone-bearing staffer who was visiting the fugitive. Then, the enterprising Twitter user Simple Nomad downloaded the photo and extracted the metadata from special headers, EXIF tags, embedded in most digital images. Based on longitude and latitude, the type of device used, and sometimes even the name of its owner, the metadata can reveal precisely where a photo was taken.
This isn’t even cutting-edge stuff. The capability to glean information from image headers has been around for years in traditional digital cameras, says Johannes Ullrich, who heads the Internet Storm Center for the SANS Technology Institute. “Its original intent was to help you store information like what type of lens you were using, or the aperture setting. But as cameras became fancier, more information was stored in these headers.”
While few digital cameras have GPS capabilities, they–like cameras–are a given in smartphones.
Back in 2010, Ullrich tested the prevalence of EXIF tags. He collected 15,291 images from Twitpic.com, analyzed their EXIF data and found:
- Approximately 10,000 images had basic EXIF information, such as camera orientation and resolution.
- 5,247 included camera model.
- 399 noted camera location at the time the photo was taken.
- 102 included the photographer’s name.
- The bulk of images with GPS information came from iPhones. (Apparently, iPhones store the most extensive amount of EXIF data.)
Ullrich offered up a photo he took with his iPhone:
Here’s image’s EXIF information, as it appears when collected with a tool called exiftags:
Take the latitude and longitude, pop them into a mapping site and…Voilà:
The complications this can cause for pretty much anyone are apparent, whether they’re an on-the-run millionaire or someone just skipping work for the day. If you want to avoid any trouble, disable the location services on your smartphone. You won’t be able to arrange your pictures geographically, but that could be a small price to pay.
Unfortunately, removing data from images you’ve already posted online is harder. “There are some commercial tools, but it’s nothing I would recommend to consumers at this point because it’s too hard to use and too expensive for the use it would get,” Ullrich says.
There’s also the of time and effort. You’d have to download the images you wanted to scrub and then rub them through one of the available EXIF tools. But if you’re determined to do it, take a look at exiv2 and ImageMagick, which can help you review and strip out the image’s header information.
But before you freak out thinking about of all of the pictures you’ve got on Facebook, Google+ or wherever, Ullrich notes that some sites strip out the metadata before it’s posted.
In fairness, a number of reports say it was an “unseasoned” Vice staffer who posted the photo without scrubbing the metadata.