This map represents an individual’s morning commute. Red dots reflect the places where the UW computer security researchers were able to track that person’s movements by serving location-based ads: at home (real location not shown), a coffee shop, bus stop and office. The team found that a target needed to stay in one location for roughly four minutes before an ad was served, which is why no red dots appear along the individual’s bus commute (dashed line) or walking route (solid line). (Credit: Courtesy of University of Washington)

Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime and digital forensics. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.

Americans have long been wary of businesses tracking and targeting them with ads. It’s hard not to raise an eyebrow the first time you notice an ad for a product you were recently browsing suddenly appear on a different website. Or, when you’re out shopping and ads from nearby stores begin to pop up in your apps, you may ask, “How do they know?”

Businesses use this highly targeted and location-based advertising to sell more specific things to more specific people, increasing the likelihood that ads will lead to purchases and thus increasing their profits. But the potential for this individualized tracking to be used for more nefarious purposes has kept privacy controversies alive around the topic of advertising, and a team of researchers from the University of Washington recently proved how this potential could become a reality for as little as $1,000.

Paul Vines, a recent doctoral graduate of the UW’s Paul G. Allen School of Computer Science & Engineering, was the lead author of a paper describing how practically anyone can track someone’s location, as well as their app use, using a method dubbed ADINT. (The paper will be presented at the Association for Computing Machinery’s Workshop on Privacy in the Electronic Society on Oct. 30.) ADINT can track an individual’s location by creating a grid of hyperlocal ads and seeing which ads get served to the targeted user over a period of time; it can also gain information about what kinds of apps a particular person is using—which could provide sensitive information about the target’s religious beliefs, medical conditions or sexual orientation.

“Anyone from a foreign intelligence agent to a jealous spouse can pretty easily sign up with a large internet advertising company and on a fairly modest budget use these ecosystems to track another individual’s behavior,” Vines said in a UW news release. Vines’ team surveyed over 20 demand-side providers (DSPs) of advertising services with varying prices and features, finding that most of them offered services that could be misused by someone looking to covertly track a target.

The team also conducted a case study and a handful of proof-of-concept attacks using one DSP—the services they used cost about $1,000 to execute ADINT, a feasible budget for a small group or individual. Additionally, Vines said in response to a question from Forensic Magazine that it might be possible for an employee of a business to use a DSP that their employer is paying for on a subscription basis, with specific attacks costing as little as $1 and potentially going unnoticed by the employer.

“I think that would definitely depend on exactly who they are targeting, what they are trying to find out, and definitely how their business operates. E.g., if no one else ever looks at the ads they are buying, then it certainly seems possible, but this ultimately depends on the situation,” he explained.

The team chose not to disclose the name of the DSP they used for the case study, as they feel the threat of ADINT is an “industry-wide” issue, the paper states.

In order to track an individual, the attacker would first need to know the Mobile Advertising ID (MAID) of the target’s device, which they could find fairly easily by “sniffing” unsecured network traffic, at a public WiFi hotspot for example. Once the attacker knows the target’s MAID, they can see which ads (each corresponding to a location within a range of about 8 m) are being served to the target’s device and which apps the ads are appearing in.

The DSP they used served ads to a number of popular apps with user bases in the millions, as well as potentially sensitive apps such as Grindr, a gay dating app, and Quran Reciters, a religious app. Along with their case study, in which they were able to accurately track a person’s commute over a distance of 2.5 miles as well as tell when someone was active on Grindr, the researchers also described a set of other possible attack scenarios, including a burglar tracking a homeowner’s daily routine in order to know when they will be away from home, and a member of the paparazzi serving ads to a celebrity in order to figure out what kinds of apps they’re using.

The researchers received no interference from the DSP while conducting their case study, despite their unusual and specific advertising activity that likely wouldn’t make sense for a real business. The researchers suggested that possible defenses for targets would be to frequently reset their MAID or simply not use apps, as the apps must be active for ads to be served—both of these options are notably impractical. The team concludes that it would make more sense for advertising networks to require a minimum number of devices that an ad can target, and for DSPs to have methods of detecting unusual activity from advertisers that could alert them to a potential ADINT attack.
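The two DSP-side mitigations the team proposes, a minimum audience size and detection of unusual advertiser activity, sketched as an added example that is not from the paper or from any real DSP; the campaign fields, thresholds and sample data are all constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Policy thresholds are assumptions for this example, not values from the paper.
MIN_AUDIENCE = 1000      # smallest audience a single campaign may target
SMALL_FENCE_M = 50       # geofence radius treated as "hyperlocal"
GRID_ALERT = 5           # this many hyperlocal fences from one account looks like a grid


@dataclass(frozen=True)
class Campaign:
    advertiser: str
    campaign_id: str
    audience: frozenset      # device IDs (MAIDs) the campaign is allowed to reach
    fence_radius_m: float    # radius of the campaign's geofence in metres


def campaign_findings(c: Campaign) -> list[str]:
    """Per-campaign check: enforce the minimum-audience rule the paper suggests."""
    findings = []
    if len(c.audience) < MIN_AUDIENCE:
        findings.append(f"{c.campaign_id}: audience of {len(c.audience)} "
                        f"below minimum {MIN_AUDIENCE}")
    return findings


def advertiser_findings(campaigns) -> dict[str, list[str]]:
    """Cross-campaign check: many hyperlocal fences that all share the same device(s)
    is the shape of an ADINT location grid, so it is reported per advertiser."""
    by_adv = defaultdict(list)
    for c in campaigns:
        by_adv[c.advertiser].append(c)
    report = {}
    for adv, cs in by_adv.items():
        findings = [f for c in cs for f in campaign_findings(c)]
        small = [c for c in cs if c.fence_radius_m <= SMALL_FENCE_M]
        if len(small) >= GRID_ALERT:
            shared = frozenset.intersection(*(c.audience for c in small))
            if shared:
                findings.append(f"{len(small)} hyperlocal fences share "
                                f"{len(shared)} device(s): possible ADINT grid")
        if findings:
            report[adv] = findings
    return report


# Constructed sample: a retailer reaching a city-wide audience with wide fences,
# and one account running six 25 m fences that all list the same single device.
LEGIT = [Campaign("shoe_co", f"shoe-{i}", frozenset(f"dev{n}" for n in range(5000)), 2000.0)
         for i in range(3)]
SUSPECT = [Campaign("acct_42", f"grid-{i}", frozenset({"maid-target-01"}), 25.0)
           for i in range(6)]
```

Run over `LEGIT + SUSPECT`, only `acct_42` is reported: six audience-size findings plus one grid finding.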

While their study focused only on ads served within mobile apps while they are active, Vines told Forensic Magazine that mobile ads appearing on web pages in browser apps such as Google Chrome and Safari could also possibly be used for ADINT.

“Web ads can definitely be used for ADINT in concept (and we discuss this a bit obliquely in our survey section of the paper), however we experimented on mobile app ads to keep the study focused,” Vines said. “Web ads will have some differences, but we can’t speak authoritatively about exactly how those differences change using them for ADINT.”