Social Engineering: Location Spoofing
Before the era of social media and Photoshop revolutionized how every single one of us, including your Grandma, told our life stories, we had relatively much simpler ways of sharing. When I was eleven my parents took my brother and I to Disney World, a right of passage for any child (Good job Disney marketing). I vaguely remember a Toy Story parade, including an obscenely over sized Buzz Lightyear, but in all honesty I don’t have any photos to verify that. Why? Because, like everyone else at the park, my family toted around a backpack of Kodak disposable cameras of which nobody knows where the developed photos are anymore. Do you remember the process and excitement of coming back from vacation, running to the local CVS (shameless CVS plug, please send coupons), and having the joy of seeing your photos in your hand? Of course, like today, more than half the photos were crap, over-exposed, under-exposed, mostly taken in excitement haste with no clear framing. Nonetheless, they were tangible proof of a story.
All right, but what’s the point here? This post is supposed to be about injecting custom global positioning coordinates into your iPhone’s operating system, not my memories of Buzz Lightyear from Disney.
My point is, before Facebook, Instagram, Foursquare, Twitter, etc, showing friends and family your vacation photos was the only way to prove beyond a reasonable doubt that you were indeed traveling on vacation. Fast forward to today where simply checking-in on any of these social platforms instantly makes others assume and trust that you are indeed present at the described location. When I’ve talked to friends outside of the IT field about social engineering and the idea of GPS spoofing, typically they immediately dismiss it as impossible. “How can you ‘be’ at the Santa Monica Pier, if you’re sitting in your downtown Princeton office?” Very simply, let me show you the easiest method to get started.
Firstly you need to jailbreak your iPhone, if you don’t know how to do this then utilize your favorite search engine for instructions. After jailbreaking you should have the popular application, Cydia, accessible on your iPhone for downloading and installing 3rd party iOS apps not available in the official Apple Store. Search for ‘Location Faker’, which is assessable from the ‘BigBoss’ repository. Once it’s installed, launch the app and everything is pretty much straight forward. You can select which applications to spoof, what location to inject and so on right from an easy to navigate interface.
By now you are probably thinking, great, now I can trick my friends into thinking I’m traveling to cool places, while I’m sitting home on a Netflix marathon, but what else is this good for? Not many of us even realize just how many mobile applications are location sensory based. Utilizing the general populations trust in technology will potentially allow you to physiologically manipulate situations to your advantage. Perhaps you just returned from a trip early, but don’t want your boss/spouse to know, so you spoof your coordinates on a message embedded with location metadata to show your still working hard at that conference.
Regardless of whether you have any interest in actually utilizing this hack, its important for everyone to know that its very easy for the every day iPhone user to pull off. So next time your checking up on your significant others on ‘Find my Friends’, or drooling with envy over your ex’s sudden excursion to London, think twice about believing it.
Fine Print: While this post does indeed give you a rough idea on how to actually setup location spoofing from your phone, I take no responsibility for any loss of functionality from your device, or consequences from the results of your actions. Some emergency services are dependent on meta-data sent from your iPhone. It’s important to understand what you are modifying and how it can affect your overall usage of your device as well as the ability for others to locate you in an emergency.