My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Twitpic, EXIF and GPS: I Know Where You Did it Last Summer

Published: 2010-02-10. Last Updated: 2010-02-11 14:51:27 UTC
by Johannes Ullrich (Version: 1)
13 comment(s)

Modern cell phones frequently include a camera and a GPS. Even if a GPS is not included, cell phone towers can be used to establish the location of the phone. Image formats include special headers that can be used to store this information, so called EXIF tags.

In order to test the prevalence of these tags and analyze the information leaked via EXIF tags, we collected 15,291 images from popular image hosting site Twitpic.com. Twitpic is frequently used together with Twitter. Software on smart phones will take the picture, upload it to twitpix and then post a message on Twitter pointing to the image. Twitpic images are usually not protected and open for all to read who know the URL. The URL is short and incrementing, allowing for easy harvesting of pictures hosted on Twitpic.

We wrote a little script to harvest 15,291 images. A second script was used to analyze the EXIF information embedded in these images. About 10,000 of the images included basic EXIF information, like image resolution and camera orientation. 5247 images included the Camera Model.

Most interestingly: 399 images included the location of the camera at the time the image was taken, and 102 images included the name of the photographer. Correlating the camera model with the photographer field, we found that it was predominantly set for the Canon and Nikon cameras. Only few camera phones had the parameter set.

GPS coordinates where only set for phones, with one single exception (a Nikon Point and Shoot camera, which does not appear to come with a build in GPS. The location may have been added manually or by an external GPS unit). The lion share of images that included GPS tags came from iPhones.

The iPhone is including the most EXIF information among the images we found. The largest EXIF data set we found can be found here. It not only includes the phone's location, but also accelerometer data showing if the phone was moved at the time the picture was taken and the readout from the build in compass showing in which direction the phone was pointed at the time.

Figure 1: Pictures with GPS coordinates broken down by Phone manufacturer.

 

Figure 2: Geographic Distribution of Images

 

Now the obvious question: Anything interesting in these pictures? The images all the way up north shows an empty grocery store (kind of like in the DC area these days). The picture at the Afghan - Pakistan border shows a pizza... Osama got away again I guess.

The scripts used for this can be found here: http://johannes.homepc.org/twitscripts.tgz (two scripts, also needs "exiftools" to pull out the data).

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: cameras exif gps twitpix
13 comment(s)
My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Comments

I checked my iphone 3gs photos (some of which I have on my web server). While it does have the GPS coordinates, they are very inaccurate. They seem to be off by about 5 city blocks.. The GPS in the iphone must be pretty far off.

My name is not in the EXIF data for the iphone, but the pictures from my canon do have my name (I know I put it in the camera).

John
The picture from upnorth:
The note says that all diary products have moved elsewhere. The picture is from Longyearbyen, Spitsbergen.

My Android phone has a setting for "Store location in pictures", which can be turned off if you desire.

The phones have several mechanisms for determining location. It can use the location of the nearest cell towers as an approximation, and those coordinates can obviously be off by quite a bit. If I turn on real GPS in the phone, it is quite close. But I choose to leave it turned off - it really sucks down the battery, and I simply don't need it 99% of the time.
Omigod - you remember how they used MMS pics of clock faces in The Wire to co-ordinate drug re-ups? Now Osama is doing it with pizzas!
John, I've noticed the same thing with my iPhone 3gs. The GPS coordinates can be wildly innacurate at times. I even see this when using applications like Latitude and Loopt....my location is often depicted several blocks from where I am actually at.
Fixed a typo in the article: it is twitpic.com, not twitpix.com.

Regarding GPS and the iPhone: The iPhone will use cell phone towers if it doesn't get a clean GPS signal. In that case, accuracy is not that great. GPS signals take a while to acquire and if you just pull your phone and take a quick snapshot, chances are that you are using the non-GPS coordinates.

I guess they could add the location accuracy to the EXIF data (if it is not already in there somewhere)
Greg: "Omigod - you remember how they used MMS pics of clock faces in The Wire to co-ordinate drug re-ups? Now Osama is doing it with pizzas!"

What an idea! I bet there is a code. Maybe if you overlay a map to the pizza, the meat pieces mark attack sites. Or maybe a grid that then is used to encode words!
I've been doing this for a while. Some sites that you upload your pictures to strip exif data.. while others like Photobucket don't. I've pulled exif data on lots of pics that reveal far more than people wish to share. I used to use http://regex.info/exif.cgi but maybe i'll give yours a shot.
I include contact information in my EXIF, in addition to copyright restrictions. Several times I've found my work being used without my permission and having full EXIF brought each violation to a very swift and satisfying conclusion.
This has been going on for a while now. Digging out the EXIF data in peoples' images has been a game that some people play, kind of like Tag - "I know where you were last night!"

I use the exif utility (http://libexif.sourceforge.net) to remove or scramble the EXIF data on my images before I post them.

Diary Archives