There have been comments and minor warnings about GPS spoofing before, but now we have examples of it in action and it turns out to be very easy.
GPS and location awareness in general are increasingly popular because they allow applications to deliver a local experience. They can also have economic benefits.
The very nature of the sort of application that provides local information makes it difficult to see why anyone would bother to fake their location. However, you need to be aware that it is generally very easy to do so, and thus to spoof GPS.
Nearly all development environments include some way of providing a fake GPS signal so that location-aware apps can be tested. These GPS simulators are generally part of the SDK, and if they are not, one is often among the first things supplied by a third party.
For example, for Android there is Fake GPS, which can be downloaded for free, or there is a slightly less easy to use utility in the SDK. However, until now there seemed to be little point in playing with them just to find out what fast food was available in, say, Nova Scotia or Timbuctoo. Some amusement might be had by using GPS spoofing to check into a remote location, and you can imagine scenarios where this might be used to claim that you were somewhere else, perhaps to cheat in some way.
The new element, however, is Color, a recently launched web site that allows you to share photos. Before you conclude that there are already enough photo sharing sites, note that this one is different. It connects photos posted in the same geographical region and lets you view photos taken by other people close to where you are. The idea is to allow people to "connect" if they are close by. With a little GPS spoofing you can of course connect no matter where you are.
Security researcher and Veracode CTO Chris Wysopal reports just such a hack for the iPhone and Nicholas Schmidt has done the same thing for Android.
"It was pretty fun to see the reactions as I checked into the Oval Office, Falkland Islands, Arab Alabama, and Tripoli. Note to self, the chicken is horrible at the Sheraton in Tripoli and the place is a real hell hole right now :)"
Color has no privacy or security measures in place; it simply states that everything is public. In a sense this is reasonable, because if you post pictures to Color then the only reason to do it is to share, but you might not realise that you are allowing distant voyeurs access to your photos.
GPS spoofing is in the early stages, but then so are location-aware apps. It might be time to consider a secure way of entering location data, but is it even possible?
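One partial answer is for the service to sanity-check reported positions instead of trusting each one on its own. The following is an added example, not code from Color or from the researchers quoted here: it flags consecutive check-ins by one account that imply an impossible travel speed. The account names, timestamps, approximate coordinates and the 1000 km/h ceiling are all constructed assumptions.

```python
import math
from datetime import datetime, timedelta

MAX_SPEED_KMH = 1000.0  # assumed ceiling, roughly airliner cruise speed

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def flag_implausible(checkins, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_place, to_place, implied_kmh) for each consecutive
    pair of check-ins by one user that implies travel above the ceiling."""
    flagged, last = [], {}
    for user, when, place, pos in sorted(checkins, key=lambda c: c[1]):
        if user in last:
            prev_when, prev_place, prev_pos = last[user]
            # Clamp the interval so simultaneous check-ins do not divide by zero.
            hours = max((when - prev_when).total_seconds() / 3600, 1e-6)
            speed = haversine_km(prev_pos, pos) / hours
            if speed > max_speed_kmh:
                flagged.append((user, prev_place, place, round(speed)))
        last[user] = (when, place, pos)
    return flagged

# Constructed sample data: (user, timestamp, place label, (lat, lon)).
T0 = datetime(2020, 1, 1, 12, 0)
SAMPLE = [
    ("user_a", T0, "Washington DC", (38.90, -77.04)),
    ("user_a", T0 + timedelta(minutes=20), "Falkland Islands", (-51.70, -57.85)),
    ("user_a", T0 + timedelta(minutes=45), "Tripoli", (32.89, 13.19)),
    ("user_b", T0, "Halifax, Nova Scotia", (44.65, -63.57)),
    ("user_b", T0 + timedelta(hours=30), "Timbuktu", (16.77, -3.01)),
]

if __name__ == "__main__":
    for hit in flag_implausible(SAMPLE):
        print(hit)
```

A check like this catches location hopping, not a single consistent fake position, so it reduces rather than removes the trust placed in client-supplied coordinates.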
The last word should go to Nicholas Schmidt:
"For me the takeaway is that GPS coordinates are considered gospel by the Internet. With the prevalence of development tools and rooted devices it is very easy to spoof those trusted data sets. When performing social engineering one of the most powerful tools is shared backgrounds. Being able to check in to a location for a week straight or use Color to pull pictures and information from a company will serve to be a powerful tool in the future."