A picture paints a thousand words

Nearly all of us upload images to share them with friends or family. However, images can be used to gather information about us. This article contains several examples, so that you think twice the next time you are about to upload an image.

Contents

  1. Metadata in image files
  2. Visible information
  3. Conclusions
  4. Links
  5. Changelog

Metadata in image files

Most likely you think of Exif when you read “metadata”. Exif stands for “Exchangeable image file format”. However, there are further standards such as IPTC, PLUS and Dublin Core (the latter two are usually embedded as XMP). All of these standards attach metadata to your photos that is not visible when you simply look at the picture. Additionally, smartphones and cameras can automatically add your location using GPS.

While devices add most metadata automatically, you can also add, modify or remove metadata manually. Automatically added metadata includes, for instance, the camera model and manufacturer, the lens and flash configuration, the software or firmware version, and the date and time the photo was taken. Nowadays, most image viewers are able to show the metadata embedded in photos. You can also use ExifTool to view, modify and remove Exif data.

Of course, websites are able to process metadata automatically. For instance, Wikimedia Commons extracts and stores the metadata of all images uploaded there. While this processing can be useful (e.g. to find similar pictures or other pictures taken with this particular camera model), it also puts your privacy at risk. After all, the metadata standards define more than 300 different fields, and a single photo can carry dozens of them.

Besides the exact date, time and location of the shot (where and when the photo was taken), attackers learn about your device from the metadata. They can estimate how valuable your photo equipment is. Furthermore, they can identify your smartphone model and, from the software version field, which OS release it runs, and so may learn about unpatched security vulnerabilities in the OS of your device.

Visible information

So far we talked about metadata like Exif data or GPS data. However, attackers can also process the visible information in a photo. This information includes the approximate time of day (e.g. morning or evening, from light and shadows), the season (e.g. vegetation, snow, clothing) and the position of the photographer/camera. Faces and gestures of photographed individuals reveal more information, like relationships and moods.

Even a single photo without visible persons and without metadata can reveal dozens of reference points, so that attackers can locate where the photo was taken. Several real examples:

  • A photo showing a flower box on a balcony was sufficient to pinpoint the exact apartment (floor, location in the apartment building) of the photographer within 30 minutes. In addition to the photo, we knew the name of the city where the building was located (24,000 inhabitants).
  • Another photo showing the view from a window of an apartment building in a city with 290,000 inhabitants was sufficient to locate the exact building and approximate floor within 45 minutes.
  • One second of a live video stream which showed the view from a balcony covered by a curtain was sufficient to locate the exact building and approximate floor in Budapest (1.7 million inhabitants) within several hours. We only knew that the building was located in the northeast of Budapest.

We only used satellite imagery to find candidate buildings and then Google Street View to pinpoint the exact building. There is also a paper describing an automated version of this process: Accurate Image Localization Based on Google Maps Street View.

Nowadays, Google+, Facebook and other websites are able to estimate where a picture was taken automatically with the help of machine learning. Of course, the automatic estimate is more exact when you take pictures of well-known structures like St. Mary’s Cathedral in Linz or the AZ Tower in Brno.

Additionally, reverse image search engines like TinEye find copies of an image (or similar ones) elsewhere on the internet. Running your photo through such an engine can reveal your other profiles, so attackers learn even more about you.

Conclusions

In the best case for the attacker, a single photo is enough to gather lots of information about you. Of course, they can combine this data with information from other public sources or photos.

You should always rename files and strip their metadata before you upload them. Please note that even renamed files without metadata can still disclose information like your address, interests, location etc. through their visible content. An interesting project is “I Know Where Your Cat Lives”, which plots publicly available photos of cats on a world map using the location embedded in their metadata.

When you have ImageMagick installed (which is often the case on a Linux distro), you can use the following commands in the terminal to view or strip metadata:

  • identify -format '%[EXIF:*]' abc.jpg: Shows the Exif data stored in abc.jpg
  • mogrify -strip abc.jpg: Removes all metadata profiles and comments (Exif, IPTC, XMP and also the ICC colour profile) from abc.jpg, overwriting the file in place. Note that mogrify decodes and re-encodes the picture, so the image data is recompressed; ExifTool, mentioned above, can remove the metadata without touching the image data. Run the identify command again afterwards to verify that nothing is left.
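How the metadata described in the first section is actually stored, and what “stripping” it means at the byte level, as an added example (my own code for this article, not a tool by the article's author and not ExifTool or ImageMagick): a JPEG is a sequence of marker segments; Exif lives in an APP1 segment as a small TIFF structure whose IFD tables hold the tags, and a GPS position is three degree/minute/second rationals plus an N/S/E/W reference. The script builds a constructed sample JPEG (valid JFIF, Exif and comment segments, but no decodable picture data), reads the make, model, date and GPS position out of it, and then produces a stripped copy by dropping the APP1..APP15 and COM segments while copying everything else byte for byte. The camera name `ExampleCam`, the date and the coordinates (a point in Linz) are made up for the sample.

```python
"""Read and strip Exif metadata in a JPEG with the standard library only. Added example for
this article (not the author's tool); the sample JPEG is constructed, with no picture data."""
import struct

ASCII, LONG, RATIONAL = 2, 4, 5                  # TIFF field types used by the sample
TAG_MAKE, TAG_MODEL, TAG_DATETIME, TAG_GPS_IFD = 0x010F, 0x0110, 0x0132, 0x8825
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004

def build_ifd(entries, base):
    """One little-endian IFD at TIFF offset `base`; entries are (tag, type, count, payload)."""
    table_len = 2 + 12 * len(entries) + 4        # count + entries + next-IFD link
    table, heap = b"", b""
    for tag, ftype, count, payload in entries:
        if len(payload) <= 4:                    # short values are stored inside the entry
            table += struct.pack("<HHI4s", tag, ftype, count, payload)
        else:                                    # long values go to a heap after the table
            table += struct.pack("<HHII", tag, ftype, count, base + table_len + len(heap))
            heap += payload
    return struct.pack("<H", len(entries)) + table + b"\x00" * 4 + heap

def rationals(*pairs):                           # (numerator, denominator) -> TIFF RATIONALs
    return b"".join(struct.pack("<II", n, d) for n, d in pairs)
def segment(marker, payload):                    # 0xFF, marker, big-endian length, payload
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

def build_exif_app1(make, model, datetime, lat, lon):
    """Exif APP1 payload: 'Exif\\0\\0', TIFF header, GPS IFD at offset 8, then IFD0."""
    gps = build_ifd([(TAG_LAT_REF, ASCII, 2, lat[0].encode() + b"\x00"),
                     (TAG_LAT, RATIONAL, 3, rationals(*lat[1])),
                     (TAG_LON_REF, ASCII, 2, lon[0].encode() + b"\x00"),
                     (TAG_LON, RATIONAL, 3, rationals(*lon[1]))], base=8)
    ifd0 = build_ifd([(TAG_MAKE, ASCII, len(make) + 1, make.encode() + b"\x00"),
                      (TAG_MODEL, ASCII, len(model) + 1, model.encode() + b"\x00"),
                      (TAG_DATETIME, ASCII, len(datetime) + 1, datetime.encode() + b"\x00"),
                      (TAG_GPS_IFD, LONG, 1, struct.pack("<I", 8))], base=8 + len(gps))
    return b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8 + len(gps)) + gps + ifd0

# Constructed sample. Camera, date and position (a point in Linz) are made up.
SAMPLE_JPEG = (
    b"\xff\xd8"                                                          # SOI
    + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")      # APP0 (JFIF)
    + segment(0xE1, build_exif_app1("ExampleCam", "EC-1", "2018:04:05 10:30:00",
                                    ("N", [(48, 1), (18, 1), (1008, 100)]),   # 48 18' 10.08"
                                    ("E", [(14, 1), (17, 1), (2184, 100)])))  # 14 17' 21.84"
    + segment(0xFE, b"edited with example editor 1.0")                    # COM
    + b"\xff\xda\x00\x02\xff\xd9")                                        # SOS stub + EOI

def iter_segments(data):                         # (marker, start, end); from SOS on: rest of file
    pos = 2                                      # skip SOI
    while pos < len(data):
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):               # SOS (entropy-coded data follows) or EOI
            yield marker, pos, len(data)
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def read_ifd(tiff, offset, endian):              # {tag: raw value bytes} for the IFD at offset
    fields = {}
    for i in range(struct.unpack(endian + "H", tiff[offset:offset + 2])[0]):
        e = offset + 2 + 12 * i
        tag, ftype, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        size = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}.get(ftype, 1) * count
        off = e + 8 if size <= 4 else struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
        fields[tag] = tiff[off:off + size]
    return fields

def ascii_tag(fields, tag):
    return fields.get(tag, b"").rstrip(b"\x00").decode("ascii", "replace")

def dms_to_decimal(raw, ref, endian):            # (deg, min, sec) RATIONALs + N/S/E/W -> decimal
    d, dd, m, md, s, sd = struct.unpack(endian + "IIIIII", raw)
    return (-1 if ref in ("S", "W") else 1) * (d / dd + m / md / 60 + s / sd / 3600)

def extract_exif(jpeg):
    """Return make, model, date/time and decimal GPS position, or None if there is no Exif."""
    for marker, start, end in iter_segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00":  # XMP is APP1 too
            tiff = jpeg[start + 10:end]
            endian = "<" if tiff[:2] == b"II" else ">"   # byte order from the TIFF header
            ifd0 = read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
            info = {name: ascii_tag(ifd0, tag) for name, tag in
                    (("make", TAG_MAKE), ("model", TAG_MODEL), ("datetime", TAG_DATETIME))}
            gps = read_ifd(tiff, struct.unpack(endian + "I", ifd0[TAG_GPS_IFD])[0], endian) \
                if TAG_GPS_IFD in ifd0 else {}
            if TAG_LAT in gps and TAG_LON in gps:
                info["lat"] = dms_to_decimal(gps[TAG_LAT], ascii_tag(gps, TAG_LAT_REF), endian)
                info["lon"] = dms_to_decimal(gps[TAG_LON], ascii_tag(gps, TAG_LON_REF), endian)
            return info
    return None

def strip_metadata(jpeg):
    """Lossless strip: drop APP1..APP15 (Exif, XMP, ICC, IPTC) and COM, copy all else verbatim."""
    return jpeg[:2] + b"".join(jpeg[s:e] for m, s, e in iter_segments(jpeg)
                               if not (0xE1 <= m <= 0xEF or m == 0xFE))

if __name__ == "__main__":
    print(extract_exif(SAMPLE_JPEG), "->", extract_exif(strip_metadata(SAMPLE_JPEG)))
```

Unlike mogrify -strip, which decodes and re-encodes the picture, strip_metadata leaves the entropy-coded image data after SOS untouched; on real files, exiftool -all= abc.jpg does the same and keeps a backup as abc.jpg_original. Drop 0xE2 from the stripped range if you want to keep the ICC colour profile. The reader only walks IFD0 and the GPS IFD; a real photo also has the Exif sub-IFD (tag 0x8769, with DateTimeOriginal and the lens data) and an embedded thumbnail in IFD1, which read_ifd can walk the same way, and which is one reason a cropped photo can still leak what was cropped away.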

Changelog

  • Apr 5, 2018: Added two ImageMagick commands

See also